Domain migration ERR3:7075 Failed to change domain affiliation, hr=8007054a This operation is only allowed for the Primary Domain Controller of the domain

    Question

  • Dear All

    Hope someone has faced this issue and can help me with the solution for member server migration.

    I'm in the process of an intraforest migration using ADMT 3.1; we have already established trust between the domains. Domain A (source domain) has both DCs running on Windows 2003 with functional level Windows 2003, while in Domain B (target domain) we have both Windows 2008 and Windows 2003 DCs with the same functional level of Windows 2003. Also, we have installed Exchange 2007 SP2 in Domain B. We have installed ADMT in Domain B, created the necessary service account to be used for migration purposes and given it whatever privileges are required on both the source and target domain. The issue is that all the user and group migration was successfully done, while member server migration fails even though the migration service account is added to the local admin group of the member servers in the source domain which need to be migrated; also the domain-local policy setting for Network access has been enabled with LLCSRPC, BROWSER, netlogon ... (Named Pipes that can be accessed anonymously).

    Also we have uninstalled and then reinstalled the Microsoft Network client services but are getting the error when viewing the Agent Details: ERR3:7075 Failed to change domain affiliation, hr=8007054a This operation is only allowed for the Primary Domain Controller of the domain.

    For information purposes, agents are installed successfully. Please advise; we have applied almost all the possible solutions mentioned in that discussion, and we also explicitly selected the target Primary Domain Controller during the Domain Selection step of the ADMT wizard.

    Regards

    Farhan

    Saturday, July 10, 2010 9:26 AM

Answers

  • Hi,

    Did you follow all the suggestions in the "Migrating Workstations and Member Servers" section of "ADMT v3.1 Guide: Migrating and Restructuring Active Directory Domains"?

    http://www.microsoft.com/downloads/details.aspx?familyid=6D710919-1BA5-41CA-B2F3-C11BCB4857AF&displaylang=en

    If so, please find the ADMT logs in the c:\Windows\ADMT\Logs folder and send them to tfwst@microsoft.com for research.

    If not, please check your operations and follow the guide to try again. It's also suggested to read through this article to get a better understanding of migration.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, July 15, 2010 9:33 AM
    Moderator

All replies

  • Are you performing a test migration? Try to do a full migration instead of a "test mode" migration.

    http://support.microsoft.com/kb/828261/en-us



    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, July 12, 2010 2:51 PM
  • Dear Santosh and All

    Thanks for the reply. We are not using ADMT version 2; we are using ADMT version 3.1, in which there is no test migration option, only the full migration option. So what can be the solution to this error? Please reply ASAP.

    Regards

    Farhan

    Tuesday, July 13, 2010 10:47 AM
  • Dear All

    Any solution for it.

    Regards

    Farhan

    Tuesday, July 20, 2010 11:53 AM
  • Dear All,

    Please find the attached ADMT log files

    2010-07-20 16:37:58 Active Directory Migration Tool - scripted computer migration started.

    [Settings Section]
    Task: Computer Migration (38)
    ADMT Console
        User:       Live\administrator
        Computer:   XYZ.Live.net (XYZ)
            Domain:     Live.net (Live)
            OS:         Windows Server (R) 2008 Standard without Hyper-V 6.0 (6002) Service Pack 2
    Source Domain
        Name:   Test.net (Test)
        DC:     ABC0Z5A.Test.net (ABC0Z5A)
            OS:     Windows Server 2003 5.2 (3790) Service Pack 2
        OU:    
    Target Domain
        Name:   Live.net (Live)
        DC:     XYZ.Live.net (XYZ)
            OS:     Windows Server® 2008 Standard without Hyper-V 6.0 (6002) Service Pack 2
        OU:     LDAP://XYZ.Live.net/OU=Live-Computers,DC=Live,DC=net
    Intra-Forest: Yes
    Translate Option: Replace
    Translate Files:         No
    Translate Local Groups:  Yes
    Translate Printers:      No
    Translate Registry:      No
    Translate Rights:        Yes
    Translate Shares:        No
    Translate User Profiles: No
    Conflict Option: Ignore
    Perform Pre-check Only: No

    [Object Migration Section]
    2010-07-20 16:37:59 Starting Account Replicator.
    2010-07-20 16:37:59 CN=TEST01          - Created
    2010-07-20 16:38:00  - Set password for CN=TEST01.
    2010-07-20 16:38:00 Operation completed.

    [Agent Dispatch Section]
    2010-07-20 16:38:01 Read 3 accounts from the database that were previously migrated from the domain 'Test.net' to the domain 'Live.net'.
    2010-07-20 16:38:02 Created account input file for remote agents: Accounts000038.txt
    2010-07-20 16:38:02 Installing agent on 1 servers
         
    2010-07-20 16:38:02 The Active Directory Migration Tool Agent will be installed on TEST01.Test.net
    2010-07-20 16:38:06 Started job:  TEST01.Test.net 000038_TEST01 {E71CEB07-EBF6-4DA4-AD80-F9086BFADBEE}
         

    [Agent Summary Section]
    ***** Start of Pre-check Summary *****
    Machine Name               Status Message
    TEST01.Test.net Passed 
    ***** End of Pre-check Summary *****
    ***** Start of Agent Operation Summary *****
    For more information about operations that completed with warnings or errors, refer to the Agent Details section.
    Machine Name               Status                Message
    TEST01.Test.net Completed with Errors 
    ***** End of Agent Operation Summary *****
    ***** Start of Post-check Summary *****
    Machine Name               Status      Message
    TEST01.Test.net Not Started 
    ***** End of Post-check Summary *****

    [Agent Details Section]

    Details for TEST01.Test.net
    Local Machine
        Computer:   TEST01.Test.net (TEST01)
            Domain:     Test.net (Test)
            OS:         Windows Server (R) 2008 Standard 6.0 (6002) Service Pack 2
    2010-07-20 16:38:06 Starting Security Translator.
    2010-07-20 16:38:06 Agent is running in local mode.
    2010-07-20 16:38:06 Read 1 accounts from C:\Windows\OnePointDomainAgent\Accounts000038.txt
    2010-07-20 16:38:06 SecurityTranslation LGroups:Yes UserRights:Yes TranslationMode:Replace Test.net Live.net
    2010-07-20 16:38:06 Starting
    2010-07-20 16:38:06 Translating local groups.
    2010-07-20 16:38:06 Translating user rights.
    2010-07-20 16:38:06 ADMT only performs user rights translation in Append mode.
    2010-07-20 16:38:06 ------Account Detail---------
    2010-07-20 16:38:06 The account detail section uses the following format: AccountName(OwnerChanges, GroupChanges, DaclChanges, SaclChanges).
    2010-07-20 16:38:06 -----------------------------
    2010-07-20 16:38:06 0 users, 1 groups
    2010-07-20 16:38:06 1 accounts selected.  1 resolved, 0 unresolved.
    2010-07-20 16:38:06            Examined        Changed     Unchanged
    2010-07-20 16:38:06 Files              0              0             0
    2010-07-20 16:38:06 Dirs               0              0             0
    2010-07-20 16:38:06 Shares             0              0             0
    2010-07-20 16:38:06 Members           14              0            14
    2010-07-20 16:38:06 User Rights       55              0            55
    2010-07-20 16:38:06 Exchange Objects          0              0             0
    2010-07-20 16:38:06 Containers         0              0             0
    2010-07-20 16:38:06 DACLs              0              0             0
    2010-07-20 16:38:06 SACLs              0              0             0
    2010-07-20 16:38:06            Examined        Changed     No Target   Not Selected     Unknown
    2010-07-20 16:38:06 Owners            0              0             0              0           0
    2010-07-20 16:38:06 Groups            0              0             0              0           0
    2010-07-20 16:38:07 DACEs             0              0             0              0           0
    2010-07-20 16:38:07 SACEs             0              0             0              0           0
    2010-07-20 16:38:08 ERR3:7075 Failed to change domain affiliation, hr=8007054a   This operation is only allowed for the Primary Domain Controller of the domain.
    2010-07-20 16:38:08 Wrote result file C:\Windows\OnePointDomainAgent\000038_TEST01.result
    2010-07-20 16:38:08 Operation completed.

    Regards

    Farhan

    Tuesday, July 20, 2010 4:07 PM
  • Thank you for update. Let’s check the following:

    1. Did you set the following registry key on the target domain controllers:

    Registry path: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters

    Registry value: AllowNT4Crypto
    Type: REG_DWORD
    Data: 1

    Note: This registry setting corresponds to the Allow cryptography algorithms compatible with Windows NT 4.0 setting in Group Policy.

    2. Make sure the File and Printer Sharing exception is enabled in Firewall.

    3. If the error still occurs, let’s try to monitor the network traffic:

    Download Microsoft Network Monitor.
    http://www.microsoft.com/downloads/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en

    1. Run Network Monitor and start capturing on the source domain.
    2. Reproduce the problem.
    3. Stop the capture, save the result and upload the file to Windows Live SkyDrive (http://www.skydrive.live.com/). If you would like other community members to analyze the capture, you can paste the link here; if not, you can send the link to tfwst@microsoft.com.

    Let us know which is your PDC, which is your RID master?

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, July 22, 2010 6:22 AM
    Moderator
  • Has anyone found a solution to this problem? I have been looking for ages while using ADMT 3.1 and following all the tutorials. The migration of users and profiles has worked, but for renaming the computer to the new domain in domain B, I am also getting the error ERR3:7075 Failed to change domain affiliation, hr=8007054a This operation is only allowed for the Primary Domain Controller of the domain.

    I ran the network monitor on the source DC but didn't see any connections coming from either the computer to be migrated or the server running ADMT 3.1.

    thanks

    Friday, July 29, 2011 7:22 AM
  • Do you use an RODC in the target domain?

    How many sites are in your target forest?

    Which DC do you specify when migrating servers: the PDC, the IM, or the one closest to the migrated server?

    Check accessibility of all target and source DCs from the server you are trying to migrate (\\<DCName>\netlogon and \\<DC FQDN>\netlogon).

    Thursday, August 04, 2011 7:02 AM
  • This is an old thread.  Please create a new thread with your question. 


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
    This posting is provided AS IS with no warranties,and confers no rights.
    Friday, August 05, 2011 6:32 PM
  • I know this is an "old thread" according to Santhosh but it is still relevant and I wanted to add my two cents' worth after spending almost two weeks in e-mail support hell with Microsoft and an additional 3.5 hours on the phone with a GREAT support engineer from Microsoft. This after following, to the letter, the "ADMT Guide: Migrating and Restructuring Active Directory Domains" published June 2010.

    The Long and short of my config and the solution is as follows:

    Source Forest:

       Empty Root - tng.biz
          Child Domain - nabholz.tng.biz
          Child Domain - nabco.tng.biz   <---  Domain to be migrated

       This forest is Windows 2003 native mode. The schema master and domain naming master are located in the root domain. The PDC emulator, RID master & infrastructure master are on a Windows 2003 R2 DC in the source domain.
       There are two DCs in the source domain. One is the Windows 2003 R2 DC and the other is a Windows 2008 R2 DC.

    Target Forest:

       Single forest / domain - nabco.local

       This forest is a Windows 2008 R2 native mode forest. There are two DCs in this domain in two different sites / subnets.

    When the ADMT tool is run, migration of the global groups and user accounts works fine. However, migration of Windows Vista & 7 workstations and Windows 2008 R2 member servers fail. Reviewing the logs reveals the following error:

       ERR3:7075 Failed to change domain affiliation, hr=8007054a   This operation is only allowed for the Primary Domain Controller of the domain.

    This error proved to be elusive to pin down with web-based searches. In general, we ended up implementing several possible solutions, including:

       Setting the HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters\AllowNT4Crypto to a value of 1 on the source & target DCs.
       Setting the Default Domain Controller GPO to "Allow cryptography algorithms compatible with Windows NT 4.0" to enabled under:
          Computer Configuration\Policies\Administrative Templates\System\Net Logon
       Manually testing moving a workstation / member server to the target domain without the use of ADMT.

    Once I finally got Microsoft Support to provide a competent support engineer, we had the problem resolved in a matter of a couple of hours. The problem is on Windows 2008 R2 and Windows 7 kernel-based systems. Basically, they are not configured to handle the Null Session Pipes the way that Windows 2003 does. This leads to a mismatch that does not allow the workstation / member server to be migrated cleanly. This is not limited to the DCs. This is any system that uses the Windows 7 / 2008 R2 kernel.

    The way this was determined is that we set the following values in the specified registry key on the Windows 2008 R2 DCs in both the source and target domains (remember that we did not have to do this for the Windows 2003 R2 DC - we found this out when we went to make the change on the 2003 DC and the values were already there!):

       Specified registry key
          HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes

       Values to include (must be done exactly - they are case sensitive):
          COMNAP
          COMNODE
          SQL\QUERY
          SPOOLSS
          NETLOGON
          LSARPC
          samr
          BROWSER
          LLSRPC

    After the registry keys were set and the servers rebooted, a computer migration was again attempted. This time, the error that was logged was:

       ERR3:7075 Failed to change domain affiliation, hr=80070005   Access is denied.

    We then set the Default Domain Policy GPO in the source and target domains to the following (the target domain was probably overkill but it was better safe than sorry):

       Location:
          Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\

       Key to Set:
          Network access: Named Pipes that can be accessed

       Values to Set:
          COMNAP 
          COMNODE 
          SQL\QUERY 
          SPOOLSS 
          NETLOGON
          LSARPC
          samr 
          BROWSER
          LLSRPC

    After this was set, we initiated a GPUPDATE on the machine to be migrated and rebooted the system. Once the system was back online we attempted another machine migration. This time it was successful and the ADMT logs showed these beautiful lines:

    2011-09-22 21:18:18 The Active Directory Migration Tool Agent will be installed on SystemName.NABCO.TNG.BIZ
    2011-09-22 21:19:14 Started job:  SystemName.NABCO.TNG.BIZ 000036_SystemName {111A1111-1A11-1A1A-11AA-A11A1AAA111A}
    2011-09-22 21:23:31 Done waiting for the computer 'SystemName.NABCO.TNG.BIZ' to reboot.
    2011-09-22 21:23:32 Post-check passed on the computer 'SystemName.NABCO.TNG.BIZ'.  The new computer name is 'SystemName.nabco.local'.

    I will say that if your systems run any type of antivirus or third-party firewall, you need to remove both prior to migration and then add them back after the migration. I did not have this problem but many people have.

    On a personal note, I have done a number of AD - to - AD migrations in my former position with one of the leading outsourcing providers in the United States and this is the first time that:

    1. I received such poor support from Microsoft's e-mail support team. It was horrible and when I quizzed MS about the support hours I was told that the e-mail support team is in China and only works from 9:00 AM - 6:00 PM China time (don't believe me, PM me and I will send you the e-mail). That means that US based companies can get one e-mail a day at best during normal working hours. Good move Microsoft!!!
    2. I found glaring mistakes in the Microsoft documentation that should have been included in a revised version.

    Normally, we used Quest Migrator for AD in my previous life and never had an issue. This is only the second time I have used the ADMT tool and I am still singularly unimpressed with it (although it is better than when I used the 2.x version).

    I am going to post this same thing in as many forums as I can find to help others in the same situation.


    Will Smothers
    • Proposed as answer by Vadim Sekterev Wednesday, April 17, 2013 9:49 AM
    Friday, September 23, 2011 2:36 PM
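    As an added check (example script, not code from any post in this thread), the PowerShell below verifies on a machine the settings Will's post identifies: the NullSessionPipes multi-string (the registry value that the "Network access: Named Pipes that can be accessed anonymously" policy writes), compared case-exactly against the entries he lists, plus the AllowNT4Crypto value the moderator asked about and the \\DC\netlogon reachability test Vadim suggested. The DC names in $DomainControllers are placeholders; run it elevated.

    ```powershell
    # Added verification script; not from any post in this thread.
    # Run in an elevated PowerShell on the machine being migrated (and on each DC)
    # before re-running the ADMT computer migration. $DomainControllers holds
    # placeholder names; replace them with your source and target DCs.
    param(
        [string[]]$DomainControllers = @('dc1.source.example', 'dc1.target.example')
    )

    $lanmanKey   = 'HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters'
    $netlogonKey = 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters'

    # Pipe names exactly as listed in the thread. The poster reports the match is
    # case sensitive, so the comparison below uses -ccontains, not -contains.
    $requiredPipes = @('COMNAP', 'COMNODE', 'SQL\QUERY', 'SPOOLSS', 'NETLOGON',
                       'LSARPC', 'samr', 'BROWSER', 'LLSRPC')

    # NullSessionPipes is the REG_MULTI_SZ that the GPO setting
    # "Network access: Named Pipes that can be accessed anonymously" writes.
    $props   = Get-ItemProperty -Path $lanmanKey -Name NullSessionPipes -ErrorAction SilentlyContinue
    $current = @($props.NullSessionPipes)
    $missing = @($requiredPipes | Where-Object { -not ($current -ccontains $_) })
    # Entries present only with different casing are the easy thing to overlook.
    $caseOnly = @($missing | Where-Object { $current -contains $_ })

    Write-Output "NullSessionPipes currently: $($current -join ', ')"
    if ($missing.Count -eq 0) {
        Write-Output 'NullSessionPipes: all required entries present (case-exact).'
    } else {
        Write-Output "NullSessionPipes: missing $($missing -join ', ')"
        if ($caseOnly.Count -gt 0) {
            Write-Output "  (present but with different case: $($caseOnly -join ', '))"
        }
    }

    # AllowNT4Crypto (REG_DWORD = 1) is only meaningful on domain controllers.
    $crypto = Get-ItemProperty -Path $netlogonKey -Name AllowNT4Crypto -ErrorAction SilentlyContinue
    if ($crypto -and $crypto.AllowNT4Crypto -eq 1) {
        Write-Output 'AllowNT4Crypto: set to 1'
    } else {
        Write-Output 'AllowNT4Crypto: not set to 1 (check on the DCs if migration still fails)'
    }

    # Reachability of the netlogon share on each DC by FQDN and by short name.
    # Test-Path on the UNC fails if SMB is blocked by the firewall or the share
    # is not accessible with the current credentials.
    foreach ($dc in $DomainControllers) {
        foreach ($name in @($dc, ($dc -split '\.')[0]) | Select-Object -Unique) {
            $unc = "\\$name\netlogon"
            $state = if (Test-Path -Path $unc) { 'reachable' } else { 'NOT reachable' }
            Write-Output ('{0,-40} {1}' -f $unc, $state)
        }
    }
    ```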
  • Will,

    Thanks for sharing the information and solution.  I have documented this issue in my following blog:

    http://portal.sivarajan.com/2010/10/admt-err37075-failed-to-change-domain.html

    We really appreciate the detailed information. 


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+| Houston, TX
    Blogs - http://blogs.sivarajan.com/

    This posting is provided AS IS with no warranties,and confers no rights.
    Friday, September 23, 2011 3:09 PM
  • Hi,

    The issue is not solved; the issue still exists even though the NullSessionPipes registry key is already enabled:

    COMNAP 
    COMNODE 
    SQL\QUERY 
    SPOOLSS 
    netlogon 
    lsarpc 
    samr 
    browser

    But the issue still exists. I have been through all the posts for the above issue but it is still not solved.

    Thursday, June 02, 2016 11:34 AM
  • Hi Will,

    Thanks for the detailed explanation.

    Does this also apply to intraforest domain migration and to Windows 2012 DCs / Windows 10 clients? I am getting the same error.

    Thanks,

    Gururaj Meghraj


    Guru

    Thursday, August 24, 2017 11:38 PM