Re: ADMT v3 - can't migrate SID history
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Fri, 6 Jan 2006 15:00:08 -0600
"TimS" <TimS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:788836C4-BB58-4A1C-A72D-1AC66D3112B2@xxxxxxxxxxxxxxxx
> Thanks for the responses. I should have noted that I am running ADMT under
> the administrator account in the target domain, and that I have added the
> target domain's Domain Admins group to the builtin administrators group in
> the source domain.
That is what I meant for you to do but (incorrectly) implied the global
group.
> The source domain has had some restrictions put in place
> for a DOD contract, so I'm suspecting the problem may be related to one of
> these restrictions. Does anyone know a way to test what's blocking the SID
> history migration?
DS Object Logging can be a help. Perhaps use of Rights (which
I almost never recommend) would help HERE as well.
You could enable these on the source domain and set DC
Auditing on the (trees of) objects to be migrated.
Build a group specifically for the auditing so that it will be
easy to clear the ACL if it becomes obtrusive OR when you
finish.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
> "Jorge de Almeida Pinto" wrote:
>
>> it is not possible to make a user of domain A a member of a global group of
>> domain B
>>
>> add target domain admins to source administrators
>>
>> use an account in the target that is a member of domain admins in the
>> target.
>>
>> in the target these are full permissions, but depending on the task
>> possibilities exist to delegate and minimize permissions as needed
>>
>> --
>>
>> Cheers,
>> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>> # Jorge de Almeida Pinto #
>> BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
>> -----------------------------------------------------------------------------
>> * This posting is provided "AS IS" with no warranties and confers no
>> rights!
>> * Always test before implementing!
>> -----------------------------------------------------------------------------
>>
>>
>> -----------------------------------------------------------------------------
>> "Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
>> news:uPkMgumEGHA.336@xxxxxxxxxxxxxxxxxxxxxxx
>> > "TimS" <TimS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> > news:1FF4B74D-D75A-48DE-87E7-320F1C480D4A@xxxxxxxxxxxxxxxx
>> >> I am doing an inter-forest migration - Both the source and destination
>> >> domains are Windows 2003 running in 2000 native mode. I have a two-way trust
>> >> established. I am attempting to test-migrate a few groups, and I'm selecting
>> >> to migrate the SID History. It prompts me for a user with administrative
>> >> permissions in the source domain, and I enter an account that is a member of
>> >> the source domain's Domain Admins group. I have tried this with a couple
>> >> different domain admin accounts, and I keep getting the following error:
>> >> ERR2:7447 SID History cannot be updated for test-jax2. The credentials
>> >> entered (VOJAX\\jaxadmin) must have Administrator privileges on the source
>> >> domain.
>> >
>> > Are there really two backslashes there?
>> >
>> > NetBIOS domain\user names use one backslash: DomainName\UserName
>> >
>> >> What could be wrong here? What permissions are needed to bring over the
>> >> SID history?
>> >
>> > You have a trust, why not just make the admin for target a member of
>> > Domain Admins on the source?
>> >
>> >
>> > --
>> > Herb Martin, MCSE, MVP
>> > Accelerated MCSE
>> > http://www.LearnQuick.Com
>> > [phone number on web site]
>> >
>>
>>
>>
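
One way to set up, and later clear, the object auditing suggested in the reply above, as an added example that is not part of the original thread. The OU path, the group name and the use of the PowerShell ActiveDirectory module (which postdates this thread) are assumptions; run it on the source domain.

```powershell
# Added example. $SourceOU and $AuditGroup are hypothetical placeholders.
# SACL entries only produce events when directory service access auditing is
# enabled on the source DCs, e.g.:
#   auditpol /set /subcategory:"Directory Service Access" /failure:enable
Import-Module ActiveDirectory

$SourceOU   = 'OU=MigrationTest,DC=source,DC=example'   # subtree holding the objects to migrate
$AuditGroup = 'ADMT-Audit'                               # dedicated group, used only for auditing

function Get-AuditGroupSid {
    # The group's SID is the trustee in every audit entry this script manages.
    (Get-ADGroup -Identity $AuditGroup).SID
}

function Add-MigrationAudit {
    # Create the dedicated group if it does not exist yet. Add the accounts
    # used for the migration to it afterwards (Add-ADGroupMember).
    if (-not (Get-ADGroup -Filter "Name -eq '$AuditGroup'")) {
        New-ADGroup -Name $AuditGroup -GroupScope DomainLocal -GroupCategory Security
    }
    # Audit every failed access by group members on the OU and all child objects.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        (Get-AuditGroupSid),
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AuditFlags]::Failure,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl = Get-Acl -Path "AD:\$SourceOU" -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$SourceOU" -AclObject $acl
}

function Remove-MigrationAudit {
    # Because only the dedicated group appears in the added entries, one purge
    # by SID removes them all and leaves any other auditing untouched.
    $acl = Get-Acl -Path "AD:\$SourceOU" -Audit
    $acl.PurgeAuditRules((Get-AuditGroupSid))
    Set-Acl -Path "AD:\$SourceOU" -AclObject $acl
}

# Usage: Add-MigrationAudit, retry the migration, review the Security log on
# the source DCs for failure events, then Remove-MigrationAudit.
```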