ERR2:7621 Failed to move source object

Mike Morgan 41 Reputation points
2021-09-30T16:21:34.51+00:00

[Settings Section]
Task: User Migration (342)
ADMT Console
User: NEW\administrator
Computer: workstation.new.domain (workstation)
Domain: new.domain (NEW)
OS: Windows 10 Enterprise 10.0 (19043)
Source Domain
Name: old.domain (OLD)
DC: OLDDC01.old.domain (OLDDC01)
OS: Windows Server 2008 R2 Enterprise 6.1 (7601) Service Pack 1
OU:
Target Domain
Name: new.domain (NEW)
DC: NEWdc01.new.domain (NEWDC01)
OS: Windows Server 2016 Standard 10.0 (14393)
OU: LDAP://new.domain/OU=Users,OU=Office,OU=Division,OU=Department,OU=Departments,DC=new,DC=domain
Intra-Forest: Yes
Update Rights: No
Translate Roaming Profiles: No
Fix group membership: Yes
Conflict Option: Ignore
Migrate groups: No
Migrate service accounts: Yes

[Object Migration Section]
2021-09-30 10:52:55 Starting Account Replicator.
2021-09-30 10:52:57 Removing CN=users name (LDAP://OLDDC01.old.domain/CN=users name,OU=Disabled Users,DC=old,DC=domain) from the global groups it is a member of :
2021-09-30 10:52:57 ERR2:7621 Failed to move source object 'CN=users name'. Verify that the caller's account is not marked sensitive and therefore cannot be delegated. hr=0x8009030e No credentials are available in the security package
2021-09-30 10:52:57 Operation completed.

NOTE!! "Account is sensitive and cannot be delegated" is NOT checked for this user account.

ADMT worked up until a few weeks ago, but then stopped. We did recently update our Exchange servers to CU21. That would be the only major change to Active Directory that we've made between the last time ADMT worked and the time it stopped working.

This is critical because we are only about two thirds of the way through our domain migration. With ADMT out, we're stuck. Does anyone have any suggestions on how to troubleshoot this problem? Thanks.

Active Directory

Accepted answer
  1. Gary Reynolds 9,391 Reputation points
    2021-09-30T21:11:43.69+00:00

    Hi @Mike Morgan ,

    We can assume the service account is not a member of the protected users group.

    There are a few things you can check:

    Ensure that constrained delegation has not been enabled. Check this article: https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview

    When logged in with the service account, can you complete the operation in the error report manually? Do you get the same error?

    Probably not related but worth checking: is the group in question protected by the sdprop process? Check out the page: https://nettools.net/sdprop/

    Does the service account have rights to update the target objects? In the error report the source user object has been deleted. Is this the first time a source object has been deleted, and hence why you are only just seeing the error? You could check that the service account has effective rights by looking at the AD effective rights article on the NetTools site.

    Is there any additional logging you can enable to get more details on the cause of the problem?

    Hope this helps,
    Gary.
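
The attribute checks suggested in the accepted answer (Protected Users membership, delegation settings, SDProp protection), together with the "sensitive and cannot be delegated" flag named in the error text, as an added PowerShell example that is not part of the original thread. `Test-DelegationState` is a hypothetical helper name and the sample object is constructed; the commented `Get-ADUser` line assumes the ActiveDirectory module and uses the account and DC names from the log above.

```powershell
# Added example (not from the thread): summarize delegation-related state
# for the account that runs ADMT. Input is any object shaped like
# Get-ADUser / Get-ADComputer output with the listed properties loaded.
function Test-DelegationState {
    param([Parameter(Mandatory)] $AdObject)

    # userAccountControl bit values
    $NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
    $TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
    $TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition

    $uac    = [int]$AdObject.userAccountControl
    $groups = @($AdObject.memberOf)              # direct memberships only, not nested
    $spns   = @($AdObject.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    [pscustomobject]@{
        Name                     = $AdObject.sAMAccountName
        SensitiveNotDelegated    = [bool]($uac -band $NOT_DELEGATED)
        InProtectedUsers         = [bool]($groups -match '^CN=Protected Users,')
        SdPropProtected          = ($AdObject.adminCount -eq 1)
        UnconstrainedDelegation  = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
        ProtocolTransition       = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
        ConstrainedDelegationSPN = $spns
    }
}

# Constructed sample: the "sensitive" checkbox is clear (as the question states),
# but the account is a direct member of Protected Users, which also prevents
# its credentials from being delegated.
$sample = [pscustomobject]@{
    sAMAccountName             = 'administrator'
    userAccountControl         = 0x200           # NORMAL_ACCOUNT only
    memberOf                   = @('CN=Protected Users,CN=Users,DC=new,DC=domain')
    adminCount                 = 1
    'msDS-AllowedToDelegateTo' = @()
}
Test-DelegationState $sample | Format-List

# Against the live directory (assumes the ActiveDirectory module is installed):
# Get-ADUser administrator -Server NEWDC01.new.domain `
#     -Properties userAccountControl, memberOf, adminCount, msDS-AllowedToDelegateTo |
#     ForEach-Object { Test-DelegationState $_ }
```

The same function accepts `Get-ADComputer` output with the same properties loaded, which covers checking a domain controller object for delegation settings.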


1 additional answer

  1. Limitless Technology 39,391 Reputation points
    2021-10-01T08:15:35.363+00:00

    Hi Mike M,

    Thank you for your question.

    There is a topic with a problem similar to yours, I believe it will help you, see it on the link below:

    https://social.technet.microsoft.com/Forums/office/en-US/50cfceaf-e0a1-4d9e-9fe8-ce592a93bfa0/err27621-failed-to-move-source-object-ad-user-account-migration-issue-in-forest-using-admt-32?forum=winserverDS


    If the answer is helpful, please vote positively and accept as an answer.
