Answered: SharePoint 2010 Migration Nightmares

  • Tuesday, August 21, 2012 20:05
     
     

    I am hoping this is the proper forum to ask this question.

    We are in the middle of a huge domain migration. I have a SharePoint farm in the old domain, which I need to migrate over to the new domain. I created a new farm in the new domain and, to the best of my knowledge, have it set up as close to the old domain farm as possible.

    I backed up all the content databases from the old farm, and restored them to the new farm. I went ahead and created all the web applications as they exist in the old farm, and attached all the proper content databases to the correct web application.

    I have a total of four web applications, and after everything I have done, I can connect to all the sites in only one web application. All other sites, under the three other web applications, try to connect but then prompt me for credentials. I supply the credentials that work in the current environment (old farm), but they will not work in the new farm. I am at a loss and cannot figure out why. Any help is greatly appreciated, and if you need any more info, please let me know.


    If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in any way, please click vote as helpful.

All replies

  • Tuesday, August 21, 2012 20:11
     
     

    Hi clayman2

    If you are migrating to a completely new domain, then all users that were in the previous domain will no longer work.  So you would need to go into Central Admin and reset the site collection administrator for each of the web applications that are not working to start with.

    Anand

  • Tuesday, August 21, 2012 20:14

    We actually migrated the SharePoint farm account over to the new domain, and added it to all the site collections, so I can access all sites on the old farm with both accounts. I will look into this just in case, but also, why would only one web application work and not the others if that is the case?


  • Wednesday, August 22, 2012 00:47
     
     

    I found similar threads which might help you

    http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/0b6d82e6-e804-4f5b-a493-c62d51530007

    http://www.cmswire.com/cms/enterprise-20/5-tips-on-effectively-planning-for-sharepoint-2010-migration-007305.php

    You can use Move-SPUser to migrate users from the old domain to the new one.


    Hrishi Deshpande – Senior Consultant DeltaBahn
    Please click Mark As Answer; if a post solves your problem or Vote As Helpful; if a post has been useful to you


  • Wednesday, August 22, 2012 02:40
    Moderator
     
     
    I would recommend using stsadm -o migrateuser instead of Move-SPUser.  Unfortunately with Move-SPUser, you have to know where the user exists somewhere on SharePoint (as you have to do a Get-SPUser).  With stsadm -o migrateuser, you can simply script the changes out and it will migrate the user farm-wide.

    http://sharepoint.nauplius.net

  • Wednesday, August 22, 2012 05:01

    Make sure the application pool identity of each web application has the right access on the corresponding content databases. This check can be done via SQL Server Management Studio.

    Thuan Soldier
    SharePoint Vietnam | Blog | Twitter

  • Wednesday, August 22, 2012 08:14
    Moderator
     
     

    Hi,

    To migrate to the new domain, you could use the stsadm command to migrate the users.  The 'Stsadm -o migrategroup' command is the same as the 'Stsadm -o migrateuser' command except that it migrates the AD security groups and hence retains the SharePoint permissions after a domain migration.

    You could refer to the article below.

    Move SharePoint 2010 server to another domain

    http://blog.bugrapostaci.com/2011/09/23/move-sharepoint-2010-server-to-another-domain/


    Ivan-Liu

    TechNet Community Support

  • Wednesday, August 22, 2012 09:46
     
     

    Hi Clayman,

    Check the User Policy associated with the Web Application. Maybe NT Authenticated users would not be provided appropriate rights.


    Thanks, Sumit Gupta SharePoint Consultant MCP, MCTS, CCNA

  • Wednesday, August 22, 2012 11:43
     
     

    Thanks for everyone's suggestions; I will take a look once I get into the office. For the stsadm -o migrateuser or migrategroup command, will it matter if not all users have been migrated yet if I run the command beforehand? Also, if we use both groups and users, will I need to run both migrateuser and migrategroup?

    Also, will there be any side effects if users from the new domain already had access to our SharePoint on the old domain?




    • Edited by clayman2 Wednesday, August 22, 2012 13:11
  • Wednesday, August 22, 2012 16:53
    Moderator
     
     
    You just need to run it as users are migrated.  There won't be any side effects as you'll be running it only on your new farm, not the old farm.

    http://sharepoint.nauplius.net

  • Wednesday, August 22, 2012 18:39

      Has code
    You just need to run it as users are migrated.  There won't be any side effects as you'll be running it only on your new farm, not the old farm.

    http://sharepoint.nauplius.net

    Trevor,

    Thanks for the input. One other thing: looking into the stsadm -o migrateuser command, it looks like I have to run it every time, for each user individually, so could I just enumerate all my AD users in my old domain, then pass the sAMAccountName over to stsadm and supply the new domain name?

    Something like so:

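    # Requires the ActiveDirectory module
    Import-Module ActiveDirectory

    # sAMAccountName of every enabled user under the old domain's OU
    $users = Get-ADUser -Filter {Enabled -eq "True"} -SearchBase "OU=someOU,DC=my,DC=domain" | Select-Object -ExpandProperty sAMAccountName

    ForEach ($user in $users)
    {
      # Map the old-domain login to the same account name in the new domain
      & stsadm -o migrateuser -oldlogin "domain\$user" -newlogin "newdomain\$user"
    }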

    Also, if I did something like that, would there be issues if an account existed in the domain, but didn't in SharePoint?


  • Wednesday, August 22, 2012 18:41
    Moderator

    That should be fine.  You may run into an error if the user doesn't exist in SharePoint, but again that won't be an issue (it'll just move on to the next user).

    http://sharepoint.nauplius.net

  • Wednesday, August 22, 2012 19:00

    OK, well I tried the stsadm command on an account that has access to everything in the farm, and I still have the problem: when I go to browse any site within a site collection of the three web apps that give me issues, it continues to prompt for credentials, but the one last web app doesn't seem to have issues at all.


  • Wednesday, August 22, 2012 19:45
     
     

    The credential prompt sounds like the BackConnectionHostNames issue (this will be the case if the hostnames for these webapps differ from the server name).

    See KB 896861, method 1 to resolve:

    1. Set the DisableStrictNameChecking registry entry to 1. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
       281308 Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
    2. Click Start, click Run, type regedit, and then click OK.
    3. In Registry Editor, locate and then click the following registry key:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
    4. Right-click MSV1_0, point to New, and then click Multi-String Value.
    5. Type BackConnectionHostNames, and then press ENTER.
    6. Right-click BackConnectionHostNames, and then click Modify.
    7. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
    8. Quit Registry Editor, and then restart the IISAdmin service.


    Jason Warren
    Infrastructure Architect


  • Wednesday, August 22, 2012 19:52
     
     
    That did not work Jason, still the same thing.


  • Wednesday, August 22, 2012 19:53
     
     
    What are the HTTP errors in the IIS log during these connection attempts?

    Jason Warren
    Infrastructure Architect

  • Wednesday, August 22, 2012 19:56
     
     

    And to clarify, you entered the hostnames of the web applications?

    That is, say your web apps have the URLs of http://www.example.com, http://extranet.example.com, and https://payment.example.com; you entered the following lines in the BackConnectionHostNames key:

    www.example.com
    extranet.example.com
    payment.example.com


    Jason Warren
    Infrastructure Architect

  • Wednesday, August 22, 2012 19:59

     Answered

    Instead of Method 1, try Method 2. I always use this option; it solves the prompt issue every time.

    To set the DisableLoopbackCheck registry key, follow these steps:
    1. Set the DisableStrictNameChecking registry entry to 1. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
       281308 (http://support.microsoft.com/kb/281308/ ) Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
    2. Click Start, click Run, type regedit, and then click OK.
    3. In Registry Editor, locate and then click the following registry key:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    4. Right-click Lsa, point to New, and then click DWORD Value.
    5. Type DisableLoopbackCheck, and then press ENTER.
    6. Right-click DisableLoopbackCheck, and then click Modify.
    7. In the Value data box, type 1, and then click OK.
    8. Quit Registry Editor, and then restart your computer.

    Hrishi Deshpande – Senior Consultant DeltaBahn

    • Marked as answer by clayman2 Thursday, August 23, 2012 12:57
  • Wednesday, August 22, 2012 20:07

    I do not see any errors in the log file. For the BackConnectionHostNames, I entered them with just the name I used for the CNAME record. This is an intranet-facing infrastructure only, so will that make a difference?


  • Wednesday, August 22, 2012 20:12

    Sorry, I meant HTTP status codes. What are the status codes when you are attempting to access the site? Credential prompts will normally generate something other than HTTP 200.

    Has SharePoint been configured to handle these CNAMEs for the web applications?


    Jason Warren
    Infrastructure Architect

  • Wednesday, August 22, 2012 20:19

    Sorry, I meant HTTP status codes. What are the status codes when you are attempting to access the site? Credential prompts will normally generate something other than HTTP 200.

    Has SharePoint been configured to handle these CNAMEs for the web applications?


    Jason Warren
    Infrastructure Architect

    I'm getting ready to leave so I'll have to check the logs tomorrow. As for configuring SharePoint to handle these CNAMEs, I really do not know lol.

    If I create a new web application, I will have a CNAME created beforehand, and then when creating the webapp, I just use the CNAME name for everything, so for instance, the default url I will set to http://CNAME and the IIS host headers I'll set to CNAME, and it has always worked. Well actually I never pointed to a CNAME, only in the environment, I had to because right now everything is virtual until I can get my physical servers migrated, then the CNAME records will be changed to A Records.

    But it still doesn't explain why three webapps do not work, yet one does, when as of right now all are pointing to CNAME records.



  • Wednesday, August 22, 2012 20:21
     
     
    Looks like the status code is 401


  • Wednesday, August 22, 2012 20:30

    HTTP 401 sounds like the BackConnectionHostNames/DisableLoopbackCheck.

    You can disable the whole checking as Hrishi suggests which should immediately allow this to work (or at least remove the IIS checking as part of the issue). To answer your earlier question about BackConnectionHostNames, you would enter into the key:

    CNAME1

    CNAME2

    CNAME3

    etc. You don't need the http:// or https://, or port numbers. One hostname/cname per line.


    Jason Warren
    Infrastructure Architect

  • Wednesday, August 22, 2012 20:32
    Moderator
     
     
    401s are always normal responses prior to the client authenticating.

    http://sharepoint.nauplius.net

  • Thursday, August 23, 2012 12:44
     
     

     To answer your earlier question about BackConnectionHostNames, you would enter into the key:

    CNAME1

    CNAME2

    CNAME3

    etc. You don't need the http:// or https://, or port numbers. One hostname/cname per line.


    Jason Warren
    Infrastructure Architect


    That is how I entered them in. I will try Hrishi's fix and we will see.


  • Thursday, August 23, 2012 12:59

    Hrishi's fix for DisableLoopbackCheck is what seemed to fix the issue. Seeing I made the previous registry changes per Jason's request, I wasn't sure if it was a combination of the two, so I deleted the previous registry changes, restarted and everything looks to be working now.

    Jason, even though I deleted the registry fixes you supplied, and things are working, are there any benefits to redoing them and keeping those changes?

    Also, internally it works (just using hostname), but if I try to access it from a machine on the old domain, using the FQDN, I get a 404. Any ideas?

    Thank you all, for your help and assistance the last couple of days.





    • Edited by clayman2 Thursday, August 23, 2012 13:34
  • Thursday, August 23, 2012 13:43
    Moderator
     
     
    BackConnectionHostNames is more secure than DisableLoopbackCheck.

    http://sharepoint.nauplius.net
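
Added example, not part of any post in this thread: a PowerShell sketch that reports which of the two registry settings discussed above is active on a server and adds specific host names to BackConnectionHostNames, so the loopback check stays on for every other name. The function names are made up for this example, CNAME1 to CNAME3 are the placeholder names used in the thread, and the syntax is kept compatible with PowerShell 2.0.

```powershell
# Added example: audit and scope the loopback check on a SharePoint web server.
# Function names are hypothetical; the registry paths and value names are the
# ones quoted in the thread. Writing the value needs an elevated prompt.
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key = Join-Path $LsaKey 'MSV1_0'

function Get-LoopbackCheckState {
    # DisableLoopbackCheck = 1 switches the check off for every host name;
    # BackConnectionHostNames exempts only the names it lists.
    $lsa   = Get-ItemProperty -Path $LsaKey
    $names = @((Get-ItemProperty -Path $Msv1Key).BackConnectionHostNames | Where-Object { $_ })
    New-Object PSObject -Property @{
        LoopbackCheckDisabled   = ([int]$lsa.DisableLoopbackCheck -eq 1)
        BackConnectionHostNames = $names
    }
}

function Set-BackConnectionHostNames {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string[]]$HostName)

    # The value takes bare host names: drop scheme, port and path if pasted in.
    $clean = @($HostName | ForEach-Object {
        ($_ -replace '^https?://', '' -replace '[:/].*$', '').Trim().ToLower()
    } | Where-Object { $_ })

    # Merge with what is already there so existing entries are not lost.
    $current = @((Get-ItemProperty -Path $Msv1Key).BackConnectionHostNames | Where-Object { $_ })
    $merged  = [string[]]@($current + $clean | Sort-Object -Unique)

    if ($PSCmdlet.ShouldProcess($Msv1Key, "set BackConnectionHostNames = $($merged -join ', ')")) {
        New-ItemProperty -Path $Msv1Key -Name BackConnectionHostNames `
            -PropertyType MultiString -Value $merged -Force | Out-Null
        # Per KB 896861 method 1, restart the IISAdmin service afterwards.
    }
    $merged
}

# Constructed usage: -WhatIf previews the change without writing the registry.
Set-BackConnectionHostNames -HostName 'CNAME1', 'http://CNAME2', 'CNAME3:80' -WhatIf
Get-LoopbackCheckState
```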

  • Thursday, August 23, 2012 14:59

    BackConnectionHostNames is more secure than DisableLoopbackCheck.

    http://sharepoint.nauplius.net


    But it doesn't allow me to access my site without the DisableLoopbackCheck.
