RE: 2003 to 2003 Cross Forest migration

Hi,

You definitely have to run ADMT on target DC to migrate objects from source
domain. You also have to add the operation usrer account into the domain
admins group of both target domain & source domain.


Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================



--------------------
Thread-Topic: 2003 to 2003 Cross Forest migration
thread-index: AcaPwhg9gRUi/kJ0Rg6grH9WHN+nfQ==
X-WBNR-Posting-Host: 66.162.54.194
From: =?Utf-8?B?UGxheno=?= <Plazz@xxxxxxxxxxxxxxxxxxxxxxxxx>
References: <24FF770F-FFEE-48AA-B8DC-6117FC940726@xxxxxxxxxxxxx>
<FjsmZJ3jGHA.4688@xxxxxxxxxxxxxxxxxxxxx>
Subject: RE: 2003 to 2003 Cross Forest migration
Date: Wed, 14 Jun 2006 07:52:01 -0700
Lines: 107
Message-ID: <C0289328-DAB8-47A1-B091-F8CC3C88B86B@xxxxxxxxxxxxx>
MIME-Version: 1.0
Content-Type: text/plain;
charset="Utf-8"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
Newsgroups: microsoft.public.windows.server.migration
Path: TK2MSFTNGXA01.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.windows.server.migration:24061
NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
X-Tomcat-NG: microsoft.public.windows.server.migration

Hi,

Thanks for the assistance! Ok I have enabled the SID history on the
source DC and still get the error SID History couldn't be Updated
credentials
entered must have Admin privledges which it does on the source DC??
Couple
of more questions? Can you run ADMT from the source DC to the Target?
This is
what I'm currently attempting. Tried to run ADMT tool from a Member DC in
target domain but can't get permisions to setup any Domain admins from
the
source? Any and all help is extremely appreciated. TIA

Plazz

"Vincent Xu [MSFT]" wrote:

Hi,

Yes, you have to disable SID filtering and enable SID history by using:

Enable SID history by running :
netdom trust trusted_domain /domain:trusting_domain
/enablesidhistory:yes

SID filtering is enabled automatically on any trust relationships
created
by domain controllers running Windows 2000 Service Pack 4 or Windows
Server
2003. Or, you can manually enable it by using the Netdom trust command
line
utility with the /EnableSIDHistory:no command line switch. To disable
SID
filtering (and thus enable SIDHistory), use the /EnableSIDHistory:yes
switch.

More information:

If even this level of SIDHistory accessibility is too much, you can
impose
even stricter limits on your trust relationships by enabling the
Quarantine
feature. (In this context, the Quarantine feature controls SID
processing
over trust relationships and shouldn't be confused with the Network
Access
Protection or Network Access Quarantine Control technologies that are
used
to control local and remote access connections.) By enabling Quarantine
for
a trust relationship, you are specifying that only SIDs from the exact
domain on the other side of the trust are to be honored.In effect,
enabling
Quarantine on a trust relationship will break the transitivity of that
trust, so that only the specific domains on either side of the trust
are
considered participants in the trust. Quarantine is disabled by default
on
all trust relationships; you can manually enable it by using the Netdom
trust command line utility with the /quarantine:yes command line
switch.
Use the /quarantine:no switch to disable Quarantine on a trust
relationship
where it has already been enabled.

Hope this helps.




Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader
so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no
rights.
======================================================



--------------------
Thread-Topic: 2003 to 2003 Cross Forest migration
thread-index: AcaPIke4qqMuhidfRZ+7vpQsB8yB0g==
X-WBNR-Posting-Host: 66.162.54.194
From: =?Utf-8?B?UGxheno=?= <Plazz@xxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: 2003 to 2003 Cross Forest migration
Date: Tue, 13 Jun 2006 12:48:02 -0700
Lines: 8
Message-ID: <24FF770F-FFEE-48AA-B8DC-6117FC940726@xxxxxxxxxxxxx>
MIME-Version: 1.0
Content-Type: text/plain;
charset="Utf-8"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
Newsgroups: microsoft.public.windows.server.migration
Path: TK2MSFTNGXA01.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.windows.server.migration:24049
NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
X-Tomcat-NG: microsoft.public.windows.server.migration

Using ADMT Version 3 tool. Have 2 way trust setup. Can move the user
or
group
account but can not update SID History. Tool is being run from
Source DC
recieving
SIDHistory cannot be updated. The credentials entered must have Admin
privlidges on the source domain which it does. My question is I
believe
do
you have to enable/disable SID filtering on the Domain trust for SID
history
to migrate?






.

Relevant Pages

  • RE: 2003 to 2003 Cross Forest migration
    ... You definitely have to run ADMT on target DC to migrate objects from source ... source DC and still get the error SID History couldn't be Updated ... you have to disable SID filtering and enable SID history by using: ... SID filtering is enabled automatically on any trust relationships ...
    (microsoft.public.windows.server.migration)
  • Re: ADMT trouble: "Could not contact PDC" while migrating user acc
    ... I am not sure where the sid history is meant for, ... > DHCP & WINS not running on source Server, ... WINS manager (on Target) ... > ADMT seems to be able to browse Source Domain AD to show users, ...
    (microsoft.public.windows.server.sbs)
  • Re: Not able to establish trust with another window 2003 domain
    ... Source and my Target using command prompt, net use command, I can create ... But I fail to verify the Trust and its give the same error, ... Which mean, on Source DNS, I created the ...
    (microsoft.public.windows.server.active_directory)
  • Re: Not able to establish trust with another window 2003 domain
    ... Source and my Target using command prompt, net use command, I can create ... But I fail to verify the Trust and its give the same error, ... Which mean, on Source DNS, I created the ...
    (microsoft.public.windows.server.active_directory)
  • Re: Global Catalog server error
    ... to create a trust, but just wanted to verify that. ... I would actually run it from the target domain. ... Then I would use the ADMT tool. ... and it will preserve the local profiles and move them with the new account ...
    (microsoft.public.windows.server.active_directory)
Loading