Re: 2003 to 2003 Cross Forest migration




Hi,

Sorry, I mean, ADMT needs Administrator rights in the source domain.

As well as,
Administrator rights on each computer that you migrate.
Administrator rights on each computer on which you translate security.



Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================



--------------------
From: "Jorge de Almeida Pinto [MVP]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx>
Subject: Re: 2003 to 2003 Cross Forest migration
Date: Thu, 15 Jun 2006 23:21:44 +0200

You definitely have to run ADMT on target DC to migrate objects from source domain. You also have to add the operation user account into the domain admins group of both target domain & source domain.

A user from domain A can be added to the domain admins from domain A but not to the domain admins from domain B. Domain Admins is a global group and can only contain users from the same domain!

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
--------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
--------------------------------------------------------------------------
"Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:WTmwopEkGHA.4688@xxxxxxxxxxxxxxxxxxxxxxxx
Hi,

You definitely have to run ADMT on target DC to migrate objects from source domain. You also have to add the operation user account into the domain admins group of both target domain & source domain.


Best regards,

Vincent Xu
Microsoft Online Partner Support




--------------------
From: =?Utf-8?B?UGxheno=?= <Plazz@xxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: 2003 to 2003 Cross Forest migration
Date: Wed, 14 Jun 2006 07:52:01 -0700

Hi,

Thanks for the assistance! Ok I have enabled the SID history on the source DC and still get the error SID History couldn't be Updated credentials entered must have Admin privileges which it does on the source DC?? Couple of more questions? Can you run ADMT from the source DC to the Target? This is what I'm currently attempting. Tried to run ADMT tool from a Member DC in target domain but can't get permissions to setup any Domain admins from the source? Any and all help is extremely appreciated. TIA

Plazz

"Vincent Xu [MSFT]" wrote:

Hi,

Yes, you have to disable SID filtering and enable SID history by using:

Enable SID history by running:
netdom trust trusting_domain /domain:trusted_domain /enablesidhistory:yes

SID filtering is enabled automatically on any trust relationships created by domain controllers running Windows 2000 Service Pack 4 or Windows Server 2003. Or, you can manually enable it by using the Netdom trust command line utility with the /EnableSIDHistory:no command line switch. To disable SID filtering (and thus enable SIDHistory), use the /EnableSIDHistory:yes switch.

More information:

If even this level of SIDHistory accessibility is too much, you can impose even stricter limits on your trust relationships by enabling the Quarantine feature. (In this context, the Quarantine feature controls SID processing over trust relationships and shouldn't be confused with the Network Access Protection or Network Access Quarantine Control technologies that are used to control local and remote access connections.) By enabling Quarantine for a trust relationship, you are specifying that only SIDs from the exact domain on the other side of the trust are to be honored. In effect, enabling Quarantine on a trust relationship will break the transitivity of that trust, so that only the specific domains on either side of the trust are considered participants in the trust. Quarantine is disabled by default on all trust relationships; you can manually enable it by using the Netdom trust command line utility with the /quarantine:yes command line switch. Use the /quarantine:no switch to disable Quarantine on a trust relationship where it has already been enabled.

Hope this helps.




Best regards,

Vincent Xu
Microsoft Online Partner Support




--------------------
From: =?Utf-8?B?UGxheno=?= <Plazz@xxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: 2003 to 2003 Cross Forest migration
Date: Tue, 13 Jun 2006 12:48:02 -0700

Using ADMT Version 3 tool. Have 2 way trust setup. Can move the user or group account but can not update SID History. Tool is being run from Source DC receiving SIDHistory cannot be updated. The credentials entered must have Admin privileges on the source domain which it does. My question is I believe do you have to enable/disable SID filtering on the Domain trust for SID history to migrate?
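
The following is an added example, not part of the original thread: PowerShell that decodes a trust's trustAttributes value to show whether the SID filtering and Quarantine settings discussed above are in effect, so that trusts left relaxed for a migration can be found and tightened again afterwards. The flag values are those defined in Microsoft's MS-ADTS specification; the function name, domain names and sample values are constructed for illustration, and the mapping of /enablesidhistory:yes to the TREAT_AS_EXTERNAL flag is an assumption.

```powershell
# Added example: decode a trust's trustAttributes value (flag values from MS-ADTS).
$TrustFlags = [ordered]@{
    QUARANTINED_DOMAIN = 0x04  # Quarantine: only SIDs of the directly trusted domain are honored
    FOREST_TRANSITIVE  = 0x08  # the trust is a forest trust
    TREAT_AS_EXTERNAL  = 0x40  # forest trust is SID-filtered like an external trust
                               # (assumption: the flag set by /enablesidhistory:yes)
}

function Get-SidFilterState {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][int]$TrustAttributes
    )
    # Names of the flags that are set in this value
    $set = @($TrustFlags.Keys | Where-Object { $TrustAttributes -band $TrustFlags[$_] })

    if ($set -contains 'QUARANTINED_DOMAIN') {
        $state = 'Quarantine on: SIDHistory from other domains is filtered out'
    } elseif ($set -contains 'FOREST_TRANSITIVE' -and $set -notcontains 'TREAT_AS_EXTERNAL') {
        $state = 'Forest trust, default filtering: SIDs from outside the trusted forest are filtered out'
    } else {
        $state = 'Relaxed: SIDHistory values can be honored across this trust'
    }
    [pscustomobject]@{ Trust = $Name; Flags = ($set -join ', '); SidFiltering = $state }
}

# Constructed sample values; the domain names are placeholders.
$samples = @(
    @{ Name = 'source.example (forest trust, default)';  TrustAttributes = 0x08 },
    @{ Name = 'source.example (SID history enabled)';    TrustAttributes = 0x48 },
    @{ Name = 'partner.example (external, quarantined)'; TrustAttributes = 0x04 }
)
$samples |
    ForEach-Object { Get-SidFilterState -Name $_.Name -TrustAttributes $_.TrustAttributes } |
    Format-List

# Against a live domain (needs the ActiveDirectory module):
# Get-ADTrust -Filter * | ForEach-Object {
#     Get-SidFilterState -Name $_.Name -TrustAttributes $_.TrustAttributes }
```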









