Re: ADMT v3 - can't migrate SID history

"TimS" <TimS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1FF4B74D-D75A-48DE-87E7-320F1C480D4A@xxxxxxxxxxxxxxxx
>I am doing an inter-forest migration - Both the source and destination
> domains are Windows 2003 running in 2000 native mode. I have a two-way
> trust
> established. I am attempting to test-migrate a few groups, and I'm
> selecting
> to migrate the SID History. It prompts me for a user with administrative
> permissions in the source domain, and I enter an account that is a member
> of
> the source domain's Domain Admins group. I have tried this with a couple
> different domain admin accounts, and I keep getting the following error:
> ERR2:7447 SID History cannot be updated for test-jax2. The credentials
> entered (VOJAX\\jaxadmin) must have Administrator privileges on the source
> domain.

Are there really two backslashes there?

NetBIOS domain\user names use one backslash: DomainName\UserName

> What could be wrong here? What permissions are needed to bring over the
> SID
> history?

You have a trust, why not just make the admin for target a member of
Domain Admins on the source?


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

"TimS" <TimS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1FF4B74D-D75A-48DE-87E7-320F1C480D4A@xxxxxxxxxxxxxxxx
>I am doing an inter-forest migration - Both the source and destination
> domains are Windows 2003 running in 2000 native mode. I have a two-way
> trust
> established. I am attempting to test-migrate a few groups, and I'm
> selecting
> to migrate the SID History. It prompts me for a user with administrative
> permissions in the source domain, and I enter an account that is a member
> of
> the source domain's Domain Admins group. I have tried this with a couple
> different domain admin accounts, and I keep getting the following error:
> ERR2:7447 SID History cannot be updated for test-jax2. The credentials
> entered (VOJAX\\jaxadmin) must have Administrator privileges on the source
> domain.
>
> What could be wrong here? What permissions are needed to bring over the
> SID
> history?
>
> Thanks,
> Tim


.

Relevant Pages

  • RE: ADMT - FILE ACLing with 2 domains
    ... permissions" and "directory based permissions"? ... SID history is used for migrated users to access the ... resources in the source domain. ... SID history is only a temporary workaround in the migration ...
    (microsoft.public.windows.server.migration)
  • Re: Grant Administrative Access to a Domain Controller
    ... Create an account and allow them full ... Remember that objects ALSO have explicit defined permissions. ... you did not mention the domain administrators group (not Domain Admins). ... Objects protected by the AdminSDHolder only have explicit defined permissions which are the same as the AdminSDHolder object itself. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Restricting Access to User Mailboxes by Domain Admins
    ... What permissions do domain admins have now. ... configuration do not have full mailbox rights. ... If you use Registry Editor incorrectly, ...
    (microsoft.public.exchange.admin)
  • RE: ADMT - FILE ACLing with 2 domains
    ... cn's) and reapplying both sets of permissions ... It is an interim method in the migration ... > to Windom with SID history, ...
    (microsoft.public.windows.server.migration)
  • Re: Grant Administrative Access to a Domain Controller
    ... EVEN if you remove the permissions or set DENY ACEs or whatever you do, ... * This posting is provided "AS IS" with no warranties and confers no rights! ... If you remove domain admins group from perms in AD you remove there ... have no way to change the set of ownership. ...
    (microsoft.public.windows.server.active_directory)
Loading