RE: Unable to migrate computers from W2K to W2K3 SBS
- From: v-natliu@xxxxxxxxxxxxxxxxxxxx ("Nathan Liu [MSFT]")
- Date: Fri, 02 Dec 2005 07:00:55 GMT
Hello Yeungj16,
Thank you for posting in the SBS newsgroup.
Also, many thanks for Norm's input.
According to your description, I understand that you received this error
message "Access is denied", when you try to migrate computer accounts from
Windows 2000 Domain to SBS 2003 Domain. If I have misunderstood the
problem, please don't hesitate to let me know.
I have checked the Dispatch.log and DCTLog.txt files, and found the
following information:
==================================
2005-11-29 12:15:26 WRN1:7290 Processor architecture for machine
\\QUEUE-SP1.Eastern.toronto.epba.ca is unknown, Error accessing
registry key SYSTEM\CurrentControlSet\Control\Session
Manager\Environment rc=5 Access is denied.
2005-11-29 12:15:26 ERR2:7006 Failed to install agent on
\\QUEUE-SP1.Eastern.toronto.epba.ca, rc=5 Access is denied.
2005-11-29 12:15:26 ERR2:7005 Failed to launch agent on
\\QUEUE-SP1.Eastern.toronto.epba.ca, hr=80070005 Access is denied.
==================================
1. Based on my research, this issue may occur if the local service
account does not have any permissions on the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\Description
value on the client computer.
Add Local Service with Read permissions to the "Description" value in the
path in the registry on the client computer:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
To do so, please run "regedit" (without the quotation marks) on the command
prompt on the client computer, locate the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
Right-click it and select Permissions, then click Add to add "LOCAL SERVICE"
with "Read" permission on this key.
RELATED KNOWLEDGE BASE ARTICLES
=================================
153183.KB.EN-US How to Restrict Access to the Registry from a Remote
Computer
http://support.microsoft.com/default.aspx?scid=KB;EN-US;153183
314837.KB.EN-US How to Manage Remote Access to the Registry
http://support.microsoft.com/default.aspx?scid=KB;EN-US;314837
832222 You cannot connect to a remote Windows Server 2003 domain controller
by
http://support.microsoft.com/?id=832222
2. Please try to log in to the target domain (SBS 2003 Server) with the
Administrator account of the source domain (Windows 2000 Server), and then
try again to check if the issue can be reproduced.
=================================
2005-11-29 15:08:36 ERR3:7075 Failed to change domain affiliation,
hr=8007054b The specified domain either does not exist or could not
be contacted.
=================================
Considering the current condition, please kindly help me double-check the
following information:
1. Please check the Domain Admins group for the source server from the
built-in Administrators group on any client computer. By default, the
Domain Admins group is added to the built-in Administrators group of the
client computer when it is joined to the domain.
2. Type the correct NetBIOS name of the source domain to launch the ADMT
wizard.
3. Ensure the client computers get their IP addresses from the SBS 2003 DHCP
Server, and run "ipconfig /all" (without the quotation marks) on the
command prompt on the client computers to make sure the Preferred DNS Server
points to the internal IP address of the SBS 2003 Server. The client
computers should be able to ping both domain controllers by FQDN.
We can run "ipconfig /release" command-line on the client computer to
release the current IP address, then run "ipconfig /flushdns" to purge the
DNS resolver cache, and then run "ipconfig /renew" to get a new IP address.
4. Disable any personal firewalls running on the client computers. For
example, disable Internet Connection Firewall on Windows XP Professional.
If you are running ISA Server 2000 as your firewall, do not disable
Microsoft Firewall Client on the client computers.
5. Verify that the netlogon, RPC, and server services are running. Ensure
that File and Printer Sharing for Microsoft Networks and the Client for
Microsoft Networks are enabled.
6. If all settings appear to be correct and the migration still fails,
follow these steps:
1) Log on to the client machine as administrator.
2) Right-click the network connection and choose properties.
3) Click on "Client for Microsoft Networks" and click the uninstall button.
4) Reboot the machine
5) Log back in to the client machine
6) On the properties of the network connection, click the install button
7) Under clients, choose Client for Microsoft Networks
8) Reboot the machine
Once the machine comes back up, attempt to migrate it again.
7. If ADMT still fails after removing and reinstalling the Client for
Microsoft Networks and File and Printer sharing, rename the computer and
retry ADMT.
You may also refer to the following KB article:
828261 "ERR3:7075 Failed to change domain affiliation, hr=800706fb" error
when
http://support.microsoft.com/?id=828261
Migrating from Small Business Server 2000 or Windows 2000 Server to Windows
Small Business Server 2003
http://go.microsoft.com/fwlink/?LinkId=49928
By the way, please kindly note that this issue is rather time-consuming; to
resolve it, we may need deeper troubleshooting and to collect more logs.
If the issue is urgent to your business, it is recommended that you contact
CSS support, since a Microsoft Support professional can offer a more
interactive troubleshooting process and even remote assistance. Due to the
support nature of a public newsgroup, it is not convenient to do that here.
To obtain the phone numbers for specific technology request please take a
look at the web site listed below.
http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS
If you are outside the US please see http://support.microsoft.com for
regional support phone numbers.
I appreciate your time and cooperation. Please do not hesitate to let me
know if you have any further concerns, I am looking forward to hearing from
you.
Best regards,
Nathan Liu (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>From: yeungj16@xxxxxxxxx
>Newsgroups: microsoft.public.windows.server.sbs
>Subject: Unable to migrate computers from W2K to W2K3 SBS
>Date: 1 Dec 2005 11:23:18 -0800
>
>I am trying to migrate from a Win2k domain to a SBS 2k3
>domain. I am following the instructions in the white-
>paper: Migrating from SBS 2000 or Win 2000 Server to SBS
>2003
>
>
>Everything is great until I migrate the computers using the "Computer
>Migration Wizard". The workstations are a mix of WinXP SP1 and SP2.
>Initially I received the error in the Dispatch.log for Access Denied
>and I solved it with the wrong method. I set the permission for
>everyone; this fixed the problem but I don't want to do this. Clearly
>this is a permission problem and I can't seem to find any solution on
>the web. The following is my Dispatch.log:
>
>2005-11-29 12:15:26 Created account input file for remote agents:
>DCTCache.033
>2005-11-29 12:15:26 Installing agent on 1 servers
>2005-11-29 12:15:26 The Active Directory Migration Tool Agent will be
>installed on \\QUEUE-SP1.Eastern.toronto.epba.ca
>2005-11-29 12:15:26 WRN1:7290 Processor architecture for machine
>\\QUEUE-SP1.Eastern.toronto.epba.ca is unknown, Error accessing
>registry key SYSTEM\CurrentControlSet\Control\Session
>Manager\Environment rc=5 Access is denied.
>2005-11-29 12:15:26 ERR2:7006 Failed to install agent on
>\\QUEUE-SP1.Eastern.toronto.epba.ca, rc=5 Access is denied.
>2005-11-29 12:15:26 ERR2:7005 Failed to launch agent on
>\\QUEUE-SP1.Eastern.toronto.epba.ca, hr=80070005 Access is denied.
>2005-11-29 12:15:27 All agents are installed. The dispatcher is
>finished.
>
>Once I set the permission to everyone, the ADMT agent installed fine on
>the XP machines but the next error was "ERR3:7075 Failed to change
>domain affiliation". I checked the web and a lot of people said this
>is caused by a DNS error. The DNS on my workstations is pointing to the
>target domain and I tried every possible solution and none of them
>worked. The following is my DCTLog.txt.
>
>2005-11-29 15:07:23
>2005-11-29 15:07:23 Active Directory Migration Tool, Starting...
>2005-11-29 15:07:23 Starting Security Translator.
>2005-11-29 15:07:23 Agent is running in local mode.
>2005-11-29 15:07:23 Read 7 accounts from C:\Program
>Files\OnePointDomainAgent\DCTCache.042
>2005-11-29 15:07:23 SecurityTranslation Files:Yes Shares:Yes
>LGroups:Yes UserRights:Yes Printers:Yes Profiles:Yes RecycleBin:Yes
>TranslationMode:Replace Eastern.toronto.epba.ca EPBrokers.local
>2005-11-29 15:07:23 Starting
>2005-11-29 15:07:24 Translating local machine.
>2005-11-29 15:07:25 Skipping A:\, rc=21 The device is not ready.
>2005-11-29 15:07:25 Processing C:\
>2005-11-29 15:08:03 Processing recycle bin files and folders on C:\.
>2005-11-29 15:08:03 Examining:
>S-1-5-21-1757981266-926492609-839522115-500
>2005-11-29 15:08:03 Skipping D:\. D:\ is a CD-ROM drive.
>2005-11-29 15:08:03 Processing shares on local machine.
>2005-11-29 15:08:03 Processing printer security...
>2005-11-29 15:08:03 Translating local groups.
>2005-11-29 15:08:04 Translating user rights.
>2005-11-29 15:08:04 ADMT only performs user rights translation in
>Append mode.
>2005-11-29 15:08:04 Translating security on registry keys.
>2005-11-29 15:08:31 This profile translation automatically switches
>from replace mode to add mode if the user is currently logged on or if
>the profile is in use for other reasons. In order to disable the
>switching, you need to set the registry
>HKLM\Software\Microsoft\ADMT\DisallowFallbackToAddInProfileTranslation
>(REG_DWORD) to 1 on the ADMT machine.
>2005-11-29 15:08:31 ------Account Detail---------
>2005-11-29 15:08:31 The account detail section uses the following
>format: AccountName(OwnerChanges, GroupChanges, DaclChanges,
>SaclChanges).
>2005-11-29 15:08:31 -----------------------------
>2005-11-29 15:08:31 6 users, 1 groups
>2005-11-29 15:08:31 7 accounts selected. 7 resolved, 0 unresolved.
>2005-11-29 15:08:31                     Examined  Changed  Unchanged
>2005-11-29 15:08:31 Files                  12062        0      12062
>2005-11-29 15:08:31 Dirs                     976        0        976
>2005-11-29 15:08:32 Shares                     0        0          0
>2005-11-29 15:08:32 Members                    8        0          8
>2005-11-29 15:08:32 User Rights               44        0         44
>2005-11-29 15:08:32 Exchange Objects           0        0          0
>2005-11-29 15:08:32 Containers                 0        0          0
>2005-11-29 15:08:32 DACLs                 103173        0     103173
>2005-11-29 15:08:32 SACLs                      0        0          0
>2005-11-29 15:08:32          Examined  Changed  No Target  Not Selected  Unknown
>2005-11-29 15:08:32 Owners     103179        0     103179             0        0
>2005-11-29 15:08:32 Groups     103179        0     103179             0        0
>2005-11-29 15:08:32 DACEs      420879        0     420879        420879        0
>2005-11-29 15:08:32 SACEs           0        0          0             0        0
>2005-11-29 15:08:36 ERR3:7075 Failed to change domain affiliation,
>hr=8007054b The specified domain either does not exist or could not
>be contacted.
>2005-11-29 15:08:37 Wrote result file C:\Program
>Files\OnePointDomainAgent\QUEUE-SP15499734.result
>2005-11-29 15:08:37 Operation completed.
>
>
>Any help would be greatly appreciated. Thanks in advance.
>
>
.
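Added example, not part of either post and not ADMT code: a small triage script for the hard-wrapped Dispatch.log / DCTLog.txt excerpts quoted in this thread. It re-joins wrapped records and reduces `rc=` and `hr=` values to one Win32 code, which shows that `rc=5` and `hr=80070005` are the same access-denied failure while `hr=8007054b` is a separate domain-lookup failure. The function names and the reading of `rc=` as a decimal code are assumptions.

```python
import re
TS = re.compile(r"^>?\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*(.*)$")
EVENT = re.compile(r"^(WRN|ERR)\d:(\d+)\s")
STATUS = re.compile(r"\b(rc|hr)=([0-9A-Fa-f]+)")
HOST = re.compile(r"\\\\([\w.-]+)")
WIN32_NAMES = {5: "ERROR_ACCESS_DENIED", 1355: "ERROR_NO_SUCH_DOMAIN"}

# Sample input: lines taken from the log excerpts quoted in this thread.
SAMPLE_LOG = r"""
2005-11-29 12:15:26 WRN1:7290 Processor architecture for machine
\\QUEUE-SP1.Eastern.toronto.epba.ca is unknown, Error accessing
registry key SYSTEM\CurrentControlSet\Control\Session
Manager\Environment rc=5 Access is denied.
2005-11-29 12:15:26 ERR2:7005 Failed to launch agent on
\\QUEUE-SP1.Eastern.toronto.epba.ca, hr=80070005 Access is denied.
2005-11-29 15:08:36 ERR3:7075 Failed to change domain affiliation,
hr=8007054b The specified domain either does not exist or could not
be contacted.
""".strip()

def join_records(text):
    """A record starts at a timestamp; other lines are wrapped continuations."""
    records = []
    for line in text.splitlines():
        m = TS.match(line)
        if m:
            records.append([m.group(1), m.group(2)])
        elif records and line.strip(" >"):
            records[-1][1] += " " + line.strip(" >")
    return records

def win32_code(kind, value):
    """Assumption: rc= is a decimal Win32 code and hr= is a hex HRESULT. With
    facility 7 (FACILITY_WIN32) the low 16 bits are the Win32 code."""
    if kind == "rc":
        return int(value)
    hr = int(value, 16)
    return hr & 0xFFFF if (hr >> 16) & 0x7FF == 7 else None

def triage(text):
    findings = []
    for ts, msg in join_records(text):
        ev, st, host = EVENT.match(msg), STATUS.search(msg), HOST.search(msg)
        if ev:
            code = win32_code(*st.groups()) if st else None
            findings.append({"time": ts, "severity": ev.group(1),
                             "id": int(ev.group(2)), "win32": code,
                             "host": host.group(1) if host else None,
                             "name": WIN32_NAMES.get(code, "unknown")})
    return findings
```

Calling `triage(SAMPLE_LOG)` returns one entry per WRN/ERR record; the same function accepts the `>`-quoted form of the log.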