Windows 2003 >> Windows 2008 R2 - ADMT Domain Migration, SID History

Posted on 2010-03-25
Medium Priority
Last Modified: 2012-05-09
I am trying to migrate a Windows 2003 domain to a Windows 2008 domain. I have created the trust relationship and can successfully migrate user accounts; however, when I try to migrate the SID history it always fails with the following error message:

Could not verify auditing and tcpip client support on domains, Will not be able to migrate the SID's
..Access is Denied

I have done the following:

1. Added the tcpipclient support=1 option into the registry of the source domain controller

2. Enabled Management auditing in the DCs' GPOs (both domains)

Yet I still get the same problem. I have these directions that I am not sure I understand correctly:

To delegate the MigrateSidHistory extended right on a Microsoft Windows Server domain controller or on a computer that has the Windows Server 2003 Administration Tools pack installed, follow these steps:

1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

2. Right-click the name of the domain that you want to delegate the MigrateSidHistory extended right from, and then click Delegate Control to open the Delegation of Control Wizard window.

3. Click Next, click Add, enter the name of the user or group that you wish to add in the Select Users, Computers, or Groups dialog box, click OK, and then click Next.

4. Click to select the Create a custom task to delegate option, and then click Next.

5. Make sure that the This folder, existing objects in this folder, and creation of new objects in this folder option is selected, and then click Next.

6. Make sure that the General option is selected, click Migrate SID History in the Permissions list, and then click Next.

7. Verify that the information is correct, and then click Finish.

If the target domain is a Windows Server 2003 domain, Windows security requires user credentials with the delegated MigratesIDHistory extended right or administrator rights in the target domain.
No sID to be migrated may exist in the target forest, either as a primary sID or as an sIDHistory attribute of another object.

I got this from: http://support.microsoft.com/kb/322970

I don't think I understand how to set up the delegation. Do I delegate "SID History" to the administrator account? On both domains?

Question by: castellansolutions

Accepted Solution

Awinish earned 2000 total points
ID: 28658011
The error is mostly a permission error.
The ID you are using must be a member of the administrators, enterprise admin & domain admin groups in both the domains.
I hope you are using ADMT V3.1.
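
A read-only check of the three prerequisites discussed in this thread (TcpipClientSupport on the source DC, account management auditing, and who holds the Migrate SID History right on the target domain), as an added example that is not part of the original posts or of KB 322970. It assumes PowerShell on the Windows Server 2008 R2 target DC with the ActiveDirectory module loaded and the Remote Registry service running on the source DC; `SRCDC01` is a placeholder name.

```powershell
# Added example: read-only prerequisite check for ADMT SID history migration.
# Assumptions: run on the 2008 R2 target DC; SRCDC01 is a placeholder name.
param(
    [string]$SourceDC = 'SRCDC01'   # placeholder: source (2003) domain controller
)
Import-Module ActiveDirectory

# 1. TcpipClientSupport on the source DC (read over Remote Registry).
#    The source DC must be restarted after the value is first set.
$key = "\\$SourceDC\HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
$out = & reg.exe query $key /v TcpipClientSupport 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "TcpipClientSupport not readable on ${SourceDC}: $out"
} elseif ("$out" -match 'REG_DWORD\s+0x1\b') {
    "TcpipClientSupport = 1 on $SourceDC"
} else {
    Write-Warning "TcpipClientSupport present on $SourceDC but not set to 1"
}

# 2. Account management auditing as effective on this (target) DC.
#    auditpol with this syntax is not available on Windows Server 2003,
#    so the source DC has to be checked through its GPO or local policy.
& auditpol.exe /get /category:"Account Management"

# 3. Who holds the Migrate SID History extended right on the target domain.
#    The right's GUID is read from the directory rather than hard-coded.
$root  = Get-ADRootDSE
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
    -LDAPFilter '(cn=Migrate-SID-History)' -Properties rightsGuid
$guid  = [guid]$right.rightsGuid
$ext   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# An ACE grants the right if it allows ExtendedRight for this GUID, or for
# the empty GUID (all extended rights, e.g. Full Control).
(Get-Acl -Path "AD:\$($root.defaultNamingContext)").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $ext) -and
        ($_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```

The account used for the ADMT run should appear in the last listing, directly or through a group; any unexpected principal there can also write sIDHistory and is worth reviewing once the migration is finished.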