Troubleshooting Agent Operations

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

I am receiving an error message that the Active Directory Migration Tool (ADMT) could not verify auditing and TcpipClientSupport on domains

Cause: The agent is dispatched with invalid credentials or the migration environment is not configured correctly.

Solution: An agent is dispatched to a remote computer that uses the credentials of the account that is used to run ADMT. After the agent is installed on the remote computer, it runs under the Local System account. The credentials that you provide to the wizard, before the agent is dispatched to the remote computer, are used to write results back to a share that is created on the computer on which ADMT is running. The agent must have the right to log on locally to the remote computer, and, if the agent is used to migrate computers, it must have administrative rights in the source domain and be a local administrator on all workstations.

To ensure that you have the correct credentials, create trusts so that the source and target domain trust each other. Add the Domain Admins group of the target domain (target\Domain Admins) to the built-in Administrators group of the source domain (source\Administrators). Log on by using the target\Domain Admins account, and supply a set of credentials for the source\Administrators account when you are prompted. This provides you with administrative permissions on both the source domain and target domain.

Agent dispatch operations fail with credentials conflict errors

Cause: You have an active connection, such as a mapped drive or a printer, to a computer on which an agent is being installed. The dispatch operation fails because the credentials of the agent installation conflict with the existing set of credentials.

Solution: Remove any active connections between the computer that is running ADMT and the computer to which the agent is being dispatched.

When I try to view the results of a remote agent operation, I receive the following error: "Cannot open the \\ComputerName\(%SystemRoot%)$\temp\dctlog.txt file."

Cause: The default administrative share for the system volume of the computer to which the agent was dispatched is not enabled.

Because the default share is not enabled, ADMT cannot read the log file.

Solution: Re-enable the default share of the system volume.

When generating reports, I receive IDispatch error 3107

Cause: This error may occur when the Agent Monitor is closed before all agents have finished writing their results back to the ADMT reporting database.

Solution: To prevent this problem, wait until all agents have completed their tasks before closing the Agent Monitor.

I need to know which protocols and ports ADMT uses to establish console communication with domain controllers and ADMT agents running on workstations

Cause: When you run ADMT in environments that have a firewall, you might have to make firewall port exceptions to support ADMT-related traffic on your network.

Solution: The ADMT console uses Lightweight Directory Access Protocol (LDAP) port 389 to communicate with domain controllers and Remote Procedure Call (RPC) to communicate with ADMT agents. For RPC communication, any available RPC port in the range between 1024 and 5000 might be used. For more information, see 836429 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=122010).

Why are files that ADMT generates for agent deployment not removed after use?

Files that are generated on client computers where the ADMT agent service was run for security translation of local groups are placed in %windir%\onepointdomainagent.

Files at this location can remain after reboot for the following reasons:

  • If the computer still has ADMT installed.

  • If after you remove ADMT from the computer, you do not perform registry cleanup to remove any entries from the HKLM\Software\Microsoft\ADMT path.

  • If you reboot the computer without waiting for ADMT agent processes to exit or complete. To verify that ADMT processes have been exited, you can use Task Manager to verify that ADMTAgnt.exe and DctAgentServices.exe are no longer listed on the Processes tab. If either of these processes is listed, use Task Manager to end them first before you perform a reboot.