Interforest migration - minimal permissions for migration account

 
 
Marcin
      03-25-2010
Hi,

I want to know exactly what minimal permissions the migration account needs
to migrate users, service accounts, workstations and servers (known as
resources) with a two-way trust (no filtering; source and target are 2003
Active Directory domains).

I ask because there are differences between the sources (ADMT Guide 3.0, ADMT
Help, and this forum).

Do I need two accounts? (One in the source domain and a second in the target
domain. Does this mean that I should run ADMT with the target domain account
and enter the source domain during the wizard?)

Is it possible to get an answer from the Microsoft team?

Best regards,
Marcin
 
Paul Bergson [MVP-DS]
      03-25-2010
It has been a while since I have had to run ADMT (Fortunately). IIRC, it is
going to depend on what you are migrating. If for example, you are
migrating machines the source domain will require that you are a local
machine admin as well as remove the machine from the source domain and the
destination domain will require you to be able to create a machine account.
Normally I wouldn't answer, but I'm concerned you will press forward on someone's
details; instead I just wanted to try and convince you of the following.

Since this is a major undertaking I strongly urge you to set this up in a
lab first and test this out. You will be able to verify exactly what each
migration type needs and you won't be turning your production LAN into a
test environment.

--
Paul Bergson
MVP - Directory Services
MCITP - Enterprise Administrator
MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the newsgroups. This
posting is provided "AS IS" with no warranties and confers no rights.
 
Ace Fekay [MVP-DS, MCT]
      03-27-2010



When I did a migration last year, and what I've done in the past, I've always made sure there is a two way trust and the Domain Admin of each domain has been added to the Domain Local Administrators group of the other domain.

I agree that anything like this should be tested in a lab first.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
 
 
Andrei Ungureanu
      03-27-2010
In the source domain you'll need Domain Admin rights. In the target it
depends on whether you run ADMT on a DC or not. If you're running it from a
member server you can delegate full rights on the container where you'll
migrate your objects.
However, Ace's suggestion is better as you'll not run into issues because of
access rights.

And almost forgot: local admin rights on the computers being migrated - so
that the ADMT agent can connect and do its work.

Andrei
www.winadmins.net

 
Marcin
      03-28-2010
> Since this is a major undertaking I strongly urge you to set this up in a
> lab first and test this out.


Thank you for the answer, but I still haven't got a recipt for how to set
minimal permissions.
I need this to set up my lab. I want to use one account to migrate users and
resources. If I get an exact recipt I will create one account for each group
(one for users, a second for profiles, a third for groups, etc.).

Best regards,
Marcin
 
 
Marcin
      03-28-2010
> When I did a migration last year, and what I've done in the past, I've
> always made sure there is a two way trust and the Domain Admin of each domain
> has been added to the Domain Local Administrators group of the other domain.

Thank you for the answer. Your option is working but I need the highest
permissions (domain admin in domain). If I doesn't get recipt I will use
that rights.

Thanks again,
Marcin
 
 
Ace Fekay [MVP-DS, MCT]
      03-29-2010



Marcin,

You are welcome. However, I do not understand what the last sentence means:

"If I doesn't get recipt I will use that rights."

What I was suggesting is to simply provide the domain admin of the source to have full control at the target and vice-versa. If you are still having errors, then there is something else going on. Are you seeing any specific errors show up in ADMT or the Event logs?


--
Ace

 
Marcin
      03-29-2010
> "If I doesn't get recipt I will use that rights."

I made a spelling mistake. "recipt" should be "recipe". If I don't have a
recipe (the exact Windows rights for each kind of resource (users, groups,
workstations, servers), or a step-by-step) I will use your tip (and simplify
the whole procedure).

> If you are still having errors, then there is something else going on


I would say that I don't have errors. All migration steps ran without error
using your tips.

Thank you again for the tips. Maybe you can help me. After migrating users and
their workstations (without the file server; the trust still exists), users
don't have permissions to the file server if they log in to the new domain.
They have permission to the file server if they log in to the old domain. (Is
this a problem with SID history?)

Best regards,
Maciek
 
 
Paul Bergson [MVP-DS]
      03-29-2010
If you migrated the user Id across then the new Id should map to the
migrated file server.

How exactly did you migrate things across?

What do the permissions show on an object that isn't working as expected?

--
Paul Bergson
 
Ace Fekay [MVP-DS, MCT]
      03-29-2010





I'm still not sure what recipe means.

As for access to the old server in the old domain by the newly migrated account, you can use SID history, otherwise, simply add the user's account across the trust to the old server. You can also simply migrate the server to the new domain, too. But Paul makes a good point. Was the server migrated?

Ace
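
A way to answer the questions raised above about the file server (does the migrated account carry SID history, and what do the permissions on the folder actually name), as an added example that is not part of any poster's message. It assumes the ActiveDirectory PowerShell module is available; the account name, domain controller and share path are hypothetical placeholders.

```powershell
# Added example. All names below are hypothetical placeholders.
# Assumes the ActiveDirectory module and read access to the folder's ACL.
Import-Module ActiveDirectory

$User     = 'jkowalski'            # hypothetical migrated account in the target domain
$TargetDC = 'dc01.target.example'  # hypothetical target-domain DC
$Folder   = '\\oldfs01\projects'   # hypothetical share on the unmigrated file server

# SIDs the user presents: the new objectSid plus any sIDHistory values.
$u = Get-ADUser -Identity $User -Server $TargetDC -Properties SIDHistory
$known = @{}
$known[$u.SID.Value] = 'user objectSid'
foreach ($h in $u.SIDHistory) { $known[$h.Value] = 'user sIDHistory' }

# Same for the groups the user is a direct member of in the target domain.
foreach ($g in Get-ADPrincipalGroupMembership -Identity $u -Server $TargetDC) {
    $grp = Get-ADGroup -Identity $g.DistinguishedName -Server $TargetDC -Properties SIDHistory
    $known[$grp.SID.Value] = "group '$($grp.Name)' objectSid"
    foreach ($h in $grp.SIDHistory) { $known[$h.Value] = "group '$($grp.Name)' sIDHistory" }
}

if ($u.SIDHistory.Count -eq 0) {
    Write-Warning "$User has no sIDHistory: ACEs naming the source-domain account cannot match."
}

# Read the ACEs as raw SIDs so source-domain entries stay comparable
# even when they cannot be resolved to a name from this machine.
$acl = Get-Acl -Path $Folder
$acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    ForEach-Object {
        $sid = $_.IdentityReference.Value
        [pscustomobject]@{
            Sid     = $sid
            Type    = $_.AccessControlType
            Rights  = $_.FileSystemRights
            Matches = if ($known.ContainsKey($sid)) { $known[$sid] } else { '-' }
        }
    } | Format-Table -AutoSize
```

The comparison covers only the user and its direct groups in the target domain; well-known SIDs such as Everyone and nested group memberships are not expanded, so a row showing `-` for those is expected.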
 