security translation with ADMTv3

Discussion in 'Active Directory' started by jefsower, Sep 6, 2006.

  1. jefsower

    jefsower Guest

    I'm stumped. I've googled and googled but haven't found a solution to this.
    The issue itself is common enough but none of the common solutions seem to be
    for me.

    Here's the situation:

    - Computer Migration Wizard is run from ADMTv3. It's set to translate all
    objects (user profiles, user rights, etc.) in Replace mode.
    - After computer restarts user logs into new domain but rather than use the
    translated profile a new profile is created with the format user.newdomain.

    Why?

    Details:
    1) All other aspects of the migration look to have done fine (i.e. NTFS
    permissions on the user's existing profile have been changed from
    'olddomain\user' to 'newdomain\user').
    2) There are no errors or warnings in the migration log or in the agent log.
    3) Each domain's 'Domain Admins' group is a member of the other's
    Builtin\Administrators group.
    4) Account running ADMT is a Domain Admin in 'newdomain' (and as a result of
    3, an admin in 'olddomain') and also a local admin on the PC being migrated.
    5) Both the target and source domains have 'Anonymous Logon' and 'Everyone'
    in the 'pre-Windows 2000 Compatible Access' group.
    6) Both the target and source domains are auditing success and failure of
    account management.
    7) This is an inter-forest migration.
    8) I'm sure I've missed some so I'll fill this in as I get replies that
    remind me.

    To my understanding SIDHistory doesn't come into play with this but, to cover
    all my bases: SIDHistory is enabled and working.

    I'm aware of the reg hack to change the SID in the ProfileList key but I
    don't plan on doing that to every system in the domain.

    So, what I'm trying to find out is:

    1) What exactly is ADMT failing to do that is causing this to happen? Is
    ADMT supposed to change the SID on the ProfileList reg key?
    2) Why isn't it?

    Any help would be greatly appreciated!
     
    jefsower, Sep 6, 2006
    #1
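
Added example, not part of the original thread: a read-only PowerShell check, run locally on the migrated workstation, that shows which SID each local profile folder is registered under in the ProfileList key mentioned in post #1, and flags a folder named like `user.newdomain` sitting next to an existing `user` folder. The registry path and the `ProfileImagePath` value are standard Windows; the output property names are chosen for this example.

```powershell
# Read-only diagnostic: nothing in the registry or on disk is modified.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

$profiles = foreach ($sub in Get-ChildItem -Path $key) {
    $sidText = $sub.PSChildName
    if ($sidText -notmatch '^S-1-5-21-') { continue }   # skip system/service profiles
    $path = (Get-ItemProperty -Path $sub.PSPath).ProfileImagePath
    if (-not $path) { continue }                        # entry without a profile path

    # Resolve the SID to DOMAIN\user; a SID that no reachable domain can
    # resolve is reported as unresolved instead of aborting the run.
    try {
        $sid     = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '<unresolved>'
    }

    [pscustomobject]@{
        Sid          = $sidText
        Account      = $account
        ProfilePath  = $path
        Leaf         = Split-Path -Path $path -Leaf
        FolderExists = Test-Path -LiteralPath $path
    }
}

$profiles | Sort-Object ProfilePath |
    Format-Table -AutoSize Sid, Account, ProfilePath, FolderExists

# Flag pairs such as C:\...\user and C:\...\user.NEWDOMAIN: the second folder
# means a fresh profile was created for a SID that had no ProfileList entry
# pointing at the original folder.
foreach ($p in $profiles) {
    $prefix = $p.Leaf + '.'
    $dups = @($profiles | Where-Object {
        $_.Leaf.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
    })
    foreach ($d in $dups) {
        Write-Output "Original: $($p.Account) [$($p.Sid)] -> $($p.ProfilePath)"
        Write-Output "New copy: $($d.Account) [$($d.Sid)] -> $($d.ProfilePath)"
    }
}
```

If the original folder is still listed under the old-domain SID while the `user.newdomain` folder is listed under the new-domain SID, the profile entry for that user was not translated on this machine.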

  2. What order have you migrated these objects? I believe it can make a
    difference. I remember doing an ill-prepared migration a couple of years
    back and getting a similar problem because I did things in the wrong order.
     
    Paul Williams [MVP], Sep 6, 2006
    #2

  3. jefsower

    jefsower Guest

    Paul,
    I'm not sure which objects you're referring to. If you're referring to the
    'user profiles, user rights, etc.' these are all selected (checked or
    unchecked) on one screen of the wizard and the program itself would control
    the order. The full list of objects to translate is: Files and folders,
    Local groups, Printers, Registry, Shares, User profiles, User rights.

    The one order-related thing I know of that tends to cause this is if you log
    into the computer with an already-migrated user name before you migrate the
    computer. Then when you run the wizard to migrate the computer it will fail
    because a profile already exists for the user's new SID.
     
    jefsower, Sep 6, 2006
    #3
  4. jefsower

    TC-UK Guest

    The best way to sort this is to migrate placeholder accounts for the users,
    selecting the SID history only. Then migrate users and groups in batches.
    This will allow the new user account to access the translated profile on the
    client. Make sure translation is performed in replace mode.
     
    TC-UK, Sep 7, 2006
    #4