Re: ADMT V3 - Service Account Migration



The object migration seems to be OK.

The first thing that comes to my mind when I see:

"Failed to update account and password information for the
\\blueservertest.GUARDIAN.AEGONUK.COM\MPI Files Server service, rc=1057.
The account name is invalid or does not exist, or the password is invalid
for the account name specified"

is...ADMT creates the service account on DCx while the server is looking at
another DC. And because the service account does not yet exist it cannot
validate it. Replication latency might be the cause. Are you able to update
the server manually now?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
"MONDO" <MONDO@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9A4A397A-C634-4993-89B1-282F87254D6D@xxxxxxxxxxxxxxxx
> Jorge
>
> Please see the following extract from the migration log.
>
> [Object Migration Section]
> 2006-01-19 13:36:05 Starting Account Replicator.
> 2006-01-19 13:36:08 Removing CN=service test
> (LDAP://LYTADC001W23.GUARDIAN.aegonuk.com/CN=service test,OU=Service
> Accounts,DC=GUARDIAN,DC=aegonuk,DC=com) from the global groups it is a
> member
> of :
> 2006-01-19 13:36:09 Moved LDAP://GUARDIAN.AEGONUK.COM/CN=service
> test,OU=Service Accounts,DC=GUARDIAN,DC=aegonuk,DC=com to
> LDAP://sehadc001w23.aegonuk.com/CN=service test,ou=service
> accounts,ou=lythamdomainmigration,dc=aegonuk,dc=com
> 2006-01-19 13:36:09 Passwords will be stored in default location of
> 'C:\WINDOWS\ADMT\Logs\Passwords.txt' instead.
> 2006-01-19 13:36:09 Removed the 'Password must change' flag from
> servicetest1
> 2006-01-19 13:36:09 servicetest1 - Strong password generated.
> 2006-01-19 13:36:09 Granted the 'Logon As A Service' right for
> AEGONUK\servicetest1 on blueservertest.GUARDIAN.AEGONUK.COM
> 2006-01-19 13:36:12 ERR2:7411 Failed to update account and password
> information for the \\blueservertest.GUARDIAN.AEGONUK.COM\MPI Files Server
> service, rc=1057. The account name is invalid or does not exist, or the
> password is invalid for the account name specified.
> 2006-01-19 13:36:13 Granting privilege SeServiceLogonRight to CN=service
> test
> 2006-01-19 13:36:13 Updated user rights for CN=service test
>
> Cheers
>
> MONDO
>
>
> "Jorge de Almeida Pinto [MVP]" wrote:
>
>> The ADMTv3 help provides good information on how to use and configure ADMT
>> and PES and on how to perform the different migration tasks.
>>
>> I have tried it myself and it did change the account used to the new
>> migrated account when migrating the service account through the user
>> migration wizard. Did you view the log file?
>>
>> I have included a copy of my log file so you can see it for yourself (and
>> checked the service was indeed updated):
>>
>> [Object Migration Section]
>> 2006-01-18 11:41:37 Starting Account Replicator.
>> 2006-01-18 11:41:47 CN=Svc ADMT PES - Created
>> 2006-01-18 11:41:48 SID for COMPANY\Svc_ADMT-PES added to the SID History
>> of
>> ADCORP\Svc_ADMT-PES
>> 2006-01-18 11:41:51 Removed the 'Password must change' flag from
>> Svc_ADMT-PES
>> 2006-01-18 11:41:51 Svc_ADMT-PES - Strong password generated.
>> 2006-01-18 11:41:52 Granted the 'Logon As A Service' right for
>> ADCORP\Svc_ADMT-PES on w2kdc002.COMPANY.LAN
>> 2006-01-18 11:41:53 Updated account and password information for the
>> \\w2kdc002.COMPANY.LAN\PesSvc service.
>> 2006-01-18 11:41:54 Svc_ADMT-PES - Source account disabled.
>> 2006-01-18 11:41:54 Granting privilege SeServiceLogonRight to
>> Svc_ADMT-PES
>> 2006-01-18 11:41:54 Updated user rights for CN=Svc ADMT PES
>> 2006-01-18 11:41:55 Operation completed.
>>
>> In this case I identified the service account used by the PES service on
>> the
>> source DC, migrated that account to the target and it updated the service
>> on
>> the source with the credentials
>>
>> --
>>
>> Cheers,
>> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>> # Jorge de Almeida Pinto #
>> MVP Windows Server - Directory Services
>> BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
>> -----------------------------------------------------------------------------
>> * This posting is provided "AS IS" with no warranties and confers no
>> rights!
>> * Always test before implementing!
>> -----------------------------------------------------------------------------
>>
>>
>> -----------------------------------------------------------------------------
>> "MONDO" <MONDO@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:7AC67433-1C5C-4D59-83CA-F6A193756D74@xxxxxxxxxxxxxxxx
>> >I am currently using ADMT to consolidate a child domain into its parent
>> > domain (within the same forest!). I am currently looking at migrating
>> > the
>> > service accounts and have identified all service accounts that run
>> > using a
>> > domain user account using the Service Account Migration Wizard. When I
>> > try
>> > to
>> > migrate the service accounts using the User Account Migration Wizard it
>> > migrates the account successfully (generating a random password) but
>> > does
>> > not
>> > update the service on the server to use the account from the parent
>> > domain.
>> >
>> > 1. Can you advise if there is any additional configuration required for
>> > migrating service accounts i.e. PES
>> > 2. Does ADMT not update the server service accounts by design?
>> > 3. What is the correct process for migrating service accounts?
>> >
>> > Thanks
>> >
>>
>>
>>
>>
>>
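
For anyone triaging the same ADMT error, the sketch below is an added example and not part of any post in this thread. It folds the wrapped log lines back into entries, picks out failed service updates, and reports the return code, the DC the account was moved to, and how many seconds after the move the update was attempted, which is the timing the replication-latency question above turns on. The sample log is the extract quoted in this thread with the quote markers removed; the function names are illustrative.

```python
import re
from datetime import datetime

# Log lines from the extract quoted in this thread (quote markers removed);
# the wrapped continuation lines are left exactly as the mail client broke them.
SAMPLE_LOG = r"""2006-01-19 13:36:05 Starting Account Replicator.
2006-01-19 13:36:09 Moved LDAP://GUARDIAN.AEGONUK.COM/CN=service
test,OU=Service Accounts,DC=GUARDIAN,DC=aegonuk,DC=com to
LDAP://sehadc001w23.aegonuk.com/CN=service test,ou=service
accounts,ou=lythamdomainmigration,dc=aegonuk,dc=com
2006-01-19 13:36:09 servicetest1 - Strong password generated.
2006-01-19 13:36:12 ERR2:7411 Failed to update account and password
information for the \\blueservertest.GUARDIAN.AEGONUK.COM\MPI Files Server
service, rc=1057. The account name is invalid or does not exist, or the
password is invalid for the account name specified.
2006-01-19 13:36:13 Updated user rights for CN=service test
"""

STAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
MOVED = re.compile(r"^Moved LDAP://.* to LDAP://([^/\s]+)/")
FAILED = re.compile(r"^ERR\d+:(\d+) Failed to update account and password "
                    r"information for the (\\\\.+?) service, rc=(\d+)")

def entries(text):
    """Return [timestamp, message] pairs, folding wrapped lines into the entry above."""
    out = []
    for line in text.splitlines():
        m = STAMP.match(line.strip())
        if m:
            out.append([datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)])
        elif out and line.strip():
            out[-1][1] += " " + line.strip()
    return out

def failed_service_updates(text):
    """Return one dict per failed service update, with the gap since the object move."""
    target_dc, moved_at, findings = None, None, []
    for when, msg in entries(text):
        m = MOVED.match(msg)
        if m:
            target_dc, moved_at = m.group(1), when
            continue
        m = FAILED.match(msg)
        if m:
            gap = (when - moved_at).total_seconds() if moved_at else None
            findings.append({"admt_code": int(m.group(1)), "service": m.group(2),
                             "rc": int(m.group(3)), "target_dc": target_dc,
                             "seconds_after_move": gap})
    return findings
```

Calling `failed_service_updates(SAMPLE_LOG)` returns a single finding for the MPI Files Server service; a log with no failed service update returns an empty list.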

