I agree with Tony as well. Right now we are migrating numerous NT4 and AD
domains into a common W2003 domain with length >=8 and complexity. No
problems. Using ADMT v2.0. I know this doesn't help to understand what
happened in your case, Jordan, but there must be something... 


--
    Regards, Willem

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Sunday, September 19, 2004 12:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT v2 PES question

I second Tony's point: you shouldn't need to change the policy for PW
length to make this work. However, Anonymous users must have access to
the target domain, which is the default in 2000, but not for 2003. This
is for ADMTv2.

With ADMTv3 the PES runs as a service on the source domain, which allows
you to run it with special credentials => thus anonymous access is no
longer allowed.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Friday, September 17, 2004 5:15 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] ADMT v2 PES question

Jordan

I'm glad it worked out for you.  Apologies for misleading you and Dave
on this.  I'm pretty confused right now because I thought I had
understood the behaviour pretty well.  

I'll see if you can get someone from inside MS to provide a decent
description of how it actually works.

Tony
---------- Original Message ----------------------------------
From: Jordan Arendt <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 17 Sep 2004 08:49:58 -0600

Tony,

I'm using ADMT v2 into a 2k3 domain, so they may have changed it
somewhat.  Anyway, I got it working so it's all good.  Would have been
nice to see that mentioned somewhere in the docs I read though.


On Fri, 17 Sep 2004 09:38:03 -0400, Tony Murray
<[EMAIL PROTECTED]> wrote:
> David
> 
> Strange.  My experience was also first hand.  We migrated a large
> number of NT domains (with various different password policies) to a
> single Windows 2000 AD domain using ADMT 2.0.  In many cases the source
> domain didn't conform to the password requirements (length, complexity)
> of the target domain, but the passwords were still exported
> successfully.
> 
> Maybe the behaviour changes if the target domain is W2K3 AD?
> 
> In any case, our discussion may be moot given the error that Jordan
> sees.  The "access is denied" in the error would appear to indicate some
> other issue.
> 
> Tony
> 
> 
> ---------- Original Message ----------------------------------
> From: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> Date:  Fri, 17 Sep 2004 08:50:58 -0400
> 
> Tony,
> 
> That situation was a first hand experience for me.  Once I reset 
> (loosened) the password policy on 2K3, the export went.  In my case, 
> it was not complexity that was stopping it, but minimum password
> length.
> 
> Jordan,
> 
> I just remembered another gotcha.  If you reinstalled the pes dll on 
> the NT4 PDC or installed it after you did all the regedits, recheck 
> the reg edits, as the pes install resets some of the values.  Again 
> another "first hand experience"
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> Sent: September 17, 2004 7:48 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] ADMT v2 PES question
> 
> Jordan
> 
> You might want to first double-check David's statement below.  My 
> understanding is that ADMT 2.0 doesn't enforce complexity in any way 
> for exported passwords.  It doesn't actually export the password, only
> the hash.
> In other words, it won't know whether the password complexity 
> requirements of the target domain are met by the password or not.  The
> password complexity is only enforced when the user next changes
> password.
> 
> The only situation I know of where a new password is generated to meet
> the complexity requirements is where there is no password associated 
> with the account in the source domain.
> 
> Tony
> ---------- Original Message ----------------------------------
> From: Jordan Arendt <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date:  Thu, 16 Sep 2004 11:12:51 -0600
> 
> Thanks.  I had "dumbed down" my default domain password policy as the 
> NT 4 domain only required a password length of 6 characters.  I am new
> to the site and didn't realize that complex passwords were not 
> enforced, I just assumed it (ya ya ass u me).  So anyway, I removed 
> complex passwords from the domain security policy and will do so when
> we do the actual migration.
> Then enforce it once everyone is migrated over.  Sigh.
> 
> Thanks again,
> 
> Jordan
> 
> On Wed, 15 Sep 2004 21:59:37 -0400, [EMAIL PROTECTED] 
> <[EMAIL PROTECTED]> wrote:
> > Check your default domain password policy.  Likely your source domain
> > has a weaker policy than the target (2K3) so it generates a random 
> > password that meets the policy and places it in a file in the 
> > ADMT\logs directory.
> >
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Jordan 
> > Arendt
> > Sent: September 15, 2004 6:11 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] ADMT v2 PES question
> >
> > 1.  Yes. Can ping both ways from each machine. Wins servers are 
> > entered correctly.
> >
> > 2. Yes the Pre-Windows 2000 Compatible Access group has the following
> > members:
> > Anonymous Logon
> > Authenticated Users
> > Everyone
> >
> > On Wed, 15 Sep 2004 23:18:41 +0200, Paul van Geldrop 
> > <[EMAIL PROTECTED]>
> > wrote:
> > > Jordan,
> > >
> > > 1) Did you verify that both DNS _and_ WINS resolution are 
> > > functioning properly ? You will need both of these to function 
> > > properly for the migration to work.
> > > 2) Did you add both the Anonymous Logon group and the Everyone 
> > > group to the Pre-Windows 2000 Compatible Access group ?
> > >
> > > Regards,
> > >
> > > Paul.
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "Jordan Arendt" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Wednesday, September 15, 2004 10:52 PM
> > > Subject: [ActiveDir] ADMT v2 PES question
> > >
> > > > Hi all,
> > > >
> > > > So, I've got a 2k3 forest that I am migrating an NT 4 domain
> > > > into.
> > > > I've setup a Password Export Server on a DC in my test NT 4
> > > > domain.
> > > > Set registry entries, established trusts, etc.  When I go to 
> > > > migrate a user, I get:
> > > >
> > > > WRN1:7557 Failed to copy the password for {user.} A strong 
> > > > password has been generated instead. Unable to copy password. 
> > > > Access is denied.
> > > >
> > > > I'm looking at
> > > > http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;322981
> > > >
> > > > and have verified everything except:
> > > >
> > > > Pre-Windows 2000 Compatible Access has Read and Enumerate Entire
> > > > SAM Domain permissions on the object, as follows:
> > > > CN=Server,CN=System,DC={TargetDomain},DC={tld}
> > > >
> > > > Can anyone translate this for me?  I'm not sure what I am 
> > > > supposed to do here.
> > > >
> > > > Thanks,
> > > >
> > > > Jordan
> > > > List info   : http://www.activedir.org/mail_list.htm
> > > > List FAQ    : http://www.activedir.org/list_faq.htm
> > > > List archive:
> > > > http://www.mail-archive.com/activedir%40mail.activedir.org/
> > >
> 
> ________________________________________________________________
> Sent via the WebMail system at mail.activedir.org
> 