Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2014-06-21) Installing PES v3.2 On W2K12(R2)

Posted by Jorge on 2014-06-21

To download PES see this blog post.

If in addition to migration objects (users, groups, computers, etc.) you also need to migrate passwords, then you also need to install the Password Export Service (PES) on a(ny) writable DC in the source AD domain. PES cannot be installed on a read-only domain controller (RODC). The default behavior of ADMT, when migrating passwords, is to configure every target user account with "change password at next logon", unless "password never expires" (most likely service accounts) or "smartcard is required for interactive logon" on the source user account. After the password migration, it is also possible to revert the setting of "change password at next logon" by using PowerShell, ADMOD or any other LDAP modification tool.

Assuming the OU "OU=Migrated-Users,DC=ADCORP,DC=LAB" contains all migrated user accounts…

  • PowerShell –> Get-ADUser -SearchBase "OU=Migrated-Users,DC=ADCORP,DC=LAB" -Filter * | %{Set-ADUser $_.SamAccountName -ChangePasswordAtLogon $false}
  • ADFIND/ADMOD –> ADFIND -b "OU=Migrated-Users,DC=ADCORP,DC=LAB" -f "(&(objectCategory=person)(objectClass=user))" -adcsv | ADMOD pwdLastSet::-1

PES has a very tight relation with ADMT. Because of that you must first create a so called encryption key on the server where ADMT is installed before even starting the installation of PES!

To create the encryption key on the server with ADMT:

  • Open a command prompt window and navigate to the folder "C:\Windows\ADMT"
  • ADMT key /option:create /sourcedomain:ADCORP.LAB /keyfile:C:\Windows\ADMT\ADMTPESEncryptionKeyFile.pes /keypassword:*


Figure 1: Creating The Encryption File For PES On The Server With ADMT

Securely transfer the encryption file to the RWDC that will host the PES service. You can now start the installation of PES.


Figure 1: Selecting The Encryption File For PES


Figure 2: Specifying The Password Securing The Encryption File

The "Password Export Server (PES)" can be configured to run with a service account. This enhancement removes the dependency on the "pre-Windows 2000 compatible access" group that PREVIOUS should contain the well-known security principals "Everyone" and "Anonymous Logon" (in W2K only "Everyone" as that by default already contained "Anonymous Logon"). THEREFORE, preferably use a service account instead of the Local System account.


Figure 3: Specifying The Service Account That Will Be Used By The Password Export Service

The PES service account will be granted the "logon as a service" user right. After the installing you must reboot the RWDC.

For additional info see the ADMT Migration Guide.

* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
############### Jorge’s Quest For Knowledge #############
######### ########

5 Responses to “(2014-06-21) Installing PES v3.2 On W2K12(R2)”

  1. Ludovic said

    I installed the new PES on my new 2012R2 AD controller.
    But when I started the service I got an 1101 event id in the applications events log. Is it normal ?
    My account migrations work but not my password migrations …



    • Jorge said

      password migration is failing because the PES service is not running. Why the service is not starting I do not know. I do not know the event IDs from thw top of my head. Can you post the contents of the event id?


      Liked by 1 person

  2. Ludovic said

    I’m not OK : PES service is running !
    Well running, I don’t know …

    The event log is :

    Log Name: Application
    Source: Password Export Server Service
    Date: 02/07/2014 16:35:14
    Event ID: 1101
    Task Category: (2)
    Level: Information
    Keywords: Classic
    User: N/A
    The description for Event ID 1101 from source Password Export Server Service cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    the message resource is present but the message is not found in the string/message table

    Event Xml:




    • Jorge said

      using the aervices mmc you can see if the pes service is running or not.
      At this stage I would deinstall PES and reinstall it following all the steps as mentioned in the admt guide


  3. Ludovic said


    Before asking help, I uninstalled and reinstalled !
    The status of the service is well running and the eventid appears when I started it.

    If I do just one migration password I got in the logs :
    2014-07-03 09:52:25 Starting Account Replicator.
    2014-07-03 09:52:27 WRN1:7661 User ‘ZB’ has not been migrated from the source domain.
    2014-07-03 09:52:27 Operation completed.
    Where I had with the old ADMT/PES :
    2014-07-02 15:25:08 Starting Account Replicator.
    2014-07-02 15:25:10 CN=ZB – Password Copied.
    2014-07-02 15:25:10 Operation completed.
    Could you tell me if you got eventid when you start your “Password Eport Server Service” ?

    I try to recreate my key using the DNS Name where I used the first time the NetBIOS name cabinet-besse.
    I get the same problem.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: