RE: Migration NT4 to W3K AD

Tech-Archive recommends: Fix windows errors by optimizing your registry

Hi Brian,

I hope you are still out there. :)
I have migrated user groups and users successfully whitout the SID. I still
get the same error message as earlier. How do i get the SID's over? Is there
a Manual way to get the SID's over?
--
Capt_Trigger


"Trigger" wrote:

Hi,

The netdom command is now working also netdom verify. I also had Novell
software loaded on the NT4 server that i have uninstalled. I have not tried
to migrate any user yet. I have only tried migrating UserGroups with SID from
the NT4. I am still getting the error message"Could not verify auditing and
TcpipClientSupport on domains. Will not be able to migrate Sid's. Access is
denied."

I have not tried any users or whitout SID.
--
Capt_Trigger


"Brian Delaney [MSFT]" wrote:

It looks like the netdom command failing is a problem with the syntax... it
should have netdom trust domainA /domain:domainB and in your syntax below
you mention sourceserver which is not part of the syntax.

Have you tried a migration of a user without sid history? This will help
narrow down where the problem is.

Also, is there any Novell software loaded on the NT4 PDC? Specifically, but
not limited to NDS.

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
Thread-Topic: Migration NT4 to W3K AD
thread-index: AcbBXrrmZp9QF94pSn+2pZ1KDiJNpw==
X-WBNR-Posting-Host: 213.115.74.158
From: =?Utf-8?B?VHJpZ2dlcg==?= <Trigger@xxxxxxxxxxxxxxxxxxxxxxxxx>
References: <35F412E2-04DA-45F1-968A-309F1A422C4A@xxxxxxxxxxxxx>
<6$07JimvGHA.3028@xxxxxxxxxxxxxxxxxxxxx>
<C43866EE-5716-48BD-BDEA-963A530CD298@xxxxxxxxxxxxx>
<Pc7ce1uvGHA.5976@xxxxxxxxxxxxxxxxxxxxx>
<75C45ABC-1D0A-4C95-82A4-06F65710EBEF@xxxxxxxxxxxxx>
<7qs6Iw5vGHA.5696@xxxxxxxxxxxxxxxxxxxxx>
Subject: RE: Migration NT4 to W3K AD
Date: Wed, 16 Aug 2006 11:06:43 -0700

Hi,

verify the trust from the command line does not work like i wrote earlier.
But when checking the trust from inside "Domains & Trust" and testing the
trust there its all fine. I can also manage the A server from the B server
and vice verse. I don't really see the NetBIOS name resolution problem.

I have wins for both servers setup. Pointing to them self. Also the
lmhosts
file. Checked it all 5 times over.

I verified the 2003 domain Current domain functional level in "Windows
Server 2003"

Please advice.

thx

--
Capt_Trigger


"Brian Delaney [MSFT]" wrote:

Hi,

Based on that error while trying to verify the trust it seems that there
is
a problem with NetBIOS name resoltuion. Since we are establishing the
trust NT4 <--> 2003 we must have NetBIOS name resolution working
correctly
in both directions.

Do you have a WINS server configured for both domains or lmhosts files
setup?

The article http://support.microsoft.com/?kbid=314108 describes how to
setup an lmhosts file and what the cache should look like when it has
been
done correctly. This needs to be done in both directions so that
domainA
can resolve the netbios names for domainB and domainB can resolve
domainA's

In order to verify that the 2000 domain is in 2000 native mode go into
the
Active Directory Domains and Trusts GUI and Right click on your domain
and
click Raise Domain Functional Level. This will display the current
functional level and give you the opportunity to raise it, if it is not
the
highest already.

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no
rights.
--------------------
Thread-Topic: Migration NT4 to W3K AD
thread-index: Aca+99IKI9gPk1q4Sf2KZeyBQ92dpg==
X-WBNR-Posting-Host: 213.115.74.158
From: =?Utf-8?B?VHJpZ2dlcg==?= <Trigger@xxxxxxxxxxxxxxxxxxxxxxxxx>
References: <35F412E2-04DA-45F1-968A-309F1A422C4A@xxxxxxxxxxxxx>
<6$07JimvGHA.3028@xxxxxxxxxxxxxxxxxxxxx>
<C43866EE-5716-48BD-BDEA-963A530CD298@xxxxxxxxxxxxx>
<Pc7ce1uvGHA.5976@xxxxxxxxxxxxxxxxxxxxx>
Subject: RE: Migration NT4 to W3K AD
Date: Sun, 13 Aug 2006 09:45:01 -0700

Hi Brian,

Double chacked point 1 and 2 and they are in place. I used the Netdom
without the /enablesidhistory. Tried "netdom /verify sourceservername
/Domain:SourceDomain /UserO:administrator /PasswordO:xxxxxxx" the
answer
was
"The specified domain either does not exist or couold not be
contacted."
The
Validate GUI from "...Domain and trusts" should not be used when using
Netdom
or? How do i confirm my W3K server in native mode or higher? It should
be!
But just to confirm. I have not tried to migrate any groups or users
yet.
Since the problem with the SID. If i would do it whitout SID, then what?

Thx
--
Capt_Trigger


"Brian Delaney [MSFT]" wrote:

Hi,

Please verify that the group SouceDom$$$ in the source domain is a
local
group and not a global group as this will cause that error.

Also confirm that auditing has been configured as below:
1. Enable auditing for the success and failure of user and group
management
on the source domain in the Default Domain Controllers policy.
2. Enable auditing for the success and failure of Audit account
management
on the target domain in the Default Domain Controllers policy.

Also, try recreating the trusts without the /enablesidhistory option.

This
is not applicable to an External trust and only functions in a Forest
trust. Once recreated verify the trusts using the /verify option of
netdom.

Ensure that the 2000/2003 target domain is in Windows 2000 native
mode
or
higher.

Have you been able to successfully migrate the users and groups
without
sidHistory?

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no
rights.
--------------------
Thread-Topic: Migration NT4 to W3K AD
thread-index: Aca+niKLNmuQRMmGS6ekdxFLc1DTvQ==
X-WBNR-Posting-Host: 82.182.28.76
From: =?Utf-8?B?VHJpZ2dlcg==?= <Trigger@xxxxxxxxxxxxxxxxxxxxxxxxx>
References: <35F412E2-04DA-45F1-968A-309F1A422C4A@xxxxxxxxxxxxx>
<6$07JimvGHA.3028@xxxxxxxxxxxxxxxxxxxxx>
Subject: RE: Migration NT4 to W3K AD
Date: Sat, 12 Aug 2006 23:03:02 -0700

Everything is in place like you write. Sourcedomainname$$$ not
SourceServerName$$$ with the 3 $ sign after and is empty. Domain
admins
from
ServerA in to the admin group in server B and vice verse. The trust
script
i
did “NETDOM TRUST /d:01231 ADXXXXX /quarantine:no
/UD:01231\ADMINISTRATOR
/pd:xxxxxx /uo:ADXXXXX\administrator /Po:xxxxxx /ADD
/EnableSIDHistoryÃ
¢â‚¬Â
“NETDOM TRUST /d:ADXXXXX 01231 /quarantine:no
/UD:ADXXXXX\ADMINISTRATOR
/pd:xxxxxx /uo:01231\administrator /Po:xxxxxx /ADD /EnableSIDHistoryÃ
ƒ
¢â‚¬Â
--
Capt_Trigger


"Brian Delaney [MSFT]" wrote:

Hi,

Please verify the following:

An empty local group exists in the source domain that is named
SourceDomName$$$
The registry key



HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\TcpipClientSupport
has been set to 1 on the source PDC and it has been rebooted
Add the Domain Admins group from DomainA into the Administrators
group
in
DomainB and add the Domain Admins group from DomainB into the
Administrators group in DomainA and ensure you have logged off and
logged
back on and try again.

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers
no
rights.
--------------------
Thread-Topic: Migration NT4 to W3K AD
thread-index: Aca+VcVq6P1W2BWSSgSWH1LNOCSuNA==
X-WBNR-Posting-Host: 82.182.28.76
From: =?Utf-8?B?VHJpZ2dlcg==?= <Trigger@xxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: Migration NT4 to W3K AD
Date: Sat, 12 Aug 2006 14:25:02 -0700

I have setup the 2 way trust beetween the NT4 Server and the AD
with
SID
history. All accordingly to the text book(as far as i know).
When I
am
starting to migrate (ADMT v3)the user groups to the AD i recieve
this
error
message "Could not verify auditing and TcpipClientSupport on
domains.
Will
not be able to migrate Sid's. Access is Denied." The answer i can
find
is
"This error typically indicates that the user account that is
used
to
run
ADMT does not have enough permissions to perform the migration in
one
or
both
of the domains." when i did the trust i used the admin user for
both
servers.
I am not sure who to move on from here without loosing the SID
history.
--
Capt_Trigger












.

Relevant Pages

  • RE: Migration NT4 to W3K AD
    ... The netdom command is now working also netdom verify. ... software loaded on the NT4 server that i have uninstalled. ... verify the trust from the command line does not work like i wrote earlier. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Trust Fails and Restored, now ACL has to be reassign
    ... These don't go away unless you remove them, but if you have other admins on your network with that capability, you'll want to verify this. ... If the SIDHistory is still there, then I would want to look at the trust to make sure that SID Filtering is turned off and that the Trust is fully functional. ...
    (microsoft.public.win2000.networking)
  • RE: Migration NT4 to W3K AD
    ... verify the trust from the command line does not work like i wrote earlier. ... I can also manage the A server from the B server ... Based on that error while trying to verify the trust it seems that there is ... Please verify that the group SouceDom$$$ in the source domain is a local ...
    (microsoft.public.windows.server.active_directory)
  • RE: Migration NT4 to W3K AD
    ... It looks like the netdom command failing is a problem with the syntax... ... verify the trust from the command line does not work like i wrote earlier. ... I can also manage the A server from the B server ...
    (microsoft.public.windows.server.active_directory)
  • Re: Trust requirements for TS License Server in a different domain
    ... Licensing Server needs to trust the domain containing the Terminal ... only thinking about the Terminal Server and the TS Licensing ... have to be in trust relationship with License Server Domain ...
    (microsoft.public.windows.terminal_services)