ADMT Version 2 does not migrate a computer if an account with an identical NetBIOS name exists

If you use the Active Directory Migration Tool (ADMT) version 2 to migrate a computer account from one Windows 2000-based domain to another, the migration may not succeed and an "Access Denied" message may be returned when you dispatch a migration agent to the computer. This behavior can occur if a computer account with the same NetBIOS name already exists in the target domain. This is often the result of a computer having been migrated previously and then manually rejoined to the source domain.

When ADMT version 2 is running in the target domain, it passes the NetBIOS name instead of the DNS name for the computer accounts that are to be migrated. Therefore, an invalid Kerberos service ticket that cannot be interpreted by the computer that is being migrated may be constructed. This issue can occur whether or not you specify the Replace conflicting accounts option.

To work around this issue, delete the identical machine accounts in the target domain.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

The error code that is returned by this condition is AP_ERR_MODIFIED. If the machine account in the target domain has been disabled, the error code is STATUS_ACCOUNT_DISABLED.

The Dispatch.log file that is created contains entries that are similar to: