RE: SidHistory and password migration with ADMT

From: Einari (anonymous_at_discussions.microsoft.com)
Date: 02/26/04


Date: Thu, 26 Feb 2004 04:43:26 -0800

Hello Joe,

and thank you for your reply.

>-----Original Message-----
>Hello Einari,
>
>Thank you for your post.
>
>My name is Joe Wu, and it is my pleasure to work with you on this issue.
>
>May I know how you created the {SOURCEDOMAIN}$$$ group? Based on my
>research, this problem may occur if the {SOURCEDOMAIN}$$$ group on the
>source domain was created as a global group instead of as a local group.

Yes it is a global group. I let ADMT create it.
>
>Also, please check the permission settings on the
>[HKLM\System\CurrentControlSet\Control\LSA\] key to ensure that the SYSTEM
>account and the account that runs ADMT have access to it.

In target domain there are default user rights in registry
(SYSTEM and administrators have full rights).
Should I add some user rights somewhere in source domain?
In NT4 domain with User Manager - Policies - User Rights
(some user rights for the target domain)?

Greetings
Einari
>
>Get Secure! - www.microsoft.com/security
>
>====================================================
>When responding to posts, please "Reply to Group" via your newsreader so
>that others may learn and benefit from your issue.
>====================================================
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>--------------------
>|From: "Einari" <anonymous@discussions.microsoft.com>
>|Subject: SidHistory and password migration with ADMT
>|Date: Wed, 25 Feb 2004 01:46:23 -0800
>|
>|I have trouble migrating SidHistory and passwords with
>|ADMT2.
>|We have old NT4 domain and new Win2003 domain.
>|I think I have done all the necessary steps:
>|- 128 bit encryption
>|- 2 way trust with domains
>|- administrators in other domains local admin group
>|- auditing (success/failure) in both domains
>|- installed password migration dll
>|- target domain is Win2000 native mode
>|
>|To TARGET domain
>|- added to registry
>|HKLM\System\CurrentControlSet\Control\LSA\RestrictAnonymous = 0
>|- added to Default Domain Controllers Policy Network
>|access container -> Let Everyone permissions apply to
>|anonymous users Enable
>|- net localgroup "Pre-Windows 2000 Compatible access" Everyone /Add
>|- net localgroup "Pre-Windows 2000 Compatible access" anonymous logon /Add
>|
>|To SOURCE domain
>|- added group %sourcedomain%$$$ (no users in it)
>|- added to registry
>|HKLM\System\CurrentControlSet\Control\LSA\TcpipClientSupport = 1
>|- added to registry
>|HKLM\System\CurrentControlSet\Control\LSA\AllowPasswordExport = 1
>|
>|In target domain users are created (but not enabled) and
>|passwords are blanks.
>|ADMT log says like this:
>|
>| CN=testipitka - Created
>|2004-02-25 10:47:54 E2:7435 SID History cannot be updated
>|for testuser. This operation requires the
>|TcpipClientSupport registry key to be set on UTANT. rc=6.
>|2004-02-25 10:47:54 W1:7392 SIDHistory could not be
>|updated due to a configuration or permissions problem.
>|The Active Directory Migration Tool will not attempt to
>|migrate the remaining objects.
>|2004-02-25 10:47:54 Operation Aborted.
>|2004-02-25 10:47:54 Operation completed.
>|
>|This error message is strange because I even let ADMT
>|create the needed registry key and it went successfully.
>|
>|Passwords are migrated ok without SidHistory.
>|
>|And if I remember correctly all went fine when I tried to
>|migrate users from NT4 domain to Win2000 test domain.
>|
>|Greetings
>|Einari
>|
>
>.
>
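
The settings discussed in this thread can be read back in one pass from an admin workstation. The script below is an added example, not part of the original posts and not ADMT's own code; the parameter names are hypothetical, and it assumes the WinNT ADSI provider reports `groupType` as 2 for a global group and 4 for a local group.

```powershell
# Added example (not from the thread). Read-only; needs admin rights and the
# Remote Registry service on both machines. Parameter names are hypothetical.
param(
    [Parameter(Mandatory)] [string] $SourcePdc,     # source domain PDC
    [Parameter(Mandatory)] [string] $TargetDc,      # target domain controller
    [Parameter(Mandatory)] [string] $SourceDomain   # NetBIOS name of source domain
)

$lsaPath = 'System\CurrentControlSet\Control\LSA'

function Get-RemoteLsaValue {
    param([string] $Computer, [string] $Name)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        $key = $hklm.OpenSubKey($lsaPath)
        if ($null -eq $key) { return $null }
        try { return $key.GetValue($Name) } finally { $key.Close() }
    } finally { $hklm.Close() }
}

# Values and the side they belong to, as listed in the original post.
$expected = @(
    @{ Computer = $SourcePdc; Name = 'TcpipClientSupport';  Want = 1 },
    @{ Computer = $SourcePdc; Name = 'AllowPasswordExport'; Want = 1 },
    @{ Computer = $TargetDc;  Name = 'RestrictAnonymous';   Want = 0 }
)

$report = foreach ($e in $expected) {
    $actual = Get-RemoteLsaValue -Computer $e.Computer -Name $e.Name
    [pscustomobject]@{
        Check    = "$($e.Computer) LSA\$($e.Name)"
        Expected = $e.Want
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Ok       = ($actual -eq $e.Want)
    }
}

# The reply asks whether <SOURCEDOMAIN>$$$ is a local or a global group.
$groupName = $SourceDomain + '$$$'
try {
    $group = [ADSI]"WinNT://$SourceDomain/$groupName,group"
    $type  = [int]$group.Properties['groupType'].Value
    $kind  = switch ($type) { 2 { 'global' } 4 { 'local' } default { "type $type" } }
} catch { $kind = "not readable: $($_.Exception.Message)" }

$report = @($report) + [pscustomobject]@{
    Check = "group $groupName"; Expected = 'local'; Actual = $kind; Ok = ($kind -eq 'local')
}
$report | Format-Table -AutoSize
```

Saving the table before and after the migration also gives a record of which of the relaxed settings on the target domain (`RestrictAnonymous = 0`) are still in place.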


