Unable to migrate passwords to Windows 2003 SP1. (NETIQKB52843)

  • 7752843
  • 02-Feb-2007
  • 27-Sep-2007

Resolution

fact
Domain Migration Administrator 7.2

symptom
Unable to migrate passwords to Windows 2003 SP1.

symptom
Password migration fails after upgrading to Windows 2003 Service Pack 1.

symptom
Error: 'E20410: Password Copy Extension extension returned a Failed result hr=0x80070005'

symptom
Error: 'E20773: The RPC server is unavailable'

symptom
Error: 'Password Copy Extension extension returned a Failed result hr=0x800706ba'

cause

A Group Policy is in place that prevents any named pipes from being used anonymously. The relevant settings are:

  • Network access: Restrict anonymous access to Named Pipes and Shares
  • Network access: Named Pipes that can be accessed anonymously

In the original Windows Server 2003 release, there are 6 named pipes that are actually hard-coded into the srv.sys file as being anonymous. 

Those pipes are:

  • \pipe\lsarpc
  • \pipe\samr
  • \pipe\netlogon (\pipe\lsass aliases)
  • \pipe\wkssvc
  • \pipe\srvsvc
  • \pipe\browser (\pipe\ntsvcs aliases)

Those pipes remain anonymous in the original Windows Server 2003 release, regardless of the Group Policy settings. When you upgrade to Service Pack 1, the browser, lsarpc, samr, and netlogon pipes are supposed to be added directly into the NullSessionPipes portion of the registry to keep things from breaking. However, in this case the GPO that makes NullSessionPipes empty clears those 4 entries.



fix
Add the browser, lsarpc, samr, and netlogon named pipes back to the list of named pipes that can be accessed anonymously in the Default Domain Controller Security Policy GPO.
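
To confirm on the target domain controller that the GPO change has taken effect, the effective NullSessionPipes value can be compared against the four pipes listed in the fix. The following is an added example, not part of the original article or the product; it assumes the two policy settings are stored in the standard LanmanServer parameters key as NullSessionPipes and RestrictNullSessAccess, and the function name is hypothetical.

```powershell
# Added example: report which of the four pipes named in this article are
# missing from the effective NullSessionPipes list on the local machine.
# Assumption: the policy values live under the standard LanmanServer key.
$RequiredPipes = @('browser', 'lsarpc', 'samr', 'netlogon')
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Hypothetical helper: returns the required pipe names absent from $Configured.
function Get-MissingNullSessionPipes {
    param(
        [string[]]$Configured = @(),
        [string[]]$Required = $RequiredPipes
    )
    # Normalise the configured entries: drop blanks, trim, lowercase.
    $have = @($Configured |
        Where-Object { $_ -and $_.Trim() } |
        ForEach-Object { $_.Trim().ToLower() })
    # Keep only the required names that are not in the configured list.
    @($Required | Where-Object { $have -notcontains $_.ToLower() })
}

# Read the effective values; a GPO that empties the list leaves
# NullSessionPipes present but with no entries.
$params     = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
$configured = @($params.NullSessionPipes)
$missing    = @(Get-MissingNullSessionPipes -Configured $configured)

Write-Output ("RestrictNullSessAccess : {0}" -f $params.RestrictNullSessAccess)
Write-Output ("NullSessionPipes       : {0}" -f ($configured -join ', '))

if ($missing.Count -eq 0) {
    Write-Output 'All four pipes required for password migration are listed.'
} else {
    Write-Output ("Missing pipes          : {0}" -f ($missing -join ', '))
    Write-Output 'Add them in the Default Domain Controller Security Policy GPO, refresh policy, then re-run this check.'
}
```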

Additional Information

Formerly known as NETIQKB52843