I am trying to migrate a windows 2003 domain to a windows 2008 domain. I have created the trust relationship
and can successfully migrate user accounts, however when i try to migrate the sid history it always fails with the following
Could not verify auditing and tcpip client support on domains, Will not be able to migrate the SID's
..Access is Denied
I have done the follwoing:
1. Added the tcpipclient support=1 option into the registry of the source domain controller
2. Enabled Management auditing in the on the dc's gpos (both domains)
Yet, still i get the same problem. I have these directions that i am not sure if i understand correctly:
To delegate the MigrateSidHistory extended right on a Microsoft Windows Server domain controller or on a computer that has the Windows Server 2003 Administration Tools pack installed, follow these steps:
Click Start, click Administrative Tools, and then clickActive Directory Users and Computers.
Right-click the name of the domain that you want to delegate the MigrateSidHistory extended right from, and then click Delegate Control to open the Delegation of Control Wizard window.
Click Next, click Add, enter the name of the user or group that you wish to add in the Select Users, Computers, or Groups dialog box, click OK, and then click Next.
Click to select theCreate a custom task to delegateoption, and then click Next.
Make sure that the This folder, existing objects in this folder, and creation of new objects in this folder option is selected, and then click Next.
Make sure that the Generaloption is selected, click Migrate SID History in the Permissions list, and then click Next.
Verify that the information is correct, and then click Finish.
If the target domain is a Windows Server 2003 domain, Windows security requires user credentials with the delegated MigratesIDHistory extended right or administrator rights in the target domain.
No sID to be migrated may exist in the target forest, either as a primary sID or as an sIDHistory attribute of another object.
I got this from: http://support.microsoft.com/kb/322970
I dont think i understand how to setup the delegation? Do i delegate "SID HIstory" to the administrator account? on both domains?