How can I copy/migrate passwords from a Windows 2000 mixed-mode domain to a Windows 2000 or Window (NETIQKB49890)

  • 7749890
  • 02-Feb-2007
  • 13-Feb-2008

Resolution

goal

How can I copy/migrate passwords from a Windows 2000 "mixed-mode" domain to a Windows 2000 or Windows 2003 domain?



fact
Domain Migration Administrator 7.2

symptom
I cannot copy/migrate passwords from my Windows 2000/2003 mixed-mode domain to my Windows 2000 or Windows 2003 domain.

cause

To migrate passwords from a Windows 2000 or later source domain, DMA requires a source Windows 2000 domain to run in native mode. If you are migrating from a Windows 2000 mixed mode domain, the domain must include at least one Windows NT 4.0 BDC.



fix

DMA will migrate passwords from a Windows 2000 mixed-mode domain unless one of the following conditions exists:

  • There are no Windows NT 4.0 BDCs in the source domain.
  • Although all source domain DCs are running Windows 2000, the domain function level cannot be raised to native mode.

If either of these conditions is true, you must install the Microsoft Password Export Service (PES) utility and use scripting to migrate passwords.

To use the PES utility and scripts to migrate passwords:

1. Run the following VBScript on the DMA console computer to create the PES key that can be used during the PES install:

 ' Generate a PES encryption key file for the source domain using the
 ' Microsoft password migration COM object shipped with the PES.
 Dim oPasswordMigration, sOutputFile, sMixedDomainNetBIOS
 sMixedDomainNetBIOS = "NetBIOS name of source domain"   ' replace with the source domain name
 sOutputFile = "file path and name"                      ' replace with the key file to create
 Set oPasswordMigration = WScript.CreateObject("MsPwdMig.PasswordMigration")
 ' Third argument is the key password; an empty string creates a key with no password.
 oPasswordMigration.GenerateKey sMixedDomainNetBIOS, sOutputFile, ""

Note: This VBScript creates a PES key with no password for the specified source domain. Replace the NetBIOS name of the source domain and choose any file path and name for the key file.

2. Install a Password Export Server on the source domain:

For Domain Migration Administrator to copy passwords from the source domain, install a PES on a domain controller in the source domain.
    Installing a PES:
    1. Log on to a domain controller in the source domain with an administrator account.
    2. Install the Microsoft 128-bit high encryption pack on the domain controller.
    3. Copy the following files from the Domain Migration Administrator computer (by default, these files are located in the Program Files\NetIQ\PES folder):
       a. pwdmig.exe
       b. pwdmig.ini
       c. pwdmig.msi
    4. Run the pwdmig.msi program. During this process, be prepared to supply the PES encryption key file you created for the source domain and the Domain Migration Administrator computer.
    5. Follow the instructions until you have finished installing the PES.
    6. Set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AllowPasswordExport registry value to 1. Setting this value to 1 enables the PES to accept password migration requests. To disable the PES, set this registry value to 0.

3. Configure permissions and group policy:

Using a PES to copy passwords when migrating from a Windows 2000 or later native-mode domain to a Windows 2000 or later domain in a different forest requires certain permissions and group policy settings on the target domain.
 Configure the following permissions and group policy settings on the target domain:
      1. Allow the Anonymous access group policy on the target domain controllers.
           1. On a Windows 2000 target domain, set the "Additional restrictions for anonymous connections" group policy to None or undefined.
           2. On a Windows 2003 target domain, set all of the Security Options group policies that restrict anonymous access to allow access. For example, set "Network access: Do not allow anonymous enumeration of SAM accounts" and "Network access: Restrict anonymous access to Named Pipes and Shares" to allow access.
      2. Grant the Pre-Windows 2000 Compatible Access group Read permissions to the CN=Server,CN=System,DC=targetdom,DC=tld object, where DC=targetdom,DC=tld is the distinguishedName of the target domain.
      3. Make the Everyone group a member of the Pre-Windows 2000 Compatible Access group. The Active Directory Users and Computers application blocks this action. To add the Everyone group to the Pre-Windows 2000 Compatible Access group, run the following command:   NET LOCALGROUP "PRE-WINDOWS 2000 COMPATIBLE ACCESS" EVERYONE /ADD
      4. On a Windows 2003 target domain, make the ANONYMOUS LOGON user account a member of the Pre-Windows 2000 Compatible Access group.

4. In the "Specify Migration Options" wizard, on the 'Scripting' page, select "I want to specify scripts" and choose 'VBScripts'. Next select 'User Pre' as the script type and paste the following into the dialog box, making sure that Sub PreProcess begins the script and End Sub ends the script, as follows:

Sub PreProcess
    ' Copy source passwords through the PES instead of generating new ones
    settings.put "AccountOptions.CopyPasswords", "Yes"
    settings.put "AccountOptions.GenerateStrongPasswords", "No"
    settings.put "Options.UseMSPwdCode", "Yes"
    ' Replace %PESServer% with the name of the PES computer in the source domain
    settings.put "Options.PasswordComputerName", "%PESServer%"
End Sub

Note: This VBScript is a user pre-migration script that changes the migration from generating strong passwords for each user to copying source account passwords using a PES. It can be used when you want to use PES password migration for mixed-mode source domains. You must replace "%PESServer%" with the actual name of the PES in the source domain (for example, "myPESComp").

5. In the "Specify Migration Options" wizard, on the 'Password Options' page, select the 'Complex Passwords' radio button. Complete the wizard.

6. Migrate user accounts.
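The settings made in steps 2 and 3 above (the AllowPasswordExport switch on the source domain controller and the Everyone / ANONYMOUS LOGON memberships in Pre-Windows 2000 Compatible Access on the target) are only needed while passwords are being copied. The following VBScript is an added post-migration check, not part of this article or of DMA; it assumes the caller is a domain administrator, that WMI and the remote registry are reachable on the source DC, and that the target DC exposes its groups through the ADSI WinNT provider.

```vbscript
Option Explicit
' Added audit script (not from the NetIQ article): reports whether the PES is
' still accepting requests and whether the broad memberships from step 3 remain.
Const HKLM = &H80000002
Const LSA_KEY = "SYSTEM\CurrentControlSet\Control\Lsa"

' Read AllowPasswordExport on a source DC through the WMI StdRegProv class.
' Returns 1 (PES enabled), 0 (disabled) or -1 when the value does not exist.
Function PesState(sSourceDC)
    Dim oReg, dwValue
    Set oReg = GetObject("winmgmts:\\" & sSourceDC & "\root\default:StdRegProv")
    If oReg.GetDWORDValue(HKLM, LSA_KEY, "AllowPasswordExport", dwValue) = 0 Then
        PesState = dwValue
    Else
        PesState = -1
    End If
End Function

' Enumerate Pre-Windows 2000 Compatible Access on the target DC and return a
' semicolon-separated list of the principals the migration procedure added.
Function BroadMembers(sTargetDC)
    Dim oGroup, oMember, sFound
    Set oGroup = GetObject("WinNT://" & sTargetDC & _
        "/Pre-Windows 2000 Compatible Access,group")
    sFound = ""
    For Each oMember In oGroup.Members
        Select Case UCase(oMember.Name)
            Case "EVERYONE", "ANONYMOUS LOGON"
                sFound = sFound & oMember.Name & ";"
        End Select
    Next
    BroadMembers = sFound
End Function

Dim sSourceDC, sTargetDC, iPes, sBroad
If WScript.Arguments.Count <> 2 Then
    WScript.Echo "Usage: cscript pesaudit.vbs <sourceDC> <targetDC>"
    WScript.Quit 1
End If
sSourceDC = WScript.Arguments(0): sTargetDC = WScript.Arguments(1)

iPes = PesState(sSourceDC)
If iPes = 1 Then WScript.Echo sSourceDC & ": PES still enabled, set AllowPasswordExport to 0"
If iPes = 0 Then WScript.Echo sSourceDC & ": PES disabled"
If iPes = -1 Then WScript.Echo sSourceDC & ": AllowPasswordExport value not present"

sBroad = BroadMembers(sTargetDC)
If sBroad <> "" Then
    WScript.Echo sTargetDC & ": still in Pre-Windows 2000 Compatible Access: " & sBroad
Else
    WScript.Echo sTargetDC & ": no Everyone/ANONYMOUS LOGON members in Pre-Windows 2000 Compatible Access"
End If
```

Run it with cscript after step 6 to confirm the PES has been switched off and the temporary group memberships have been removed from the target domain.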



note

NetIQ Technical Support cannot support or troubleshoot scripts. You should test all scripts extensively before running them in your production environment.



note

For more information about using the Password Export Server, see the following Knowledge Base article:

How do I set up the Password Export Server (PES)?

https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB44293



Additional Information

Formerly known as NETIQKB49890