RE: NT4-2003 Migration woes
From: Joe Wu [MSFT] (joewu_at_online.microsoft.com)
Date: 02/26/04
- Next message: Joe Wu [MSFT]: "RE: SidHistory and password migration with ADMT"
- Previous message: Joe Wu [MSFT]: "RE: domain licensing server cannot be contacted!"
- In reply to: Janet: "RE: NT4-2003 Migration woes"
- Next in thread: Xrelixian: "Re: NT4-2003 Migration woes"
Date: Thu, 26 Feb 2004 09:23:23 GMT
Hello Janet,
Thank you for your reply.
Please check the following suggestion below:
1. For Windows NT systems, there is a 128-Bit Service Pack (U.S. only). Another
way to get 128-bit High Encryption on a Windows NT 4.0 computer is to
install the Microsoft Internet Explorer 5.01 or later High Encryption Pack,
which installs 128-bit encryption.
The download address is:
Microsoft Strong Encryption Downloads
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/issues/crypload.asp
You can check it by opening IE, clicking About in the Help menu, and then checking
Cipher Strength. Please also check this on the target DC.
2. Regarding the permissions on the CN=Server,CN=System,DC=... object, it
can be viewed by clicking Active Directory Users and Computers on the View
menu when Advanced Features is enabled. The password export server (PES)
requires that the Pre-Windows 2000 Compatible Access group have the "Read
All Properties" direct permission for the CN=Server,CN=System,DC=... object.
3. The following steps are commonly used for the installation of PES. We
can try reinstalling it and then check if the problem still persists:
Part I: Export the encryption key from the target domain:
-----------------------------
Please complete the following steps on the domain controller in the target
domain on which you installed ADMT:
1. Insert a 3.5-inch disk into the floppy disk drive.
2. Open a command prompt, and then change to the directory in which you
installed ADMT. By default, this is the %SystemRoot%\Program Files\ folder.
3. Type the following command to create the encryption key to be used
during the migration of the user account passwords:
"admt key <SourceDomainName> <FloppyDrive> [*/password]" (without the
quotation marks)
where:
- The admt command is the name of the executable program.
- The key command specifies the generation of an encryption key.
- <SourceDomainName> is the NetBIOS name of the domain that contains
the passwords that you want to migrate.
- <FloppyDrive> is the drive letter of the floppy disk drive where
the encryption key will be written, such as: A -or- A:
- [*/password] is optional; if you use it, you can encrypt the key
with a password. You can either type the password or you can type "*"
(without the quotation marks)
to receive a prompt for a password that is not displayed on the screen. If
you type a password, you need to use it when you complete the setup in the
source domain.
NOTE: For security reasons, providing a password is recommended.
Part II: Perform the following operations on the Source Domain
-----------------------------
1. Double-click the Pwdmig.exe file that is located in the
\i386\ADMT\PWDMIG folder on the Windows Server 2003 CD-ROM or ADMT
installation package.
2. Insert the 3.5-inch disk that you created when you receive the following
message:
Please insert the floppy into the floppy disk containing the password
encryption key for this source domain. Click OK to continue.
3. Type the password when you are prompted, and then click OK.
4. Click Next.
5. Click Finish.
6. Click Start, click Run, type regedit, and then click OK.
7. Locate the AllowPasswordExport registry value in the following registry
key:
HKLM\System\CurrentControlSet\Control\LSA
8. Double-click AllowPasswordExport.
9. Change the value "0" to "1", and then click OK.
10. Restart the computer for the settings to take effect.
Part III: Migrate the user account on the target domain.
------------------------------
1. Please log on to the target domain as an account which has both domains'
administrator permissions.
2. Use the ADMT tool to migrate the user accounts with their passwords.
3. Check if the problem has been resolved.
If the problem still persists, we can perform further research to
troubleshoot this problem.
Please let me know if anything is unclear. It is my pleasure to be of
further assistance.
Thanks, and have a nice day!
Regards,
Joe Wu
Product Support Services
Microsoft Corporation
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
|From: "Janet" <janetb@mtn.ncahec.org>
|Subject: RE: NT4-2003 Migration woes
|Date: Tue, 24 Feb 2004 08:02:12 -0800
|Newsgroups: microsoft.public.windows.server.migration
|
|Joe,
|Thanks so much for the reply - I'm new at this, so please
|chuckle quietly...
|
|1. Ping by both IP and server name resolve at both
|servers; trust relationships okay and verified from the
|2003 machine.
|2. The NT machine is 128-bit, and I thought I set up the
|2003 server that way. In trying to double-check myself,
|how do I find it now?
|3. Reboot has been done many times since the
|AllowPasswordExport was changed to 1.
|4. The restrict anonymous=0 is set this way.
|4a. The Pre-Windows 2000 Compatible Access includes
|Everyone and Anonymous Logon, but how do I check the
|permissions on the item below you listed last?
|
|Thanks so much,
|Janet
|
|>-----Original Message-----
|>Hello Janet,
|>
|>Thank you for your post.
|>
|>I would like to check the following first.
|>
|>1. Which DNS server do you set on the Windows NT domain controller? We need
|>to ensure that the name resolution works.
|>
|>2. Do both domain controllers have 128-bit encryption?
|>
|>3. Has the PES server (Windows NT DC) been rebooted after adding the
|>AllowPasswordExport registry entry?
|>
|>4. Have you adjusted the following on the target DC?
|>
|>- RestrictAnonymous=0.
|>
|>- The Pre-Windows 2000 Compatible Access group has Read permissions on
|>"CN=Server,CN=System,DC={targetdom},DC={tld}".
|>
|>I look forward to your reply. Thanks and have a great day!
|>
|>Regards,
|>Joe Wu
|>Product Support Services
|>Microsoft Corporation
|>
|>Get Secure! - www.microsoft.com/security
|>
|>--------------------
|>|From: "Janet" <janetb@mtn.ncahec.org>
|>|Subject: NT4-2003 Migration woes
|>|Date: Mon, 23 Feb 2004 13:39:56 -0800
|>|Newsgroups: microsoft.public.windows.server.migration
|>|
|>|I got to the migration step where you actually start the
|>|migration tool on 2003, and got the error "Unable to
|>|establish a session with the password export service. The
|>|source server does not have the password migration
|>|component installed." However, it is installed and is
|>|showing in add/remove programs. There were no errors
|>|during the installation of pwdmig.exe from the 2003 cd. I
|>|made the registry change to password export, and added
|>|tcpipclientsupport=1. But after the reboot, the password
|>|export was back to 0, so I changed it back to 1.
|>|
|>|Read:
|>|http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/deployguide/dssbi_reer_ewjo.asp
|>|
|>|and: http://support.microsoft.com/?id=322981
|>|
|>|1. I double-checked the localgroup (Pre-2000...) settings
|>|by trying to re-add and both said the command could not
|>|be completed because that was the current setting.
|>|2. I created a NEW key. I only have ONE 2003 server. And
|>|there is only ONE PDC.
|>|3. I went to the PDC-NT server, uninstalled the pwmig,
|>|rebooted, reinstalled pwmig.exe with the NEW key (no
|>|errors), rebooted.
|>|4. Verified the
|>|HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
|>|allowpasswordExport=1
|>|5. Verified the
|>|HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
|>|tcpipclientsupport=1
|>|6. Rebooted 2003 server
|>|
|>|Started up the Migration tool and received the same
|>|error: "Unable to establish a session with the password
|>|export server. The source server does not have the
|>|password migration componennt installed."
|>|
|>|But, just in case, I used: regsvr32 winnt\system32\pwmig.dll
|>|(it's dated 3/25/2003 but is shown as accessed
|>|2/23/2004). The registration is successful, but with the
|>|following message: "pwmig.dll was loaded, but the dll
|>|register server entry point was not found. "
|>|
|>|Is this a register dll problem on my NT server and so the
|>|2003 server doesn't think that I installed the pwmig
|>|files? Can I manually register all of the appropriate
|>|dlls?
|>|
|>|Anybody got any ideas?
|>|
|>|Janet
|>|
|>
|
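Added example, not code from the thread or from Microsoft: a read-only PowerShell audit of the PES prerequisites that Joe and Janet walk through above (AllowPasswordExport and TcpipClientSupport on the source NT 4.0 DC, RestrictAnonymous=0 and the Pre-Windows 2000 Compatible Access "Read All Properties" direct permission on the target domain). It assumes PowerShell on a domain-joined host in the target domain that can reach both DCs' Remote Registry service; $SourceDc and $TargetDc are placeholder names.

```powershell
# Added example, not from the thread: a read-only audit of the PES prerequisites
# named above. Assumes PowerShell on a domain-joined admin host in the target domain
# that can reach both DCs' Remote Registry service; the DC names are placeholders.
param(
    [string]$SourceDc = 'NT4PDC',    # placeholder: NetBIOS name of the NT 4.0 PDC
    [string]$TargetDc = 'W2K3DC'     # placeholder: NetBIOS name of the 2003 target DC
)
$lsaPath  = 'SYSTEM\CurrentControlSet\Control\Lsa'
$group    = 'BUILTIN\Pre-Windows 2000 Compatible Access'
$findings = New-Object System.Collections.Generic.List[string]

function Open-RemoteLsa($computer) {
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
    return $hive.OpenSubKey($lsaPath)
}
function Test-LsaValue($key, $name, $expected, $where) {
    $actual = $key.GetValue($name)      # $null when the value is missing
    if ($actual -ne $expected) {
        $findings.Add("${where}: $name is '$actual', expected $expected")
    }
}

# Source DC: the two values Janet set; target DC: RestrictAnonymous=0 from Joe's list.
$srcLsa = Open-RemoteLsa $SourceDc
Test-LsaValue $srcLsa 'AllowPasswordExport' 1 "source $SourceDc"
Test-LsaValue $srcLsa 'TcpipClientSupport'  1 "source $SourceDc"
$tgtLsa = Open-RemoteLsa $TargetDc
Test-LsaValue $tgtLsa 'RestrictAnonymous'   0 "target $TargetDc"

# Target domain: the group needs a direct (non-inherited) Allow rule granting
# Read All Properties on CN=Server,CN=System,<domain>. An ObjectType of Guid.Empty
# means the rule covers all properties rather than a single attribute.
$nc    = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$obj   = [ADSI]"LDAP://CN=Server,CN=System,$nc"
$rules = $obj.psbase.ObjectSecurity.GetAccessRules($true, $false,
             [System.Security.Principal.NTAccount])
$readProperty = 16   # System.DirectoryServices.ActiveDirectoryRights.ReadProperty
$direct = $rules | Where-Object {
    $_.IdentityReference.Value -eq $group -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq [Guid]::Empty -and
    (([int]$_.ActiveDirectoryRights -band $readProperty) -ne 0)
}
if (-not $direct) {
    $findings.Add("$group has no direct 'Read All Properties' allow on CN=Server,CN=System,$nc")
}

if ($findings.Count -eq 0) { 'All PES prerequisites from this thread are in place.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

A value that keeps reverting to 0 after a reboot, as Janet describes, will show up here as a finding on the next run, which makes the script useful to re-run after each reboot rather than only once.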