DCTlog.txt logging ends after security translation and domain affiliation is not changed when a computer migrations is attempted.
The last line in the DCTlog.txt refers to translating security on the registry keys.
This will occur running DMA with a Source Domain Admin account and Translating Security in replace mode while at the same time changing the domain affiliation through the Computer Migration wizard. This is a result of DMA running Security Translation first and replacing the Source Domain Admin group in the Local Administrator's group with the Target Domain which would result in the Source account losing it's permission to change Domain affiliation. One of the following can be done to prevent this:
- In the 'Translate Security Settings' wizard, do not select the Local Groups option in the Object section to have Security Translated. As a result this will not Translate Security for the Administrator Local group or any Local groups on the target machine.
- Remove the mapping of the Source Domain Admin group to Target Domain Admin group from the Migrated Objects table found in the Protar.mdb Access 2000 database file, located in the C:\Program Files\NetIQ\DMA folder. If a mapping does not exist then DMA will not Translate Security for the Account.
- Run the Security Translation in 'Add' mode so both the Source and Target Domain Account will exist in the ACL's. This is the best option for backup in case of a failed migration. Once the Source Sids are no longer needed then run the 'Translate Security Settings' wizard in remove mode and the agent will only remove the Source Sids, cleaning up the ACLs and leaving the Target SIDs intact.
- Migrate the machine before running the 'Translate Security Settings' wizard.
A fix for this issue is being considered for an upcoming DMA release. This article will be updated with the latest information as soon as it is available.