SBS migration new domain admt problem

Hi all, please help me.

I have SBS2003 with single domain label, so i cannot migrate to SBS2008 with
same domain. I installed SBS2008 with new domain and running ADMT on SBS2003
as described here
http://blogs.technet.com/sbs/archive...main-name.aspx



I have problem to transfer user account, accounts i transfered but without
SID. Here is error from ADMT log



[Object Migration Section]

2009-08-18 18:18:57 Starting Account Replicator.

2009-08-18 18:18:57 CN=D V - Created

2009-08-18 18:18:58 ERR2:7111 Failed to add sid history for DV to DV.
RC=8233

2009-08-18 18:18:59 WRN1:7857 Could not copy following properties for 'CN=D
V'.

2009-08-18 18:18:59 showInAddressBook = CN=Default Global Address
List,CN=All Global Address Lists,CN=Address Lists
Container,CN=oldDomain,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=oldDomain , ... Do¹lo k naru¹ení
omezení.

2009-08-18 18:18:59 lastLogonTimestamp = 128950639487047493 Server
odmítá zpracovat ¾ádost.

2009-08-18 18:18:59 CN=D V - Strong password generated.

2009-08-18 18:18:59 WRN1:7372 ADMT does not process BUILTIN accounts or
change the membership of BUILTIN groups (Administrators, etc.). Skipping
LDAP://oldDomain/CN=Domain Admins,CN=Users,DC=oldDomain

2009-08-18 18:18:59 Updated user rights for CN=D V

2009-08-18 18:18:59 Operation completed.

Many thanks for your help

David

Hello David,

Please use the SBS newsgroup for this:
microsoft.public.windows.server.sbs

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi all, please help me.
>
> I have SBS2003 with single domain label, so i cannot migrate to
> SBS2008 with
>
> same domain. I installed SBS2008 with new domain and running ADMT on
> SBS2003
>
> as described here
>
> http://blogs.technet.com/sbs/archive...-to-sbs-2008-m
> igration-to-a-different-domain-name.aspx
>
> I have problem to transfer user account, accounts i transfered but
> without SID. Here is error from ADMT log
>
> [Object Migration Section]
>
> 2009-08-18 18:18:57 Starting Account Replicator.
>
> 2009-08-18 18:18:57 CN=D V - Created
>
> 2009-08-18 18:18:58 ERR2:7111 Failed to add sid history for DV to DV.
> RC=8233
>
> 2009-08-18 18:18:59 WRN1:7857 Could not copy following properties for
> 'CN=D V'.
>
> 2009-08-18 18:18:59 showInAddressBook = CN=Default Global Address
> List,CN=All Global Address Lists,CN=Address Lists
> Container,CN=oldDomain,CN=Microsoft
> Exchange,CN=Services,CN=Configuration,DC=oldDomain , ... Do¹lo k
> naru¹ení omezení.
>
> 2009-08-18 18:18:59 lastLogonTimestamp = 128950639487047493
> Server odmítá zpracovat ¾ádost.
>
> 2009-08-18 18:18:59 CN=D V - Strong password
> generated.
>
> 2009-08-18 18:18:59 WRN1:7372 ADMT does not process BUILTIN accounts
> or change the membership of BUILTIN groups (Administrators, etc.).
> Skipping LDAP://oldDomain/CN=Domain Admins,CN=Users,DC=oldDomain
>
> 2009-08-18 18:18:59 Updated user rights for CN=D V
>
> 2009-08-18 18:18:59 Operation completed.
>
> Many thanks for your help
>
> David
>

<David> wrote in message news:%23%23n%.. .
> Hi all, please help me.
>
> I have SBS2003 with single domain label, so i cannot migrate to SBS2008
> with
> same domain. I installed SBS2008 with new domain and running ADMT on
> SBS2003
> as described here
> http://blogs.technet.com/sbs/archive...main-name.aspx
>
>
>
> I have problem to transfer user account, accounts i transfered but without
> SID. Here is error from ADMT log
>
>
>
> [Object Migration Section]
>
> 2009-08-18 18:18:57 Starting Account Replicator.
>
> 2009-08-18 18:18:57 CN=D V - Created
>
> 2009-08-18 18:18:58 ERR2:7111 Failed to add sid history for DV to DV.
> RC=8233
>
> 2009-08-18 18:18:59 WRN1:7857 Could not copy following properties for
> 'CN=D
> V'.
>
> 2009-08-18 18:18:59 showInAddressBook = CN=Default Global Address
> List,CN=All Global Address Lists,CN=Address Lists
> Container,CN=oldDomain,CN=Microsoft
> Exchange,CN=Services,CN=Configuration,DC=oldDomain , ... Do¹lo k naru¹ení
> omezení.
>
> 2009-08-18 18:18:59 lastLogonTimestamp = 128950639487047493 Server
> odmítá zpracovat ¾ádost.
>
> 2009-08-18 18:18:59 CN=D V - Strong password generated.
>
> 2009-08-18 18:18:59 WRN1:7372 ADMT does not process BUILTIN accounts or
> change the membership of BUILTIN groups (Administrators, etc.). Skipping
> LDAP://oldDomain/CN=Domain Admins,CN=Users,DC=oldDomain
>
> 2009-08-18 18:18:59 Updated user rights for CN=D V
>
> 2009-08-18 18:18:59 Operation completed.
>
> Many thanks for your help
>
> David

David,

I cross-posted this to the SBS group to the folks that are more experienced
with SBS.

My first thought is that it could be failing due to the single label name,
or possibly a DNS misconfig. Do you see any event log errors? If so, post
the EventID# and Source, please.

Please also post an unedited ipconfig /all for both of the SBS servers, to
insure there aren't any basic configuration issues.

However, just to add my 5.6 cents (adjusted for inflation), why even bother
with SIDHistory if you are moving everything over to the new domain anyway?
SIDHistory provides the ability to co-exist the source and target domain to
allow the newly migrated users to access the old domain's resource without
the need to supply credentials. Assuming you are moving all shared folders
and other data to the new side, do you expect to use that feature?


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum to benefit from collaboration
among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

Thank for your reply.

Yes failing due SLD, I find (intensive googling over last night) article
(similar problem from SBS2003-SLD to SBS2003) how to allow SLD and now ADMT
working with SID history.

Why I need SID history? In old domain site is file server (another W2003srv
DC) with deep and complexity folder structure. For my opinion without old
SID I need edit all security properties at files and folders. Am I right?

I read about icacls, but SID history is easier for me. Is it right way?
W2003srv will be moved to new domain (dcpromo and dcpromo).

Thanks for reply and advice

David

"Ace Fekay [MCT]" <> píše v diskusním
príspevku news:...
> <David> wrote in message
> news:%23%23n%.. .
>> Hi all, please help me.
>>
>> I have SBS2003 with single domain label, so i cannot migrate to SBS2008
>> with
>> same domain. I installed SBS2008 with new domain and running ADMT on
>> SBS2003
>> as described here
>> http://blogs.technet.com/sbs/archive...main-name.aspx
>>
>>
>>
>> I have problem to transfer user account, accounts i transfered but
>> without
>> SID. Here is error from ADMT log
>>
>>
>>
>> [Object Migration Section]
>>
>> 2009-08-18 18:18:57 Starting Account Replicator.
>>
>> 2009-08-18 18:18:57 CN=D V - Created
>>
>> 2009-08-18 18:18:58 ERR2:7111 Failed to add sid history for DV to DV.
>> RC=8233
>>
>> 2009-08-18 18:18:59 WRN1:7857 Could not copy following properties for
>> 'CN=D
>> V'.
>>
>> 2009-08-18 18:18:59 showInAddressBook = CN=Default Global Address
>> List,CN=All Global Address Lists,CN=Address Lists
>> Container,CN=oldDomain,CN=Microsoft
>> Exchange,CN=Services,CN=Configuration,DC=oldDomain , ... Do¹lo k naru¹ení
>> omezení.
>>
>> 2009-08-18 18:18:59 lastLogonTimestamp = 128950639487047493 Server
>> odmítá zpracovat ¾ádost.
>>
>> 2009-08-18 18:18:59 CN=D V - Strong password generated.
>>
>> 2009-08-18 18:18:59 WRN1:7372 ADMT does not process BUILTIN accounts or
>> change the membership of BUILTIN groups (Administrators, etc.). Skipping
>> LDAP://oldDomain/CN=Domain Admins,CN=Users,DC=oldDomain
>>
>> 2009-08-18 18:18:59 Updated user rights for CN=D V
>>
>> 2009-08-18 18:18:59 Operation completed.
>>
>> Many thanks for your help
>>
>> David
>
> David,
>
> I cross-posted this to the SBS group to the folks that are more
> experienced with SBS.
>
> My first thought is that it could be failing due to the single label name,
> or possibly a DNS misconfig. Do you see any event log errors? If so, post
> the EventID# and Source, please.
>
> Please also post an unedited ipconfig /all for both of the SBS servers, to
> insure there aren't any basic configuration issues.
>
> However, just to add my 5.6 cents (adjusted for inflation), why even
> bother with SIDHistory if you are moving everything over to the new domain
> anyway? SIDHistory provides the ability to co-exist the source and target
> domain to allow the newly migrated users to access the old domain's
> resource without the need to supply credentials. Assuming you are moving
> all shared folders and other data to the new side, do you expect to use
> that feature?
>
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum to benefit from collaboration
> among responding engineers, and to help others benefit from your
> resolution.
>
> Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
> Microsoft Certified Trainer
>
> For urgent issues, please contact Microsoft PSS directly. Please check
> http://support.microsoft.com for regional support phone numbers.
>
>

<David> wrote in message news:...
> Thank for your reply.
>
> Yes failing due SLD, I find (intensive googling over last night) article
> (similar problem from SBS2003-SLD to SBS2003) how to allow SLD and now
> ADMT working with SID history.
>
> Why I need SID history? In old domain site is file server (another
> W2003srv DC) with deep and complexity folder structure. For my opinion
> without old SID I need edit all security properties at files and folders.
> Am I right?
>
> I read about icacls, but SID history is easier for me. Is it right way?
> W2003srv will be moved to new domain (dcpromo and dcpromo).
>
> Thanks for reply and advice
>
> David

It may be failing due to ADMT can't authenticate with using DNS because of
the single label name (assuming that's what you mean by SLD). You can
possibly try patching the old domain and the new domain with this bandaid to
allow single label name queries and registrations. By default, any Windows
2000 SP4 and newer machines will not register into DNS with a single label
name. This reg entry overrides that. If it works, complete your tasks, and
back the reg entry out when done.

Yes, the SIDHistory works right away, however, how long do you expect to
keep using the SIDHistory? You'll need to eventually change it anyway. It's
designed for an interim phase during coexistence, and if you disjoin and
rejoin the other Windows 2003 server that has the complex folder structure
(I assume it is not a domain controller), you will need to change the
permissions over to the new domain accounts, then run the SIDHIstory Cleanup
Script to remove the old SIDs off the new accounts.

So if it were me, I would first create a report of all share and security
permissions on the complex structure on the Windows 2003 machine, then
migrate without the SIDHistory option, disjoin and rejoin the machine to the
new domain, change the permissions on the structure to reflect the new
accounts (users and groups) and be done and over with the old side.

Security Explorer - create security permissions report on all folders
http://www.scriptlogic.com/products/security-explorer/

JSI Tip 8670. How can I report the NTFS folder permissions on a ..
The report is generated in a SharedFolderPerms.log file which is created in
the current ...
http://windowsitpro.com/article/arti...d-folders.html

Ace