<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN"
"http://www.w3.org/TR/REC-html40/strict.dtd">
<HTML DIR="LTR">
<HEAD>
<TITLE>Troubleshooting</TITLE>
<LINK REL="stylesheet" MEDIA="screen" TYPE="text/css" HREF="coUA.css">
<LINK REL="stylesheet" MEDIA="print" TYPE="text/css" HREF="coUAprint.css">
<SCRIPT LANGUAGE="JScript" SRC="shared.js"></SCRIPT>
<META HTTP-EQUIV="Content-Type" CONTENT="text-html;charset=Windows-1252">
<META HTTP-EQUIV="PICS-Label" CONTENT='(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l comment "RSACi North America Server" by "[email protected]" r (n 0 s 0 v 0 l 0))'>
<META NAME="MS.LOCALE" CONTENT="EN-US">
<META NAME="MS-IT-LOC" Content="Active Directory Migration Tool">
<META NAME="MS-HAID" CONTENT="a_ADMTTroubleshooting">
</HEAD>
<BODY>

<H1><A NAME="H1_53869318"></A>Troubleshooting</H1>

<H2><A NAME="H2_53869653"></A>What problem are you having?</H2>

<TABLE>

<TR><TD><P><A ID="expand" HREF="#" CLASS="expandToggle">I am receiving an error message that Active Directory Migration Tool could not verify auditing and TcpipClientSupport on domains.</A></P>
<DIV CLASS="expand">

<P><B>Cause:</B> All necessary configuration changes have not been made.</P>
<P><B>Solution:</B> Properly configure your migration environment and try the operation again.</P>
<P><B>See also: </B><A HREF="admtchkbeforeusing.htm">Checklist: Before using Active Directory Migration Tool</A>, <A HREF="admtsystemreq.htm">Migration requirements</A>, <A HREF="admtbeforeintermig.htm">Before performing an interforest migration</A>, and <A HREF="admtbeforeintramig.htm">Before performing an intraforest migration</A></P>
</DIV></TD></TR>

<TR><TD><P><A ID="expand" HREF="#" CLASS="expandToggle">Active Directory Migration Tool agents either fail to install or will not run on a remote computer.</A></P>
<DIV CLASS="expand">

<P><B>Cause:</B> The agent is dispatched with invalid credentials or the migration environment is not configured correctly.</P>

<P><B>Solution:</B> An agent is dispatched to a remote computer using the credentials of the account used to run Active Directory Migration Tool. Once installed on the remote computer, the agent runs under the local system account. The credentials that you provide to the wizard before the agent is dispatched to the remote computer are used to write results back to a share created on the computer on which Active Directory Migration Tool is running. The agent must have the right to log on locally to the remote computer, and, if the agent is used to migrate computers, it must have Administrative rights in the source domain.</P>

<P>To ensure that you have the correct credentials, create trusts such that the source domain trusts the target domain and the target domain trusts the source domain. Add the Domain Admins group of the target domain (target\Domain Admins) to the built-in Administrators group of the source domain (source\Administrators). Log on using the target\Domain Admins account and supply a set of credentials for the source\Administrators account when prompted. This will provide you with administrative permissions on both the source and target domains.</P>

<P><B>See also: </B><A HREF="admtsystemreq.htm">Migration requirements</A></P></DIV>
</TD></TR>

<TR><TD><P><A ID="expand" HREF="#" CLASS="expandToggle">Agent dispatch operations are failing with credentials conflict errors.</A></P>
<DIV CLASS="expand">

<P><B>Cause:</B> You have an active connection, such as a mapped drive or a printer, to a computer on which an agent is being installed. The dispatch operation will fail because the credentials of the agent installation conflict with the existing set of credentials.</P>

<P><B>Solution:</B> Remove any active connections between the computer that is running Active Directory Migration Tool and the computer to which the agent is being dispatched.</P>
</DIV></TD></TR>

<TR><TD><P><A ID="expand" HREF="#" CLASS="expandToggle">I am receiving the following error: "Cannot connect to agent."</A></P>
<DIV CLASS="expand">

<P><B>Cause:</B> The agent monitor tried to connect to the agent while the agent was still initializing.</P>

<P><B>Solution:</B> Click <B>Refresh</B> one or more times to update the Agent Monitor.</P>
</DIV></TD></TR>

<TR><TD><P><A ID="expand" HREF="#" CLASS="expandToggle">When I try to view the results of a remote agent operation, I receive the following error: "Cannot open the \\<i>ComputerName</i>\(<NOBR>%SystemRoot%</NOBR>)$\temp\dctlog.txt file." </A></P>
<DIV CLASS="expand">

<P><B>Cause:</B> The default administrative share for the system volume of the computer to which the agent was dispatched is not enabled.</P>

<P>Because the default share is not enabled, the Active Directory Migration Tool cannot read the log file.</P>

<P><B>Solution:</B> Reenable the default share of the system volume.</P>
</DIV></TD></TR>

<TR><TD><P><A ID="expand" HREF="#" CLASS="expandToggle">I am receiving the following error (W10431): "The Program Files folder name on \\<I>ComputerName</I> is in an unrecognized format "\ADMIN$"</A></P>
<DIV CLASS="expand">

<P><B>Cause:</B> By default, the Active Directory Migration Tool agent is installed to the folder specified by the <NOBR>%ProgramFiles%</NOBR> environment variable on the target computer. Since this environment variable does not exist by default on Windows NT 3.51 computers, the agent is installed to the <NOBR>%SystemRoot%</NOBR> folder instead.</P>

<P><B>Solution:</B> This is a warning message. No action is necessary.</P>
</DIV></TD></TR>

<TR><TD><P><A ID="expand" HREF="#" CLASS="expandToggle">Active Directory Migration Tool was not able to change the domain affiliation of a particular computer. This failure caused the computer to lose affiliation with any domain.</A></P>
<DIV CLASS="expand">

<P><B>Cause:</B> This can be caused by an incorrect migration environment configuration or some malfunction with either the source or target computers.</P>

<P><B>Solution:</B> Join the computer to a domain and create the computer account in the domain as described in the following procedures:</P>

<P><b>To change the domain membership of a computer running Windows NT 4.0 or earlier</b></P>
<OL>
<LI>Log on to the computer using an account with local administrator permissions.</LI>

<LI>Open the <B>Control Panel</B>, and then double-click <B>Network</B>.</LI>
<LI>Click <B>Change</B>, and then, in <B>Domain Name</B>, type the name of the domain you want this computer to join.</LI>
</OL>

<P><b>To change the domain membership of a computer running Windows 2000</b></P>
<OL>
<LI>Log on to the computer using an account with local administrator permissions.</LI>
<LI>On the Desktop, right-click <B>My Computer</B>, and then click <B>Properties</B>.</LI>
<LI>On the <B>Network Identification</B> tab, click <B>Properties</B>, and then click <B>Domain</B>.</LI>
<LI>In <B>Domain</B>, type the name of the domain you want this computer to join.</LI>
</OL>
<P class="note">Notes</P>
<UL>
<LI>To join a domain, you must enter credentials of an account with administrative permissions on the domain you want the computer to join.</LI>

<LI>You must restart the computer to complete joining the computer to the domain.</LI>
</UL>
</DIV></TD></TR>

<TR><TD><P><A ID="expand" HREF="#" CLASS="expandToggle">The Remove existing user rights option did not work.</A></P>
<DIV CLASS="expand">

<P><B>Cause:</B> If the Group Policy template associated with a user whose user rights are being removed contains the nondomain-qualified name of the user (for example, if it contains User1 instead of DomainA\User1), then the remove operation will fail.</P>

<P><B>Solution:</B> Correct the user name entry in the Group Policy template.</P>
</DIV></TD></TR>
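One way to locate the entries described in the item above before running the wizard, as an added example that is not part of the ADMT documentation. It assumes the user rights are stored in the `[Privilege Rights]` section of the template's `GptTmpl.inf` file; the sample template and the account names in it are constructed.

```python
import re

# Constructed sample of a security template; not taken from a real domain.
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,DomainA\User1,User2
SeBackupPrivilege = *S-1-5-32-551
SeServiceLogonRight = svc_sql
SeShutdownPrivilege = DomainA\Ops
[Version]
signature="$CHICAGO$"
Revision=1
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def classify(entry):
    """Return 'sid', 'qualified' or 'unqualified' for one account entry."""
    if entry.startswith("*S-1-"):
        return "sid"                      # entry stored as a SID
    domain, sep, name = entry.partition("\\")
    if sep and domain and name:
        return "qualified"                # DOMAIN\name form
    return "unqualified"                  # bare name such as User1


def find_unqualified(template_text):
    """Return (user_right, entry) pairs for bare names under [Privilege Rights]."""
    findings = []
    section = None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # skip blanks and comments
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name").lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        right, _, value = line.partition("=")
        for entry in (e.strip() for e in value.split(",")):
            if entry and classify(entry) == "unqualified":
                findings.append((right.strip(), entry))
    return findings


def load_template(path):
    """Read a template file; handles UTF-16 files with a BOM and ANSI copies."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("cp1252")


if __name__ == "__main__":
    for right, entry in find_unqualified(SAMPLE_TEMPLATE):
        print(f"{right}: '{entry}' is not domain-qualified")
```

Names of built-in local groups are also reported as unqualified, so review each finding before editing the template.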

<TR><TD><P><A ID="expand" HREF="#" CLASS="expandToggle">I cannot find the Active Directory Migration Tool log files.</A></P>
<DIV CLASS="expand">

<P><B>Solution:</B> Active Directory Migration Tool creates several log files in the Logs folder under the Active Directory Migration Tools folder on the computer on which the tool is installed. User and group migration progress is recorded in Migration.log; dispatcher progress is recorded in Dispatcher.log; and the progress of the Trust Migration Wizard is recorded in Trust.log. Additionally, the progress of each agent is recorded in log files named for the computer to which the agents are dispatched. These log files are located in the Agents folder under the previously mentioned Logs folder. Each agent also records information in a Dctlog.txt file, which is created in the folder specified by the %TEMP% variable on each computer to which an agent is dispatched.</P>

</DIV></TD></TR>

<TR><TD><P><A ID="expand" HREF="#" CLASS="expandToggle">I cannot read the event log entries for the Active Directory Migration Tool agent.</A></P>
<DIV CLASS="expand">

<P><B>Cause:</B> You are not on a computer on which Active Directory Migration Tool has been installed.</P>

<P><B>Solution:</B> The agent may write log entries to the computer on which it runs. Since the agent software is removed when the agent's task is finished, you can view the event log entries on the computer to which the agent was dispatched by running the Windows 2000 Event Viewer from the computer on which Active Directory Migration Tool is installed.</P>
</DIV></TD></TR>

<TR><TD><P><A ID="expand" HREF="#" CLASS="expandToggle">I need more information from the Active Directory Migration Tool logs.</A></P>
<DIV CLASS="expand">

<P><B>Cause:</B> Incorrect logging level setting.</P>

<P>By default, Active Directory Migration Tool writes summary information to its log files. The level of detail can be increased by changing the registry entry that controls the logging level.</P>

<P><B>Solution:</B> On the computer on which Active Directory Migration Tool is installed, set the value of the HKEY_LOCAL_MACHINE\Software\Mission Critical Software\DomainAdmin\TranslationLogLevel registry key to 7.</P>

<P>Verbose logging mode is used for problem diagnosis and troubleshooting. The verbose logging mode can create very large log files, particularly in cases where large numbers of files, or other objects whose access control lists must be updated, exist on the target computer. Since the agent logs are written to the folder specified by the %TEMP% environment variable, the volume to which that environment variable points should have ample disk space. When logging in verbose mode, it may be necessary to change the value of the %TEMP% environment variable before dispatching an agent.</P>
</DIV></TD></TR>

<TR><TD><P><A ID="expand" HREF="#" CLASS="expandToggle">Generated reports do not show up in Active Directory Migration Tool.</A></P>
<DIV CLASS="expand">

<P><B>Cause:</B> When the tool generates reports, it does not automatically update the console.</P>

<P><B>Solution:</B> To view the reports, close and reopen Active Directory Migration Tool.</P>
</DIV></TD></TR>

<TR><TD><P><A ID="expand" HREF="#" CLASS="expandToggle">When generating reports, I receive IDispatch error 3107.</A></P>
<DIV CLASS="expand">

<P><B>Cause:</B> This error may occur when the Agent Monitor is closed before all agents have finished writing their results back to the Active Directory Migration Tool reporting database.</P>

<P><B>Solution:</B> To prevent this problem, wait until all agents have completed their tasks before closing the Agent Monitor.</P>
</DIV></TD></TR>

<TR><TD><P><A ID="expand" HREF="#" CLASS="expandToggle">After an interforest migration, users cannot log on to their new domain.</A></P>
<DIV CLASS="expand">

<P><B>Cause:</B> When performing an interforest migration, Active Directory Migration Tool always sets the <B>User Must Change Password</B> option for migrated users. If the user account has the <B>User Cannot Change Password</B> option set, then the target account won't be able to log on until one or both options have been changed.</P>

<P><B>Solution:</B> Change the options using one of the following methods:</P>

<P><b>To enable the ability to change the user password</b></P>
<OL>
<LI>In Active Directory Users and Computers, on the <B>View</B> menu, click <B>Advanced Features</B>.</LI>
<LI>Right-click the user, and then click <B>Properties</B>.</LI>
<LI>On the <B>Security</B> tab, allow the <B>Change Password</B> permission for <B>Everyone</B> and for the user.</LI>
</OL>

<P><b>To remove the User Must Change Password flag</b></P>
<UL>
<LI>In Active Directory Users and Computers, right-click the user, and then click <B>Reset Password</B>.</LI>
</UL>
</DIV></TD></TR>

<TR><TD><P><A ID="expand" HREF="#" CLASS="expandToggle">After an intraforest migration, users cannot log on to their new domain.</A></P>
<DIV CLASS="expand">

<P><B>Cause:</B> The user account passwords used in the old domain may violate the password restrictions in the new domain.</P>

<P>In an <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=IntraforestMigration"> intraforest migration</A>, user account passwords from the source domain are migrated to the target domain. If the source domain user accounts have passwords that violate the password restrictions (such as minimum length) in the target, then the affected migrated users will be unable to log on until their password has been set to a value that fits the target domain password policy.</P>

<P>If the users try to use the invalid passwords, their new user accounts may be locked. If you selected <B>Close target accounts</B> in the Migrate Users Wizard, the new user accounts will be disabled. As a result, the migrated users may not be able to log on until their accounts have been unlocked or marked as enabled.</P>

<P><B>Solution:</B> Reset the user account passwords to a value that fits the new domain's password policy, and enable the user accounts if they were disabled due to repeated password failure.</P>
</DIV></TD></TR>

<TR><TD><P><A ID="expand" HREF="#" CLASS="expandToggle">Migrated users receive an error indicating that their user name or password is incorrect.</A></P>
<DIV CLASS="expand">

<P><B>Cause:</B> Migrated users cannot log on due to password policy, even though password policies appear to be disabled.</P>

<P>During a migration, some administrators may choose to disable their password policies on the target domain. If they try to accomplish this by turning off the minimum password length policy without setting the password policy to zero, it is possible that the users will not be able to log on because a password policy is still in effect.</P>

<P><B>Solution:</B> Set the password policy to a length of zero. After the zero length policy is in effect, the minimum password length policy can be turned off.</P>
</DIV></TD></TR>

<TR><TD><P><A ID="expand" HREF="#" CLASS="expandToggle">SID History migration is not working</A>.</P>
<DIV CLASS="expand">

<P><B>Cause:</B> There are a number of conditions that must be satisfied for SID History migration to work.</P>

<P><B>Solution:</B> Properly configure the migration environment before running Active Directory Migration Tool, and review the configuration topics before proceeding with the migration.</P>

<P><B>See also: </B><A HREF="admtchkbeforeusing.htm">Checklist: Before using Active Directory Migration Tool</A>, <A HREF="admtsystemreq.htm">Migration requirements</A>, <A HREF="admtbeforeintermig.htm">Before performing an interforest migration</A>, and <A HREF="admtbeforeintramig.htm">Before performing an intraforest migration</A>.</P>
<P class="note">Note</P>
<UL>
<LI><P>When migrating a previously migrated security principal to a new domain, the criteria for migrating SID History should be in place for all three domains.</P>

<P>For example, you have the following three domains: DomainA, DomainB, and DomainC. DomainA is a Windows NT 4.0 domain. DomainB and DomainC are Windows 2000 domains operating in native mode. User1 in DomainA (DomainA\User1) was migrated to DomainB as DomainB\User1 and SID History was translated. DomainB\User1 now has the primary SID for DomainB\User1 and the SID History value for DomainA\User1. If an administrator wants to migrate DomainB\User1 to DomainC\User1 and preserve all of DomainB\User1's SIDs, then the proper configuration settings must be in place to allow migration from DomainA to DomainC and from DomainB to DomainC. If DomainA has been decommissioned, or if proper configuration cannot be satisfied between DomainA and DomainC, then Active Directory Migration Tool will migrate the SID for DomainB\User1 to DomainC\User1 and log the fact that it could not migrate the DomainA\User1 SID.</P>

<P>If DomainA does not exist, ADMT will write an error message to the log, but migration will still be successful. This error message can be ignored.</P></LI>
</UL></DIV></TD></TR>

<TR><TD><P><A ID="expand" HREF="#" CLASS="expandToggle">Permissions on a resource show "Account Unknown" for a migrated group or user.</A></P>
<DIV CLASS="expand">

<P><B>Cause:</B> If, when migrating a group or user account, domain controllers in the source domain are no longer available, computers in domains outside the target forest that are running Windows NT 3.51, Windows NT 4.0, or Windows 2000 (in a domain operating in mixed mode) may not be able to resolve the group or user object's SID History with the target domain's Global Catalog.</P>

<P>As long as the source domain is accessible, the group or user account name can be resolved. The inability to resolve the account name is an administrative problem only. The inability to resolve the group or user account name through SID History does not prevent that account from having the desired access to that resource. For example, if a user shows up as "Account Unknown" in a group's membership list, that user is still a member of that group and has the rights associated with that group.</P>

<P><B>Solution:</B> This SID History resolution problem can be fixed by running the Security Translation Wizard to replace the source account SID with the new target account SID for all resources on all affected computers. This problem will be much more prevalent if you decommission the source account domain prior to migrating the source resource domain. Therefore, you should decommission all source domains together as the last step in the migration process.</P>
</DIV></TD></TR>

<TR><TD><P><A ID="expand" HREF="#" CLASS="expandToggle">After migration, new user accounts in the target domain are unable to access resources where the source domain accounts have permissions.</A></P>
<DIV CLASS="expand">

<P><B>Cause:</B> The settings necessary to run Active Directory Migration Tool have not been correctly established.</P>

<P>Most migration problems are caused by an incorrectly configured migration environment.</P>

<P><B>Solution:</B> Open the migration log file and find the account you migrated with SID History. If SID History was added to the account, you should see an entry similar to the following:</P>
<P>1999-10-06 18:28:50-SID for <i>UserAccountName</i> added to the SID History of <i>UserAccountName</i></P>
<P>If you receive an error message, it's almost certain you have not configured the environment correctly, and you should review the configuration topics before retrying the migration.</P>

<P>For up-to-date information and scenarios describing the various tools and methods used to migrate Windows NT networks to Windows 2000 networks and to restructure existing Windows 2000 networks, see the Domain Migration and Restructuring tools page at the <A ID="extUrl" HREF="http://www.microsoft.com/isapi/redir.dll?prd=Domain Migration and Restructuring tools" TITLE="http://www.microsoft.com/" TARGET="_new">Microsoft Web site</A>.<SPAN CLASS="printOnly"> (http://www.microsoft.com/)</SPAN></P>

<P><B>See also: </B><A HREF="admtchkbeforeusing.htm">Checklist: Before using Active Directory Migration Tool</A>, <A HREF="admtsystemreq.htm">Migration requirements</A>, <A HREF="admtbeforeintermig.htm">Before performing an interforest migration</A>, and <A HREF="admtbeforeintramig.htm">Before performing an intraforest migration</A>.</P>
</DIV></TD></TR>
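The log check described in the item above can be run over a whole migration log instead of account by account. This is an added example, not part of the ADMT documentation: it matches only the success entry quoted above, the filler lines and account names in the sample are constructed, and the tolerance for spaces around the dash after the timestamp is an assumption.

```python
import re
from datetime import datetime

# Success entry as quoted in the item above:
#   1999-10-06 18:28:50-SID for <name> added to the SID History of <name>
SID_HISTORY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*-\s*"
    r"SID for (?P<source>.+?) added to the SID History of (?P<target>.+?)\s*$"
)

# Constructed sample log. Only the "added to the SID History" lines follow
# the format shown on the page; the other lines are invented filler.
SAMPLE_LOG = """\
1999-10-06 18:28:49-Constructed filler line: account migration started
1999-10-06 18:28:50-SID for User1 added to the SID History of User1
1999-10-06 18:28:51-Constructed filler line: a problem was reported for User2
1999-10-06 18:28:53-SID for User3 added to the SID History of User3
1999-10-06 18:28:55-SID for User9 added to the SID History of User9
"""


def sid_history_entries(log_text):
    """Map lower-cased target account -> (target, source, timestamp)."""
    entries = {}
    for line in log_text.splitlines():
        match = SID_HISTORY_RE.match(line.strip())
        if not match:
            continue
        stamp = datetime.strptime(match.group("ts"), "%Y-%m-%d %H:%M:%S")
        target = match.group("target")
        entries[target.lower()] = (target, match.group("source"), stamp)
    return entries


def audit(log_text, expected_targets):
    """Compare the migration plan with what the log says was written.

    confirmed  - planned accounts that have a SID History entry
    missing    - planned accounts with no entry (review the configuration)
    unexpected - accounts that received SID History but were not in the plan
    """
    entries = sid_history_entries(log_text)
    planned = {name.lower() for name in expected_targets}
    return {
        "confirmed": [t for t in expected_targets if t.lower() in entries],
        "missing": [t for t in expected_targets if t.lower() not in entries],
        "unexpected": [v[0] for k, v in entries.items() if k not in planned],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, ["User1", "User2", "User3"])
    for status, names in report.items():
        print(f"{status}: {', '.join(names) or '-'}")
```

The `unexpected` list is worth reviewing after every run, because a SID History value carries the source account's access to resources.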

<TR><TD><P><A ID="expand" HREF="#" CLASS="expandToggle">I am receiving the following error: "The Recycle Bin on C:\ is corrupt or invalid. Do you want to empty the Recycle Bin for this drive?"</A></P>
<DIV CLASS="expand">

<P><B>Cause:</B> This is by design. For security reasons, each user who logs on to a Windows 2000 computer receives their own, user-specific Recycle Bin. The access control list (ACL) for each instance of the Recycle Bin can contain only one user-specific SID. When a user's profile is migrated in Add mode, the SID of the source domain user is added to the SID History of the Recycle Bin. This essentially places two user-specific SIDs in the Recycle Bin's ACL. This problem does not occur if profiles are migrated in Replace mode.</P>

<P><B>Solution:</B> Click <B>Yes</B> to the error message, and the Recycle Bin will be emptied without a problem. If you click <B>No</B>, the error will continue to appear until the Recycle Bin is emptied.</P>
</DIV></TD></TR>

<TR><TD><P><A ID="expand" HREF="#" CLASS="expandToggle">Users in Windows NT domains and Windows 2000 domains that are not trusted cannot access Distributed file system (Dfs) shares in Windows 2000 domains.</A></P>
<DIV CLASS="expand">

<P><B>Cause:</B> This is by design.</P>

<P><B>Solution:</B> If you plan to use Dfs shares in your domain, you should migrate the computers first or migrate the computers and users in the same migration session.</P>
</DIV></TD></TR>

<TR><TD><P><A ID="expand" HREF="#" CLASS="expandToggle">SID History does not work for migrated Exchange service accounts.</A></P>
<DIV CLASS="expand">

<P><B>Cause:</B> Active Directory Migration Tool correctly migrates the Exchange service accounts, but there is a special manual process for updating Exchange service accounts that must be completed while running Exchange. Failure to follow this process could result in system failure or data loss on the Exchange system.</P>

<P><B>Solution:</B> Review walkthrough material, scenarios, and other information about performing a domain migration on the Microsoft Domain Migration and Restructuring tools Web page at the <A ID="extUrl" HREF="http://www.microsoft.com/isapi/redir.dll?prd=Domain Migration and Restructuring tools" TITLE="http://www.microsoft.com/" TARGET="_new">Microsoft Web site</A>.<SPAN CLASS="printOnly"> (http://www.microsoft.com/)</SPAN> You can also contact Microsoft Product Support Services for details on how to change the service account used by Exchange services in a site.</P>

<P><B>See also:</B> <A HREF="admtresources.htm">Resources</A></P>
</DIV></TD></TR>
</TABLE>

</BODY>
</HTML>