RE: Encryption Key Access Denied
From: Rebecca Chen [MSFT] (v-rebc_at_online.microsoft.com)
Date: 10/27/04
- Next message: Rebecca Chen [MSFT]: "RE: Profile migration"
- Previous message: Rebecca Chen [MSFT]: "RE: sites and how to"
- In reply to: SBY: "Encryption Key Access Denied"
- Next in thread: SBY: "RE: Encryption Key Access Denied"
- Reply: SBY: "RE: Encryption Key Access Denied"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 27 Oct 2004 06:39:38 GMT
Hello,
Do you mean you have encountered access denied error when you migrate the
password? I suggest you logon to the win2k3 server with the admin previlege
on both domains and refer to the following instructions to mgirate accounts:
To enable support for password migration:
Part I: Target Domain
---------------------
Complete the following steps on the domain controller in the target domain
on which you installed ADMT:
1. Insert a 3.5-inch disk into the floppy disk.
2. Open a command prompt, and then change to the directory on which you
installed ADMT. By default, this is the %SystemRoot%\Program Files\ folder.
3. Type the following command to create the encryption key to be used
during the migration of the user account passwords
"admt key <SourceDomainName><FloppyDrive> [*/password]" (without the
quotation marks) where:
- The admt command is the name of the executable program.
- The key command specifies the generation of an encryption key.
- <SourceDomainName> is the NetBIOS name of the domain that contains the
passwords that you want to migrate.
- <FloppyDrive> is the drive letter of the floppy disk drive where the
encryption key will be written.
- [*/password] is optional; if you use it, you can encrypt the key with a
password. You can either type the password or you can type "*" (without the
quotation marks) to receive a prompt for a password that is not displayed
on the screen. If you type a password, you need to use it when you complete
the setup in the source domain.
Part II: Source Domain
----------------------
Complete the following steps on the PES in the source domain:
1. Double-click the Pwdmig.exe file that is located in the \i386 folder on
the Windows Server 2003 CD-ROM.
2. Insert the 3.5-inch disk that you created when you receive the following
message:
Please insert the floppy into the floppy disk containing the password
encryption key for this source domain. Click OK to continue.
3. Type the password when you are prompted, and then click OK.
4. Click Next.
5. Click Finish.
6. Click Start, click Run, type regedit, and then click OK.
7. Locate the AllowPasswordExport registry value in the following registry
key:
HKLM\System\CurrentControlSet\Control\LSA
8. Double-click AllowPasswordExport.
9. Change the value "0" to "1", and then click OK.
10. Restart the computer for the settings to take effect.
The password migration solution in ADMT was designed to provide a secure
general solution to password migration. Here are the key features of this
solution:
!$ The password export server (PES) works on Windows NT 4.0 domain
controllers (including systems that have SYSKEY installed), on Windows 2000
domain controllers, and on Windows Server 2003 domain controllers.
More info:
How to Use Active Directory Migration Tool Version 2 to Migrate from
Windows 2000 to Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;326480
If the issue persists, please upload your admt log here for research.
HTH!
Best regards,
Rebecca Chen
MCSE2000 MCDBA CCNA
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>Thread-Topic: Encryption Key Access Denied
>thread-index: AcS7Vxl89prlXMHGQACiy+Wbppdd0w==
>X-WBNR-Posting-Host: 194.82.4.220
>From: =?Utf-8?B?U0JZ?= <SBY@discussions.microsoft.com>
>Subject: Encryption Key Access Denied
>Date: Tue, 26 Oct 2004 05:27:03 -0700
>Lines: 12
>Message-ID: <1235D8C7-DD14-47D3-9737-7E6408F7C2D0@microsoft.com>
>MIME-Version: 1.0
>Content-Type: text/plain;
> charset="Utf-8"
>Content-Transfer-Encoding: 7bit
>X-Newsreader: Microsoft CDO for Windows 2000
>Content-Class: urn:content-classes:message
>Importance: normal
>Priority: normal
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>Newsgroups: microsoft.public.windows.server.migration
>NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
>Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
>Xref: cpmsftngxa10.phx.gbl microsoft.public.windows.server.migration:14748
>X-Tomcat-NG: microsoft.public.windows.server.migration
>
>Hi
>
>I have created an Encryption password key on a Windows 2000 Domain
>controller, but when I try to migrate user accounts from the windows 2000
>domain to the Win2k3 domain using ADMT, I get "access denied" when trying
to
>access the encryption key.
>
>Can anyone help??
>
>thanks
>
>SBY
>
- Next message: Rebecca Chen [MSFT]: "RE: Profile migration"
- Previous message: Rebecca Chen [MSFT]: "RE: sites and how to"
- In reply to: SBY: "Encryption Key Access Denied"
- Next in thread: SBY: "RE: Encryption Key Access Denied"
- Reply: SBY: "RE: Encryption Key Access Denied"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
