Wednesday, July 6, 2011

ManageRED PasswordCopy Requirements

To copy passwords, the following minimum requirements must be met:

Windows 64bit (Windows 2008R2) ***

When Windows 2008R2 or any other 64-bit Windows server is involved in the password copy process, the LSA registry settings must be edited manually before starting the process.



On each 64-bit computer involved (DC or member server), navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
List: SecurityPackages

The SecurityPackages list must contain only: kerberos, msv1_0, schannel, wdigest, tspkg

Edit this list to match the above exactly by removing any extra entries, then reboot the server for the change to take effect.
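
A read-only check for the SecurityPackages requirement above, as an added PowerShell example (it is not part of PasswordCopy or of the original post). It assumes the list is stored as the multi-string value named "Security Packages" under the Lsa key; the function name Compare-SecurityPackages and the sample list are constructed for illustration.

```powershell
# Added example: read-only check, it changes nothing in the registry.
$Required = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg')   # list from this page

function Compare-SecurityPackages {
    param([string[]]$Actual, [string[]]$Expected = $Required)
    # REG_MULTI_SZ data can carry blank or padded strings; normalise first.
    $have = @($Actual | ForEach-Object { "$_".Trim() } | Where-Object { $_ })
    # -contains / -notcontains compare case-insensitively in PowerShell.
    $extra   = @($have     | Where-Object { $Expected -notcontains $_ })
    $missing = @($Expected | Where-Object { $have -notcontains $_ })
    # New-Object PSObject keeps this usable on PowerShell 2.0 (Windows 2008R2).
    New-Object PSObject -Property @{
        Extra   = $extra
        Missing = $missing
        Matches = ($extra.Count -eq 0 -and $missing.Count -eq 0)
    }
}

# Constructed sample: the required list plus one extra entry and a blank string.
$sample = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', '')
$r = Compare-SecurityPackages -Actual $sample
"Sample: Matches=$($r.Matches) Extra=$($r.Extra -join ',') Missing=$($r.Missing -join ',')"

# Live check, only where the Lsa key exists (that is, on a Windows host).
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'Security Packages'   # assumption: the registry value name contains a space
if (Test-Path $LsaKey) {
    $live = (Get-ItemProperty -Path $LsaKey -Name $ValueName).$ValueName
    $r = Compare-SecurityPackages -Actual $live
    if ($r.Matches) {
        "Live: list matches the required entries."
    } else {
        "Live: extra [$($r.Extra -join ', ')]; missing [$($r.Missing -join ', ')]"
    }
} else {
    "Live check skipped: $LsaKey is not available on this host."
}
```

Run it from an elevated prompt on each 64-bit server before and after the edit; the second run, after the reboot, should report a match.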

Virus scan software must be disabled during a password migration; otherwise it may report false Trojan readings and quarantine required files.

PDC - PDC Emulator (Windows 200x FSMO Server) requirements:

Drive letters must be shared, for example C$, D$, etc.
The Windows directory must have the Administrative Share ADMIN$
Remote registry services must be running
The DCs must be reachable by name (NetBIOS name resolution must be working across subnets)
The DCs must be remotely manageable (Windows Firewall issues)
The service account and the operator must have domain Administrative rights
The service account must have the Logon Locally and Run as a Service rights.
The Target Domain Password Policy must be less restrictive than the Source Domain Password Policy
Two-way trusts must be in place and functional

Password Copy in Workgroups


Drive letters must be shared, for example C$, D$, etc.
The Windows directory must have the Administrative Share ADMIN$
Remote registry services must be running
The servers must be reachable by name (NetBIOS name resolution must be working across subnets)
The servers must be remotely manageable (Windows Firewall issues)
The service account and the operator must be ADMINISTRATOR
The service account must have the Logon Locally and Run as a Service rights.
The Target Password Policy must be less restrictive than the Source Password Policy

Password Copy Console Computer

The service account and the operator must have domain Administrative rights
The service account must have the Logon Locally and Run as a Service rights.
Windows Firewall must be turned off or set in the remote manage state
All DCs must be reachable by name

Administrative Rights Domain Recommendations

Install the PasswordCopy software on a computer in the Target Domain
Create or select an account from the Target Domain
Add or verify the account is a member of the Target Domain Admins group
Add or verify the Target Domain Admins group is a member of the Source domain Administrators local group
Add or verify the account can log on locally and run as a service on the source and target DCs and the local computer.
Use the account as the service account
Log on to the console computer with the account.

Windows Vista, Windows 2008 and Windows 7

PasswordCopy supports Windows Vista, Windows 2008 and Windows 7. However, in order to run administrative tools on these platforms, Windows Firewall and Windows User Account Control must be turned OFF.
RemoteRegistry services must be running and NetBIOS over IP resolution must be enabled.
