Unable to migrate users from one AD to another using ADMT 3.2

Question

Hello.

So here is the case:

I have 4 DC's on Windows 2022 Standard

Domain.A

Subdomain.Domain.A

Domain.B

Subdomain.Domain.B

There is a trust relationship between Domain.A and Domain.B

I have ADMT 3.2 installed on Domain.A and on Subdomain.Domain.A , as well as i installed the Password Export Server Service (which is running as local Account)

I tried the same problem even if any firewalls are disabled.

Now I am trying to migrate a user in subdomain.domain.A to subdomain.domain.B

As a result I get the error : Target object could not be created. hr=0x80070005 Access is denied.

Does anyone have an idea why ADMT is not able to create the user on the destination DC server ?

Thanks

Answer 1

Hello Guy Goerres1,

Thank you for posting in Microsoft Community forum.

Please check if you can migrate any other AD object to target domain, such as workstations or member servers, groups etc.

Mybe it is related to permissions.

Migration accounts are user accounts in the source; they target forests with enough permissions to perform migration tasks. Accounts that are members of Domain Admins in the source and target forests will work, but you can create accounts with only the necessary permissions delegated for specific tasks such as migrating users or computers. The migration account in the target forest must be a local administrator on the member server where ADMT is installed.

Explore the Active Directory Migration Tool - Training | Microsoft Learn

You can also check if you install and configure ADMT correctly.

How to Install Active Directory Migration Tool (ADMT) 3.2 on Windows S (itprotoday.com)

Install and use ADMT 3.2 on Windows Server 2019 – DanteICT

I hope the information above is helpful.

If you have any question or concern, please feel free to let us know.

Best Regards,

Daisy Zhou

Answer 2

Hello.

I am running as administrator (domain admin) the ADMT tools.

I don't understand how you can add an administrator of a subdomain into anothers AD server in another forest..

I can only add a domain admin of a subdomain in the domain admins group.

I don't see how you can add a domain admin user from domain A into another domain..

Regards

Answer 3

Hello

Good day!

1.Before you deploy ADMT, you need to set up External or Forest trust between two forests, to setup a forest trust both domains will need to be at a 2003 Forest Functional level or higher.

2.We should install ADMT and SQL database on one member server in target domain.

You need to migrate users from subdomain.domain.A to subdomain.domain.B, so you should install ADMT and SQL database one member server in target domain (subdomain.domain.B).

3. I don't see how you can add a domain admin user from domain A into another domain.

A: Sign in domain A and add domain B admin (select location B) to Administrators group in domain A.

Sign in domain B and add domain A admin (select location A) to Administrators group in domain B.

Best Regards,
Daisy Zhou

Answer 4

Hello.

Thank you for that hint. I was able to add the administrators of the administrators group of each domain.

Now trying from the destination domain to access the "password export server service" on the source domain.

But I receive the error . I cannot see anything in any documentation to solve the problem. Even if I try to run the "password export server" as domain administrator or local System Account, there is always the same error...

So any suggestion on this one ?

Thanks a lot.