RE: SidHistory and password migration with ADMT

From: Joe Wu [MSFT] (joewu_at_online.microsoft.com)
Date: 02/26/04


Date: Thu, 26 Feb 2004 09:37:18 GMT

Hello Einari,

Thank you for your post.

My name is Joe Wu, and it is my pleasure to work with you on this issue.

May I know how you created the {SOURCEDOMAIN}$$$ group? Based on my
research, this problem may occur if the {SOURCEDOMAIN}$$$ group on the
source domain was created as a global group instead of as a local group.

Also, please check the permission settings on the
[HKLM\System\CurrentControlSet\Control\LSA\] key to ensure that the SYSTEM
account and the account that runs ADMT have access to it.

I hope this helps. Thanks and have a great day!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
|From: "Einari" <anonymous@discussions.microsoft.com>
|Subject: SidHistory and password migration with ADMT
|Date: Wed, 25 Feb 2004 01:46:23 -0800
|Newsgroups: microsoft.public.windows.server.migration
|
|I have trouble migrating SidHistory and passwords with
|ADMT2.
|We have old NT4 domain and new Win2003 domain.
|I think I have done all the necessary steps:
|- 128 bit encryption
|- 2 way trust with domains
|- administrators in other domains local admin group
|- auditing (success/failure) in both domains
|- installed password migration dll
|- target domain is Win2000 native mode
|
|To TARGET domain
|- added to registry
|HKLM\System\CurrentControlSet\Control\LSA\RestrictAnonymous = 0
|- added to Default Domain Controllers Policy Network
|access container -> Let Everyone permissions apply to
|anonymous users Enable
|- net localgroup "Pre-Windows 2000 Compatible access"
|Everyone /Add
|- net localgroup "Pre-Windows 2000 Compatible access"
|anonymous logon /Add
|
|To SOURCE domain
|- added group %sourcedomain%$$$ (no users in it)
|- added to registry
|HKLM\System\CurrentControlSet\Control\LSA\TcpipClientSupport = 1
|- added to registry
|HKLM\System\CurrentControlSet\Control\LSA\AllowPasswordExport = 1
|
|In target domain users are created (but not enabled) and
|passwords are blanks.
|ADMT log says like this:
|
| CN=testipitka - Created
|2004-02-25 10:47:54 E2:7435 SID History cannot be updated
|for testuser. This operation requires the
|TcpipClientSupport registry key to be set on UTANT. rc=6.
|2004-02-25 10:47:54 W1:7392 SIDHistory could not be
|updated due to a configuration or permissions problem.
|The Active Directory Migration Tool will not attempt to
|migrate the remaining objects.
|2004-02-25 10:47:54 Operation Aborted.
|2004-02-25 10:47:54 Operation completed.
|
|This error message is strange because I even let ADMT
|create the needed registry key and it went successfully.
|
|Passwords are migrated ok without SidHistory.
|
|And if I remember correctly all went fine when I tried to
|migrate users from NT4 domain to Win2000 test domain.
|
|Greetings
|Einari
|
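
The two checks suggested in the reply above, as an added PowerShell example that is not part of the original thread: it reads the LSA values named in the post, lists the Allow entries for SYSTEM and the ADMT account on the LSA key, and reports the type of the {SOURCEDOMAIN}$$$ group. `SOURCEDOMAIN`, `TARGETDOMAIN\admt-admin` and the availability of PowerShell on the domain controller being checked are assumptions.

```powershell
# Added example: read-only checks, run in an elevated session on the
# domain controller being checked. Both parameter defaults are placeholders.
param(
    [string]$SourceDomain = 'SOURCEDOMAIN',            # placeholder NetBIOS name
    [string]$AdmtAccount  = 'TARGETDOMAIN\admt-admin'  # placeholder ADMT account
)

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. Values the original post says were set under the LSA key.
$lsa = Get-ItemProperty -Path $lsaPath
foreach ($name in 'TcpipClientSupport', 'AllowPasswordExport', 'RestrictAnonymous') {
    $prop  = $lsa.PSObject.Properties[$name]
    $value = if ($prop) { $prop.Value } else { '<not set>' }
    '{0,-20} = {1}' -f $name, $value
}

# 2. Allow entries on the LSA key for SYSTEM and the account that runs ADMT.
$acl = Get-Acl -Path $lsaPath
foreach ($who in 'NT AUTHORITY\SYSTEM', $AdmtAccount) {
    $rules = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $who -and $_.AccessControlType -eq 'Allow'
    }
    if ($rules) {
        '{0}: {1}' -f $who, (($rules.RegistryRights | Sort-Object -Unique) -join ', ')
    } else {
        # Access can still be inherited through a group such as Administrators.
        '{0}: no entry naming this account directly' -f $who
    }
}

# 3. Type of the <SOURCEDOMAIN>$$$ group, read through the ADSI WinNT provider.
#    groupType 2 = global group, 4 = local group.
$groupName = $SourceDomain + '$$$'
try {
    $group = [ADSI]"WinNT://$SourceDomain/$groupName,group"
    switch ([int]$group.Properties['groupType'].Value) {
        2       { "$groupName is a GLOBAL group (the reply expects a local group)" }
        4       { "$groupName is a local group" }
        default { "$groupName has unexpected groupType $_" }
    }
} catch {
    "$groupName could not be read: $($_.Exception.Message)"
}
```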


