This post will look at preparing your workstations and servers to work with ADMT and to make sure you give ADMT the correct permissions and connectivity.
Local Administrators Group
The ADMT migration account that you use to migrate workstations and member servers must have local administrator rights on the computers in the source domain. If it does not, the ADMT agent cannot be deployed, which results in errors such as:
ERR2:7006 Failed to install agent on \\xp1.source.local, rc=5 Access is denied.
ERR2:7674 Unable to determine the local path for ADMIN share on the machine 'xp1.source.local'. rc=-2147024891
We’ll look at two ways to achieve this with group policy.
Method 1. Restricted Groups
Create a Domain Local Security Group in the Source Domain, add the ADMT Service Account (ADMTUser in my case) to the group. You may decide to simply add the domain admins group from the target domain, as this includes the ADMTUser account. Also the Domain Admins group will get automatically added when the computers are migrated. The end result is the same though.
Create a new GPO and link it to the OU containing the computer objects.
Give it a name.
Dig down to Restricted Groups under the Computer Configuration.
Add the ADMT Admin Local Security group you created earlier.
Under "This group is a member of:", click Add and type Administrators.
This is how it should look in the end.
Now if you run gpupdate /force on a computer within the OU you have linked the GPO to, you should see the ADMT Admin group added.
Method 2. Net Localgroup
Another way to add the group or user to the local Administrators group is the net localgroup command. This runs in the user's context, so the users must already be local administrators on the machines for this to work.
Create a batch file with the following and deploy it to an OU containing users. It's a bit of a dirty method, but it works.
rem Generic form: add a target-domain user or group to the local Administrators group
net localgroup administrators "targetdomain\user-or-group" /add
rem Example using the ADMT Admin group
net localgroup administrators "target\ADMT Admin" /add
Windows Firewall
Firewalls, such as Windows Firewall in Windows XP Service Pack 2 (SP2) or later, can prevent the Active Directory Migration Tool (ADMT) computer account migration from completing. For any migration task that uses agent deployment where Windows Firewall is in use, Microsoft recommends enabling the File and Printer Sharing exception.
Personally I recommend disabling the firewall completely for the migration via group policy.
Create a new group policy object (as above), again linking it to the OU containing computer objects.
Dig down to the domain profile under Computer Configuration and set Windows Firewall: Protect all network connections to Disabled.
This covers the basic preparation required for an ADMT run.
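A pre-flight check, added here as an example and not part of the original post, that tests the two conditions covered above from the ADMT console before a migration is attempted: that the ADMIN$ share on each source computer is reachable (the ERR2:7674 symptom, which also appears when the firewall blocks File and Printer Sharing) and that the migration group is a member of the local Administrators group (the ERR2:7006 symptom). The computer name xp1.source.local and the group name ADMT Admin are taken from the post; the function name Test-AdmtReadiness is an assumption, and the script is assumed to run as the ADMT migration account.

```powershell
# Added example, not from the original post. Run on the ADMT console as the
# migration account so the checks use the same credentials ADMT will use.
function Test-AdmtReadiness {
    param(
        [string[]]$Computers = @('xp1.source.local'),      # source computers to check
        [string]$RequiredMember = 'ADMT Admin'             # group/user expected in local Administrators
    )

    foreach ($computer in $Computers) {
        $result = [ordered]@{
            Computer     = $computer
            AdminShare   = $false
            IsLocalAdmin = $false
            Members      = @()
        }

        # ERR2:7674 condition: ADMT pushes its agent through ADMIN$. A UNC Test-Path
        # exercises SMB connectivity (firewall) and share permissions in one call.
        $result.AdminShare = Test-Path -Path "\\$computer\ADMIN`$" -ErrorAction SilentlyContinue

        # ERR2:7006 condition: enumerate local Administrators with the ADSI WinNT
        # provider, which works against older clients (e.g. XP) without PowerShell remoting.
        try {
            $group   = [ADSI]"WinNT://$computer/Administrators,group"
            $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
                $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
            }
            $result.Members      = $members
            $result.IsLocalAdmin = ($members -contains $RequiredMember)   # case-insensitive
        } catch {
            $result.Members = @("ERROR: $($_.Exception.Message)")
        }

        [pscustomobject]$result
    }
}

# Any row with AdminShare or IsLocalAdmin set to False is a machine ADMT will fail on.
Test-AdmtReadiness -Computers 'xp1.source.local' | Format-Table -AutoSize
```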