Gentlemen, thanks to all for your contributions to this. will be going to customer site later this week to do some exhaustive testing on this issue (assuming of course that the computers have not melted in the ridiculously warm weather we are having here !)

any other things that you can add will be v gladly received.

GT

----- Original Message -----
From: "Rick Kingslan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 11, 2003 11:16 PM
Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration

> Stuart, Graham -
>
> The Agent exec is ADMTAGNT.EXE. Also, I don't remember it running under the Explorer process, as when we did our migrations (well, the on-going saga...) it was an easy matter to check how a machine was doing by bringing up task manager to determine status and load on the box. Had to do this numerous times as workstations took too long and we needed to determine the real status of the process.
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
> Sent: Friday, July 11, 2003 3:41 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration
>
> G,
>
> Can't really speak to the specific technical upgrade process for ADMT. If I remember correctly, we simply installed the latest version over the top of the new one and everything seemed to work out. I think we did have to reinstall the password export service again...
>
> We ran the majority of our migrations from the ADMTv2 off of the .Net Server (e.g. 2003) Beta 3 CD. We wanted the v2 because of the password migration bit. We did update the ADMT from the Beta3 version to the RC1 version at about 3/4 through our migration. We didn't really see any differences and upgrading didn't solve a broke workstation migration issue we were having on a dual-proc machine.
>
> If it is the NT policy, then on the NT workstation you are trying to migrate, back out the allowed run policy and then try the migration again. If changing the policy via poledit doesn't work you can try looking at the reg keys. JSI FAQ (http://www.jsiinc.com/SUBA/tip0000/rh0050.htm) lists the two you need to look at (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun = 1 and entries under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun). Test the workstation by running some "unallowed" application first so that you know the policy has really been backed out and not reapplied through whatever your distribution mechanism is.
>
> If backing off the NT policy doesn't work then re-verify the ADMT setup (http://support.microsoft.com/?kbid=260871). Can you migrate any other NT/2000/XP workstations? If so then ADMT is probably set up correctly and the trouble will be with the specific NT workstation build.
>
> According to JSI's note 0362, the RestrictRun policy only works on processes run from the Explorer process. I have no clue if the agent process is being remotely initiated on the workstation via the Explorer process but if between workee and no-workee this is the only difference.....
>
> Additionally, I couldn't find in my brief surfing expedition what specifically the agent .exe are. Looking at our ADMT console the two probable candidates are "ADMTAgnt.exe" and "DCTAgentService.exe". If the only solution is to add the agent executables to the allowed list then hopefully someone else on the mailing list knows what these really are.
>
> Stuart Fuller
> Active Directory
> State of Montana
>
> -----Original Message-----
> From: Graham Turner [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 11, 2003 12:25 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration
>
> Stuart, i share your views.
>
> i have assumed this is going to be a problem general to NT4 workstation migration - based on first two tested - both failed with identical message.
>
> the number of NT4 workstations still in production means a manual migration is not the most practical option.
>
> in the course of resolving this i have observed that the contents of the ADMT2 distribution are about 8 months more recent than the production ADMT2 programs that were "in good faith !!" from the .NET RC1 media,
>
> i am assuming the upgrade to be a supported process and will just see if this issue is not specific to ADMT version - i have also noted from netiq.com that they had to patch migration software to resolve similar issues of computer migration -
>
> do you have any issues specific to versions of ADMT ??
>
> if it does prove to be issues of the allowedrunlist "whacking me" then the question remains as to what exe's need to be added to support the ADMT operation
>
> thanks for your support
>
> GT
>
> ----- Original Message -----
> From: "Fuller, Stuart" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, July 11, 2003 6:30 PM
> Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration
>
> > G,
> >
> > Let me clarify what I stated earlier...
> >
> > ADMT needs to be able to resolve the name of the workstation (e.g. find it on the network) and be able to get to the admin$ share on the workstation. When you run ADMT workstation migration, you are running in the security context of the user logged into the ADMT console (unless you use "runas"). This user needs to have administrator privileges on the target workstation. You can test this very simply by mapping a drive to the target workstation's admin$ share. If that works then you know that the ADMT user does have admin rights and the share is working.
> > We have found that this cheese-o-matic test is the best indication that the ADMT workstation migration will run correctly.
> >
> > However from your other posts, I don't think normal ADMT security is your issue. It looks like the "allowed list" of applications from the NT Policy is whacking you.
> >
> > In any event, the whole point of the ADMT is to automate the workstation migration. If this is a problem for only a couple of machines, you could just manually migrate them. Join them directly to the new AD domain and simply copy over the user profile. You may have to work on fixing printers and resetting some file rights but usually on a user workstation that is pretty minimal.
> >
> > When we were doing our migration, we ran into about one out of every two hundred workstations that had some type of underlying problem where ADMT would bonk. We took those as one-offs and figured it was easier to spend 10 minutes manually migrating the workstation than spending hours trying to figure out why ADMT was failing. On the ones that we did troubleshoot, it was never ADMT fault, it was something whacked with the workstation OS, IP stack, NIC, or even <<shudder>> the Novell client.
> >
> > Stuart Fuller
> > Active Directory
> > State of Montana
> >
> > -----Original Message-----
> > From: Graham Turner [mailto:[EMAIL PROTECTED]
> > Sent: Friday, July 11, 2003 8:58 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration
> >
> > Rick, thanks your time on this issue.
> >
> > my view is that we are failing at the installation of the agent - as i read it this takes place using the credentials of the logged in user at the ADMT console ??
> >
> > GT
> >
> > ----- Original Message -----
> > From: "Rick Kingslan" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, July 11, 2003 2:05 PM
> > Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration
> >
> > > Graham -
> > >
> > > I have no documentation of an 'allowedrunlist' policy or setting in NT 4.0 (not saying that it doesn't exist - just in the limited time I have this AM I can't find anything). But, given that it does exist, yes - that's what I'm saying. If the policy does truly enforce WHO can run WHAT - then this could be an issue.
> > >
> > > With that being said - this agent (ADMT), in my experience, runs at the LocalSystem context, and therefore should not be subject to the rules of a ruleset applied by system policy, AFAIK.
> > >
> > > Rick Kingslan MCSE, MCSA, MCT
> > > Microsoft MVP - Active Directory
> > > Associate Expert
> > > Expert Zone - www.microsoft.com/windowsxp/expertzone
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> > > Sent: Friday, July 11, 2003 5:20 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration
> > >
> > > Rick, thanks for post reply.
> > >
> > > is your inference then that it is conceivable that a restrictive allowedrunlist "tattooed" into the registry is able to prevent whatever application it is to run on the NT4 workstation. ???
> > >
> > > GT
> > >
> > > ----- Original Message -----
> > > From: "Rick Kingslan" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Thursday, July 10, 2003 1:13 AM
> > > Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration
> > >
> > > > Graham,
> > > >
> > > > System Policy on NT 4.0 is truly tattooed to the system.
> > > > If you turn it off and back on, it's still there - unless manually removed or the policy is backed out via the de-application of said policy.
> > > >
> > > > And, sadly - I can't tell you right now what needs to run (yes the Agent, damn it - but what IS the Agent?)....
> > > >
> > > > Rick Kingslan MCSE, MCSA, MCT
> > > > Microsoft MVP - Active Directory
> > > > Associate Expert
> > > > Expert Zone - www.microsoft.com/windowsxp/expertzone
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> > > > Sent: Wednesday, July 09, 2003 4:25 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration
> > > >
> > > > but then thinking about it no - when i failed on the first nt4 host thought it was down to that computer so tried another one straight away - same access denied result
> > > >
> > > > have spoken with the developers of the nt4 build - there is a system policy with an allowedrunlist policy - that was that even while logged off this registry value is tattooed into the computer registry ????
> > > >
> > > > if this is possible which i must confess to not being sure on then need to work out what actually needs to be allowed to run for the admt dispatch agent to execute
> > > >
> > > > clutching at straws a bit !!!
> > > >
> > > > GT
> > > >
> > > > ----- Original Message -----
> > > > From: "Wilkinson, Stephen" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Sent: Wednesday, July 09, 2003 2:01 PM
> > > > Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration
> > > >
> > > > > I think Larry's first response could be it Graham.
> > > > >
> > > > > We saw exactly this in our testing with the Quest Migrator product.
> > > > > You must make sure there is no computer account with the same name already in the AD - hiding in an OU you least expect it! (ours got there during testing by manually moving test boxes in and out of the ad domain and forgetting to remove the computer accounts.
> > > > >
> > > > > Stephen Wilkinson
> > > > >
> > > > > Tel +44(0)207 4759276
> > > > > Mobile +44(0)7973 143970
> > > > > E-Mail: [EMAIL PROTECTED]
> > > > >
> > > > > -----Original Message-----
> > > > > From: Duncan, Larry [mailto:[EMAIL PROTECTED]
> > > > > Sent: 08 July 2003 21:45
> > > > > To: '[EMAIL PROTECTED]'
> > > > >
> > > > > Has the "Everyone" group been added to the "Pre-Windows 2000 Compatible Access" group in the new domain?
> > > > >
> > > > > -----Original Message-----
> > > > > From: Graham Turner [mailto:[EMAIL PROTECTED]
> > > > > Sent: Tuesday, July 08, 2003 3:24 PM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: [ActiveDir] admt 2.0 - nt4 computer migration
> > > > >
> > > > > Am attempting the migration of computer from NT4 source domain to Windows 2000 target domain.
> > > > >
> > > > > the migration environment is working fine with windows 2000 professional clients
> > > > >
> > > > > have got issues with the migration of an NT4 workstation
> > > > >
> > > > > the extract from dispatch.log on the admt server is attached from which i am hoping to get a few clues as to the "access denied"
> > > > >
> > > > > have checked the "obvious" issues such as sourcedom\domain admins being a member of the local administrators group and the computer migration being run while logged on as a member of that sourcedom\domain admins group
> > > > >
> > > > > Thanks
> > > > >
> > > > > GT
> > > > >
> > > > > List info : http://www.activedir.org/mail_list.htm
> > > > > List FAQ : http://www.activedir.org/list_faq.htm
> > > > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> > > > >
> > > > > ----------------------------------------------------------------------
> > > > > If you have received this e-mail in error or wish to read our e-mail disclaimer statement and monitoring policy, please refer to http://www.drkw.com/disc/email/ or contact the sender.
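
The checks discussed in this thread (name resolution, the admin$ share test, and the RestrictRun allow-list keys) as an added PowerShell example that is not part of the original messages. The host name is constructed, the function names are hypothetical, and the two agent executable names are the candidates mentioned in the thread rather than a confirmed list.

```powershell
# Added example: pre-flight checks for one workstation, run as the ADMT console user.
# Assumption: agent names are the candidates named in the thread, not a confirmed list.
$AgentCandidates = 'ADMTAgnt.exe', 'DCTAgentService.exe'
$PolicyPath = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-RestrictRunState {
    param([Parameter(Mandatory)][string]$ComputerName)
    # HKEY_CURRENT_USER is per-user, so inspect every hive loaded under HKEY_USERS.
    # Needs the Remote Registry service and admin rights on the target.
    $users = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::Users, $ComputerName)
    try {
        foreach ($sid in $users.GetSubKeyNames()) {
            $explorer = $users.OpenSubKey("$sid\$PolicyPath")
            if ($null -eq $explorer) { continue }
            $allowed = @()
            $list = $explorer.OpenSubKey('RestrictRun')   # allow-list entries
            if ($null -ne $list) {
                $allowed = @($list.GetValueNames() |
                    ForEach-Object { [string]$list.GetValue($_) })
                $list.Close()
            }
            [pscustomobject]@{
                Hive          = $sid
                Enabled       = ($explorer.GetValue('RestrictRun', 0) -as [int]) -eq 1
                Allowed       = $allowed
                AgentsMissing = @($AgentCandidates |
                    Where-Object { $allowed -notcontains $_ })
            }
            $explorer.Close()
        }
    } finally { $users.Close() }
}

function Test-AdmtPreflight {
    param([Parameter(Mandatory)][string]$ComputerName)
    $resolves = $true
    try { [void][System.Net.Dns]::GetHostAddresses($ComputerName) }
    catch { $resolves = $false }
    [pscustomobject]@{
        Computer     = $ComputerName
        NameResolves = $resolves
        # Same test the thread describes: can this user reach admin$ on the target?
        AdminShare   = Test-Path -Path ('\\{0}\admin$' -f $ComputerName)
        RestrictRun  = @(Get-RestrictRunState -ComputerName $ComputerName)
    }
}

Test-AdmtPreflight -ComputerName 'NT4WS01'   # constructed host name
```

A hive with `Enabled` true and a non-empty `AgentsMissing` is the case the thread suspects; whether the policy actually applies to the agent depends on how the agent is launched, which the thread leaves open.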