Correct - and I support what is being said by MS - that it will only migrate to the exact SID on the receiving end.

However, maybe someone else can shed some light - I'm not sure what the setting is to allow it in ADMT at the moment.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Friday, June 06, 2003 8:43 AM
To: [EMAIL PROTECTED]

Rick, thanks for the reply post.

Membership of these groups is not the issue - I take your point, though it is more to do with the ability to translate the security of the resources, which as I understand won't happen without an entry in the ADMT database.

But thinking about it, I don't need to do security translation as long as I populate sidhistory of the target domain Admins / Users group objects using alternative tools such as cloneprincipal?? Although, that said, this loses some of the "genericness" of a security translation. I assume the manual "hack" of the sidhistory to be a supported operation?

As an aside, I picked up from netiq.com a technote that suggests that it does support the migration of sidhistory for these well-known objects - here's an extract - and by corollary thought that this would be supported under ADMT2:

"The API used to migrate SID History for Well-Known objects will only migrate to a target domain object with the same RID. This has been implemented by Microsoft for security reasons. For example, you can only migrate the SID of the source domain's Well-Known Domain Admins group to the SID History of the target domain's Well-Known Domain Admins group. You could not apply it to any other group."

GT

On Fri, 6 Jun 2003 07:57:07 -0500, "Rick Kingslan" wrote:
>
> Graham,
>
> You cannot migrate the well known groups from one domain (or forest) to another. The SIDs are universally the same. ADMT will attempt, however the well-known already exists, and you cannot migrate it.
>
> Our solution was to take an inventory of who / what was member of the groups (or included membership of) and recreate that via scripting, manual methods, what have you.
>
> If someone else has a solution, great - I hope that they do for the sake of your time in collecting the data.
>
> Otherwise, you do have a task - not monumental, but not small either. BTW, our environment - 15k desktops, 25k users. Lots of groups.
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> Sent: Friday, June 06, 2003 7:44 AM
> To: [EMAIL PROTECTED]
>
> Dear all, have posted quite recently with no feedback, so hoping this time round to get a bit more info.
>
> Still looking at strategy for migration of the well known accounts - "Domain Admins" / Domain Users, on which a lot of domain security is based.
>
> Thought this was where the Group Mapping and Merging wizard gave us some help.
>
> Using it to map sourcedom\Domain Admins to targetdom\Domain Admins with the "migrate group SIDs" option enabled - I assumed this would populate the sidhistory of the target domain group object with that of the source domain SID and in doing so create an entry in the ADMT database that will be read by the security translation / user migration wizards.
>
> Ditto for Domain Users.
>
> However this ADMT process is failing with the following error codes:
>
> ERR2: 7085
> Replace failed rc=1371
> Cannot perform this operation on builtin accounts
>
> For me, am I not right to say that the above groups are not in fact builtin accounts but "well known accounts"??
>
> Saw one post back that documented the use of a manual process (cloneprincipal) to achieve the population of the sidhistory, but this will not allow us to achieve the requirement of security translation.
>
> Any clues??
>
> GT
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
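The rule quoted from the NetIQ technote turns on two things that can be read straight off a SID: whether it is a builtin SID (S-1-5-32-<RID>, the same value in every domain) or a domain-relative one (S-1-5-21-<domain>-<RID>, where well-known groups such as Domain Admins and Domain Users carry the fixed RIDs 512 and 513 in every domain), and whether the source and target RIDs match. The Python below is an added example, not code from the list thread, from ADMT or from NetIQ; it models that rule offline over constructed SIDs and does not touch Active Directory. Whether ADMT's own check (which returned rc=1371 for Domain Admins above) draws the same builtin / well-known distinction, the thread does not say.

```python
"""Model of the "same RID only" sIDHistory rule for well-known groups.

Added example, not from the list thread, ADMT or NetIQ.  Parses textual
SIDs, separates builtin SIDs (S-1-5-32-<RID>) from domain-relative ones
(S-1-5-21-<domain>-<RID>) and decides whether a source SID may be written
into the sIDHistory of a given target object.  All SIDs are constructed.
"""
import re

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

# Domain-relative RIDs that every domain assigns to the same well-known
# principals: the RID is identical across domains, the domain part differs.
WELL_KNOWN_DOMAIN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Builtin local groups: the entire SID is identical in every domain, so
# there is no per-domain value that sIDHistory could carry.
BUILTIN_RIDS = {544: "Administrators", 545: "Users", 546: "Guests",
                548: "Account Operators", 549: "Server Operators",
                551: "Backup Operators"}

# Constructed domain SIDs for the example (not real domains).
SOURCE_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
TARGET_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"


def parse_sid(sid):
    """Return (identifier_authority, [sub_authorities]) for an 'S-1-...' string."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a textual SID: %r" % sid)
    subs = [int(x) for x in m.group(2).lstrip("-").split("-")]
    return int(m.group(1)), subs


def classify(sid):
    """'builtin', 'well-known', 'domain' or 'other'."""
    authority, subs = parse_sid(sid)
    if authority == 5 and len(subs) == 2 and subs[0] == 32:
        return "builtin"
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        return "well-known" if subs[4] in WELL_KNOWN_DOMAIN_RIDS else "domain"
    return "other"


def domain_part(sid):
    """The S-1-5-21-a-b-c prefix of a domain-relative SID."""
    authority, subs = parse_sid(sid)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError("not a domain-relative SID: %r" % sid)
    return "S-1-5-21-%d-%d-%d" % tuple(subs[1:4])


def rid(sid):
    """Last sub-authority, i.e. the relative identifier."""
    return parse_sid(sid)[1][-1]


def sid_history_allowed(source_sid, target_sid):
    """Apply the quoted rule.  Returns (allowed, reason)."""
    src, tgt = classify(source_sid), classify(target_sid)
    if "builtin" in (src, tgt):
        return False, "builtin account: same SID in every domain, nothing to migrate"
    if "other" in (src, tgt):
        return False, "not a domain-relative SID"
    if domain_part(source_sid) == domain_part(target_sid):
        return False, "source and target are in the same domain"
    if src == "well-known":
        # Well-known source SIDs may only land on the target object with the same RID.
        if rid(source_sid) != rid(target_sid):
            return False, "well-known RID %d may only map to RID %d in the target" % (
                rid(source_sid), rid(source_sid))
        return True, "well-known %s -> same RID in target" % WELL_KNOWN_DOMAIN_RIDS[rid(source_sid)]
    return True, "ordinary domain SID, no RID constraint in the quoted rule"


if __name__ == "__main__":
    cases = [
        (SOURCE_DOMAIN + "-512", TARGET_DOMAIN + "-512"),   # Domain Admins -> Domain Admins
        (SOURCE_DOMAIN + "-512", TARGET_DOMAIN + "-1105"),  # Domain Admins -> some other group
        ("S-1-5-32-544", "S-1-5-32-544"),                   # BUILTIN\Administrators
        (SOURCE_DOMAIN + "-1105", TARGET_DOMAIN + "-1204"), # ordinary group -> ordinary group
    ]
    for s, t in cases:
        print("%-50s %-9s -> %-50s %s" % (s, classify(s), t, sid_history_allowed(s, t)))
```

The distinction GT asks about is visible in the output: Domain Admins classifies as a well-known domain-relative group rather than as a builtin one, yet under the quoted rule it may still only be mapped onto the target's RID 512.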
