I am doing some testing with the Active Directory Migration Toolkit Version 3.2 on a Windows Server 2008 R2.
I am sure I met all the prerequisites in the source domain, target domain and on the ADMT machine. Basically I can migrate Users, Groups and Computers also with the SID history. What's causing some headaches is:
a) A Database / exclusion list related error message in the ADMT Logs, although the migration itself always finishes with "success".
b) The exclusion of a huge amount of AD attributes by default.
About a)
On every migration, the first line I get in the Log is this one:
Unable to store default excluded system properties in database. Unspecified error (0x80004005)
I had a look at the ADMT database's TaskProperties table and the Exclusion columns are all empty (for example, AccountOptions.ExcludedSystemProps is NULL).
Also when using VBScript to query the exclusions, they are all empty:
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

UserPropertiesToExclude:
InetOrgPersonPropertiesToExclude :
GroupPropertiesToExclude :
ComputerPropertiesToExclude :
SystemPropertiesToExclude:
The User which is running the ADMT is a local Admin and the BUILTIN\Administrators are sysadmin on the SQL Server. So I doubt this is a permission problem. The ADMT Whitepaper states that 2 properties are excluded by default (mail and proxyAddresses), but not even they are included in the Exclusion list. Somehow ADMT has problems saving that information in the Database, which I think is causing my problem b).
About b)
Looking at a Log after the migration of a User account, I can see that a huge amount of AD attributes are excluded. Many of them are needed and I want to include them. Since there's no inclusion list in ADMT I cannot add them by hand and I think problem b) is connected to problem a). Many of these excluded attributes exist in the target Domain, since it also has for example an Exchange Server up and running. I assume since the ADMT cannot save to the Exclusion list in the SQL table, it just leaves out all AD attributes which are not required to create an Account in the target Domain. Apart from the SIDHistory, which gets migrated fine, it looks to me that the new Accounts in the target Domain have just the bare minimum AD attributes filled which are required to create a User at all.
Here's an excerpt from a "successfully" migrated User log file:
mail,proxyAddresses,msDS-PSOApplied,msDS-HostServiceAccount, DUP-houseIdentifier-8dbbf431-f20e-426d-9fe1-5f8e0b46d7ca, DUP-labeledURI-45078ae9-7c90-4274-9014-7c638a9de597,altRecipient,altRecipientBL, attributeCertificate,attributeCertificateAttribute,audio,authOrig,authOrigBL, autoReply,autoReplyMessage,businessRoles,carLicense,dLMemDefault, dLMemRejectPerms,dLMemRejectPermsBL,dLMemSubmitPerms,dLMemSubmitPermsBL, dLMemberRule,deletedItemFlags,delivContLength,delivExtContTypes, deliverAndRedirect,deliveryMechanism,departmentNumber,dnQualifier,employeeNumber, employeeType,enabledProtocols,expirationTime,extensionAttribute1, extensionAttribute10,extensionAttribute11,extensionAttribute12, extensionAttribute13,extensionAttribute14,extensionAttribute15, extensionAttribute2,extensionAttribute3,extensionAttribute4,extensionAttribute5, extensionAttribute6,extensionAttribute7,extensionAttribute8,extensionAttribute9, extensionData,folderPathname,formData,forwardingAddress,gecos,gidNumber, heuristics,hideDLMembership,homeMDB,homeMTA,homePostalAddress,importedFrom, internetEncoding,ipHostNumber,jpegPhoto,kMServer,language,languageCode, logRolloverInterval,loginShell,mAPIRecipient,mDBOverHardQuotaLimit, mDBOverQuotaLimit,mDBStorageQuota,mDBUseDefaults,mailNickname,memberUid, monitoredConfigurations,monitoredServices,monitoringAvailabilityStyle, monitoringAvailabilityWindow,monitoringCachedViaMail,monitoringCachedViaRPC, monitoringMailUpdateInterval,monitoringMailUpdateUnits, monitoringRPCUpdateInterval,monitoringRPCUpdateUnits,msDFSR-ComputerReferenceBL, msDFSR-MemberReferenceBL,msDS-ObjectReferenceBL,msDS-PhoneticCompanyName, msDS-PhoneticDepartment,msDS-PhoneticDisplayName,msDS-PhoneticFirstName, msDS-PhoneticLastName,msDS-SourceObjectDN,msExchADCGlobalNames, msExchALObjectVersion,msExchAddressBookFlags,msExchAddressBookPolicyLink, msExchAggregationSubscriptionCredential,msExchAlternateMailboxes, msExchApprovalApplicationLink,msExchArbitrationMailbox,msExchArchiveAddress, 
msExchArchiveDatabaseBL,msExchArchiveDatabaseLink,msExchArchiveGUID, msExchArchiveName,msExchArchiveQuota,msExchArchiveStatus,msExchArchiveWarnQuota, msExchAssistantName,msExchAuditAdmin,msExchAuditDelegate, msExchAuditDelegateAdmin,msExchAuditOwner,msExchAvailabilityOrgWideAccountBL, msExchAvailabilityPerUserAccountBL,msExchBlockedSendersHash,msExchBypassAudit, msExchBypassModerationBL,msExchBypassModerationFromDLMembersBL, msExchBypassModerationFromDLMembersLink,msExchBypassModerationLink,msExchCU, msExchCalculatedTargetAddress,msExchCalendarRepairDisabled, msExchCapabilityIdentifiers,msExchCoManagedByLink,msExchCoManagedObjectsBL, msExchConferenceMailboxBL,msExchConfigurationUnitBL, msExchContentConversionSettings,msExchControllingZone,msExchCustomProxyAddresses, msExchDelegateListBL,msExchDelegateListLink,msExchDeviceAccessControlRuleBL, msExchDirsyncID,msExchDirsyncSourceObjectClass,msExchDisabledArchiveDatabaseLink, msExchDisabledArchiveGUID,msExchDumpsterQuota,msExchDumpsterWarningQuota, msExchELCExpirySuspensionEnd,msExchELCExpirySuspensionStart, msExchELCMailboxFlags,msExchEdgeSyncCookies,msExchEdgeSyncRetryCount, msExchEdgeSyncSourceGuid,msExchEnableModeration,msExchEwsApplicationAccessPolicy, msExchEwsEnabled,msExchEwsExceptions,msExchEwsWellKnownApplicationPolicies, msExchExchangeServerLink,msExchExpansionServerName,msExchExtensionAttribute16, msExchExtensionAttribute17,msExchExtensionAttribute18,msExchExtensionAttribute19, msExchExtensionAttribute20,msExchExtensionAttribute21,msExchExtensionAttribute22, msExchExtensionAttribute23,msExchExtensionAttribute24,msExchExtensionAttribute25, msExchExtensionAttribute26,msExchExtensionAttribute27,msExchExtensionAttribute28, msExchExtensionAttribute29,msExchExtensionAttribute30,msExchExtensionAttribute31, msExchExtensionAttribute32,msExchExtensionAttribute33,msExchExtensionAttribute34, msExchExtensionAttribute35,msExchExtensionAttribute36,msExchExtensionAttribute37, 
msExchExtensionAttribute38,msExchExtensionAttribute39,msExchExtensionAttribute40, msExchExtensionAttribute41,msExchExtensionAttribute42,msExchExtensionAttribute43, msExchExtensionAttribute44,msExchExtensionAttribute45, msExchExtensionCustomAttribute1,msExchExtensionCustomAttribute2, msExchExtensionCustomAttribute3,msExchExtensionCustomAttribute4, msExchExtensionCustomAttribute5,msExchExternalDirectoryObjectId, msExchExternalOOFOptions,msExchExternalSyncState,msExchFBURL, msExchForeignGroupSID,msExchGenericForwardingAddress, msExchGroupDepartRestriction,msExchGroupJoinRestriction, msExchHABRootDepartmentBL,msExchHABShowInDepartments,msExchHideFromAddressLists, msExchHomeServerName,msExchHouseIdentifier,msExchIMACL,msExchIMAP4Settings, msExchIMAPOWAURLPrefixOverride,msExchIMAddress,msExchIMMetaPhysicalURL, msExchIMPhysicalURL,msExchIMVirtualServer,msExchImmutableId, msExchInconsistentState,msExchIntendedMailboxPlanBL, msExchIntendedMailboxPlanLink,msExchInterruptUserOnAuditFailure, msExchIsMSODirsynced,msExchLabeledURI,msExchLastExchangeChangedTime, msExchLicenseToken,msExchLitigationHoldDate,msExchLitigationHoldOwner, msExchMDBRulesQuota,msExchMailboxAuditEnable,msExchMailboxAuditLastAdminAccess, msExchMailboxAuditLastDelegateAccess,msExchMailboxAuditLastExternalAccess, msExchMailboxAuditLogAgeLimit,msExchMailboxFolderSet,msExchMailboxFolderSet2, msExchMailboxGuid,msExchMailboxMoveBatchName,msExchMailboxMoveFlags, msExchMailboxMoveRemoteHostName,msExchMailboxMoveSourceArchiveMDBBL, msExchMailboxMoveSourceArchiveMDBLink,msExchMailboxMoveSourceMDBBL, msExchMailboxMoveSourceMDBLink,msExchMailboxMoveSourceUserBL, msExchMailboxMoveStatus,msExchMailboxMoveStorageMDBBL, msExchMailboxMoveTargetArchiveMDBBL,msExchMailboxMoveTargetArchiveMDBLink, msExchMailboxMoveTargetMDBBL,msExchMailboxMoveTargetMDBLink, msExchMailboxMoveTargetUserBL,msExchMailboxOABVirtualDirectoriesLink, msExchMailboxPlanType,msExchMailboxSecurityDescriptor,msExchMailboxTemplateLink, 
msExchMailboxUrl,msExchManagementSettings,msExchMasterAccountHistory, msExchMasterAccountSid,msExchMaxBlockedSenders,msExchMaxSafeSenders, msExchMessageHygieneFlags,msExchMessageHygieneSCLDeleteThreshold, msExchMessageHygieneSCLJunkThreshold,msExchMessageHygieneSCLQuarantineThreshold, msExchMessageHygieneSCLRejectThreshold,msExchMobileAllowedDeviceIDs, msExchMobileBlockedDeviceIDs,msExchMobileDebugLogging,msExchMobileMailboxFlags, msExchMobileMailboxPolicyLink,msExchMobileRemoteDocumentsAllowedServersBL, msExchMobileRemoteDocumentsBlockedServersBL, msExchMobileRemoteDocumentsInternalDomainSuffixListBL,msExchMobileSettings, msExchModeratedByLink,msExchModeratedObjectsBL,msExchModerationFlags, msExchOURoot,msExchOWAAllowedFileTypesBL,msExchOWAAllowedMimeTypesBL, msExchOWABlockedFileTypesBL,msExchOWABlockedMIMETypesBL, msExchOWAForceSaveFileTypesBL,msExchOWAForceSaveMIMETypesBL,msExchOWAPolicy, msExchOWARemoteDocumentsAllowedServersBL, msExchOWARemoteDocumentsBlockedServersBL, msExchOWARemoteDocumentsInternalDomainSuffixListBL,msExchOWASettings, msExchOWATranscodingFileTypesBL,msExchOWATranscodingMimeTypesBL, msExchObjectCountQuota,msExchObjectID,msExchOmaAdminExtendedSettings, msExchOmaAdminWirelessEnable,msExchOnPremiseObjectGuid, msExchOrganizationsAddressBookRootsBL,msExchOrganizationsGlobalAddressListsBL, msExchOrganizationsTemplateRootsBL,msExchOriginatingForest,msExchPOP3Settings, msExchParentPlanBL,msExchParentPlanLink,msExchPartnerGroupID,msExchPfRootUrl, msExchPoliciesExcluded,msExchPoliciesIncluded,msExchPolicyEnabled, msExchPolicyList,msExchPolicyOptionList,msExchPreviousAccountSid, msExchPreviousHomeMDB,msExchPreviousMailboxGuid,msExchProvisioningFlags, msExchProxyCustomProxy,msExchQueryBaseDN,msExchRBACPolicyBL,msExchRBACPolicyLink, msExchRMSComputerAccountsBL,msExchRMSComputerAccountsLink,msExchRecipLimit, msExchRecipientDisplayType,msExchRecipientTypeDetails, msExchRecipientValidatorCookies,msExchRemoteRecipientType, 
msExchRequireAuthToSendTo,msExchResourceCapacity,msExchResourceDisplay, msExchResourceGUID,msExchResourceMetaData,msExchResourceProperties, msExchResourceSearchProperties,msExchRetentionComment,msExchRetentionURL, msExchSMTPReceiveDefaultAcceptedDomainBL,msExchSafeRecipientsHash, msExchSafeSendersHash,msExchSendAsAddresses,msExchSenderHintTranslations, msExchServerAdminDelegationBL,msExchServerAssociationBL, msExchServerAssociationLink,msExchServerSiteBL,msExchSetupStatus, msExchShadowAssistantName,msExchShadowC,msExchShadowCo,msExchShadowCompany, msExchShadowCountryCode,msExchShadowDepartment,msExchShadowDisplayName, msExchShadowFacsimileTelephoneNumber,msExchShadowGivenName,msExchShadowHomePhone, msExchShadowInfo,msExchShadowInitials,msExchShadowL,msExchShadowMailNickname, msExchShadowManagerLink,msExchShadowMobile,msExchShadowOtherFacsimileTelephone, msExchShadowOtherHomePhone,msExchShadowOtherTelephone,msExchShadowPager, msExchShadowPhysicalDeliveryOfficeName,msExchShadowPostalCode, msExchShadowProxyAddresses,msExchShadowSn,msExchShadowSt, msExchShadowStreetAddress,msExchShadowTelephoneAssistant, msExchShadowTelephoneNumber,msExchShadowTitle,msExchShadowWWWHomePage, msExchShadowWindowsLiveID,msExchSharingAnonymousIdentities, msExchSharingPartnerIdentities,msExchSharingPolicyLink,msExchSignupAddresses, msExchSupervisionDLBL,msExchSupervisionDLLink,msExchSupervisionOneOffBL, msExchSupervisionOneOffLink,msExchSupervisionUserBL,msExchSupervisionUserLink, msExchSyncAccountsPolicyDN,msExchTUIPassword,msExchTUISpeed,msExchTUIVolume, msExchTextMessagingState,msExchThrottlingPolicyDN,msExchTransportInboundSettings, msExchTransportOutboundSettings,msExchTransportRecipientSettingsFlags, msExchUCVoiceMailSettings,msExchUMAddresses,msExchUMAudioCodec, msExchUMAudioCodec2,msExchUMCallingLineIDs,msExchUMDtmfMap,msExchUMEnabledFlags, msExchUMEnabledFlags2,msExchUMFaxId,msExchUMListInDirectorySearch, msExchUMMailboxOVALanguage,msExchUMMaxGreetingDuration,msExchUMOperatorNumber, 
msExchUMPhoneProvider,msExchUMPinChecksum,msExchUMRecipientDialPlanLink, msExchUMServerWritableFlags,msExchUMSpokenName,msExchUMTemplateLink, msExchUnmergedAttsPt,msExchUsageLocation,msExchUseOAB,msExchUserAccountControl, msExchUserBL,msExchUserCulture,msExchVersion,msExchVoiceMailboxID, msExchWhenMailboxCreated,msExchWindowsLiveID,msOrg-GroupSubtypeName, msOrg-IsOrganizational,msOrg-Leaders,msOrg-LeadersBL,msOrg-OtherDisplayNames, msRADIUS-FramedIpv6Route,msRADIUS-SavedFramedIpv6Route,msRTCSIP-AcpInfo, msRTCSIP-ApplicationOptions,msRTCSIP-ArchivingEnabled,msRTCSIP-DeploymentLocator, msRTCSIP-FederationEnabled,msRTCSIP-GroupingID,msRTCSIP-InternetAccessEnabled, msRTCSIP-Line,msRTCSIP-LineServer,msRTCSIP-OptionFlags,msRTCSIP-OriginatorSid, msRTCSIP-OwnerUrn,msRTCSIP-PrimaryHomeServer,msRTCSIP-PrimaryUserAddress, msRTCSIP-PrivateLine,msRTCSIP-TargetHomeServer,msRTCSIP-TargetUserPolicies, msRTCSIP-TenantId,msRTCSIP-UserEnabled,msRTCSIP-UserExtension, msRTCSIP-UserLocationProfile,msRTCSIP-UserPolicies,msRTCSIP-UserPolicy, msSFU30Aliases,msSFU30Name,msSFU30NisDomain,msSFU30PosixMember, msSFU30PosixMemberOf,networkAddress,nisMapName,oOFReplyToOriginator,otherMailbox, pOPCharacterSet,pOPContentFormat,personalPager,photo,preferredLanguage, promoExpiration,protocolSettings,publicDelegates,publicDelegatesBL, registeredAddress,replicatedObjectVersion,replicationSensitivity, replicationSignature,reportToOriginator,reportToOwner,roomNumber,secretary, securityProtocol,shadowExpire,shadowFlag,shadowInactive,shadowLastChange, shadowMax,shadowMin,shadowWarning,submissionContLength,supportedAlgorithms, targetAddress,telephoneAssistant,textEncodedORAddress,trackingLogPathName,type, uid,uidNumber,unauthOrig,unauthOrigBL,unixHomeDirectory,unixUserPassword, unmergedAtts,userPKCS12,userSMIMECertificate, x500uniqueIdentifier
I triple-checked the ADMT Whitepaper for the requirements in the source Domain, target Domain and on the ADMT machine. I was not able to find any errors. Why the exclusion fields are not filled in the ADMT database is beyond my understanding. The same goes for the huge number of excluded attributes. I thought that, apart from the 2 attributes mentioned in the Whitepaper and the attributes which do not exist in the target Domain, ADMT would migrate all attributes and you have to exclude the ones you don't need. For me it seems to work the other way round.