RE: Using ADMT to migrate service accounts on workstations

From: Rebecca Chen [MSFT] (v-rebc_at_online.microsoft.com)
Date: 10/27/04


Date: Wed, 27 Oct 2004 03:21:10 GMT

Hi John,

Oh, yes, I agree with you that the script would be better in your scenario. If
you are familiar with the script, it is very convenient in the network
administration since we can use the scripts to do many things. For those
who are not familiar with the script, they can use the wizard. ;)

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>Thread-Topic: Using ADMT to migrate service accounts on workstations
>thread-index: AcS7PWdP5ebUrnf4T9aKhySQ+YlDlA==
>X-WBNR-Posting-Host: 160.79.214.162
>From: "=?Utf-8?B?Sm9obiBTdHJhY2hhbg==?="
<JohnStrachan@discussions.microsoft.com>
>References: <DFD1D529-700B-44FF-9781-120ADA08A37B@microsoft.com>
<E269A04B-C671-477F-B8C4-469D1E81CC85@microsoft.com>
<IgyTunDuEHA.3600@cpmsftngxa10.phx.gbl>
<6BED50BF-89F2-48EA-982D-E785B2FE304A@microsoft.com>
<OnlK7#vuEHA.2692@cpmsftngxa10.phx.gbl>
>Subject: RE: Using ADMT to migrate service accounts on workstations
>Date: Tue, 26 Oct 2004 02:23:07 -0700
>Lines: 260
>Message-ID: <F96F64DA-D432-43EF-BEC5-DDDCB51F992B@microsoft.com>
>MIME-Version: 1.0
>Content-Type: text/plain;
> charset="Utf-8"
>Content-Transfer-Encoding: 7bit
>X-Newsreader: Microsoft CDO for Windows 2000
>Content-Class: urn:content-classes:message
>Importance: normal
>Priority: normal
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>Newsgroups: microsoft.public.windows.server.migration
>NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
>Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
>Xref: cpmsftngxa10.phx.gbl microsoft.public.windows.server.migration:14745
>X-Tomcat-NG: microsoft.public.windows.server.migration
>
>Thanks Rebecca,
>I think it's much easier to use a script to change the username and password
>on each workstation and to use a group policy to grant it logon as a service
>right.
>The problem is that service account migration wizard would need every
>workstation to be switched on and available, which is impossible for us. We
>would therefore need to do workstations in batches and re-migrate the service
>account. So the password would change and we would need a script to update
>the password on each machine anyway!
>John
>
>"Rebecca Chen [MSFT]" wrote:
>
>> Hi John,
>>
>>
>> I understand..
>>
>> After further research, you are correct that ADMT does not copy the service
>> account password. It is not a bug but a by-design behavior.
>>
>> The root reason ADMT must generate a complex password instead of copying
>> passwords for service accounts is that ADMT needs to know what the
>> clear-text password is in order to update the service account for services
>> that are using the account. If ADMT copied the password in hash format,
>> ADMT would not know what the password is and therefore could not update the
>> account on any services. When migrating the user account, ADMT only needs to
>> copy the password in hash.
>>
>> Generally, it is recommended to query the service accounts with ADMT -
>> Service Accounts Migration Wizard first. Then during the migration process
>> of user accounts with ADMT - User Account Migration Wizard, we can
>> configure ADMT to update the service control manager (SCM) on the computers
>> that run these services so that they will use the new service accounts to
>> run these services:
>>
>> - During the User Account Migration Wizard, there is a stage of "Service
>> Account Information".
>>
>> - Please check the list of service accounts (please pay more attention to the
>> Computer and Status columns). You can use the Skip/Include button to make
>> sure that accounts that will migrate to the target domain are marked
>> "Include", and then select Migrate all service accounts and update SCM for
>> items marked include. (NOTE: If you are also migrating other user accounts
>> that are not service accounts, this wizard page tells you that you have
>> selected some accounts that are marked as service accounts in the ADMT
>> database. By default, the accounts are marked as Include. To change the
>> status of the account, select the account, and then click the Skip/Include
>> button.)
>>
>> Any update, let us get in touch!
>>
>> Best regards,
>>
>> Rebecca Chen
>>
>> MCSE2000 MCDBA CCNA
>>
>>
>> Microsoft Online Partner Support
>> Get Secure! - www.microsoft.com/security
>>
>> =====================================================
>>
>> When responding to posts, please "Reply to Group" via your newsreader so
>> that others may learn and benefit from your issue.
>>
>> =====================================================
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>> --------------------
>> >Thread-Topic: Using ADMT to migrate service accounts on workstations
>> >thread-index: AcS4PeL4C5pw3adTSK2mdMyZAZ3fcw==
>> >X-WBNR-Posting-Host: 193.129.249.21
>> >From: "=?Utf-8?B?Sm9obiBTdHJhY2hhbg==?="
>> <JohnStrachan@discussions.microsoft.com>
>> >References: <DFD1D529-700B-44FF-9781-120ADA08A37B@microsoft.com>
>> <E269A04B-C671-477F-B8C4-469D1E81CC85@microsoft.com>
>> <IgyTunDuEHA.3600@cpmsftngxa10.phx.gbl>
>> >Subject: RE: Using ADMT to migrate service accounts on workstations
>> >Date: Fri, 22 Oct 2004 06:49:01 -0700
>> >Lines: 144
>> >Message-ID: <6BED50BF-89F2-48EA-982D-E785B2FE304A@microsoft.com>
>> >MIME-Version: 1.0
>> >Content-Type: text/plain;
>> > charset="Utf-8"
>> >Content-Transfer-Encoding: 7bit
>> >X-Newsreader: Microsoft CDO for Windows 2000
>> >Content-Class: urn:content-classes:message
>> >Importance: normal
>> >Priority: normal
>> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>> >Newsgroups: microsoft.public.windows.server.migration
>> >NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
>> >Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
>> >Xref: cpmsftngxa10.phx.gbl microsoft.public.windows.server.migration:14682
>> >X-Tomcat-NG: microsoft.public.windows.server.migration
>> >
>> >Hi Rebecca,
>> >
>> >I've already seen the documentation and followed it in my migration tests.
>> >The issue is that the service account password gets reset to a new strong
>> >password every time the account gets re-migrated. This means that the
>> >workstations that have already been migrated have the wrong password and the
>> >service fails to start. If you could update the SCM on machines that have
>> >already been migrated, that would be a good method but it doesn't seem to be
>> >possible in ADMTv2.
>> >
>> >I have written a script to change the service password on all workstations,
>> >which I think will work.
>> >
>> >John
>> >
>> >"Rebecca Chen [MSFT]" wrote:
>> >
>> >> Hi John,
>> >>
>> >> The ADMT white paper has detailed the Service account migration wizard. You
>> >> can use the user migration wizard combined with the service account wizard.
>> >> Below is a part of it:
>> >>
>> >> Following the discovery process, any subsequent migrations of a service
>> >> account via user account migration will by default migrate the service
>> >> account and update the Service Control Manager on the associated machine.
>> >> If the user migration is performed using the User Migration Wizard, the
>> >> administrator will have an opportunity to selectively block or enable
>> >> service account migrations by particular service and machine. This is
>> >> achieved by clicking on the service and user account and selectively
>> >> enabling or skipping the migration. This interface is presented in the
>> >> form of the Service Account Information page whenever a User Migration
>> >> Wizard task includes a service account.
>> >>
>> >> If migration of service accounts is enabled, ADMT displays an additional
>> >> warning that the Security Translation Wizard may need to be run if service
>> >> accounts hold privileges from machine local group memberships that could be
>> >> lost as a consequence of migration.
>> >>
>> >> If service account permissions are granted based on machine local groups,
>> >> then Security Translation should be run to update Local Groups.
>> >>
>> >> You can download the white paper via the link below:
>> >>
>> >> Active Directory Migration Tool Overview
>> >>
>> >> http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/admt.asp
>> >>
>> >>
>> >>
>> >> How To Set Up ADMT for a Windows NT 4.0-to-Windows Server 2003 Migration
>> >> http://support.microsoft.com/?kbid=325851
>> >>
>> >>
>> >> Migrating Accounts From Windows NT 4.0 Domains to Windows 2000
>> >> http://www.microsoft.com/technet/community/columns/profwin/pw0402.mspx
>> >>
>> >>
>> >> You can also do some demos about ADMT to exercise before you really migrate:
>> >>
>> >>
>> >> http://www.microsoft.com/windowsserver2003/evaluation/demos/sims/admt/viewer.htm
>> >>
>> >>
>> >> HTH!
>> >>
>> >> Best regards,
>> >>
>> >> Rebecca Chen
>> >>
>> >> MCSE2000 MCDBA CCNA
>> >>
>> >>
>> >> Microsoft Online Partner Support
>> >> Get Secure! - www.microsoft.com/security
>> >>
>> >> =====================================================
>> >>
>> >> When responding to posts, please "Reply to Group" via your newsreader so
>> >> that others may learn and benefit from your issue.
>> >>
>> >> =====================================================
>> >> This posting is provided "AS IS" with no warranties, and confers no rights.
>> >> --------------------
>> >> >Thread-Topic: Using ADMT to migrate service accounts on workstations
>> >> >thread-index: AcS3c5r3DeAjWjhPRyC0exeNB+XmrQ==
>> >> >X-WBNR-Posting-Host: 193.129.249.21
>> >> >From: "=?Utf-8?B?Sm9obiBTdHJhY2hhbg==?="
>> >> <JohnStrachan@discussions.microsoft.com>
>> >> >References: <DFD1D529-700B-44FF-9781-120ADA08A37B@microsoft.com>
>> >> >Subject: RE: Using ADMT to migrate service accounts on workstations
>> >> >Date: Thu, 21 Oct 2004 06:41:02 -0700
>> >> >Lines: 27
>> >> >Message-ID: <E269A04B-C671-477F-B8C4-469D1E81CC85@microsoft.com>
>> >> >MIME-Version: 1.0
>> >> >Content-Type: text/plain;
>> >> > charset="Utf-8"
>> >> >Content-Transfer-Encoding: 7bit
>> >> >X-Newsreader: Microsoft CDO for Windows 2000
>> >> >Content-Class: urn:content-classes:message
>> >> >Importance: normal
>> >> >Priority: normal
>> >> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>> >> >Newsgroups: microsoft.public.windows.server.migration
>> >> >NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
>> >> >Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
>> >> >Xref: cpmsftngxa10.phx.gbl microsoft.public.windows.server.migration:14651
>> >> >X-Tomcat-NG: microsoft.public.windows.server.migration
>> >> >
>> >> >I'm using Active Directory Migration Tool v2 (in case you hadn't guessed!)
>> >> >
>> >> >"John Strachan" wrote:
>> >> >
>> >> >> Migrating workstations from NT4 to Win2003 domain.
>> >> >> Each workstation runs a Sophos service using a domain account.
>> >> >> I need to migrate workstations in batches.
>> >> >> We are using password migration.
>> >> >>
>> >> >> If I use the service account migration tool, I assume the procedure is:
>> >> >> 1. For a batch of workstations, run service account translation wizard.
>> >> >> 2. Migrate the service account to the new domain
>> >> >> 3. Migrate the workstations to the new domain
>> >> >>
>> >> >> This would presumably work, except that when I migrate the service account,
>> >> >> it does NOT keep the previous password. (Password migration works fine for
>> >> >> normal users, so I assume this is by design). When I migrate the next batch
>> >> >> of workstations and remigrate the service account, the password for the
>> >> >> service account changes and the service on all the previously migrated
>> >> >> workstations (which are still configured with the old password) fails!
>> >> >>
>> >> >> I can see no documentation at all on migrating service accounts on
>> >> >> workstations. They all refer to member servers, where you can manually change
>> >> >> a service's password. This isn't an option with several hundred
>> >> >> workstations.
>> >> >>
>> >> >> Thanks in advance
>> >> >> John
>> >> >
>> >>
>> >>
>> >
>>
>>
>
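The thread ends with John's plan: instead of relying on ADMT to update the Service Control Manager on every workstation (which requires each machine to be online during the migration run), push the migrated account's new credentials to the service on each workstation with a script, grant "Log on as a service" through Group Policy, and handle the machines that were off in a later batch. The following PowerShell script is an added example of that per-workstation SCM update; it is not John's script and not part of the thread. It uses the WMI/CIM class Win32_Service and its Change method (which accept a new StartName and StartPassword without touching the rest of the service configuration). The service name `SophosAgent`, the account `NEWDOMAIN\svc_sophos` and the two file names are constructed placeholders.

```powershell
# Added example (not from the thread): re-point one service on a batch of
# workstations at the migrated domain account, restart it, and record the
# machines that were unreachable so they can be retried with the next batch.
# Service name, account and file names below are constructed placeholders.
param(
    [string]$ServiceName = 'SophosAgent',           # assumed: the Sophos service name
    [string]$NewAccount  = 'NEWDOMAIN\svc_sophos',  # assumed: the account after migration
    [string]$HostList    = '.\batch1-workstations.txt',
    [string]$RetryList   = '.\batch1-unreachable.txt'
)

# The SCM needs the clear-text password (the same reason ADMT cannot copy a
# hash), so prompt for it once and keep it only in memory for this run.
$cred     = Get-Credential -UserName $NewAccount -Message "Password for $NewAccount"
$password = $cred.GetNetworkCredential().Password

$unreachable = @()

foreach ($computer in (Get-Content $HostList | Where-Object { $_.Trim() })) {
    # Machines that are switched off go to the retry list instead of failing the run.
    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        Write-Warning "$computer : offline, deferring to next batch"
        $unreachable += $computer
        continue
    }
    try {
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $computer `
                   -Filter "Name='$ServiceName'" -ErrorAction Stop
        if (-not $svc) {
            Write-Warning "$computer : service $ServiceName not installed"
            continue
        }

        # Win32_Service.Change with only StartName/StartPassword leaves the
        # binary path, start mode and dependencies unchanged.
        $result = Invoke-CimMethod -InputObject $svc -MethodName Change `
                      -Arguments @{ StartName = $NewAccount; StartPassword = $password }
        if ($result.ReturnValue -ne 0) {
            Write-Warning "$computer : Change() returned $($result.ReturnValue)"
            $unreachable += $computer
            continue
        }

        # Restart so the service actually logs on with the new credentials,
        # then read the state back to confirm it came up.
        Invoke-CimMethod -InputObject $svc -MethodName StopService  | Out-Null
        Start-Sleep -Seconds 5
        Invoke-CimMethod -InputObject $svc -MethodName StartService | Out-Null
        $state = (Get-CimInstance -ClassName Win32_Service -ComputerName $computer `
                      -Filter "Name='$ServiceName'").State
        Write-Output "$computer : $ServiceName now runs as $NewAccount, state=$state"
    }
    catch {
        Write-Warning "$computer : $($_.Exception.Message)"
        $unreachable += $computer
    }
}

# Feed this file into the next batch so no workstation is left with the old password.
$unreachable | Set-Content $RetryList
```

The Change call succeeds only if the account is allowed to log on as a service on that workstation, which is exactly what the Group Policy right John mentions takes care of, so apply the GPO before running the script. Get-CimInstance talks to the target over WinRM by default; for workstations that only expose classic WMI over DCOM, create the connection with `New-CimSession -ComputerName $computer -SessionOption (New-CimSessionOption -Protocol Dcom)` and pass it via `-CimSession` instead of `-ComputerName`.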


