Solved

ADMT - migrating users from old to new domain. Groups not being associated when on new domain

Posted on 2015-01-24
Last Modified: 2015-01-30
Hi guys,

I've set up an ADMT server and have done the following:

1. Set up trust between source and target.
2. Set up auditing on both source and target.
3. Disabled SID history filtering.

I have migrated groups from the source to the target and ensured I selected the 'migrate SID'...option also.

When I migrate a user from the source, it goes to the target. However, it doesn't have any of the groups associated to it on the source in the target. I've attached the ADMT log file also.

Thanks for helping

Yashy
log-from-ADMT.txt
0
Question by:Yashy
9 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40568185
When you were going through the User Migration Wizard did you make sure to check "fix Users Group Membership"?

Take a look at the below link to ensure that all of the steps are similar and that you have not missed anything.

Migrating User with ADMT

Will.
0
 
LVL 1

Author Comment

by:Yashy
ID: 40568248
Yes I have done all of that also.

It is strange though why it migrates groups, users separately, but it won't migrate the actual groups associated to that user.

Could it be permissions related at all?
0
 
LVL 1

Author Comment

by:Yashy
ID: 40568292
Okay, one issue that I do see. When I go to the built-in Administrators on the source domain, I added the target_domain\administrator account and it only shows it as a SID rather than a normal logo.

And I get the following:

"Some of the objects names cannot be shown in their user-friendly form.
This can happen if the object is from an external domain and that domain is
not available to translate the object's name"
Administrators.jpg
0
 
LVL 37

Accepted Solution

by:Mahesh (earned 500 total points)
ID: 40568388
From the logs it seems that you are using a Windows 2000 source domain, which is not a supported scenario.

The source and target domains must be at Windows Server 2003 domain functional level or higher to run ADMT 3.2
https://technet.microsoft.com/en-us/library/active-directory-migration-tool-versions-and-supported-environments(v=ws.10).aspx
http://www.microsoft.com/en-in/download/confirmation.aspx?id=19188

Also, I have checked that "fix group membership" is also selected; however, it is not working as expected.

Either you introduce a 2003 / 2008 / 2008 R2 ADC in the existing source domain (you might have one) and demote the Windows 2000 DC, then raise the domain functional level to at least Windows 2003
OR
If you already have a Windows 2003 DC in the target domain, you can download ADMT 3.0 (deprecated version) and then migrate the accounts.
You will not get ADMT 3.0 from an official MS source; you need to google to download the older version.
0
 
LVL 1

Author Comment

by:Yashy
ID: 40568416
Thank you for writing back.

We literally migrated all of the company with a Windows 2000 source domain to a Windows 2008 R2 target, but using ADMT 3.1.

If I did do that, can I just uninstall 3.2 and install it on the same server without having to reconfigure anything?
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40568428
ADMT 3.1 will work; however, you need to install it on a 2008 member server (non-R2).

The PES tool version has not changed (3.1), so you can just generate a new PES file from the 2008 server and install it on the 2000 source DC.

Check the article below for more info:
http://blogs.technet.com/b/askds/archive/2009/10/26/using-admt-3-1-to-migrate-to-windows-server-2008-r2-domains.aspx
0
 
LVL 1

Author Comment

by:Yashy
ID: 40568725
I did it again and even though the PES etc. and the user migration itself work, the groups are not becoming associated to the user on the target domain.

This is using version 3.1 of ADMT.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40568903
I hope you installed ADMT 3.1 on a 2008 server only.
After you install the new ADMT, you need to remigrate all groups again, because this new database is empty and does not contain the previous ADMT group migration data.
Remigrate all groups in merge mode.
Ensure you remigrate them with SID history as well.
Then try to migrate users with "Fix users group membership" along with SID history; it will work.
0
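A read-only check for the outcome of the steps above, added here as an example and not part of the original thread: for each group the source user belongs to, it looks for a target group carrying that group's SID in sIDHistory and reports whether the migrated user is a member of it. The domain names and the account name are placeholders, and the script assumes it runs under an account that can read both domains over the trust.

```powershell
# Added example. Placeholders: replace with your own domains and a migrated test user.
$SourceDomain = 'source.example'
$TargetDomain = 'target.example'
$Sam          = 'jdoe'

function Find-One([string]$Domain, [string]$Filter) {
    # Plain LDAP through ADSI, so no AD Web Services is needed on the source side.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain")
    $ds   = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $ds.FindOne()
}

function ConvertTo-LdapHex([byte[]]$Bytes) {
    # Binary SID -> \XX\XX... form, valid in an LDAP filter on objectSid / sIDHistory.
    ($Bytes | ForEach-Object { '\{0:X2}' -f $_ }) -join ''
}

$userFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$Sam))"
$srcUser = Find-One $SourceDomain $userFilter
$tgtUser = Find-One $TargetDomain $userFilter
if (-not $srcUser -or -not $tgtUser) { throw "User '$Sam' was not found in both domains." }

# memberOf does not list the primary group (normally Domain Users).
$tgtMemberOf = @($tgtUser.Properties['memberof'])

foreach ($groupDn in $srcUser.Properties['memberof']) {
    # A '/' inside a DN must be escaped when the DN is used in an ADsPath.
    $path     = "LDAP://$SourceDomain/" + ($groupDn -replace '/', '\/')
    $srcGroup = New-Object System.DirectoryServices.DirectoryEntry($path)
    $sidHex   = ConvertTo-LdapHex ([byte[]]$srcGroup.psbase.Properties['objectSid'].Value)

    # The migrated copy is the target group whose sIDHistory holds the source group's SID.
    $tgtGroup = Find-One $TargetDomain "(&(objectClass=group)(sIDHistory=$sidHex))"
    $tgtDn    = if ($tgtGroup) { [string]$tgtGroup.Properties['distinguishedname'][0] } else { $null }

    [pscustomobject]@{
        SourceGroup       = [string]$srcGroup.psbase.Properties['sAMAccountName'].Value
        TargetGroupDn     = $tgtDn
        SidHistoryOnGroup = [bool]$tgtGroup
        UserIsMember      = [bool]($tgtDn -and ($tgtMemberOf -contains $tgtDn))
    }
}
```

A row with SidHistoryOnGroup set to False points at a group that has no SID-history copy in the target yet; a row with SidHistoryOnGroup True but UserIsMember False is the symptom described in the question.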
 
LVL 1

Author Comment

by:Yashy
ID: 40579418
It worked after I installed 3.1 :)

Thanks again
0
