ADMT 3.2 RPC Problems. ERR3:7585

    Question

  • Hi all

    I am scheduled to do a domain migration between a 2003 target domain and a 2008 R2 source domain. The target domain controllers are 2008 R2 and the source domain controllers are 2012 R2.

    The source domain has 2 domain controllers, and when I try to do a group migration using each of the servers I get 2 different results. Not entirely sure why. Hoping someone can help.

    Source PDC Result:

    [Object Migration Section]
    2017-01-11 12:44:46 Starting Account Replicator.
    2017-01-11 12:45:07 ERR3:7585 The account replicator is unable to continue.   The RPC server is unavailable.
    2017-01-11 12:45:07 Operation completed.

    Source other DC Result:

    [Object Migration Section]
    2017-01-11 12:57:19 Starting Account Replicator.
    2017-01-11 12:57:26 CN=test              - Created
    2017-01-11 12:59:13 ERR2:7111 Failed to add sid history for test to test. RC=1722 
    2017-01-11 12:59:15 WRN1:7561 ADMT could not migrate some properties for this object type (group) due to schema mismatches.  Please refer to the Schema Section in the migration log for a complete listing.  The Schema Section will be available once object migration is complete.
    2017-01-11 12:59:20 Processing group membership for CN=test.
    2017-01-11 12:59:20      Cannot add testuser to CN=test, because testuser has not been migrated to the target domain.
    2017-01-11 12:59:23 Operation completed.

    On the source PDC I enabled the TcpClientSupport and on the source domain controllers I enabled auditing Account Management and also DS Access. They are both set to Success and Failure. Also did some advanced auditing settings as I read someone had to do that part.

    I followed this guide as my base setup: https://blog.thesysadmins.co.uk/admt-series-1-preparing-active-directory.html

    So we have an external trust between the 2 domains. We have DNS conditional forwarders set up. Now I did mess about with SID filtering. Think I disabled SID filtering but I ran the commands from both target and source domains.

    I know the ADMT server that sits in the target domain works because I can migrate successfully from another domain.

    The service account TARGET\AdmtAdmin is domain admin in target domain and part of the Administrators in the source domain.

    In source domain on the domain controllers we ensured that Windows Firewall is off and we completely removed McAfee Endpoint Security Suite.

    We are suspecting the site-to-site VPN between the 2 countries and the 2 domains, but the source and the target side both say ANY ANY on their rule set.

    Any ideas?

    Wednesday, January 11, 2017 12:24 PM
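
Added example, not part of the original post: a small Python triage of the two log excerpts above (abridged). It maps `RC=1722` to the Win32 status `RPC_S_SERVER_UNAVAILABLE`, which shows that both source domain controllers fail on the same RPC error, only at different stages of the migration. The function name, field names and the reading of the digit after `ERR`/`WRN` as a level are assumptions made for this example.

```python
import re

# Win32 status codes that can follow "RC=" (values from winerror.h).
WIN32_RC = {5: "ERROR_ACCESS_DENIED", 1722: "RPC_S_SERVER_UNAVAILABLE",
            1753: "EPT_S_NOT_REGISTERED"}

# Line shape seen in the post: "<date> <time> ERR<n>:<id> <text>" (or WRN).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<kind>ERR|WRN)(?P<level>\d):(?P<msg_id>\d+) (?P<text>.*)$")
RC_RE = re.compile(r"\bRC=(\d+)")

def parse_admt_log(log_text):
    """Return one dict per ERR/WRN line; other lines are skipped."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        f = m.groupdict()
        rc = RC_RE.search(f["text"])
        f["rc"] = int(rc.group(1)) if rc else None
        f["rc_name"] = WIN32_RC.get(f["rc"])
        # The same failure shows up as RC=1722 or as the message text.
        f["rpc_unavailable"] = (f["rc"] == 1722 or
                                "rpc server is unavailable" in f["text"].lower())
        findings.append(f)
    return findings

# Log excerpts copied (abridged) from the question above.
PDC_LOG = """\
[Object Migration Section]
2017-01-11 12:44:46 Starting Account Replicator.
2017-01-11 12:45:07 ERR3:7585 The account replicator is unable to continue.   The RPC server is unavailable.
2017-01-11 12:45:07 Operation completed.
"""
OTHER_DC_LOG = """\
[Object Migration Section]
2017-01-11 12:57:26 CN=test              - Created
2017-01-11 12:59:13 ERR2:7111 Failed to add sid history for test to test. RC=1722
2017-01-11 12:59:15 WRN1:7561 ADMT could not migrate some properties for this object type (group) due to schema mismatches.
2017-01-11 12:59:20      Cannot add testuser to CN=test, because testuser has not been migrated to the target domain.
"""

if __name__ == "__main__":
    for dc, log in (("source PDC", PDC_LOG), ("other source DC", OTHER_DC_LOG)):
        for f in parse_admt_log(log):
            print(dc, f["kind"] + f["level"], f["msg_id"], f["rc_name"],
                  "RPC unavailable" if f["rpc_unavailable"] else "other")
```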

All replies

  • Hi,
    Sounds like a name resolution or firewall issue. From the ADMT server, please make sure you can access the source domain. Open ADUC from the ADMT server and try to connect to the source domain.
    In my experience, many RPC issues relate to blocked ports. Please start by checking this aspect.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, January 12, 2017 5:39 AM
    Moderator
  • Hi Wendy,

    From the ADMT server in the target domain I have no problems opening up ADUC and changing the domain to the source domain.

    Another thing that might be important to mention is that the source PDC domain controller also has Exchange 2013 installed, although it has been "disabled". I wondered if any changes might have been made in the Registry under HKLM/System/CurrentControlSet/Services/TCPIP/Parameters. The stuff in there is not exactly the same as on my target PDC domain controller. Do you know if I need to restart the source DC after changing some of these parameters?

    Thursday, January 12, 2017 7:42 AM
  • Hi,

    Maybe we could give it a try, but I would suggest rebooting the PDC outside business hours, which may avoid some problems for users.

    Best regards,

    Wendy



    Monday, January 16, 2017 3:29 AM
    Moderator
  • Hi Wendy, 

    Just to follow up on this. I set up a lab and tested the ADMT which replicated the production source and target domains and then I went step by step to set it up and got it working without too much trouble.

    I am still not sure exactly what fixed it, but what I changed was:

    • Removed TCPClientSupport from source domain controller Windows Server 2012 R2
    • Disabled Windows Firewall using GPO linked to domain, although WF was turned off on domain controllers etc
    • Checked the audit settings again. It did not look like it changed any settings but I ran the commands again
      Did audit settings exactly as shown here
    • Moved SOURCE$$$ from builtin container to Users container

    Going to reset my lab setup and then do it all again, this time screenshotting and do another guide just like the one posted above.

    Tuesday, January 17, 2017 9:57 AM
  • Hi,
    Sounds like a name resolution or firewall issue. From the ADMT server, please make sure you can access the source domain. Open ADUC from the ADMT server and try to connect to the source domain.
    In my experience, many RPC issues relate to blocked ports. Please start by checking this aspect.
    Best regards,
    Wendy


    Not sure if it was Windows Firewall or not but I want to give you the answer. :) Thank you for your assistance.
    Tuesday, January 17, 2017 9:58 AM
  • Hi,
    Thank you for the feedback and marking the reply.
    Best regards,
    Wendy


    Wednesday, January 18, 2017 2:08 AM
    Moderator