Resolution
Domain Migration Administrator 7.x
symptom
Error: Failed to launch agent on <computer_name>, hr=80070005 Access is denied, when attempting to migrate computers or translate security on computers.
symptom
When running reports, the agent monitor on the DMA console states: install failed, access is denied.
symptom
The dispatch.log contains: E20285 you do not have administrative privileges on <computername>, the agent will not be installed.
cause
This is a common issue, and it is indicating that the account you have logged into the DMA console with is not an Administrator on the machine where you are trying to install the agent.
fix
DMA uses the credentials of the user account logged in to the DMA console to install the Agent on the machine, thus the logged on user should have administrative rights on the remote machine. This is not the same as the account specified during the wizard. Once the Agent is installed it runs under the security context of the local system account.
Please refer to NETIQKB2057 - During a computer migration, why do I have to provide an account?
We recommend using a two account system as explained under the heading 'Multiple migration Accounts' in Chapter 2 of the DMA User Guide. This procedure is summarized as follows:
We recommend that you migrate users and groups using an account that is a member of the Domain Admins global group in the target domain, and a member of local Administrators group in the source domain.
When migrating computers, or translating security on computers that are in the source domain, or running reports on computers that are in the source domain, we recommend that you use an account that is a member of Domain Admins in the source domain. By default, this account is a member of the administrators local group on each computer in the source domain.
Please refer to NETIQKB1434 - What is the best practice in terms of logon account permissions necessary to successfully migrate computers?
Also, this same user account should be added to the 'Built-in Administrators Domain Local Group' on the target Domain Controller. This is done by:
- Open 'Active Directory Users and Computers' and locate the Builtin container.
- Open the 'Administrators' group.
- Click the Members tab and click Add to add the user account from the source domain. If you are not running DMA on a domain controller, this source account should also be a member of the local Administrators group on the DMA console machine.
If you are having difficulty establishing these permissions, verify that the trusts between the source and target domain are in effect.
note
For more information regarding permissions requirements, please refer to Appendix B "Detailed Permission Requirements" in the DMA 7.1 User Guide or NETIQKB3035"What are the minimum permission requirements for Domain Migration Administrator and Server Consolidator operations?"