This document describes Quest Migration Manager for Active Directory common issues and suggestions for troubleshooting the issues.

DIRECTORY MIGRATION AND SYNCHRONIZATION:

1. Users are mismatched between source and target:

This can occur if a new user is created on the source using an existing user as a template. Its matching attribute (by default extensionAttribute15), which contains information about matching, is copied from the template as well. If the directory synchronization is running, this will result in incorrect object matching. The workaround is to clean the matching attribute for the incorrectly matched user.

2. Modified properties are not synchronized:

If an object has been excluded from synchronization and then some of its properties are modified, these changes will not be synchronized by the DSA (Directory Synchronization Agent) after that object is returned to the synchronization scope. Full resynchronization is needed for these changes to be applied.

3. Dynamic objects are migrated as static:

In case of Windows 2003 as source and target: Dynamic objects are migrated as static. This is by design. This behavior can be changed by a script.

4. DSA does not function:

Check whether the account used by DSA has local administrator rights on computer where the DSA was installed.

5. "Manager can update membership list" checkbox is not migrated:

This checkbox will appear only after running the Active Directory Processing Wizard.

6. Groups are not synched; fail with error message: "_SrcuserAccountControl not found in object":

Skip msExchMailboxSecurityDescriptor attribute for groups.

7. Objects are not created on target; fail with error message "Error 0xe1000010. Attribute {175A3F38-A46C-496c-943D-9DDEAC7726CC}_objectRDN not found in object":

sAMAccountName or name attributes are skipped; if these attributes are skipped, already existing objects will be synched, but creation of new objects will fail.

8. Error "0x80070005. Cannot install AePAgent. Cannot get path to the Windows directory on the remote system. Access is denied":

Account specified for source domain does not have local Admin permissions on source DC.

9. Error "0xe100002d. Failed to bind to Target.local (dn=) as user Admin@Target.local with 4230 authentication type":

Server service is not running on target DC.

If the migration is from a child domain or to a child domain, the service account must be granted at least read on the root domain, so that a proper LDAP connection can be established.

10. Error "0xe1100012. Cannot initialize Migration Agent on host Error 0x80070005. Access is denied":

Account specified for Aelita Migration Agent service on target DC must be local system account.

11. Cannot determine CPU type - Access denied:

Account specified for source domain does not have local Admin permissions on source DC.

12. Slow performance:

- Index the Matching attribute. This attribute is specified in the Domain Pair Properties/Object Matching/Service Attributes. By default, this is extentionAttribute15 or adminDisplayName (the latter is used when extentionAttribute15 is not present in the AD schema.).
- Put the ADAM database and the DSA on different computers.
- Set only the matching rules needed. The matching rules are set in Domain Pair, just the Properties/Object Matching. By default, these include account name, e-mail, and SIDHistory. Leaving only rules needed can significantly improve DSA performance.

The DSA.log file is located in %Program Files%\Quest Software\Migration Manager\DSA\CONFIGS.


RESOURCE UPDATING AND MOVING COMPUTERS TO A TARGET DOMAIN:

Resource Updating Manager (RUM):

1. Migrated users do not have access to source resources even with SIDHistory:

Check if the SID filtering is turned on. One needs to turn off SID filtering for each source domain to be migrated. SID filtering is turned on by default.

2. Cannot move (change) computers membership from Source Domain to Target Domain:

- Check if the server or workstation is available (Online).
- Check if the Domain is available (online).
- Check if it is not already a membership on Target.
- Check for Administrative rights, not only for adding workstation, server to domain but also ADAM.

3. Target user cannot logon to the corresponding source roaming profile using SIDHistory:

In the release version of Windows XP (before Service Pack 1), and versions of Windows 2000 earlier than Service Pack 4 (SP4), Windows does not check the permissions of the target roaming profile folder, if it already exists when a roaming user profile is created.
Please refer to the following Microsoft KB article to resolve the problem: http://support.microsoft.com/default.aspx?scid=kb;en-us;327462

The VMover.log and VMTotal.log files are located in %Program Files%\Common Files\Aelita Shared\Migration Tools.


ACTIVE DIRECTORY PROCESSING:

Active Directory Processing Wizard (ADPW):

1. A resource processing task cannot be started:

Check if a resource processing task has been fully configured. A resource processing task that has not been fully configured yet cannot be started. The corresponding wizards then start and hang.

2. Cannot update SIDhistory:

- Check if the objects (users and groups) were migrated.
- Check if the source or target objects are not deleted.
- Check if Source and Target Domains are available.
- Check for Administrative permissions.

The ADPW.log file is located in %Program Files%\Common \Common Files\Aelita Shared\Migration Tools.


EXCHANGE SERVER PROCESSING:

Exchange 5.5 Server Processing Wizard (E55PW):

1. Cannot update resources on Exchange server 5.5:

- Check if the objects (users and groups) were migrated.
- Check if the source or target objects are not deleted.
- Check if Source and Target Domains are available.
- Check if the Exchange server is Online.
- Check which port is in use for server connectivity (by default 389).
- Check for administrative rights, not only domain local, but also administrative rights on Exchange server.

The E55PW_Trace.Log file is located in %Program Files%\Common Files\Aelita Shared\Migration Tools.


Exchange 2000/2003 Server Processing Wizard (E2KPW):

1. Exchange 2000 Processing Wizard cannot edit the resource processing:

- Check how many nodes are specified in the task. Exchange 2000 Processing Wizard cannot edit the resource processing task or view its properties and history if there are objects with more than 9 nodes specified in the task. The nodes are: Exchange Organization, Administrative Group, and Server.

2. Cannot update resources on Exchange 2000/2003server:

- Check if the objects were migrated.
- Check if the source or target objects are not deleted.
- Check if Source and Target Domains are available.
- Check if the Exchange server is Online.
- Check for Admin rights, not only domain local, but also Admin rights on Exchange server.

The E2KPW_Trace.Log file is located in %Program Files%\Common Files\Aelita Shared\Migration Tools.


SMS SERVER PROCESSING:

SMS Processing Wizard (SMSPW):

1. The wizard cannot update the SMS server on the local computer if credentials were specified to connect.

The SMSWizard.log file is located in %Program Files%\Common Files\Aelita Shared\Migration Tools.


SQL SERVER PROCESSING:

SQL Processing Wizard (SQLPW):

1.The wizard cannot process the SQL server used to store the Migration Manager for Exchange configuration database.

The SQLWiz.log file is located in %Program Files%\Common Files\Aelita Shared\Migration Tools.


TRUST MIGRATION:

Trust Migration Wizard (TMW):

1. The wizard cannot migrate trusts:

- Check if Source and Target Domains are available.
- Check for Administrative rights and permissions.

The TMW.log file is located in %Program Files%\Common Files\Aelita Shared\Migration Tools.


SITE MIGRATION:

Site Migration Wizard (SMW):

The SMW.log file is located in %Program Files%\Common Files\Aelita Shared\Migration Tools.