NTex-7916 asked dangerranger-0183 answered

ADMT User Migration

Hi all,

I've been doing a migration from multiple child domains to the parent domain in my organization.

We've done this in the past with no issues; we used ADMT as always.

Now ADMT 3.2 has been working well so far on normal accounts.

When we ran into IT administrative accounts, we had to turn off the "This account is sensitive..." option, but still, after many hours, we get errors on these accounts:
ERR2:7621 Failed to move source object 'CN=USERNAME'. Verify that the caller's account is not marked sensitive and therefore cannot be delegated. hr=0x8009030e No credentials are available in the security package

Also double-checked: the DC delegation settings are not constrained at the moment.

Any suggestions?

Thanks

windows-active-directory
NTex-7916 answered

No, I even temporarily removed all groups from this user, except Domain Users, which is its primary group.
In the past, while doing forest upgrades, it used to be a Schema Admin, but no longer; we only add it to Schema Admins when changes are needed, to keep AD secure.

Despite it being a fairly old account, it's not in the Protected Users group either.
I will try with the main Enterprise default account on ADMT, which is the account for disaster recovery with credentials kept in a safe. 😊

Also, I was thinking about Exchange attributes.
We used to run Exchange and Lync servers; this child domain still has some Exchange attributes, but the servers are no longer running since we migrated to Azure 365 through MIM.

Need to dive deeper into this during the weekend, I guess.

Thanks for your information Vicky 😊

Thameur-BOURBITA answered JoyQiao-MSFT edited

Hi,

You should uncheck the option "This account is sensitive and cannot be delegated" on the impacted user accounts before the move, and check that delegation is already allowed, as described in the following links:


admt-err2-7621-while-migrating-accounts-within-the-forest.html

Please don't forget to mark the helpful reply as the answer.





VickyWang-MFST answered VickyWang-MFST edited

ERR2:7621 Failed to move source object 'CN=migrTEST'. Verify that the caller's account is not marked sensitive and therefore cannot be delegated. hr=0x8009030e No credentials are available in the security package

This could be because of the following setting in your source domain controller's properties (select the DC in the AD Users and Computers snap-in and right-click):
62270-image.png

Notice that "Do not trust this computer for delegation" is set.

The right value for migration is "Trust this computer for delegation to any service (Kerberos only)":



62433-image.png

Hope this information can help you
Best wishes
Vicky



NTex-7916 answered

When we ran into IT administrative accounts, we had to turn off the "This account is sensitive..." option, but still, after many hours, we get errors on these accounts:
ERR2:7621 Failed to move source object 'CN=USERNAME'. Verify that the caller's account is not marked sensitive and therefore cannot be delegated. hr=0x8009030e No credentials are available in the security package

Also double-checked: the DC delegation settings are not constrained at the moment.

I appreciate your replies, and I know I was very hasty in my posting, but you're also hasty in your reading.

I explained we did all that... there are plenty of posts on the Internet saying to check DC delegation; I mentioned it wasn't constrained at all and the user doesn't have the sensitive attribute checked... so, any more ideas/hints?

Thanks





VickyWang-MFST answered

Check whether this account is in the Protected Users group? Based on my knowledge, protected users are protected by the domain controllers and are unable to:

Authenticate with NTLM authentication.

Use DES or RC4 encryption types in Kerberos pre-authentication.

Be delegated with unconstrained or constrained delegation.

Renew the Kerberos TGTs beyond the initial four-hour lifetime.

https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group#domain-controller-protections-for-protected-users

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts

Hope this information can help you
Best wishes
Vicky

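A PowerShell pre-flight check for the three conditions discussed in this thread (the "sensitive" flag, the source DC's delegation setting, and Protected Users membership). This is an added example, not code from the thread, from Microsoft, or from ADMT; `$SourceUser` and `$SourceDC` are assumed placeholders, and it requires the RSAT ActiveDirectory module on a domain-joined machine.

```powershell
Import-Module ActiveDirectory

# Assumed placeholders: the account to be moved and the source domain controller.
$SourceUser = 'migrTEST'
$SourceDC   = 'SRCDC01'

# 1. "This account is sensitive and cannot be delegated" is the
#    ADS_UF_NOT_DELEGATED bit (0x100000) in userAccountControl.
$u = Get-ADUser -Identity $SourceUser -Properties userAccountControl
$sensitiveFlagSet = ($u.userAccountControl -band 0x100000) -ne 0

# 2. Protected Users membership (direct or nested) also blocks delegation,
#    independent of the flag above.
$inProtectedUsers = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Where-Object { $_.distinguishedName -eq $u.DistinguishedName }).Count -gt 0

# 3. Delegation setting on the source DC's computer object. The ADUC option
#    "Trust this computer for delegation to any service (Kerberos only)" maps to
#    TrustedForDelegation = $true with no msDS-AllowedToDelegateTo entries.
$dc = Get-ADComputer -Identity $SourceDC `
    -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
$dcDelegation =
    if ($dc.'msDS-AllowedToDelegateTo') { 'Constrained (specified services only)' }
    elseif ($dc.TrustedForDelegation)  { 'Unconstrained (any service, Kerberos only)' }
    else                               { 'Do not trust this computer for delegation' }

# Summary: all three must be in the expected state before the ADMT move.
[pscustomobject]@{
    Account          = $u.SamAccountName
    SensitiveFlagSet = $sensitiveFlagSet
    InProtectedUsers = $inProtectedUsers
    SourceDC         = $dc.Name
    DCDelegation     = $dcDelegation
    ReadyForADMTMove = (-not $sensitiveFlagSet) -and (-not $inProtectedUsers) -and
                       ($dcDelegation -like 'Unconstrained*')
}
```

Run it against the source domain before each failing move; a `ReadyForADMTMove` of `$false` tells you which of the three checks still needs attention.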
VickyWang-MFST answered

Hi,


Just checking in to see if the information provided was helpful.

Please let us know if you would like further assistance.


Best Regards,
Vicky

dangerranger-0183 answered

Is there any update on the fix for this problem? I am having the same issue. The account is not set to sensitive, and the delegation settings on the DC in Active Directory Users and Computers are correct. The user is not a member of the Protected Users group either. The issue only happens when going from one particular child domain to other child domains and the parent domain. All other child domains and the parent domain can migrate user accounts to this particular child domain.
