The account used by the PES does NOT have to have administrative credentials in the target domain! It can be a simple domain user from the source domain. The difference from the previous PES version is that now you don't need to have "Everyone" added to your "Pre-Windows 2000 compatible access" group, since that version of the PES was always executed in the Local System security context on the source DC. Now that you're using a service account it will be an "Authenticated User" even in the target domain via the trust. Naturally, you need to have an account with administrative rights on the source domain to install the PES service on a DC.

The account performing the migration via ADMT must only have administrative creds on the source domain's OU and on the target domain's OU where you create the accounts (so he doesn't need to be a domain admin) - if you want to use sidHistory along with this, then grant the account (obviously via a group) the permission to "Migrate-SID-History" at the domain level.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lloyd Williams
Sent: Friday, 16 December 2005 16:50
To: [email protected]
Subject: RE: [ActiveDir] Interforest Password Migration

Thanks for the reply. Yes, this is the document that I am using as my guide to do this.

The only part I am not sure about is the part that says the "users must have administrator rights in both domains."

As far as I can see it is not possible to add the Domain Admin from one domain to the Domain Administrators group in the other domain.

If you go into Active Directory Users and Computers to add accounts to Domain Admins, the only location you are given is that domain.

So I am assuming that the necessary rights come from creating the trust relationship. When I created this I used the Domain wide authentication option.

Can I assume that this gives Domain Admins in Domain1 appropriate rights to Domain 2?

Thanks
Lloyd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, December 16, 2005 4:40 AM
To: [email protected]
Subject: RE: [ActiveDir] Interforest Password Migration

Is everything configured as mentioned in http://support.microsoft.com/kb/326480?

Cheers,
Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lloyd Williams
Sent: Friday, December 16, 2005 01:58
To: [email protected]
Subject: [ActiveDir] Interforest Password Migration

I am using ADMT v3.0 to migrate users from one 2000/2003 forest to another 2003 forest. I have no trouble migrating users; however, I cannot migrate passwords. I have the password migration service installed on the PDC of the source domain. I have generated a key in the target domain, then used it in the source domain during the installation of the Password Migration Service. When I use ADMT to migrate the password I get "unable to establish a session with the password export server. Access is denied"

I have the password export service on the source machine running as the administrator on the target machine.

The trusts seem to verify OK, anyone have any idea?

Thanks
Lloyd
