ADMT error "You must be a domain administrator in the target domain. SID migration will be disabled."

Mike

Is it even possible to add a user from another domain to another domain's
Domain Admins group?

I'm getting this ADMT error during my tests in the lab, "You must be a
domain administrator in the target domain. SID migration will be disabled.".
The migration turns out fine except that SIDHistory is not carried over
because of the error.

All the searches in Google say that it is not necessary to do this and that
adding the Administrator account to the other domain DCs' builtin
Administrators group is sufficient.

My lab is 2 forests, all Windows 2000 AD domain. The first forest has two
domains, DomainA and a child domain DomainB. The second forest is DomainC. I
want to migrate from DomainB to DomainC.

These are all Virtual PCs and they are all Win2K Advanced Server SP4 and I
am using latest ADMT2 from microsoft download site.

Mike
 
diasmith [MSFT]

Hello Mike,

You will have to add the domain admins group to the local administrators
group in both domains source and target.

Add the domain admins group from the target domain to the administrators
group on the machine being used to perform the migration.

Logon as the administrator from the target domain on this machine.

PS. Yes, you can add users from different domains to other domains, as long
as you have a trust set up between the two domains [here are steps from
Q260871]:

Trusts
--------

1. Configure the source domain to trust the target domain.

2. Configure the target domain to trust the source domain.

Groups
-----------

1. Add the Domain Admins global group from the source domain to the
Administrators local group in the target domain.

2. Add the Domain Admins global group from the target domain to the
Administrators local group in the source domain.

3. Create a new local group in the source domain called <Source Domain>$$$
(this group should have no members).

260871 HOW TO: Set Up ADMT for Windows NT 4.0 to Windows 2000 Migration
http://support.microsoft.com/?id=260871

325851 HOW TO: Set Up ADMT for a Windows NT 4.0-to-Windows Server 2003
Migration
http://support.microsoft.com/?id=325851

322970 How to Troubleshoot Inter-Forest sIDHistory Migration with ADMTv2
http://support.microsoft.com/?id=322970

Thank You.

Diana.

This posting is provided "AS IS" with no warranties, and confers no rights.
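Diana's trust and group prerequisites above, turned into a check script. This is an added example, not code from the thread or from ADMT: it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, so it would not run in Mike's Windows 2000 lab), and the domain names and the Test-ForeignMember helper are placeholders of my own.

```powershell
# Added example: verify the ADMT sIDHistory prerequisites (trusts, cross-domain
# Administrators membership, empty <Source>$$$ group). Domain names are placeholders.
param(
    [string]$SourceDomain  = 'DomainB.DomainA.lab',   # placeholder source domain FQDN
    [string]$TargetDomain  = 'DomainC.lab',           # placeholder target domain FQDN
    [string]$SourceNetbios = 'DomainB'                # NetBIOS name used for <Source>$$$
)
Import-Module ActiveDirectory

# A group from the other forest appears in the Administrators group as a
# foreignSecurityPrincipal object, so membership has to be compared by SID, not by name.
function Test-ForeignMember {
    param([string]$GroupServer, [string]$GroupName, [string]$MemberSid)
    $members = (Get-ADGroup -Identity $GroupName -Server $GroupServer -Properties member).member
    foreach ($dn in $members) {
        $sid = (Get-ADObject -Identity $dn -Server $GroupServer -Properties objectSid).objectSid
        if ($sid -and $sid.Value -eq $MemberSid) { return $true }
    }
    return $false
}

$srcDA = (Get-ADGroup -Identity 'Domain Admins' -Server $SourceDomain).SID.Value
$tgtDA = (Get-ADGroup -Identity 'Domain Admins' -Server $TargetDomain).SID.Value

# Trusts: steps 1 and 2 require each domain to trust the other.
$trust = Get-ADTrust -Filter "Target -eq '$SourceDomain'" -Server $TargetDomain
$checks = [ordered]@{
    'Two-way trust between target and source'          = ($trust -and $trust.Direction -eq 'BiDirectional')
    'Source Domain Admins in target Administrators'   = Test-ForeignMember $TargetDomain 'Administrators' $srcDA
    'Target Domain Admins in source Administrators'   = Test-ForeignMember $SourceDomain 'Administrators' $tgtDA
}

# Groups step 3: <Source>$$$ must exist in the source domain and have no members.
$markerName = $SourceNetbios + '$$$'
$marker = Get-ADGroup -LDAPFilter "(sAMAccountName=$markerName)" -Server $SourceDomain -Properties member
$checks[$markerName + ' exists and is empty'] = ($null -ne $marker -and $marker.member.Count -eq 0)

$checks.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f $(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key
}
```

Run it with credentials that are Domain Admin in both domains, as Diana says is required; a FAIL on the trust line most often means a one-way trust was created where a two-way one was intended.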
 
Mike

I've done that, added the Domain Admins to the other domain's builtin
Administrators and vice-versa. Trusts are verified all around the different
domains from NetDom and from AD Domains and Trust console. More importantly,
ADMT works. I can migrate users, groups, shares, etc. without errors except
for the above message which prevents creation of SIDHistory.

Mike
 
diasmith [MSFT]

Hi Mike,

I have double-checked with our migration team and the fix for this problem
is --> The user must be domain admin in both domains to migrate sIDHistory.

Please try logging onto both domains, using the administrative credentials
from the other domain.

e.g. log into Domain A using credentials for Domain B, and vice versa.

Thank you.

Diana.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
diasmith [MSFT]

Hello Mike,

You must have Administrator privileges in the source domain.

If the target is Windows 2000, you must have Domain Admins privileges in
the target domain.

If the target is Windows Server 2003, you must have either Domain Admins
privileges or the delegated extended right "Migrate sIDHistory" in the
target domain.

Built-in and well-known groups are not migrated by ADMT.

If necessary, you can add the sID from a source principal to the
sIDHistory of a target principal if you meet the same prerequisites as
above by using sidhist.vbs.

Please note that sIDHistory carries with it the potential for complicating
resource administration and for exploitation by nefarious administrators, and is not
intended to be a long-term strategy for managing resource access. See
289243 MS02-001: Forged SID Could Result in Elevated Privileges in Windows
2000 for more information.

Rather than relying long term on sIDHistory, you should be encouraged to
follow Best Practices suggestions for configuring resource permissions &
group memberships.

Thank You.

Diana.

This posting is provided "AS IS" with no warranties, and confers no rights.
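Since Diana warns that sIDHistory should not be left in place long term, here is an audit that lists every principal in a domain that still carries one and which domain each historical SID was issued by. Added example, not from the thread; it assumes the ActiveDirectory PowerShell module and uses a placeholder domain name.

```powershell
# Added example: enumerate principals whose sIDHistory is populated so that the
# attribute can be cleaned up once resource ACLs have been re-permissioned.
# The domain name is a placeholder.
param([string]$Domain = 'DomainC.lab')
Import-Module ActiveDirectory

function Get-SidHistoryReport {
    param([string]$Server)
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Server $Server -Properties sIDHistory |
        ForEach-Object {
            $obj = $_
            # One row per historical SID; an object migrated more than once has several.
            foreach ($sid in $obj.sIDHistory) {
                [pscustomobject]@{
                    Name          = $obj.Name
                    Class         = $obj.ObjectClass
                    HistoricalSid = $sid.Value
                    # AccountDomainSid drops the RID, leaving the SID of the issuing domain.
                    IssuingDomain = $sid.AccountDomainSid.Value
                }
            }
        }
}

Get-SidHistoryReport -Server $Domain |
    Sort-Object IssuingDomain, Name |
    Format-Table -AutoSize
```

Grouping the output by IssuingDomain shows at a glance which source domains' SIDs are still being honoured through the attribute; once a source domain is decommissioned, any rows pointing at it are pure residual exposure.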
 
Mike

Hi Diana, how do you do that exactly? When I login to DomainA DC as
DomainB\Administrator and bring up ADUC, ADUC shows DomainB and I still
cannot add anyone outside DomainB to the DomainB\Domain Admins group.

Let me try to use ADUC to connect to DomainA and see if I can add myself to
DomainA\Domain Admins. I'll let you know how it turns out.

Mike


diasmith said:
Hi Mike,

I have double-checked with our migration team and the fix for this problem
is --> The user must be domain admin in both domains to migrate sIDHistory.

Please try logging onto both domains, using the administrative credentials
from the other domain.

e.g. log into Domain A using credentials for Domain B, and vice versa.

Thank you.

Diana.

This posting is provided "AS IS" with no warranties, and confers no
rights.
 
Mike

It still won't let me add a different domain administrator to the Domain
Admins.

How do you do this exactly? Command prompt? ADSI Edit?

Mike
 
diasmith [MSFT]

Hello,

If there is a trust in place between each domain, you should be able to add
the "domain admin" from Domain A to the other "local admin" group on
Domain B and vice versa.

263956 Unable to Browse Users in Trusted Domain
http://support.microsoft.com/?id=263956

Thank You.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Mike

Yes, I am able to add to the local admin group but I am unable to add to the
Domain Admins group.

Anyway, I have completed the migration tonight and the SIDs did migrate over
too without adding to the Domain Admins group. Where in the lab it failed,
in production it worked. Had some other ADMT issues but was able to force my
way around them.

Mike
 
diasmith [MSFT]

Hi Mike,

I'm glad that this worked out for you.

Diana

This posting is provided "AS IS" with no warranties, and confers no rights.