Mombu the Microsoft Forum sponsored links

Go Back   Mombu the Microsoft Forum > Microsoft > SETUP AND DEPLOYMENT (TECHNET) > ADMT Error 7585: Access Denied when migrating users with groups
User Name
Password
REGISTER NOW! Mark Forums Read

sponsored links


Reply
 
1 28th August 18:22
jt
External User
 
Posts: 1
Default ADMT Error 7585: Access Denied when migrating users with groups


Hi,

I am migrating Users & Groups from a 2000 domain to a new 2003 domain (new
forest) using ADMT v.3.
I can happily migrate users and groups seperately, but when I attempt to
update group membership of multiple groups, only the first group in the list
is updated. The process then halts with:
ERR3:7585 The account replicator is unable to continue. Access is denied.

It all works fine if I migrate the groups one at a time, but there are many
groups and this will kill me!

Here is the full log after I attempted to update memberhip of 3 groups
(GBPB, GBS7700 and Gbusiness&Commercial) - only the first in the list was
updated.


[Settings Section]
Task: Group Migration (20)
ADMT Console
User: UK-FWL\administrator
Computer: uk-fsws001.uk.fwl.local (UK-FSWS001)
Domain: uk.fwl.local (UK-FWL)
OS: Microsoft Windows Server 2003 5.2 (3790) Service Pack 1
Source Domain
Name: fwltech.com (FW-LOGISTICS)
DC: fwl-nt07.fwltech.com (FWL-NT07)
OS: Windows 2000 Server 5.0 (2195) Service Pack 4
OU:
Target Domain
Name: uk.fwl.local (UK-FWL)
DC: uk-fsws001.uk.fwl.local (UK-FSWS001)
OS: Windows Server 2003 5.2 (3790) Service Pack 1
OU: LDAP://uk.fwl.local/OU=Employees,DC=uk,DC=fwl,DC=local
Intra-Forest: No
Migrate Security Identifiers: Yes
Update Rights: Yes
Fix group membership: Yes
Conflict Option: Merge, rights = No, members = No, move objects = Yes
Migrate members: Yes
Password Option: Generate passwords, only for new objects = Yes
Password File: 'C:\WINDOWS\ADMT\Logs\passwords.txt'
Translate Roaming Profiles: No
Source Disable Option: Leave source account
Source Expiration: Do not expire source account
Target Disable Option: Set target same as source

[Object Migration Section]
2006-06-06 11:28:09 Starting Account Replicator.
2006-06-06 11:28:10 WRN1:7561 ADMT could not migrate some properties for
this object type (group) due to schema mismatches. Please refer to the
Schema Section in the migration log for a complete listing. The Schema
Section will be available once object migration is complete.
2006-06-06 11:28:10 CN=GBPB - Merged.
2006-06-06 11:28:10 SID for FW-LOGISTICS\GBPB added to the SID History of
UK-FWL\GBPB
2006-06-06 11:28:11 CN=GBS7799 - Merged.
2006-06-06 11:28:11 SID for FW-LOGISTICS\GBS7799 added to the SID History of
UK-FWL\GBS7799
2006-06-06 11:28:11 CN=GBusiness&Commercial - Merged.
2006-06-06 11:28:11 SID for FW-LOGISTICS\GBusiness&Commercial added to the
SID History of UK-FWL\GBusiness&Commercial
2006-06-06 11:28:11 Processing group membership for CN=GBPB.
2006-06-06 11:28:11 LDAP://uk-fsws001.uk.fwl.local/CN=Scott\,
Julie,OU=Staff,OU=Employees,DC=uk,DC=fwl,DC=local added.
2006-06-06 11:28:11
LDAP://uk-fsws001.uk.fwl.local/CN=replsrv,OU=Staff,OU=Employees,DC=uk,DC=fwl,DC=l ocal added.
2006-06-06 11:28:12 ERR3:7585 The account replicator is unable to continue.
Access is denied.
2006-06-06 11:28:12 Operation completed.


Thanks in advance for any help.

John
  Reply With Quote


  sponsored links


2 28th August 18:27
v-xuwen@onlinemicrosoftcom vincent xu
External User
 
Posts: 1
Default ADMT Error 7585: Access Denied when migrating users with groups


Hi,

Please check if you select built-in / well-known security principals in
conjunction with the "replace existing" being enabled in the migration
wizard first.

Also, please do following test:

1. Please create two new groups, do NOT add any users to its member lists
(ensure the group has no members) and then migrate this test groups to see
if the problem occurs.

2. Please check whether the status of the FSMO roles of the forest and
related domains. We have handled a similar issue where the root cause was
the RID FSMO owner cannot be accessed.

Thanks.

Best regards,

Vincent Xu
Microsoft Online Partner Support

================================================== ====
Get Secure! - http://www.microsoft.com/security
================================================== ====
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
================================================== ====
This posting is provided "AS IS" with no warranties,and confers no rights.
================================================== ====

--------------------

groups

microsoft.public.windows.server.migration:23968


(new

list


denied.


many


1


of

the


wl,DC=local added.

continue.
  Reply With Quote
3 28th August 18:28
jt
External User
 
Posts: 1
Default ADMT Error 7585: Access Denied when migrating users with group


Hi Vincent,

Thanks for your response. I have found the solution and, as ever, it hinged
on something basic. On our old domain we have 2 DNS servers, and 2 more on
our ne domain. The new DNW servers have conditional forwarders to the old
DNS servers, and the old DNS servers hold secondary copies of the new zones.
HOWEVER! one of the DNS servers did not have a copy of the new zone, as it
was restricted from transferring from the master in the new domain.

Seems obvious, but I only stumbled upon it when I was verifying the Trust -
it worked from one DC but not another.

It was a touch bizarre that the group migration did actually work, but only
for the first group selected - presumably more than one DC is contacted
during the process?

Thanks again.

John
  Reply With Quote
4 29th August 03:10
v-xuwen@onlinemicrosoftcom vincent xu
External User
 
Posts: 1
Default ADMT Error 7585: Access Denied when migrating users with group


Hi,

Honestly, I didn't see such scenario before. You issue gave me a lesson and
I really apprecaite it.

Have a good day.

Best regards,

Vincent Xu
Microsoft Online Partner Support

================================================== ====
Get Secure! - http://www.microsoft.com/security
================================================== ====
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
================================================== ====
This posting is provided "AS IS" with no warranties,and confers no rights.
================================================== ====

--------------------

group


<OpxJqRgiGHA.4896@TK2MSFTNGXA01.phx.gbl>

group

microsoft.public.windows.server.migration:23989


hinged

on

old

zones.

it

-

only
  Reply With Quote


  sponsored links


Reply


Thread Tools
Display Modes




Copyright 2006 SmartyDevil.com - Dies Mies Jeschet Boenedoesef Douvema Enitemaus -
666