NetIQ Domain Migration Administrator
Version 8.0 Service Pack 1
Date Published: May 2012
This service pack for the NetIQ Domain Migration Administrator product improves usability and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the NetIQ Migration Suite forum on Qmunity, our community Web site that also includes product notifications, blogs, and product user groups.
This document outlines why you should install this service pack, provides information about installing the service pack, and identifies known issues.
For more information about this release and for the latest Release Notes, see the Domain Migration Administrator Documentation web site.
Why Install This Service Pack?
Domain Migration Administrator allows you to quickly migrate Microsoft Windows domains. Domain Migration Administrator enables you to copy user accounts, groups, and computer accounts to another domain. Using this product, you can then resolve the related file, folder, share, printer, and DCOM security permissions for the copied user accounts, groups, and computer accounts. Domain Migration Administrator provides the features you need to create a more secure, productive, and manageable environment. The following sections outline the key features and functions provided by this version, as well as issues resolved in this release.
Includes a Separate Agent Installer
This service pack includes a separate installer for installing the Domain Migration Administrator agent permanently on remote computers. When agents are needed to perform migration tasks, Domain Migration Administrator now detects agents that have already been installed and does not attempt to deploy them. For more information about using the separate agent installer, see the User Guide for Domain Migration Administrator.
Includes Previous Hotfixes
This service pack includes the fixes and enhancements in Hotfixes 72561, 72745, and 72951. For more information, see Previous Releases.
Adds Support for Intraforest Migrations with Windows 2008 R2 Source
This service pack adds support for intraforest migrations from Windows 2008 R2 source domains.
Domain Migration Administrator Agent Shut Down Unexpectedly when Processing DCOM Permissions
This service pack resolves an issue where the Domain Migration Administrator agent shut down unexpectedly when processing DCOM permissions. (ENG304513)
Domain Migration Administrator Shut Down Unexpectedly when Translating Security
This service pack resolves an issue where Domain Migration Administrator shut down unexpectedly when translating security on a Windows 2008 R2 file server. (ENG313894)
Domain Migration Administrator Shut Down Unexpectedly when Trying to Process an Invalid Target Path
This service pack resolves an issue where Domain Migration Administrator shut down unexpectedly instead of reporting an error when attempting to process an invalid target path. (ENG301747)
Server Consolidator Shut Down Unexpectedly when Trying to Select Printers
This service pack resolves an issue where Server Consolidator shut down unexpectedly when trying to select printers for migration. (ENG308121)
Slow Console Performance
This service pack resolves performance issues with the Domain Migration Administrator console. (ENG302342, ENG302383)
Unable to Configure Project for SidHistory Migration
This service pack resolves an issue where Domain Migration Administrator displayed errors during configuration of a project to migrate SidHistory for a Windows 2000 source domain. (ENG313477)
Unable to Translate Security for Local Profiles on Windows 7 Workstations
This service pack resolves an issue where Domain Migration Administrator was unable to translate security for local profiles on Windows 7 workstations with a Spanish version of the Windows operating system, displaying the following error: E20940: Failed to lookup the encrypted settings for profile (C:\Users\doej). (ENG313979)
Duplicate Accounts with Same CN Migrated to Same Container in Target Domain
This service pack resolves an issue where Domain Migration Administrator migrated two accounts with the same Common Name (CN) into the same target container. As a result, the domain controller in the target domain to which the changes were written was unable to replicate to other domain controllers. (ENG304357)
Clicking the STOP Button During a Migration Caused Migration Issues
This service pack resolves an issue where clicking the STOP button partway through a migration resulted in migrated groups not being moved into the correct OUs per the modeling table. Instead, Domain Migration Administrator put them in the container specified in the Migration Options wizard. In addition, the statistics for the project did not indicate that these groups were migrated, even though they were migrated to the target domain. (ENG304345)
Setting Target Server Override to Nonexistent Domain Controller Resulted in Copy Instead of Move
This service pack resolves an issue that occurred in intraforest migration scenarios, where setting the Target Server Override option to a nonexistent target domain controller resulted in users being copied instead of moved to the target server. After you install this service pack, if you specify an override domain controller that cannot be contacted for any reason, Domain Migration Administrator logs an error and does not perform the migration. (ENG303911)
Forward Slash or Comma in CN of User Account Caused Migration Issue
This service pack resolves an intraforest migration issue where user accounts that had a forward slash (/) or comma (,) in the Common Name (CN) resulted in Domain Migration Administrator not moving the accounts to the correct target OU. (ENG303723)
Different Domain Controller Used for Group Membership Queries Caused Migration to Fail
This service pack resolves an intraforest migration issue where Domain Migration Administrator attempted to use a different domain controller for group membership queries. Since the domain controller that Domain Migration Administrator tried to use was unavailable from the Domain Migration Administrator console, the migration failed with the error “RPC server unavailable.” (ENG303173)
Account Permissions Assigned in AD Users and Computers Not Synchronized
This service pack resolves an issue where AD account permissions assigned in Active Directory Users and Computers were not synchronized if user accounts were migrated and then synchronized using the Synchronize Migrated Objects option. (ENG302941)
Unable to Create PES Encryption Key after Installing Hotfix 72951
This service pack resolves an issue where users were unable to create a PES encryption key using the Create Password Export Server Encryption Key wizard after installing Domain Migration Administrator Hotfix 72951. (ENG308531)
Installing This Service Pack
Complete the following steps to install this service pack.
To install this service pack:
Upgrading from Previous Versions
If you are currently running Domain Migration Administrator 8.0 in your environment, you can upgrade your current installation by performing the steps provided in the section Installing This Service Pack. However, if you are currently using an earlier version of Domain Migration Administrator in your environment, you must uninstall the previous version before you upgrade. If you have defined a migration project in an existing Domain Migration Administrator installation and started performing the migration defined by that project, ensure you complete the migration before you uninstall Domain Migration Administrator. Once you have uninstalled the previous version, you can install this service pack without first installing Domain Migration Administrator 8.0.
For more information, see the User Guide.
Verifying the Service Pack Installation
Complete the following steps to verify that the service pack installation was successful.
To check the installed service pack version:
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Exporting a Project with the Same File Name as an Existing Exported File Overwrites the File
A known issue exists where Domain Migration Administrator does not display a warning if you export a project file with the same name as an exported project file that already exists in the default SQL Server backup folder. The existing file is overwritten in this case, so ensure you always perform a backup before you export a project file. Consider using naming conventions to avoid using the same names for similar projects. (ENG289438)
Uninstaller Does Not Remove the Domain Migration Administrator Databases
A known issue exists where uninstalling Domain Migration Administrator does not uninstall the Protar and project databases in Microsoft SQL Server. To work around this issue, manually remove the databases from the SQL Server computer. For more information about database removal, see the Microsoft SQL Server documentation. (ENG288059)
Password Migration Support for 64-bit Source Domain Controllers
A known issue exists where Domain Migration Administrator installed on a computer running Microsoft Windows Server 2003, Windows XP, or an earlier supported operating system cannot migrate passwords from a 64-bit source domain controller. Migrating passwords from a native-mode domain to a domain in a different forest requires the use of the Password Export Server (PES) installed on a domain controller in the source domain. Domain Migration Administrator interfaces with the PES to migrate passwords between domains. However, Password Export Server (PES) 2.0, which is the appropriate version for Microsoft Windows Server 2003, Windows XP, and earlier supported operating systems, does not support 64-bit systems. If you want to migrate passwords from a 64-bit source domain controller, upgrade your Domain Migration Administrator console computer to a later operating system that is supported by PES 3.1. Domain Migration Administrator 8.0 provides installers for both PES 2.0 and PES 3.1. PES 3.1 is also available for download from the Microsoft Web site. For more information about installing PES and related tasks, see the User Guide. (ENG285847)
Registry Errors During Migration of Windows Server 2008 R2 and Windows 7 Computers
A known issue exists where migrating Microsoft Windows Server 2008 R2 and Windows 7 computers results in some registry key translation errors, and Domain Migration Administrator reports the migration as "Completed with errors." This is a known issue in Microsoft's Active Directory Migration Tool (ADMT) 3.1. For more information about this issue and workarounds, see Microsoft Knowledge Base article 976659. (DOC288066)
Migrated Computers Are Disjoined from the Domain when Migrated with the Replace Option
A known issue exists where migrating computers simultaneously from more than one Domain Migration Administrator console, with the Replace and update conflicting accounts option selected, results in the migrated computers being disjoined from their domain. To work around this issue, manually rejoin the disjoined computers to the domain. (DOC287376)
Members of Migrated Domain Local Groups May Be Denied Resource Access
A known issue exists where members of migrated Domain Local Groups may be denied access to resources after migration and security translation of the Domain Local Groups. This issue is caused by an inherent limitation of Domain Local Groups, which are designed to grant permissions to resources within a single domain. For more information, see the Microsoft Windows documentation. (DOC255899)
Entering an Invalid Parameter Causes SCCLI Failure
A known issue exists where entering the SCCLI RUNTASK command using an invalid parameter in the Server Consolidator command-line interface (SCCLI) causes the SCCLI to fail. To work around this issue, re-enter the command using valid parameters. For more information about valid SCCLI parameters, type /? in the SCCLI to view the Help. (ENG285688)
Full Path of the SQL Server Computer Is Not Displayed
A known issue exists where Domain Migration Administrator does not correctly display the full path of the SQL Server computer in the confirmation message after you export a project to the SQL Server computer. For example, instead of a path such as C:\Program Files\Microsoft SQL Server\Backup\DMAExport.bak, the message displays <SQL Instance Directory>\Backup\DMAExport.bak. This is only a display issue. Domain Migration Administrator exports the project to the correct SQL Server computer you specified. (ENG289440)
Additions to Documentation
Requirement for Migrating Printers Using Server Consolidator
To successfully migrate printers using Server Consolidator, the Allow Print Spooler to accept client connections group policy must be enabled on the target computer. This setting can be edited through Local Computer Policy or applied through Domain Group Policy.
This service pack also includes enhancements added in Hotfix 72561, Hotfix 72745, and Hotfix 72951.
This hotfix resolves an issue where performing an intraforest migration from a child domain to a parent domain using Domain Migration Administrator resulted in the loss of group membership for the migrated users. (ENG284254, ENG294476)
This hotfix resolves an issue where Domain Migration Administrator was unable to translate security for computers running the German version of the Windows operating system. Since local profiles are not stored in the same folder on English and German versions of Windows, Domain Migration Administrator could not find the local profile and generated an error indicating that the roaming profile could not be migrated. (ENG301344)
This hotfix resolves the following issues:
Domain Migration Administrator Console Shut Down Unexpectedly
This hotfix resolves issues with the MCSNetObjectEnum.dll file that caused the Domain Migration Administrator console to shut down unexpectedly when migrating one or more specific user accounts. (ENG305149, ENG305139)
Domain Migration Administrator Agent Shut Down During DCOM Processing
This hotfix resolves an issue with the MCSDCTWorkerObjects.dll file where the Domain Migration Administrator Agent service stopped unexpectedly during DCOM processing if it was unable to resolve any permission for a DCOM element. The Domain Migration Administrator agent now validates security descriptors and skips any DCOM permission settings it is unable to resolve, adding an entry to the Windows Event Log. (ENG304513)
MSExchangeMailboxGuid Did Not Migrate with the User Account
This hotfix resolves an issue caused by the McsADsClassProp.dll file where Domain Migration Administrator did not migrate the MSExchangeMailboxGuid AD property with the migrated user account, even if the corresponding entry row for MSExchMailboxGuid was deleted from the ExcludedW2KProps table of the project database. (ENG304981)
Pre-Migration Check Report for Workstations Failed to Complete
This hotfix resolves an issue with the Pre-Migration Check Report for Workstations. When this report was run for a project with a large number (200+) of unmigrated computers, the report failed to complete and the Domain Migration Administrator console became unresponsive. (ENG304287)
User or Group Permissions Did Not Migrate with the Object
This hotfix resolves an intraforest migration issue where permissions assigned directly to a group or user account on the Security tab were lost when Domain Migration Administrator migrated that group or user account. Domain Migration Administrator did not correctly update the reference for the migrated object, so the assigned permissions were still pointing to the source object, which no longer existed. (ENG305791)
Check Box Selection Not Retained During Migration
This hotfix resolves a group migration issue where the Manager can update membership list check box option that was selected on the source was no longer selected on the target after the corresponding group was migrated. Domain Migration Administrator now saves the NTSecurityDescriptor for a group before moving that group. (ENG305792)
Groups Not Migrated Correctly
This hotfix resolves an issue where Domain Migration Administrator was not properly migrating groups. In some cases, groups were not migrated at all, and the event log contained an entry similar to the following: “hr=80072030 There is no such object on the server.” In other cases, groups were migrated but the modeling table information was not processed, the group was not moved to the correct target OU or to the migrated objects table in Domain Migration Administrator, and statistics for the project were not updated. (ENG307229)
Running Report Caused MMC Failure
This hotfix resolves an issue where running the "Computers Failed to Migrate" report caused a Microsoft Management Console (MMC) failure, so the Domain Migration Administrator console shut down unexpectedly. (ENG306859)
Group Memberships Not Retained
This hotfix resolves an issue where group memberships were not retained for migrated user accounts. (ENG294476)
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information Web site.
For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups.
© 2012 NetIQ Corporation and its affiliates. All Rights Reserved.