Re: ADMT v3 - can't migrate SID history



Thanks for the responses. I should have noted that I am running ADMT under
the administrator account in the target domain, and that I have added the
target domain's Domain Admins group to the builtin administrators group in
the source domain. The source domain has had some restrictions put in place
for a DOD contract, so I'm suspecting the problem may be related to one of
these restrictions. Does anyone know a way to test what's blocking the SID
history migration?

"Jorge de Almeida Pinto" wrote:

> it is not possible to make a user of domain A a member of a global group of
> domain B
>
> add target domain admins to source administrators
>
> use an account in the target that is a member of domain admins in the
> target.
>
> in the target these are full permissions, but depending on the task
> possibilities exist to delegate and minimize permissions as needed
>
> --
>
> Cheers,
> (HOPEFULLY THIS INFORMATION HELPS YOU!)
> # Jorge de Almeida Pinto #
> BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
> -----------------------------------------------------------------------------
> * This posting is provided "AS IS" with no warranties and confers no rights!
> * Always test before implementing!
> -----------------------------------------------------------------------------
>
>
> -----------------------------------------------------------------------------
> "Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
> news:uPkMgumEGHA.336@xxxxxxxxxxxxxxxxxxxxxxx
> > "TimS" <TimS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > news:1FF4B74D-D75A-48DE-87E7-320F1C480D4A@xxxxxxxxxxxxxxxx
> >>I am doing an inter-forest migration - Both the source and destination
> >> domains are Windows 2003 running in 2000 native mode. I have a two-way
> >> trust established. I am attempting to test-migrate a few groups, and I'm
> >> selecting to migrate the SID History. It prompts me for a user with
> >> administrative permissions in the source domain, and I enter an account
> >> that is a member of the source domain's Domain Admins group. I have tried
> >> this with a couple different domain admin accounts, and I keep getting the
> >> following error:
> >> ERR2:7447 SID History cannot be updated for test-jax2. The credentials
> >> entered (VOJAX\\jaxadmin) must have Administrator privileges on the
> >> source domain.
> >
> > Are there really two backslashes there?
> >
> > NetBIOS domain\user names use one backslash: DomainName\UserName
> >
> >> What could be wrong here? What permissions are needed to bring over the
> >> SID history?
> >
> > You have a trust, why not just make the admin for target a member of
> > Domain Admins on the source?
> >
> >
> > --
> > Herb Martin, MCSE, MVP
> > Accelerated MCSE
> > http://www.LearnQuick.Com
> > [phone number on web site]
> >


