Active Directory Processing

Does ADMT:
1. Process the DACLS on the source domain objects during the migration e.g.
assume that an OU (US Accounts) in the source domain was delegated to US
Admins group, so the DACL of all the objects under US Accounts OU will have
US Admins group in their DACL. Now when you migrate users/groups/computers
from US Accounts OU in source domain to the target domain...what will be the
changed made to the DACL on the migrated objects in the target domain

2.Is ownership, auditing information etc updated using ADMT?

3.Can SID History be cleaned using ADMT?

Regards

Hi,

Thanks for posting here.

<what will be the changed made to the DACL on the migrated objects in the
target domain>

{Morgan}:

Considering convenience , I'd suggest you grand user account performing
migration task the following permissions:

a. local Administrator on the computer on which ADMT is installed.

b. To migrate users, groups and computers, we need to add it as a member of
the Built-in\Administrators group in both the source and target domain.

<Is ownership, auditing information etc updated using ADMT?>

{Morgan}:

ADMT does not update auditing information automatically. We should manually
enable it before real migration task. I list some necessary steps we should
prepare before running ADMT tool for your reference.

<1> Enable "TcpipClientSupport", please do the following:

1). While you are logged on to the PDC in the source domain, click Start,
and then
click Run.

2). In Open, type regedit, and then click OK.

3). In Registry Editor, navigate to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\LSA

4). On the Edit menu, point to New, and then click DWORD Value.

5). Type TcpipClientSupport in the name field, and then press ENTER.

6). Double-click TcpipClientSupport.

7). In Value data, type 1, and then click OK.

8). Close Registry Editor, and then restart the computer.

<2> Enable Audit on both DCs, please modify the Default domain Controller
Policy as below:

1). Log on as an administrator to any computer in the target domain.

2). Click Start, point to All Programs, point to Administrative Tools, and
then
Click Active Directory Users and Computers.

3). In the console tree, double-click the domain, right-click the Domain
Controllers OU, and then click Properties.

4). On the Group Policy tab, click Default Domain Controllers Policy, and
then
click Edit.

5). Double-click Computer Configuration, double-click Windows Settings,
double-click Security Settings, double-click Local Policies, and then click
Audit Policy.

6). Double-click Audit account management, and then select both the Success
and
Failure check boxes.

7). Click Apply, and then click OK.

8). Wait till the policy replicated to all DCs, then on DCs, run 'gpupdate
/force' on the DCs to apply the policy.

<3> Create the domain$$$ (use your real target domain name to replace
domain) local group in source domain and ensure there is no member residing
in this group.

For more information, please refer to:
=======================
ADMT v3 Migration Guide
http://www.microsoft.com/downloads/d...770-3BBB-4B9E-
A8BC-01E9F7EF7342&displaylang=en

Support WebCast: Domain Migration Using the Microsoft Active Directory
Migration Tool
http://support.microsoft.com/kb/325393

<Can SID History be cleaned using ADMT?>

{Morgan}:

Yes, you can choose not to migrate SID history by unchecking 'Sid history'
box during migrating process. However, typically, we need to migrate Sid
history for rollback plan. If migration task failed or we hadn't timely
migrated all resources , such as files , folders, printers etc, to target
domain, the migrated users and groups could still access these resources on
source domain. So, I suggest you migrate Sid history along with users and
groups migration.

More information, please refer to the rollback plan section of ADMT v3
Migration Guide
Above.

Hope this helps.


Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
================================================== ===
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
================================================== ===
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
--->Reply-To: "Venkat" <>
--->From: "Venkat" <>
--->Subject: Active Directory Processing
--->Date: Mon, 4 Aug 2008 23:33:06 +0530
--->Lines: 15
--->X-Priority: 3
--->X-MSMail-Priority: Normal
--->X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
--->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
--->X-RFC2646: Format=Flowed; Original
--->Message-ID: <>
--->Newsgroups: microsoft.public.windows.server.migration
--->NNTP-Posting-Host: abts-ap-dynamic-252.130.169.122.airtelbroadband.in
122.169.130.252
--->Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSF TNGP05.phx.gbl
--->Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.windows.server.migration:4183
--->X-Tomcat-NG: microsoft.public.windows.server.migration
--->
--->Does ADMT:
--->1. Process the DACLS on the source domain objects during the migration
e.g.
--->assume that an OU (US Accounts) in the source domain was delegated to
US
--->Admins group, so the DACL of all the objects under US Accounts OU will
have
--->US Admins group in their DACL. Now when you migrate
users/groups/computers
--->from US Accounts OU in source domain to the target domain...what will
be the
--->changed made to the DACL on the migrated objects in the target domain
--->
--->2.Is ownership, auditing information etc updated using ADMT?
--->
--->3.Can SID History be cleaned using ADMT?
--->
--->Regards
--->
--->
--->

Thanks Morgan for the response.
With respect to the my query 1, here is some clarification. I would like to
know if the ACL on the directory objects itself (for e.g. user object) will
be updated when they are migrated from source to traget domain?

OK..let me give an example here:

"Source\User1" ACL shows that "UserAdmin" group has Full Controll permission
on that object, now when i migrate source user 1 will that ACL be
updated/copied by ADMT?

Likewise on the Auditing and Ownership, some more clarification:

When you open the ACl of the source\user1 and click Advanced, you have two
tabs Auditing and Ownership....i want to know if entries under these are
updated as well using ADMT, if so which process does this?

Thanks

"Morgan che(MSFT)" wrote:

> Hi,
>
> Thanks for posting here.
>
> <what will be the changed made to the DACL on the migrated objects in the
> target domain>
>
> {Morgan}:
>
> Considering convenience , I'd suggest you grand user account performing
> migration task the following permissions:
>
> a. local Administrator on the computer on which ADMT is installed.
>
> b. To migrate users, groups and computers, we need to add it as a member of
> the Built-in\Administrators group in both the source and target domain.
>
> <Is ownership, auditing information etc updated using ADMT?>
>
> {Morgan}:
>
> ADMT does not update auditing information automatically. We should manually
> enable it before real migration task. I list some necessary steps we should
> prepare before running ADMT tool for your reference.
>
> <1> Enable "TcpipClientSupport", please do the following:
>
> 1). While you are logged on to the PDC in the source domain, click Start,
> and then
> click Run.
>
> 2). In Open, type regedit, and then click OK.
>
> 3). In Registry Editor, navigate to the following registry subkey:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\LSA
>
> 4). On the Edit menu, point to New, and then click DWORD Value.
>
> 5). Type TcpipClientSupport in the name field, and then press ENTER.
>
> 6). Double-click TcpipClientSupport.
>
> 7). In Value data, type 1, and then click OK.
>
> 8). Close Registry Editor, and then restart the computer.
>
> <2> Enable Audit on both DCs, please modify the Default domain Controller
> Policy as below:
>
> 1). Log on as an administrator to any computer in the target domain.
>
> 2). Click Start, point to All Programs, point to Administrative Tools, and
> then
> Click Active Directory Users and Computers.
>
> 3). In the console tree, double-click the domain, right-click the Domain
> Controllers OU, and then click Properties.
>
> 4). On the Group Policy tab, click Default Domain Controllers Policy, and
> then
> click Edit.
>
> 5). Double-click Computer Configuration, double-click Windows Settings,
> double-click Security Settings, double-click Local Policies, and then click
> Audit Policy.
>
> 6). Double-click Audit account management, and then select both the Success
> and
> Failure check boxes.
>
> 7). Click Apply, and then click OK.
>
> 8). Wait till the policy replicated to all DCs, then on DCs, run 'gpupdate
> /force' on the DCs to apply the policy.
>
> <3> Create the domain$$$ (use your real target domain name to replace
> domain) local group in source domain and ensure there is no member residing
> in this group.
>
> For more information, please refer to:
> =======================
> ADMT v3 Migration Guide
> http://www.microsoft.com/downloads/d...770-3BBB-4B9E-
> A8BC-01E9F7EF7342&displaylang=en
>
> Support WebCast: Domain Migration Using the Microsoft Active Directory
> Migration Tool
> http://support.microsoft.com/kb/325393
>
> <Can SID History be cleaned using ADMT?>
>
> {Morgan}:
>
> Yes, you can choose not to migrate SID history by unchecking 'Sid history'
> box during migrating process. However, typically, we need to migrate Sid
> history for rollback plan. If migration task failed or we hadn't timely
> migrated all resources , such as files , folders, printers etc, to target
> domain, the migrated users and groups could still access these resources on
> source domain. So, I suggest you migrate Sid history along with users and
> groups migration.
>
> More information, please refer to the rollback plan section of ADMT v3
> Migration Guide
> Above.
>
> Hope this helps.
>
>
> Sincerely
> Morgan Che
> Microsoft Online Support
> Microsoft Global Technical Support Center
>
> Get Secure! - www.microsoft.com/security
> ================================================== ===
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ================================================== ===
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> --------------------
> --->Reply-To: "Venkat" <>
> --->From: "Venkat" <>
> --->Subject: Active Directory Processing
> --->Date: Mon, 4 Aug 2008 23:33:06 +0530
> --->Lines: 15
> --->X-Priority: 3
> --->X-MSMail-Priority: Normal
> --->X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
> --->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
> --->X-RFC2646: Format=Flowed; Original
> --->Message-ID: <>
> --->Newsgroups: microsoft.public.windows.server.migration
> --->NNTP-Posting-Host: abts-ap-dynamic-252.130.169.122.airtelbroadband.in
> 122.169.130.252
> --->Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSF TNGP05.phx.gbl
> --->Xref: TK2MSFTNGHUB02.phx.gbl
> microsoft.public.windows.server.migration:4183
> --->X-Tomcat-NG: microsoft.public.windows.server.migration
> --->
> --->Does ADMT:
> --->1. Process the DACLS on the source domain objects during the migration
> e.g.
> --->assume that an OU (US Accounts) in the source domain was delegated to
> US
> --->Admins group, so the DACL of all the objects under US Accounts OU will
> have
> --->US Admins group in their DACL. Now when you migrate
> users/groups/computers
> --->from US Accounts OU in source domain to the target domain...what will
> be the
> --->changed made to the DACL on the migrated objects in the target domain
> --->
> --->2.Is ownership, auditing information etc updated using ADMT?
> --->
> --->3.Can SID History be cleaned using ADMT?
> --->
> --->Regards
> --->
> --->
> --->
>
>

Also on the SID History part, my question was:

If i have migrated source domain SID's to the target domain, can i use ADMT
to clean them up as a post migration task?

Regards
venkat

"Viswanath" <> wrote in message
news:817A9018-571B-4D5C-989F-...
> Thanks Morgan for the response.
> With respect to the my query 1, here is some clarification. I would like
> to
> know if the ACL on the directory objects itself (for e.g. user object)
> will
> be updated when they are migrated from source to traget domain?
>
> OK..let me give an example here:
>
> "Source\User1" ACL shows that "UserAdmin" group has Full Controll
> permission
> on that object, now when i migrate source user 1 will that ACL be
> updated/copied by ADMT?
>
> Likewise on the Auditing and Ownership, some more clarification:
>
> When you open the ACl of the source\user1 and click Advanced, you have two
> tabs Auditing and Ownership....i want to know if entries under these are
> updated as well using ADMT, if so which process does this?
>
> Thanks
>
> "Morgan che(MSFT)" wrote:
>
>> Hi,
>>
>> Thanks for posting here.
>>
>> <what will be the changed made to the DACL on the migrated objects in the
>> target domain>
>>
>> {Morgan}:
>>
>> Considering convenience , I'd suggest you grand user account performing
>> migration task the following permissions:
>>
>> a. local Administrator on the computer on which ADMT is installed.
>>
>> b. To migrate users, groups and computers, we need to add it as a member
>> of
>> the Built-in\Administrators group in both the source and target domain.
>>
>> <Is ownership, auditing information etc updated using ADMT?>
>>
>> {Morgan}:
>>
>> ADMT does not update auditing information automatically. We should
>> manually
>> enable it before real migration task. I list some necessary steps we
>> should
>> prepare before running ADMT tool for your reference.
>>
>> <1> Enable "TcpipClientSupport", please do the following:
>>
>> 1). While you are logged on to the PDC in the source domain, click Start,
>> and then
>> click Run.
>>
>> 2). In Open, type regedit, and then click OK.
>>
>> 3). In Registry Editor, navigate to the following registry subkey:
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\LSA
>>
>> 4). On the Edit menu, point to New, and then click DWORD Value.
>>
>> 5). Type TcpipClientSupport in the name field, and then press ENTER.
>>
>> 6). Double-click TcpipClientSupport.
>>
>> 7). In Value data, type 1, and then click OK.
>>
>> 8). Close Registry Editor, and then restart the computer.
>>
>> <2> Enable Audit on both DCs, please modify the Default domain Controller
>> Policy as below:
>>
>> 1). Log on as an administrator to any computer in the target domain.
>>
>> 2). Click Start, point to All Programs, point to Administrative Tools,
>> and
>> then
>> Click Active Directory Users and Computers.
>>
>> 3). In the console tree, double-click the domain, right-click the Domain
>> Controllers OU, and then click Properties.
>>
>> 4). On the Group Policy tab, click Default Domain Controllers Policy, and
>> then
>> click Edit.
>>
>> 5). Double-click Computer Configuration, double-click Windows Settings,
>> double-click Security Settings, double-click Local Policies, and then
>> click
>> Audit Policy.
>>
>> 6). Double-click Audit account management, and then select both the
>> Success
>> and
>> Failure check boxes.
>>
>> 7). Click Apply, and then click OK.
>>
>> 8). Wait till the policy replicated to all DCs, then on DCs, run
>> 'gpupdate
>> /force' on the DCs to apply the policy.
>>
>> <3> Create the domain$$$ (use your real target domain name to replace
>> domain) local group in source domain and ensure there is no member
>> residing
>> in this group.
>>
>> For more information, please refer to:
>> =======================
>> ADMT v3 Migration Guide
>> http://www.microsoft.com/downloads/d...770-3BBB-4B9E-
>> A8BC-01E9F7EF7342&displaylang=en
>>
>> Support WebCast: Domain Migration Using the Microsoft Active Directory
>> Migration Tool
>> http://support.microsoft.com/kb/325393
>>
>> <Can SID History be cleaned using ADMT?>
>>
>> {Morgan}:
>>
>> Yes, you can choose not to migrate SID history by unchecking 'Sid
>> history'
>> box during migrating process. However, typically, we need to migrate Sid
>> history for rollback plan. If migration task failed or we hadn't timely
>> migrated all resources , such as files , folders, printers etc, to target
>> domain, the migrated users and groups could still access these resources
>> on
>> source domain. So, I suggest you migrate Sid history along with users and
>> groups migration.
>>
>> More information, please refer to the rollback plan section of ADMT v3
>> Migration Guide
>> Above.
>>
>> Hope this helps.
>>
>>
>> Sincerely
>> Morgan Che
>> Microsoft Online Support
>> Microsoft Global Technical Support Center
>>
>> Get Secure! - www.microsoft.com/security
>> ================================================== ===
>> When responding to posts, please "Reply to Group" via your newsreader so
>> that others may learn and benefit from your issue.
>> ================================================== ===
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>>
>> --------------------
>> --->Reply-To: "Venkat" <>
>> --->From: "Venkat" <>
>> --->Subject: Active Directory Processing
>> --->Date: Mon, 4 Aug 2008 23:33:06 +0530
>> --->Lines: 15
>> --->X-Priority: 3
>> --->X-MSMail-Priority: Normal
>> --->X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
>> --->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
>> --->X-RFC2646: Format=Flowed; Original
>> --->Message-ID: <>
>> --->Newsgroups: microsoft.public.windows.server.migration
>> --->NNTP-Posting-Host: abts-ap-dynamic-252.130.169.122.airtelbroadband.in
>> 122.169.130.252
>> --->Path:
>> TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSF TNGP05.phx.gbl
>> --->Xref: TK2MSFTNGHUB02.phx.gbl
>> microsoft.public.windows.server.migration:4183
>> --->X-Tomcat-NG: microsoft.public.windows.server.migration
>> --->
>> --->Does ADMT:
>> --->1. Process the DACLS on the source domain objects during the
>> migration
>> e.g.
>> --->assume that an OU (US Accounts) in the source domain was delegated to
>> US
>> --->Admins group, so the DACL of all the objects under US Accounts OU
>> will
>> have
>> --->US Admins group in their DACL. Now when you migrate
>> users/groups/computers
>> --->from US Accounts OU in source domain to the target domain...what will
>> be the
>> --->changed made to the DACL on the migrated objects in the target domain
>> --->
>> --->2.Is ownership, auditing information etc updated using ADMT?
>> --->
>> --->3.Can SID History be cleaned using ADMT?
>> --->
>> --->Regards
>> --->
>> --->
>> --->
>>
>>

Hi,

Thanks for your reply.

<I would like to know if the ACL on the directory objects itself (for e.g.
user object) will be updated when they are migrated from source to target
domain?>

ADMT will not automatically update ACL on the directory objects along with
users and groups migration. We need to run "Security Translation Wizard"
included in ADMT tool to perform ACL update. Security Translation Wizard
will translate the original SIDs of users and groups into updated ones
using SID mapping file, which is generated during users and groups
migration. The directory ACL will be updated accordingly, so the migrated
users and groups can access their resources on source domain.

For more about SIDs mapping file, please refer to:
http://www.eggheadcafe.com/forumarch...n/Jul2005/post
23150198.asp
<When you open the ACl of the source\user1 and click Advanced, you have two
tabs Auditing and Ownership....i want to know if entries under these are
updated as well using ADMT, if so which process does this?>

As I said above, Security Translation Wizard will do this. Security
Translation Wizard realizes this by replacing original users and groups
SIDs with the updated ones generated on target domain.

Please refer to the following article to understand this problem better:

How to use a SID mapping file with the ADMT tool to perform a resource
domain migration to Windows Server 2003
http://support.microsoft.com/default...b;EN-US;835991

How to use Active Directory Migration Tool version 2 to migrate from
Windows 2000 to Windows Server 2003
http://support.microsoft.com/kb/326480/en-us

Thanks.


Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
================================================== ===
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
================================================== ===
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
--->Reply-To: "Venkat" <>
--->From: "Venkat" <>
--->References: <>
<IDIgu$>
<817A9018-571B-4D5C-989F->
--->Subject: Re: Active Directory Processing
--->Date: Wed, 6 Aug 2008 09:57:04 +0530
--->Lines: 214
--->X-Priority: 3
--->X-MSMail-Priority: Normal
--->X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
--->X-RFC2646: Format=Flowed; Original
--->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
--->Message-ID: <>
--->Newsgroups: microsoft.public.windows.server.migration
--->NNTP-Posting-Host: abts-ap-dynamic-212.160.169.122.airtelbroadband.in
122.169.160.212
--->Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSF TNGP05.phx.gbl
--->Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.windows.server.migration:4216
--->X-Tomcat-NG: microsoft.public.windows.server.migration
--->
--->Also on the SID History part, my question was:
--->
--->If i have migrated source domain SID's to the target domain, can i use
ADMT
--->to clean them up as a post migration task?
--->
--->Regards
--->venkat
--->
--->"Viswanath" <> wrote in message
--->news:817A9018-571B-4D5C-989F-...
--->> Thanks Morgan for the response.
--->> With respect to the my query 1, here is some clarification. I would
like
--->> to
--->> know if the ACL on the directory objects itself (for e.g. user
object)
--->> will
--->> be updated when they are migrated from source to traget domain?
--->>
--->> OK..let me give an example here:
--->>
--->> "Source\User1" ACL shows that "UserAdmin" group has Full Controll
--->> permission
--->> on that object, now when i migrate source user 1 will that ACL be
--->> updated/copied by ADMT?
--->>
--->> Likewise on the Auditing and Ownership, some more clarification:
--->>
--->> When you open the ACl of the source\user1 and click Advanced, you
have two
--->> tabs Auditing and Ownership....i want to know if entries under these
are
--->> updated as well using ADMT, if so which process does this?
--->>
--->> Thanks
--->>
--->> "Morgan che(MSFT)" wrote:
--->>
--->>> Hi,
--->>>
--->>> Thanks for posting here.
--->>>
--->>> <what will be the changed made to the DACL on the migrated objects
in the
--->>> target domain>
--->>>
--->>> {Morgan}:
--->>>
--->>> Considering convenience , I'd suggest you grand user account
performing
--->>> migration task the following permissions:
--->>>
--->>> a. local Administrator on the computer on which ADMT is installed.
--->>>
--->>> b. To migrate users, groups and computers, we need to add it as a
member
--->>> of
--->>> the Built-in\Administrators group in both the source and target
domain.
--->>>
--->>> <Is ownership, auditing information etc updated using ADMT?>
--->>>
--->>> {Morgan}:
--->>>
--->>> ADMT does not update auditing information automatically. We should
--->>> manually
--->>> enable it before real migration task. I list some necessary steps we
--->>> should
--->>> prepare before running ADMT tool for your reference.
--->>>
--->>> <1> Enable "TcpipClientSupport", please do the following:
--->>>
--->>> 1). While you are logged on to the PDC in the source domain, click
Start,
--->>> and then
--->>> click Run.
--->>>
--->>> 2). In Open, type regedit, and then click OK.
--->>>
--->>> 3). In Registry Editor, navigate to the following registry subkey:
--->>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\LSA
--->>>
--->>> 4). On the Edit menu, point to New, and then click DWORD Value.
--->>>
--->>> 5). Type TcpipClientSupport in the name field, and then press ENTER.
--->>>
--->>> 6). Double-click TcpipClientSupport.
--->>>
--->>> 7). In Value data, type 1, and then click OK.
--->>>
--->>> 8). Close Registry Editor, and then restart the computer.
--->>>
--->>> <2> Enable Audit on both DCs, please modify the Default domain
Controller
--->>> Policy as below:
--->>>
--->>> 1). Log on as an administrator to any computer in the target domain.
--->>>
--->>> 2). Click Start, point to All Programs, point to Administrative
Tools,
--->>> and
--->>> then
--->>> Click Active Directory Users and Computers.
--->>>
--->>> 3). In the console tree, double-click the domain, right-click the
Domain
--->>> Controllers OU, and then click Properties.
--->>>
--->>> 4). On the Group Policy tab, click Default Domain Controllers
Policy, and
--->>> then
--->>> click Edit.
--->>>
--->>> 5). Double-click Computer Configuration, double-click Windows
Settings,
--->>> double-click Security Settings, double-click Local Policies, and
then
--->>> click
--->>> Audit Policy.
--->>>
--->>> 6). Double-click Audit account management, and then select both the
--->>> Success
--->>> and
--->>> Failure check boxes.
--->>>
--->>> 7). Click Apply, and then click OK.
--->>>
--->>> 8). Wait till the policy replicated to all DCs, then on DCs, run
--->>> 'gpupdate
--->>> /force' on the DCs to apply the policy.
--->>>
--->>> <3> Create the domain$$$ (use your real target domain name to replace
--->>> domain) local group in source domain and ensure there is no member
--->>> residing
--->>> in this group.
--->>>
--->>> For more information, please refer to:
--->>> =======================
--->>> ADMT v3 Migration Guide
--->>>
http://www.microsoft.com/downloads/d...770-3BBB-4B9E-
--->>> A8BC-01E9F7EF7342&displaylang=en
--->>>
--->>> Support WebCast: Domain Migration Using the Microsoft Active
Directory
--->>> Migration Tool
--->>> http://support.microsoft.com/kb/325393
--->>>
--->>> <Can SID History be cleaned using ADMT?>
--->>>
--->>> {Morgan}:
--->>>
--->>> Yes, you can choose not to migrate SID history by unchecking 'Sid
--->>> history'
--->>> box during migrating process. However, typically, we need to migrate
Sid
--->>> history for rollback plan. If migration task failed or we hadn't
timely
--->>> migrated all resources , such as files , folders, printers etc, to
target
--->>> domain, the migrated users and groups could still access these
resources
--->>> on
--->>> source domain. So, I suggest you migrate Sid history along with
users and
--->>> groups migration.
--->>>
--->>> More information, please refer to the rollback plan section of ADMT
v3
--->>> Migration Guide
--->>> Above.
--->>>
--->>> Hope this helps.
--->>>
--->>>
--->>> Sincerely
--->>> Morgan Che
--->>> Microsoft Online Support
--->>> Microsoft Global Technical Support Center
--->>>
--->>> Get Secure! - www.microsoft.com/security
--->>> ================================================== ===
--->>> When responding to posts, please "Reply to Group" via your
newsreader so
--->>> that others may learn and benefit from your issue.
--->>> ================================================== ===
--->>> This posting is provided "AS IS" with no warranties, and confers no
--->>> rights.
--->>>
--->>>
--->>> --------------------
--->>> --->Reply-To: "Venkat" <>
--->>> --->From: "Venkat" <>
--->>> --->Subject: Active Directory Processing
--->>> --->Date: Mon, 4 Aug 2008 23:33:06 +0530
--->>> --->Lines: 15
--->>> --->X-Priority: 3
--->>> --->X-MSMail-Priority: Normal
--->>> --->X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
--->>> --->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
--->>> --->X-RFC2646: Format=Flowed; Original
--->>> --->Message-ID: <>
--->>> --->Newsgroups: microsoft.public.windows.server.migration
--->>> --->NNTP-Posting-Host:
abts-ap-dynamic-252.130.169.122.airtelbroadband.in
--->>> 122.169.130.252
--->>> --->Path:
--->>> TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSF TNGP05.phx.gbl
--->>> --->Xref: TK2MSFTNGHUB02.phx.gbl
--->>> microsoft.public.windows.server.migration:4183
--->>> --->X-Tomcat-NG: microsoft.public.windows.server.migration
--->>> --->
--->>> --->Does ADMT:
--->>> --->1. Process the DACLS on the source domain objects during the
--->>> migration
--->>> e.g.
--->>> --->assume that an OU (US Accounts) in the source domain was
delegated to
--->>> US
--->>> --->Admins group, so the DACL of all the objects under US Accounts
OU
--->>> will
--->>> have
--->>> --->US Admins group in their DACL. Now when you migrate
--->>> users/groups/computers
--->>> --->from US Accounts OU in source domain to the target domain...what
will
--->>> be the
--->>> --->changed made to the DACL on the migrated objects in the target
domain
--->>> --->
--->>> --->2.Is ownership, auditing information etc updated using ADMT?
--->>> --->
--->>> --->3.Can SID History be cleaned using ADMT?
--->>> --->
--->>> --->Regards
--->>> --->
--->>> --->
--->>> --->
--->>>
--->>>
--->
--->
--->

Hi,

I am wirting to see how evertything is going?

Have this issue been sovled or you need further assistance? please feel
free to let me know.

Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
================================================== ===
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
================================================== ===
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
--->Reply-To: "Venkat" <>
--->From: "Venkat" <>
--->References: <>
<IDIgu$>
<817A9018-571B-4D5C-989F->
--->Subject: Re: Active Directory Processing
--->Date: Wed, 6 Aug 2008 09:57:04 +0530
--->Lines: 214
--->X-Priority: 3
--->X-MSMail-Priority: Normal
--->X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
--->X-RFC2646: Format=Flowed; Original
--->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
--->Message-ID: <>
--->Newsgroups: microsoft.public.windows.server.migration
--->NNTP-Posting-Host: abts-ap-dynamic-212.160.169.122.airtelbroadband.in
122.169.160.212
--->Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSF TNGP05.phx.gbl
--->Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.windows.server.migration:4216
--->X-Tomcat-NG: microsoft.public.windows.server.migration
--->
--->Also on the SID History part, my question was:
--->
--->If i have migrated source domain SID's to the target domain, can i use
ADMT
--->to clean them up as a post migration task?
--->
--->Regards
--->venkat
--->
--->"Viswanath" <> wrote in message
--->news:817A9018-571B-4D5C-989F-...
--->> Thanks Morgan for the response.
--->> With respect to the my query 1, here is some clarification. I would
like
--->> to
--->> know if the ACL on the directory objects itself (for e.g. user
object)
--->> will
--->> be updated when they are migrated from source to traget domain?
--->>
--->> OK..let me give an example here:
--->>
--->> "Source\User1" ACL shows that "UserAdmin" group has Full Controll
--->> permission
--->> on that object, now when i migrate source user 1 will that ACL be
--->> updated/copied by ADMT?
--->>
--->> Likewise on the Auditing and Ownership, some more clarification:
--->>
--->> When you open the ACl of the source\user1 and click Advanced, you
have two
--->> tabs Auditing and Ownership....i want to know if entries under these
are
--->> updated as well using ADMT, if so which process does this?
--->>
--->> Thanks
--->>
--->> "Morgan che(MSFT)" wrote:
--->>
--->>> Hi,
--->>>
--->>> Thanks for posting here.
--->>>
--->>> <what will be the changed made to the DACL on the migrated objects
in the
--->>> target domain>
--->>>
--->>> {Morgan}:
--->>>
--->>> Considering convenience , I'd suggest you grand user account
performing
--->>> migration task the following permissions:
--->>>
--->>> a. local Administrator on the computer on which ADMT is installed.
--->>>
--->>> b. To migrate users, groups and computers, we need to add it as a
member
--->>> of
--->>> the Built-in\Administrators group in both the source and target
domain.
--->>>
--->>> <Is ownership, auditing information etc updated using ADMT?>
--->>>
--->>> {Morgan}:
--->>>
--->>> ADMT does not update auditing information automatically. We should
--->>> manually
--->>> enable it before real migration task. I list some necessary steps we
--->>> should
--->>> prepare before running ADMT tool for your reference.
--->>>
--->>> <1> Enable "TcpipClientSupport", please do the following:
--->>>
--->>> 1). While you are logged on to the PDC in the source domain, click
Start,
--->>> and then
--->>> click Run.
--->>>
--->>> 2). In Open, type regedit, and then click OK.
--->>>
--->>> 3). In Registry Editor, navigate to the following registry subkey:
--->>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\LSA
--->>>
--->>> 4). On the Edit menu, point to New, and then click DWORD Value.
--->>>
--->>> 5). Type TcpipClientSupport in the name field, and then press ENTER.
--->>>
--->>> 6). Double-click TcpipClientSupport.
--->>>
--->>> 7). In Value data, type 1, and then click OK.
--->>>
--->>> 8). Close Registry Editor, and then restart the computer.
--->>>
--->>> <2> Enable Audit on both DCs, please modify the Default domain
Controller
--->>> Policy as below:
--->>>
--->>> 1). Log on as an administrator to any computer in the target domain.
--->>>
--->>> 2). Click Start, point to All Programs, point to Administrative
Tools,
--->>> and
--->>> then
--->>> Click Active Directory Users and Computers.
--->>>
--->>> 3). In the console tree, double-click the domain, right-click the
Domain
--->>> Controllers OU, and then click Properties.
--->>>
--->>> 4). On the Group Policy tab, click Default Domain Controllers
Policy, and
--->>> then
--->>> click Edit.
--->>>
--->>> 5). Double-click Computer Configuration, double-click Windows
Settings,
--->>> double-click Security Settings, double-click Local Policies, and
then
--->>> click
--->>> Audit Policy.
--->>>
--->>> 6). Double-click Audit account management, and then select both the
--->>> Success
--->>> and
--->>> Failure check boxes.
--->>>
--->>> 7). Click Apply, and then click OK.
--->>>
--->>> 8). Wait till the policy replicated to all DCs, then on DCs, run
--->>> 'gpupdate
--->>> /force' on the DCs to apply the policy.
--->>>
--->>> <3> Create the domain$$$ (use your real target domain name to replace
--->>> domain) local group in source domain and ensure there is no member
--->>> residing
--->>> in this group.
--->>>
--->>> For more information, please refer to:
--->>> =======================
--->>> ADMT v3 Migration Guide
--->>>
http://www.microsoft.com/downloads/d...770-3BBB-4B9E-
--->>> A8BC-01E9F7EF7342&displaylang=en
--->>>
--->>> Support WebCast: Domain Migration Using the Microsoft Active
Directory
--->>> Migration Tool
--->>> http://support.microsoft.com/kb/325393
--->>>
--->>> <Can SID History be cleaned using ADMT?>
--->>>
--->>> {Morgan}:
--->>>
--->>> Yes, you can choose not to migrate SID history by unchecking 'Sid
--->>> history'
--->>> box during migrating process. However, typically, we need to migrate
Sid
--->>> history for rollback plan. If migration task failed or we hadn't
timely
--->>> migrated all resources , such as files , folders, printers etc, to
target
--->>> domain, the migrated users and groups could still access these
resources
--->>> on
--->>> source domain. So, I suggest you migrate Sid history along with
users and
--->>> groups migration.
--->>>
--->>> More information, please refer to the rollback plan section of ADMT
v3
--->>> Migration Guide
--->>> Above.
--->>>
--->>> Hope this helps.
--->>>
--->>>
--->>> Sincerely
--->>> Morgan Che
--->>> Microsoft Online Support
--->>> Microsoft Global Technical Support Center
--->>>
--->>> Get Secure! - www.microsoft.com/security
--->>> ================================================== ===
--->>> When responding to posts, please "Reply to Group" via your
newsreader so
--->>> that others may learn and benefit from your issue.
--->>> ================================================== ===
--->>> This posting is provided "AS IS" with no warranties, and confers no
--->>> rights.
--->>>
--->>>
--->>> --------------------
--->>> --->Reply-To: "Venkat" <>
--->>> --->From: "Venkat" <>
--->>> --->Subject: Active Directory Processing
--->>> --->Date: Mon, 4 Aug 2008 23:33:06 +0530
--->>> --->Lines: 15
--->>> --->X-Priority: 3
--->>> --->X-MSMail-Priority: Normal
--->>> --->X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
--->>> --->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
--->>> --->X-RFC2646: Format=Flowed; Original
--->>> --->Message-ID: <>
--->>> --->Newsgroups: microsoft.public.windows.server.migration
--->>> --->NNTP-Posting-Host:
abts-ap-dynamic-252.130.169.122.airtelbroadband.in
--->>> 122.169.130.252
--->>> --->Path:
--->>> TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSF TNGP05.phx.gbl
--->>> --->Xref: TK2MSFTNGHUB02.phx.gbl
--->>> microsoft.public.windows.server.migration:4183
--->>> --->X-Tomcat-NG: microsoft.public.windows.server.migration
--->>> --->
--->>> --->Does ADMT:
--->>> --->1. Process the DACLS on the source domain objects during the
--->>> migration
--->>> e.g.
--->>> --->assume that an OU (US Accounts) in the source domain was
delegated to
--->>> US
--->>> --->Admins group, so the DACL of all the objects under US Accounts
OU
--->>> will
--->>> have
--->>> --->US Admins group in their DACL. Now when you migrate
--->>> users/groups/computers
--->>> --->from US Accounts OU in source domain to the target domain...what
will
--->>> be the
--->>> --->changed made to the DACL on the migrated objects in the target
domain
--->>> --->
--->>> --->2.Is ownership, auditing information etc updated using ADMT?
--->>> --->
--->>> --->3.Can SID History be cleaned using ADMT?
--->>> --->
--->>> --->Regards
--->>> --->
--->>> --->
--->>> --->
--->>>
--->>>
--->
--->
--->