ADMT SID history migration


jcon

Jul 21, 2006, 4:33:01 PM
I have been tasked with consolidating 1 forest containing 9 different domains
into 1 forest 1 domain. In my test environment using ADMT to move accounts
and SID history worked fine. Now I am testing the move of production child
domain accounts to the test forest domain.

I created the forest-to-forest trust, used NETDOM commands on both domains,
and gave the target ADMT account admin rights on the child domain. I can
migrate the accounts to the target along with the SID without errors or
problems. However, when I try to access shares and mailboxes on the source
domain I get access denied.

Any ideas what I am doing wrong?

"Frank Röder [MVP]"

Jul 23, 2006, 4:16:07 AM

jcon wrote:

Have you disabled SID filtering on the trust?

--
Best regards
Frank Röder
MVP Windows Server System - Directory Services
"Ex oriente lux"

jcon

Jul 25, 2006, 9:43:03 AM

Thanks for your response. Yes, I disabled the SID filtering using NETDOM.
I don't get any errors on the ADMT of the account.

jcon

Jul 28, 2006, 4:40:02 PM

[Settings Section]
Task: User Migration (16)
ADMT Console
User: NEWDEV\administrator
Computer: NEWDEV-01.NEWDEV.LOCAL (NEWDEV-01)
Domain: NEWDEV.LOCAL (NEWDEV)
OS: Microsoft Windows Server 2003 5.2 (3790) Service Pack 1
Source Domain
Name: dev-env.local (DEV-ENV)
DC: DEV-DC01.dev-env.local (DEV-DC01)
OS: Windows Server 2003 5.2 (3790) Service Pack 1
OU:
Target Domain
Name: NEWDEV.LOCAL (NEWDEV)
DC: NEWDEV-01.NEWDEV.LOCAL (NEWDEV-01)
OS: Windows Server 2003 5.2 (3790) Service Pack 1
OU: LDAP://NEWDEV.LOCAL/OU=Domain Users,OU=Security,DC=NEWDEV,DC=LOCAL
Intra-Forest: No
Password Option: Generate passwords, only for new objects = No
Password File: 'C:\WINDOWS\ADMT\Logs\passwords.txt'
Migrate Security Identifiers: Yes
Update Rights: Yes
Translate Roaming Profiles: Yes
Fix group membership: Yes
Conflict Option: Ignore
Source Disable Option: Leave source account
Source Expiration: Do not expire source account
Target Disable Option: Set target same as source
Migrate groups: Yes
Update Migrated Objects: No
Migrate service accounts: Yes

[Object Migration Section]
2006-07-28 15:31:14 Starting Account Replicator.
2006-07-28 15:31:14 CN=big Boy - Created
2006-07-28 15:31:15 SID for DEV-ENV\bboy added to the SID History of
NEWDEV\bboy
2006-07-28 15:31:15 WRN1:7561 ADMT could not migrate some properties for
this object type (user) due to schema mismatches. Please refer to the Schema
Section in the migration log for a complete listing. The Schema Section will
be available once object migration is complete.
2006-07-28 15:31:15 WRN1:7857 Could not copy following properties for
'CN=big Boy'.
2006-07-28 15:31:15 showInAddressBook = CN=Default Global Address
List,CN=All Global Address Lists,CN=Address Lists
Container,CN=DEV-ENV,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=dev-env,DC=local, ... A constraint
violation occurred.
2006-07-28 15:31:15 lastLogonTimestamp = 127985124166093750 The server is
unwilling to process the request.
2006-07-28 15:31:15 WRN1:7651 Unable to retrieve operating system version of
password export server 'aethouexch01.aethou.eagletanker.com'. The referenced
account is currently locked out and may not be logged on to.
2006-07-28 15:31:15 CN=big Boy - Strong password generated.
2006-07-28 15:31:15 WRN1:7874 Disabled the "password never expires" account
option for account 'CN=big Boy'.
2006-07-28 15:31:15 Updated user rights for CN=big Boy
2006-07-28 15:31:15 Operation completed.

jcon

Aug 3, 2006, 5:36:02 PM

The issue was that the NETDOM command listed in the Microsoft documentation
for ADMT is for DOMAIN to DOMAIN migrations ONLY.

Example of syntax for domain-to-domain trust SID filtering:

Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /usero:domainadministratorAcct /passwordo:domainadminpwd

*******************************************************************

A forest-to-forest trust requires different syntax and is not in any
documentation that I found.

Example of the syntax for forest-to-forest trust SID filtering:

Netdom trust TrustingDomainName /domain:TrustedDomainName /EnableSIDHistory:yes /usero:domainadministratorAcct /passwordo:domainadminpwd
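
The difference between the two switches shows up in the trust object's trustAttributes value, so the state can be audited after a migration. The following is an added example, not part of the thread or of Microsoft's documentation: it decodes trustAttributes from an LDIF-style export and reports whether migrated SIDs are accepted and which NETDOM switch governs that. The bit values are the ones defined in MS-ADTS; the mapping of /quarantine and /EnableSIDHistory to those bits, the function names and the sample export are assumptions made for the example.

```python
import re

# trustAttributes bits on a trustedDomain object, as defined in MS-ADTS.
QUARANTINED_DOMAIN = 0x04  # quarantine (SID filtering) on an external trust
FOREST_TRANSITIVE = 0x08   # the trust is a forest trust
TREAT_AS_EXTERNAL = 0x40   # forest trust filtered like an external trust


def sid_history_state(trust_attributes):
    """Return (trust_kind, sid_history_accepted, governing_netdom_switch)."""
    quarantined = bool(trust_attributes & QUARANTINED_DOMAIN)
    if trust_attributes & FOREST_TRANSITIVE:
        # A forest trust filters migrated SIDs unless TREAT_AS_EXTERNAL is
        # set; clearing the quarantine bit alone changes nothing here.
        relaxed = bool(trust_attributes & TREAT_AS_EXTERNAL)
        return ("forest", relaxed and not quarantined, "/EnableSIDHistory")
    return ("external", not quarantined, "/quarantine")


def audit(ldif_text):
    """Parse cn/trustAttributes pairs from LDIF-style text, one row per trust."""
    results = []
    for record in re.split(r"\n\s*\n", ldif_text.strip()):
        fields = dict(re.findall(r"^(\w+):\s*(.+)$", record, re.MULTILINE))
        if "trustAttributes" not in fields:
            continue  # not a trustedDomain record
        state = sid_history_state(int(fields["trustAttributes"]))
        results.append((fields.get("cn", "?"),) + state)
    return results


# Constructed sample export (hypothetical domains, not the thread's data).
SAMPLE = """\
dn: CN=forest-src.example,CN=System,DC=target,DC=example
cn: forest-src.example
trustAttributes: 8

dn: CN=external-src.example,CN=System,DC=target,DC=example
cn: external-src.example
trustAttributes: 4

dn: CN=migrating.example,CN=System,DC=target,DC=example
cn: migrating.example
trustAttributes: 72
"""

if __name__ == "__main__":
    for name, kind, accepted, switch in audit(SAMPLE):
        print(f"{name}: {kind} trust, SID history accepted={accepted}, see {switch}")
```

A forest trust that still reports SID history as accepted after the migration window has closed is the case to follow up on.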
