ADMT Series – 5. Machine Preparation

This post will look at preparing your workstations and servers to work with ADMT and to make sure you give ADMT the correct permissions and connectivity.

Local Administrators Group

The ADMT Migration Account that you use to migrate workstations and member servers must have local administrator rights on the machines in the source domain. If it doesn't, the ADMT agent cannot be deployed, which results in errors such as:

ERR2:7006 Failed to install agent on \\xp1.source.local, rc=5 Access is denied.

ERR2:7674 Unable to determine the local path for ADMIN share on the machine 'xp1.source.local'. rc=-2147024891

We’ll look at two ways to achieve this with group policy.

Method 1. Restricted Groups

Create a Domain Local Security Group in the Source Domain and add the ADMT Service Account (ADMTUser in my case) to it. You may decide to simply add the Domain Admins group from the target domain, as this includes the ADMTUser account; the Domain Admins group will also be added automatically when the computers are migrated. The end result is the same either way.

Create a new GPO and link it to the OU with the computer objects in.

Give it a name.

Dig down to Restricted Groups under the Computer Configuration.

Add the ADMT Admin Local Security group you created earlier.

Under "This group is a member of:", select Add and type Administrators.

This is how it should look in the end.

Now, if you run gpupdate /force on a computer within the OU you've linked the GPO to, you should see the ADMT Admin group added to the local Administrators group.

Method 2. Net Localgroup

Another way to add the group or user to the local Administrators group is the net localgroup command. This runs under the logged-on user's context, so that user must already be a local administrator on the machine for it to work.

Create a batch file with the following and deploy it as a logon script to an OU containing users. It's a bit of a dirty method, but it works.

Format: net localgroup administrators "targetdomain\user-or-group" /add
Example: net localgroup administrators "target\ADMT Admin" /add

Windows Firewall

Firewalls, such as Windows Firewall in Windows XP Service Pack 2 (SP2) or later, can prevent the Active Directory Migration Tool (ADMT) computer account migration from completing. For any migration task that uses agent deployment on machines where Windows Firewall is in use, Microsoft recommends enabling the File and Printer Sharing exception.

Personally I recommend disabling the firewall completely for the migration via group policy.

Create a new group policy object (as above), again linking it to the OU containing computer objects.

Dig down to the Domain Profile under Computer Configuration and set "Windows Firewall: Protect all network connections" to Disabled.
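Before running ADMT, it is worth checking from the ADMT console that each source machine actually meets the three conditions above (ADMIN$ reachable, the ADMT group in local Administrators, and the domain-profile firewall either off or allowing File and Printer Sharing). The following readiness check is an added example, not part of the original post or of ADMT; it assumes PowerShell 5.1 or later and WinRM on the source machines, and the machine names and group name are placeholders.

```powershell
# Constructed example: report ADMT agent-deployment readiness for source-domain machines.
# Assumes PowerShell 5.1+ (Get-LocalGroupMember, Get-NetFirewall*) and WinRM on the targets.
param(
    [string[]]$ComputerName = @('xp1.source.local'),   # placeholder machine list
    [string]$AdmtGroup = 'TARGET\ADMT Admin'            # placeholder group from Method 1
)

foreach ($computer in $ComputerName) {
    $result = [ordered]@{ Computer = $computer }

    # 1. ADMT copies the agent via the ADMIN$ share; rc=5 / ERR2:7674 appear when this fails.
    $result.AdminShare = Test-Path -Path "\\$computer\ADMIN$"

    try {
        $remote = Invoke-Command -ComputerName $computer -ErrorAction Stop -ArgumentList $AdmtGroup -ScriptBlock {
            param($group)
            # 2. Is the ADMT group (or account) a member of the local Administrators group?
            $members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
            $isAdmin = $members -contains $group

            # 3. Domain-profile firewall state and the inbound File and Printer Sharing exception.
            $fwProfile = Get-NetFirewallProfile -Name Domain
            $fps = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
                   Where-Object { $_.Profile -match 'Domain|Any' -and $_.Enabled -eq 'True' }

            [pscustomobject]@{
                AdmtIsLocalAdmin      = $isAdmin
                DomainFirewallEnabled = ($fwProfile.Enabled -eq 'True')
                FpsExceptionEnabled   = (@($fps).Count -gt 0)
            }
        }

        $result.AdmtIsLocalAdmin      = $remote.AdmtIsLocalAdmin
        $result.DomainFirewallEnabled = $remote.DomainFirewallEnabled
        $result.FpsExceptionEnabled   = $remote.FpsExceptionEnabled
        # Ready when the agent can be installed and the firewall is off or permits File and Printer Sharing.
        $result.Ready = $result.AdminShare -and $remote.AdmtIsLocalAdmin -and
                        (-not $remote.DomainFirewallEnabled -or $remote.FpsExceptionEnabled)
    }
    catch {
        $result.Error = $_.Exception.Message
        $result.Ready = $false
    }

    [pscustomobject]$result
}
```

Run it as the ADMT migration account so that the ADMIN$ test reflects the rights ADMT will actually have.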

This covers the basic preparation required for an ADMT run.
