MikeMorgan-6402 asked MikeMorgan-6402 commented

ERR2:7621 Failed to move source object

[Settings Section]
Task: User Migration (342)
ADMT Console
User: NEW\administrator
Computer: workstation.new.domain (workstation)
Domain: new.domain (NEW)
OS: Windows 10 Enterprise 10.0 (19043)
Source Domain
Name: old.domain (OLD)
DC: OLDDC01.old.domain (OLDDC01)
OS: Windows Server 2008 R2 Enterprise 6.1 (7601) Service Pack 1
OU:
Target Domain
Name: new.domain (NEW)
DC: NEWdc01.new.domain (NEWDC01)
OS: Windows Server 2016 Standard 10.0 (14393)
OU: LDAP://new.domain/OU=Users,OU=Office,OU=Division,OU=Department,OU=Departments,DC=new,DC=domain
Intra-Forest: Yes
Update Rights: No
Translate Roaming Profiles: No
Fix group membership: Yes
Conflict Option: Ignore
Migrate groups: No
Migrate service accounts: Yes

[Object Migration Section]
2021-09-30 10:52:55 Starting Account Replicator.
2021-09-30 10:52:57 Removing CN=users name (LDAP://OLDDC01.old.domain/CN=users name,OU=Disabled Users,DC=old,DC=domain) from the global groups it is a member of :
2021-09-30 10:52:57 ERR2:7621 Failed to move source object 'CN=users name'. Verify that the caller's account is not marked sensitive and therefore cannot be delegated. hr=0x8009030e No credentials are available in the security package
2021-09-30 10:52:57 Operation completed.



NOTE!! "Account is sensitive and cannot be delegated" is NOT checked for this user account.

ADMT worked up until a few weeks ago, but then stopped. We did recently update our Exchange servers to CU21. That would be the only major change to Active Directory that we've made between the last time ADMT worked and the time it stopped working.

This is critical because we are only about two thirds of the way through our domain migration. With ADMT out, we're stuck. Does anyone have any suggestions on how to troubleshoot this problem? Thanks.

windows-active-directory

GaryReynolds answered MikeMorgan-6402 commented

Hi @MikeMorgan-6402,

We can assume the service account is not a member of the protected users group.

There are a few things you can check:

Ensure that constrained delegation has not been enabled; check this article: https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview

When logged in with the service account, can you complete the operation in the error report manually? Do you get the same error?

Probably not related but worth checking: is the group in question protected by the sdprop process? Check out the page: https://nettools.net/sdprop/

Does the service account have rights to update the target objects? In the error report the source user object has been deleted; is this the first time a source object has been deleted, and hence why you are only just seeing the error? You could check that the service account has effective rights by looking at the AD effective rights article on the NetTools site.

Is there any additional logging you can enable to get more details on the cause of the problem?

Hope this helps,
Gary.



Thank you for your response. It was helpful. When I read "We can assume the service account is not a member of the protected users group", it made me think about the ADMTAdmin account configuration. I checked, and for some reason, the account had been removed from the restricted groups in the old domain ADMT-User-Add policy. I corrected that and ADMT is working again. Thanks.
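
The account checks from the answer above, together with a decoder for the log's `hr` value, as an added PowerShell example that is not part of the original thread. `ConvertFrom-HResult`, `Test-AdmtAccount`, the sample object and the `Administrators` group name are assumptions for illustration; the thread does not say which groups the ADMT-User-Add policy grants.

```powershell
# Added example, not from the thread. The sample account object is constructed.

# Split an HRESULT (e.g. the hr=0x8009030e in the ADMT log) into its fields.
# Facility 9 is FACILITY_SSPI: the failure came from the authentication layer.
function ConvertFrom-HResult {
    param([Parameter(Mandatory)][string] $Hex)
    $v = [Convert]::ToInt64($Hex, 16)
    [pscustomobject]@{
        Failure  = [bool](($v -shr 31) -band 1)
        Facility = [int](($v -shr 16) -band 0x7FF)
        Code     = '0x{0:X4}' -f ($v -band 0xFFFF)
    }
}

# Check the migration account for conditions that stop its credentials being
# delegated or used on the source DC. $User is the output of, for example:
#   Get-ADUser ADMTAdmin -Server old.domain -Properties AccountNotDelegated,MemberOf
# $RequiredGroups: groups the restricted-groups GPO should grant. The thread
# does not name them, so they are supplied by the caller (assumption).
function Test-AdmtAccount {
    param([Parameter(Mandatory)] $User, [string[]] $RequiredGroups = @())
    # Reduce each DN in MemberOf to its CN (direct memberships only).
    $groups = @($User.MemberOf | ForEach-Object {
        if ($_ -match '^CN=(.+?)(?<!\\),') { $Matches[1] }
    })
    $findings = @()
    if ($User.AccountNotDelegated) {
        $findings += 'Account is sensitive and cannot be delegated'
    }
    if ($groups -contains 'Protected Users') {
        $findings += 'Member of Protected Users (credentials are not delegated)'
    }
    foreach ($g in $RequiredGroups) {
        if ($groups -notcontains $g) { $findings += "Not a member of: $g" }
    }
    $findings
}

# Constructed sample: sensitive flag unchecked (as in the question), but the
# expected group is missing. 'Administrators' is an assumed group name.
$sample = [pscustomobject]@{
    AccountNotDelegated = $false
    MemberOf = @('CN=Migration Team,OU=Groups,DC=old,DC=domain')
}
ConvertFrom-HResult '0x8009030e'
Test-AdmtAccount $sample -RequiredGroups 'Administrators'
```

`MemberOf` lists direct memberships only, so a group granted through nesting needs a recursive lookup such as `Get-ADGroupMember -Recursive` against the source domain.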

LimitlessTechnology-2700 answered

Hi Mike M,

Thank you for your question.

There is a topic with a problem similar to yours; I believe it will help you. See it at the link below:

https://social.technet.microsoft.com/Forums/office/en-US/50cfceaf-e0a1-4d9e-9fe8-ce592a93bfa0/err27621-failed-to-move-source-object-ad-user-account-migration-issue-in-forest-using-admt-32?forum=winserverDS



If the answer is helpful, please vote positively and accept as an answer.
