RE: Encryption Key Access Denied
From: SBY (SBY_at_discussions.microsoft.com)
Date: 10/27/04
- Next message: Rebecca Chen [MSFT]: "RE: ADMT error"
- Previous message: curtfenz: "RE: Can't map a user/Offline Folder issue"
- In reply to: Rebecca Chen [MSFT]: "RE: Encryption Key Access Denied"
- Next in thread: SBY: "RE: Encryption Key Access Denied"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 27 Oct 2004 04:05:04 -0700
Rebecca
Yes, that is the exact problem.
To give you more background, I am building a Windows 2003 Forest from
scratch, side by side to our Windows 2000 forest. The plan is to build the AD
2003 and then migrate everything over. I am at the testing stage now and stuck
at this point.
When I try to migrate users with their present passwords, I get the "cannot
access the password export server, Access Denied". But when I try
migrating the user accounts with the other options "complex" and "same as
username" it all works OK.
I am wondering if this could be a trust problem.
I have attached the migration and trust logs as requested.
Thanks in advance for your help
Steve
Trust.log
2004-10-26 13:30:01
2004-10-26 13:30:01 Enumerating the trusting domains of the source domain
staff.stockport.ac.uk.
2004-10-26 13:30:01 Enumerating the trusting domains of the source domain
college.stockcoll.ac.uk.
2004-10-26 13:30:01 Enumerating the trusted domains of the source domain
staff.stockport.ac.uk.
2004-10-26 13:30:01 mail.stockport.ac.uk is a trusted domain of the source
domain staff.stockport.ac.uk
2004-10-26 13:30:01 mail.stockport.ac.uk is a trusting domain of the source
domain staff.stockport.ac.uk
2004-10-26 13:30:01 college.stockcoll.ac.uk is a trusted domain of the
source domain staff.stockport.ac.uk
2004-10-26 13:30:01 college.stockcoll.ac.uk is a trusting domain of the
source domain staff.stockport.ac.uk
2004-10-26 13:30:01 stockcoll.ac.uk is a trusted domain of the source domain
staff.stockport.ac.uk
2004-10-26 13:30:01 stockcoll.ac.uk is a trusting domain of the source
domain staff.stockport.ac.uk
2004-10-26 13:30:01 Enumerating the trusted domains of the source domain
college.stockcoll.ac.uk.
2004-10-26 13:30:01 college.stockcoll.ac.uk already trusts stockcoll.ac.uk
2004-10-26 13:30:01 college.stockcoll.ac.uk already is trusted by
stockcoll.ac.uk.
Migration.log
2004-10-26 14:33:35
2004-10-26 14:33:35 Active Directory Migration Tool, Starting...
2004-10-26 14:33:35 Starting Account Replicator.
2004-10-26 14:33:35 Account MigrationWriteChanges:No STAFF COLLEGE
CopyUsers:Yes CopyGlobalGroups:Yes CopyLocalGroups:Yes CopyComputers:No
StrongPwd:All
2004-10-26 14:33:36 CN=Bella - Created
2004-10-26 14:33:36 CN=Tweenies - Created
2004-10-26 14:33:36 Processing group membership for CN=Tweenies.
2004-10-26 14:33:36 staff.stockport.ac.uk\Milo has been added to CN=Tweenies
but the name may not be resolved in the target domain because the target
domain may not trust the account's domain.
2004-10-26 14:33:36 staff.stockport.ac.uk\Fizz has been added to CN=Tweenies
but the name may not be resolved in the target domain because the target
domain may not trust the account's domain.
2004-10-26 14:33:36 staff.stockport.ac.uk\Jake has been added to CN=Tweenies
but the name may not be resolved in the target domain because the target
domain may not trust the account's domain.
2004-10-26 14:33:36
LDAP://college.stockcoll.ac.uk/CN=Bella,CN=Users,DC=college,DC=stockcoll,DC=ac,DC=uk added.
2004-10-26 14:33:37 Updated user rights for CN=Bella
2004-10-26 14:33:37 Updated user rights for CN=Tweenies
2004-10-26 14:33:37 Operation completed.
Migration1.log
2004-10-27 11:36:31
2004-10-27 11:36:31 Active Directory Migration Tool, Starting...
2004-10-27 11:36:31 Starting Account Replicator.
2004-10-27 11:36:31 Account Migration STAFF COLLEGE CopyUsers:Yes
CopyGlobalGroups:Yes CopyLocalGroups:Yes CopyComputers:No
2004-10-27 11:36:32 CN=Jake - Created
2004-10-27 11:36:32 WRN1:7124 Tweenies - already exists.
2004-10-27 11:36:33 WRN1:7561 ADMT could not migrate some properties for
this object type (user) due to schema mismatches. Please refer to
PropMap.log for a complete listing.
2004-10-27 11:36:33 WRN1:7651 Unable to retrieve operating system version of
password export server 'STAFF3'. Access is denied.
2004-10-27 11:36:33 - Set password for Jake.
2004-10-27 11:36:35 WRN1:7561 ADMT could not migrate some properties for
this object type (group) due to schema mismatches. Please refer to
PropMap.log for a complete listing.
2004-10-27 11:36:35
LDAP://dc2.college.stockcoll.ac.uk/CN=Jake,CN=Users,DC=college,DC=stockcoll,DC=ac,DC=uk - added to group CN=Tweenies
2004-10-27 11:36:35 Updated user rights for CN=Jake
2004-10-27 11:36:35 Operation completed.
"Rebecca Chen [MSFT]" wrote:
> Hello,
>
> Do you mean you have encountered access denied error when you migrate the
> password? I suggest you logon to the win2k3 server with the admin privilege
> on both domains and refer to the following instructions to migrate accounts:
>
> To enable support for password migration:
>
> Part I: Target Domain
> ---------------------
>
> Complete the following steps on the domain controller in the target domain
> on which you installed ADMT:
>
> 1. Insert a 3.5-inch disk into the floppy disk.
>
> 2. Open a command prompt, and then change to the directory on which you
> installed ADMT. By default, this is the %SystemRoot%\Program Files\ folder.
>
> 3. Type the following command to create the encryption key to be used
> during the migration of the user account passwords
>
> "admt key <SourceDomainName> <FloppyDrive> [*/password]" (without the
> quotation marks) where:
>
> - The admt command is the name of the executable program.
> - The key command specifies the generation of an encryption key.
> - <SourceDomainName> is the NetBIOS name of the domain that contains the
> passwords that you want to migrate.
> - <FloppyDrive> is the drive letter of the floppy disk drive where the
> encryption key will be written.
> - [*/password] is optional; if you use it, you can encrypt the key with a
> password. You can either type the password or you can type "*" (without the
> quotation marks) to receive a prompt for a password that is not displayed
> on the screen. If you type a password, you need to use it when you complete
> the setup in the source domain.
>
> Part II: Source Domain
> ----------------------
>
> Complete the following steps on the PES in the source domain:
>
> 1. Double-click the Pwdmig.exe file that is located in the \i386 folder on
> the Windows Server 2003 CD-ROM.
>
> 2. Insert the 3.5-inch disk that you created when you receive the following
> message:
>
> Please insert the floppy into the floppy disk containing the password
> encryption key for this source domain. Click OK to continue.
>
> 3. Type the password when you are prompted, and then click OK.
>
> 4. Click Next.
>
> 5. Click Finish.
>
> 6. Click Start, click Run, type regedit, and then click OK.
>
> 7. Locate the AllowPasswordExport registry value in the following registry
> key:
>
> HKLM\System\CurrentControlSet\Control\LSA
>
> 8. Double-click AllowPasswordExport.
>
> 9. Change the value "0" to "1", and then click OK.
>
> 10. Restart the computer for the settings to take effect.
>
>
> The password migration solution in ADMT was designed to provide a secure
> general solution to password migration. Here are the key features of this
> solution:
>
> - The password export server (PES) works on Windows NT 4.0 domain
> controllers (including systems that have SYSKEY installed), on Windows 2000
> domain controllers, and on Windows Server 2003 domain controllers.
>
> More info:
> How to Use Active Directory Migration Tool Version 2 to Migrate from
> Windows 2000 to Windows Server 2003
> http://support.microsoft.com/default.aspx?scid=kb;en-us;326480
>
> If the issue persists, please upload your admt log here for research.
>
> HTH!
>
>
> Best regards,
>
> Rebecca Chen
>
> MCSE2000 MCDBA CCNA
>
>
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
>
> =====================================================
>
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
>
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
> --------------------
> >From: SBY <SBY@discussions.microsoft.com>
> >Subject: Encryption Key Access Denied
> >Date: Tue, 26 Oct 2004 05:27:03 -0700
> >Newsgroups: microsoft.public.windows.server.migration
> >
> >Hi
> >
> >I have created an Encryption password key on a Windows 2000 Domain
> >controller, but when I try to migrate user accounts from the windows 2000
> >domain to the Win2k3 domain using ADMT, I get "access denied" when trying
> to
> >access the encryption key.
> >
> >Can anyone help??
> >
> >thanks
> >
> >SBY
> >
>
>
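The failing run above is the one whose log contains a WRN1:7651 line for the password export server. The following parser is an added example, not part of the thread or of ADMT itself: it joins ADMT's wrapped log lines back into whole entries, extracts every WRNx code, and pulls out the name of any PES that ADMT reported as "Access is denied", using the Migration1.log lines quoted in the post as its sample input.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the Migration1.log quoted in the post above.
SAMPLE_LOG = """\
2004-10-27 11:36:31 Active Directory Migration Tool, Starting...
2004-10-27 11:36:32 CN=Jake - Created
2004-10-27 11:36:32 WRN1:7124 Tweenies - already exists.
2004-10-27 11:36:33 WRN1:7561 ADMT could not migrate some properties for
this object type (user) due to schema mismatches. Please refer to
PropMap.log for a complete listing.
2004-10-27 11:36:33 WRN1:7651 Unable to retrieve operating system version of
password export server 'STAFF3'. Access is denied.
2004-10-27 11:36:33 - Set password for Jake.
2004-10-27 11:36:35 Operation completed.
"""

# An entry starts with "YYYY-MM-DD HH:MM:SS "; anything else is a wrapped continuation.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
WARN_RE = re.compile(r"^(WRN\d+):(\d+)\s*(.*)$")


@dataclass
class Entry:
    timestamp: str
    text: str


def parse_entries(log_text):
    """Rebuild one Entry per timestamped line, appending wrapped continuation lines."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
        elif entries and raw.strip():
            entries[-1].text += " " + raw.strip()
    return entries


def warnings(entries):
    """Return (timestamp, numeric code, message) for every WRNx entry."""
    out = []
    for e in entries:
        m = WARN_RE.match(e.text)
        if m:
            out.append((e.timestamp, int(m.group(2)), m.group(3)))
    return out


def pes_access_denied(entries):
    """Names of password export servers that ADMT could not query ('Access is denied')."""
    hosts = []
    for _, _, msg in warnings(entries):
        m = re.search(r"password export server '([^']+)'\. Access is denied", msg)
        if m:
            hosts.append(m.group(1))
    return hosts
```

On the post's own log this reports the single host STAFF3, which is where the PES access check (account privileges on both domains, and the AllowPasswordExport value from the steps quoted above) needs to be verified.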