How do I set up the Password Export Server (PES)? (NETIQKB44293)

  • 7744293
  • 02-Feb-2007
  • 30-Jun-2008

Environment

Domain Migration Administrator 7.2

Situation

How do I set up the Password Export Server (PES)?

How do I migrate passwords from a native-mode source Active Directory domain?

How do I migrate passwords from a Windows 2000 or 2003 native-mode domain to a domain in a different forest?

Resolution

Domain Migration Administrator (DMA) version 7.2 introduced the ability to migrate passwords from a native-mode source Active Directory domain. If you are not using DMA version 7.2 or later, you will not be able to migrate passwords from a native mode Active Directory domain in a different forest.

Migrating passwords from a Windows 2000 or later native-mode domain to a domain in a different forest requires installing the Password Export Server (PES) on a domain controller in the source domain. DMA uses the PES to migrate passwords between domains. Use the following steps to install the Password Export Server.

  1. Generate a Password Export Server encryption key file.
    • When DMA migrates users from a native-mode domain to a Windows 2000 or later domain in a different forest, it uses the PES in the source domain to change the password in the target domain. To maintain the integrity of the passwords in the source domain, the PES requires a trusted connection with the entity requesting the password change. Domain Migration Administrator establishes this trusted connection by generating a PES encryption key file. This key file is specific to the source domain and the DMA computer on which you generate the file. When you install the PES, use this file to secure a trusted communication between the PES and DMA.
      • WARNING - For security reasons, create and store the encryption key file on removable media, such as a floppy disk or CD-ROM. If unauthorized users gain access to the encryption key file, they could simulate the PES and learn the current passwords for target domain accounts being migrated.
      • To create a PES encryption key file:
        1. Ensure the Microsoft 128-bit high encryption pack is installed on the DMA computer.
        2. Start DMA.
        3. In the left pane, click Domain Migration Administrator or select a specific project.
        4. On the Action menu, click Create Password Export Server Encryption Key.
        5. Specify the information on the Password Export Server (PES) Encryption Key Creation window. For more information about an option, click Help.
        6. Click Create Key.
  2. Install a Password Export Server in the source domain.
    • For DMA to copy passwords from the source domain, install a PES on a domain controller in the source domain. Enabling the PES requires editing a registry key.
      • WARNING: Using the Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. NetIQ cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Make sure that you back up your Registry prior to making any changes.

      • To install the PES:
        1. Log on to a domain controller in the source domain as a member of an administrator group.
        2. Ensure the Microsoft 128-bit high encryption pack is installed on the domain controller.
        3. Copy the following files from the DMA computer. By default, the files are located in the Program Files\NetIQ\PES folder:
          • pwdmig.exe
          • pwdmig.ini
          • pwdmig.msi
        4. Run the pwdmig.msi program. The pwdmig program will prompt you for the PES encryption key file you created for the source domain and the DMA computer. When prompted, insert the removable media containing the key file.
        5. Follow the instructions until you have finished installing the PES.
        6. Set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AllowPasswordExport registry value to 1. Setting this value to 1 enables the PES to accept password migration requests. To disable the PES, set this registry value to 0.
  3. Configure permissions and group policy.
    • Using the PES to copy passwords when migrating from a Windows 2000 or later native-mode domain to a Windows 2000 or later domain in a different forest requires specific permissions and group policy settings on the target domain. For more information about changing the settings, see the Windows Help.

      • Configure the following permissions and group policy settings on the target domain:

        1. Allow Anonymous access group policy on the target domain controllers.
          • On a Windows 2000 target domain, set the Additional restrictions for anonymous connections group policy to None or undefined.
          • On a Windows 2003 target domain, set all of the Security Options group policies that restrict anonymous access to allow access. For example, set the Network access: Do not allow anonymous enumeration of SAM accounts and Network access: Restrict anonymous access to Named Pipes and Shares to allow access.
        2. Grant the Pre-Windows 2000 Compatible Access group Read permissions to the CN=Server,CN=System,DC=targetdom,DC=tld object, where DC=targetdom,DC=tld is the distinguishedName of the target domain.
        3. Make the Everyone group a member of the Pre-Windows 2000 Compatible Access group. The Active Directory Users and Computers application blocks this action. To add the Everyone group to the Pre-Windows 2000 Compatible Access group, run the following command:
          NET LOCALGROUP "PRE-WINDOWS 2000 COMPATIBLE ACCESS" EVERYONE /ADD
        4. On a Windows 2003 target domain, make the ANONYMOUS LOGON user account a member of the Pre-Windows 2000 Compatible Access group.
  4. Migrate user accounts. For more information, see the DMA & SC User Guide.
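The following PowerShell script is an added example, not part of this NetIQ article or the DMA product: it toggles the AllowPasswordExport value from step 2 so the PES can be disabled as soon as migration finishes, and it lists the Pre-Windows 2000 Compatible Access members from step 3 so the Everyone and ANONYMOUS LOGON additions can be reverted. It assumes it runs in an elevated session on the source domain controller (registry part) or a target domain controller (group part), and that `net localgroup` prints members one per line after a dashed separator.

```powershell
# Added example (not NetIQ/DMA code). Registry path, value name and group
# name are taken from the KB article; everything else is an assumption.

$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValName = 'AllowPasswordExport'

function Get-PesState {
    # Returns Enabled (1), Disabled (0) or NotSet when the value is absent
    $v = (Get-ItemProperty -Path $LsaKey -Name $ValName -ErrorAction SilentlyContinue).$ValName
    switch ($v) { 1 { 'Enabled' } 0 { 'Disabled' } default { 'NotSet' } }
}

function Set-PesState {
    # Source DC, KB step 2.6: 1 lets the PES accept requests, 0 turns it off.
    param([Parameter(Mandatory)][ValidateSet('Enabled','Disabled')][string]$State)
    $data = if ($State -eq 'Enabled') { 1 } else { 0 }
    New-ItemProperty -Path $LsaKey -Name $ValName -Value $data -PropertyType DWord -Force | Out-Null
    Get-PesState
}

function Get-PreW2kCompatMembers {
    # Target DC, KB step 3: parse the same "net localgroup" tool the article uses.
    $out = @(net localgroup "Pre-Windows 2000 Compatible Access")
    $sep = [array]::IndexOf($out, ($out | Where-Object { $_ -like '---*' } | Select-Object -First 1))
    if ($sep -lt 0) { return @() }
    $out[($sep + 1)..($out.Count - 1)] |
        Where-Object { $_ -and $_ -notlike 'The command*' } |
        ForEach-Object { $_.Trim() }
}

function Test-MigrationLeftovers {
    # Reports what is still loosened so it can be reverted once DMA is done.
    $members = Get-PreW2kCompatMembers
    $findings = @()
    if (Get-PesState -eq 'Enabled') { $findings += "PES still enabled ($ValName = 1)" }
    foreach ($p in 'Everyone', 'ANONYMOUS LOGON') {
        if ($members | Where-Object { $_ -like "*$p" }) {
            $findings += "$p still in Pre-Windows 2000 Compatible Access"
        }
    }
    if ($findings.Count -eq 0) { 'No migration-time relaxations found' } else { $findings }
}

Test-MigrationLeftovers
# Revert when finished (inverse of the article's /ADD command):
#   Set-PesState -State Disabled
#   net localgroup "Pre-Windows 2000 Compatible Access" Everyone /DELETE
```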

Additional Information

Formerly known as NETIQKB44293

This information is also available in Appendix F, Native-Mode Source Domain Password Migration, of the DMA & SC User Guide or the online Help.

NetIQ's version of PES does not run as a service on the source domain controller; ADMT's version, however, does.