AD Migration Agent: Access is denied.

lsgko

Programmer
Sep 9, 2002
111
US
I've been trying really hard to get the Active Directory migration Agent to install on several NT 4 and XP Machines.


I've been getting the following error:

2004-07-09 19:22:22 Installing agent on 1 servers
2004-07-09 19:22:22 The Active Directory Migration Tool Agent will be installed on \\NTWKS
2004-07-09 19:22:22 ERR2:7006 Failed to install agent on \\NTWKS, rc=5 Access is denied.
2004-07-09 19:22:22 ERR2:7005 Failed to launch agent on \\NTWKS, hr=80070005 Access is denied.
2004-07-09 19:22:23 All agents are installed. The dispatcher is finished.


I've checked and made sure that DNS is working.
I originally had the processor architecture problem (Error accessing registry key SYSTEM\CurrentControlSet\Control\Session Manager\Environment rc=5 Access is denied.)

I've tried adding the Domains Admins group to the local administrators group by using the command:
net localgroup administrators "<domain name>\domain admins" /add
(If I right click on My Computer, I don't get a Manage menu choice as is mentioned in other solutions people have given).

I found a suggestion to see if the LOCAL SERVICE group has permissions to the key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

But I'm unsure how to do this as I find a LOCAL SERVICE group.

I've been through the How To Set Up ADMT for a Windows NT 4.0-to-Windows Server 2003 Migration (MS KB 325851)

The only thing I didn't know how to do was: Enable auditing for the success and failure of Audit account management on the target domain in the Default Domain Controllers policy.


Any suggestions? I've been trying all day.
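An added example, not part of the original post: a small parser for the dispatcher log quoted above, showing that `rc=5` and `hr=80070005` are the same Win32 error (an HRESULT with facility 7 wraps a Win32 code in its low 16 bits). The function names are hypothetical, the sample is the log as quoted in the post, and `rc` is assumed to be printed in decimal.

```python
import re

# Sample input: the dispatcher log lines quoted in the post above.
SAMPLE_LOG = r"""2004-07-09 19:22:22 Installing agent on 1 servers
2004-07-09 19:22:22 The Active Directory Migration Tool Agent will be installed on \\NTWKS
2004-07-09 19:22:22 ERR2:7006 Failed to install agent on \\NTWKS, rc=5 Access is denied.
2004-07-09 19:22:22 ERR2:7005 Failed to launch agent on \\NTWKS, hr=80070005 Access is denied.
2004-07-09 19:22:23 All agents are installed. The dispatcher is finished."""

FACILITY_WIN32 = 7
WIN32_NAMES = {5: "ERROR_ACCESS_DENIED"}  # only the code that appears in this log

# timestamp, ERR<n>:<message id>, target host, then rc=<n> or hr=<hex>
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} "
    r"ERR\d:(?P<msgid>\d+) "
    r".*?(?P<host>\\\\[^\s,]+), "
    r"(?P<kind>rc|hr)=(?P<code>[0-9A-Fa-f]+)"
)

def decode_hresult(hr):
    """Split a 32-bit HRESULT into failure bit, facility and code."""
    return {"failure": bool(hr >> 31),
            "facility": (hr >> 16) & 0x7FF,
            "code": hr & 0xFFFF}

def win32_code(kind, raw):
    """Return the Win32 error code for an rc= or hr= value, or None."""
    if kind == "rc":
        return int(raw, 10)          # assumption: rc is decimal
    parts = decode_hresult(int(raw, 16))
    if parts["failure"] and parts["facility"] == FACILITY_WIN32:
        return parts["code"]
    return None                      # not a wrapped Win32 error

def failures_by_host(log_text):
    """Map each target host to its (message id, Win32 code, name) failures."""
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # informational line, including the final summary
        code = win32_code(m["kind"], m["code"])
        result.setdefault(m["host"], []).append(
            (int(m["msgid"]), code, WIN32_NAMES.get(code, "unknown")))
    return result

if __name__ == "__main__":
    for host, errs in failures_by_host(SAMPLE_LOG).items():
        print(host, errs)
```

Grouping by host matters here because the last line of the log reports that the dispatcher finished even though both the install and the launch on \\NTWKS failed.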

 
I replied on your thread on Anandtech. Basically, I need to know where you are running ADMT so I can troubleshoot this better.
 
I'm running ADMT on a W2003 server.
 
As I posted in your other thread, make sure the trust is working.

Also, the easiest way to make this work is to log onto your 2003 DC as the domain administrator of the source (NT) domain. Then you will have the correct permissions to run ADMT against the clients.
 
When I try to log onto the 2003 DC as the domain administrator of the source (NT) domain, I get the error message: "The local policy of this system does not permit you to logon interactively."

I'm running a functional Domain level Windows 2003.
I tried adding the NT domain admin but can't see the NT domain in the Add user to a group. I can add users from the NT domain in the security tab. Does this mean that the Trust isn't working fully?
 
Also, When I open up the Domain Admins group on the NT machine, I'm not sure how to add the 2003 domain admin user b/c all it lists is not members and an "<-add" button. I'm able to add the account to the LOCAL administrators group but not sure how to add it to the GLOBAL group of Domain Admins.


How do I do this?
 
When you tried to add the NT administrator account to the 2003 domain admins group, did you change the location in the object picker GUI? If you click the change location button, and you don't see the NT domain listed there, the trust is not working correctly.
 
I don't see the NT Domain when I click the locations button when trying to add on the Member tab. But when I'm in the security tab I can see and search and add users from the NT domain.

Is there a way to troubleshoot the trust, or should I just recreate it? The trust allows me to access files on both domains and seems to work, except for this.
 
How is your name resolution set up? One way to create a trust is to create secondary DNS zones on both domains. So create a secondary zone for the NT domain on your 2003 domain, and create a secondary for the 2003 domain on the NT domain. You could also do this with LMHOST files on both sides.

From the NT side, you should be able to ping your 2003 domain. So, you should be able to run "ping 2003domain.com" from the NT domain and get a domain controller to respond. This should also work in the other direction.
 
BTW, when I created the trust (two way), I started on the 2003 machine and got some error messages but then did it on the NT domain. When I validated the trust on the 2003 machine, it said that the trust has been validated and is in place and is active.
 
I'm able to ping the 2003 domain from the NT machine. But I can't ping the NT domain from the 2003 machine.

What could be wrong?
 
I'm using DNS. I don't have any zones setup. I'm working on setting it up now.

I tried the LMhosts thing and it didn't seem to work, what do I need to do to get windows to reload the LMHOST file so that it is examined when I ping?
 
Try doing the DNS thing I suggested with the secondaries first.

If that doesn't work, post your LMHOST file. To load the LMHOST file into the cache, you run nbtstat -RR
 
When you say LMHOST, should I be editing the LMHOSTS.sam located in C:\windows\system32\drivers\etc?

I tried adding the following line to the above file.
<IP Address> <domain name> #DOM:<domain name>

Would you be willing to talk over an instant messaging program?
 
No, lmhosts.sam is a template. The actual file should be lmhosts with no extension.

I can talk on aim or msn, whichever you prefer.

Send me an email at mlichstein AT gmail DOT com with your screenname.
 
I am having the exact same problem. Did you find a solution?

Jefflon
 
Yes, you have to make sure to log into the new server as a domain administrator and then run the migration tool. Also, make sure that name resolution for the clients is working.
 
My DNS is configured the correct way and I have all the rights in the world setup on both domains, I even set the local group policy to allow me to login locally with the source domain credentials, I still get the same error: Access Denied! and I still get this message when I try to logon with the source credentials: "The local policy of this system does not permit you to logon interactively."

Has anyone been able to use this tool with success?
thanx in advance.
gumby

 