6th April 2008, 04:12 PM #1
SID Migration W2k3 -> W2k3
We are about to start a pretty major restructuring of our active directory by migrating to a new forest with 2 child domains. In testing we've managed to migrate everything successfully. I thought I'd get a head start and migrate 1800 pupils' accounts and various groups over the weekend using ADMT v3. I've set up a two-way trust and everything is communicating correctly, but when I come to migrate a group I can't migrate the SIDs to the target domain.
I've got the two-way trust in place, made the registry change (TcpipClientSupport) on the source DC, created a domain local group (CURRICULUM$$$) on the source DC, the administrator account for the target domain is a member of the local administrators group in the source domain, and the auditing of account management (both success and failure) is enabled on both domains.
What am I missing?
The specific error I am getting is: Could not verify auditing and TcpipClientSupport on domains. Will not be able to migrate Sid's. The specified domain either does not exist or could not be contacted.
If I choose not to migrate SIDs it works perfectly.
6th April 2008, 04:37 PM #2
I think I've fixed it!
When creating the trust, I created a Forest Trust instead of an External Trust. Recreating the trust as an External Trust seems to have fixed the problem.
19th June 2008, 02:38 PM #3
I have the same problem
I am also getting the error above but the trusts are already external.
Apparently it is because the Administrator on the new 2003 target domain does not have permissions on the NT4 target domain.
How can I add the 2003 Administrator to the NT4 domain admin groups?
- I'm just testing at the mo but am meant to be using for real at the weekend
- I am using Microsoft Virtual PC to create a test environment
- I have an NT4 (sp6a) PDC called NT4PDC in a domain called OLDDOMAIN
- I have a 2003 DC called NEWDC in a domain called NEWDOMAIN
- I have been following the ADMT v3 guide and have already established a 2 way external trust, done the TCPIP reg-hack and created the SOURCE$$$ group for auditing
Thanks very much in advance guys
19th June 2008, 04:51 PM #4
I found my own solution
I decided to engage my brain power and figure out my own solution
This is what you need to do
- On NT4PDC in OLDDOMAIN open User Manager
- Create a new user called ntmigrator
- Add ntmigrator to the Domain Admins group
You can now log on to the new DC as ntmigrator and successfully run ADMT (Make sure you select OLDDOMAIN in the logon box)
- On the DC of target domain (e.g. NEWDC in NEWDOMAIN) open AD Users & Computers
- Open the Users OU and double click the Administrators group
- Add OLDDOMAIN\ntmigrator as a member
- Note - it will not work with the Builtin\domain admins group
- Click Start > Control Panel > Administrative Tools > Domain Controller Security Policy
- Double click on Local Policies and choose User Rights Assignment
- Double click on the Allow log on locally policy.
- Add the user account (OLDDOMAIN\ntmigrator)
- Reboot NEWDC
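
Two of the prerequisites named in post #1 (the TcpipClientSupport registry value and the `<source domain>$$$` group) can be checked from a script before running ADMT. The following is an added example, not code from any poster in this thread; it assumes PowerShell 2.0 or later is installed on the source domain's PDC, uses the thread's sample name OLDDOMAIN, and its function names are hypothetical.

```powershell
# Added example: pre-flight check for two ADMT SID-migration prerequisites.
# Run on the source domain's PDC. 'OLDDOMAIN' is the sample name used in the thread.
param([string]$SourceDomain = 'OLDDOMAIN')

function Test-TcpipClientSupport {
    # ADMT expects the DWORD TcpipClientSupport = 1 under the Lsa key on the source PDC.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return ($props.TcpipClientSupport -eq 1)
}

function Get-AuditGroupState {
    param([string]$Domain)
    # Build the name with single quotes: inside double quotes PowerShell
    # would expand $$ (an automatic variable) and mangle the group name.
    $name = $Domain + '$$$'
    try {
        $group   = [ADSI]"WinNT://$Domain/$name,group"
        $members = @($group.psbase.Invoke('Members'))   # throws if the group is absent
    } catch {
        return 'Missing'
    }
    # ADMT expects this group to stay empty.
    if ($members.Count -gt 0) { return 'HasMembers' }
    return 'OK'
}

$regOk      = Test-TcpipClientSupport
$groupState = Get-AuditGroupState -Domain $SourceDomain

Write-Host ("TcpipClientSupport = 1 : {0}" -f $regOk)
Write-Host ("Group {0}`$`$`$      : {1}" -f $SourceDomain, $groupState)

if (-not $regOk -or $groupState -ne 'OK') {
    Write-Host 'SID migration prerequisites are not met on this machine.'
    exit 1
}
Write-Host 'Registry value and audit group look correct; check trust type and account-management auditing separately.'
```

The script does not cover the trust type, the account-management audit policy, or the permissions of the migrating account, which are the items the replies in this thread ended up changing.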