In the manual “ADMT Guide: Migrating and Restructuring Active Directory Domains,” section “Enabling Migration of Passwords,” the following instruction is a tad vague:
Membership in Administrators, or equivalent, is the minimum required to complete this procedure.
While technically true, this instruction lacks the important caveat of exactly which account requires membership in the Administrators group, and in which domain. Below is a table I created for my own reference; following it has resulted in error-free object migrations each time.
| Target Domain | Source Domain |
|---|---|
| PC running ADMT must be joined to the target domain | Two-way trust with the target domain |
| Domain account running ADMT needs rights to write to the OU that source objects will be copied to | Run the password migration service with an account from the domain that has full control over user objects |
| Run ADMT under an account that is logged into the target domain and is a member of the source domain's “Administrators” group | Add the target-domain account to the “Administrators” group |
One tell-tale sign that the account in the target domain is not in the Administrators group in the source domain is this error in the log file located at c:\windows\admt\logs\MigrationXXXX.txt:
```text
[Object Migration Section]
2012-04-12 17:12:41 Starting Account Replicator.
2012-04-12 17:12:48 ERR3:7585 The account replicator is unable to continue. Access is denied.
2012-04-12 17:12:48 Operation completed.
```
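As an added example (not part of the original post or of ADMT itself), here is a pre-flight script that checks the prerequisites from the table and scans a previous log for the ERR3:7585 signature; it assumes the RSAT ActiveDirectory module is installed and is run on the ADMT machine while logged on as the target-domain account, with the domain names and log path below as placeholders.

```powershell
# Added example, not from the original post: pre-flight check for the
# ADMT prerequisites in the table above. Run on the PC that will run ADMT,
# logged on as the target-domain account. Assumes the ActiveDirectory
# module (RSAT) is installed; domain names and log path are placeholders.
param(
    [string]$SourceDomain = 'source.example.com',
    [string]$TargetDomain = 'target.example.com',
    [string]$AdmtLog      = 'C:\Windows\ADMT\Logs\Migration.txt'
)
Import-Module ActiveDirectory
$problems = @()

# 1. The PC running ADMT must be joined to the target domain.
$pcDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
if ($pcDomain -ne $TargetDomain) { $problems += "PC is joined to '$pcDomain', not '$TargetDomain'." }

# 2. ADMT must run under an account from the target domain.
$userDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
if ($userDomain -ne $TargetDomain) { $problems += "Logged-on account is from '$userDomain', not '$TargetDomain'." }

# 3. A two-way trust must exist between the target and source domains.
$trust = Get-ADTrust -Server $TargetDomain -Filter "Target -eq '$SourceDomain'"
if (-not $trust) { $problems += "No trust from '$TargetDomain' to '$SourceDomain'." }
elseif ($trust.Direction -ne 'BiDirectional') { $problems += "Trust to '$SourceDomain' is $($trust.Direction), not two-way." }

# 4. The target-domain account must be in the source domain's Administrators
#    group. Cross-domain members are stored as foreign security principals
#    whose DN carries the member's SID, so compare against our own SID.
#    (Direct membership only; nested groups are not expanded here.)
$mySid   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$members = (Get-ADGroup -Identity 'Administrators' -Server $SourceDomain -Properties member).member
if (-not ($members | Where-Object { $_ -like "CN=$mySid,*" })) {
    $problems += "Account SID $mySid is not a direct member of Administrators in '$SourceDomain'."
}

# 5. If an earlier run left a log, flag the access-denied signature from the post.
if (Test-Path $AdmtLog) {
    $hits = Select-String -Path $AdmtLog -Pattern 'ERR3:7585' -SimpleMatch
    if ($hits) { $problems += "Previous ADMT log shows ERR3:7585 (account replicator access denied) on $($hits.Count) line(s)." }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "All ADMT prerequisite checks passed."
```

A non-zero exit with one or more warnings points at the row of the table that was missed; the membership check in step 4 is the one that corresponds to the ERR3:7585 error above.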