some minor corrections/comments
 
- if you've created a forest trust (requires that the source and target forests are running at the Windows 2003 forest functional level), then SID filtering is not enabled by default
 
- please don't add any SIDs to the SIDHistory of the target Domain Admins group to gain rights in the source - this is not supported (at least not via ADMT) and is considered bad practice (although it can be done technically). It is not a problem to grant appropriate rights to the account performing the migration, without requiring Domain Admin rights in the target (see my previous post).
- you can't add users from one domain to the domain admins group of another domain.
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, 16 December 2005 20:02
To: [email protected]
Subject: RE: [ActiveDir] Interforest Password Migration

No. That domain wide authentication thing you mention is called selective authentication. Although the selection you made is OK, that is not what you need in this case to get admin permissions on the source domain. To read more about selective authentication see:
 
Another thing...
On the outgoing trust (source --> target) SID filtering is enabled by default if the trust was created on a W2K SP4 DC or higher (it is disabled by default if the trust was created on a W2K SP3 DC or earlier).
For more info see:
 
If you want to use SIDHistory then SID filtering will have an impact on that. Disable it while you are using SIDHistory, if it is enabled.
 
To use an account that has full admin rights on both source and target environment (to migrate users, groups, computers, etc.) you can:
(1) add target domain admins to source domain administrators and add SID of source domain admins to sidhistory of target domain admins
(2) Create a domain local group in the source domain. Using Restricted Groups, add that domain local group to the local Administrators group of all computers where you need admin permissions. Add target Domain Admins to source Domain Administrators and to the previously created domain local group.
 
NOTE: to be able to create domain local groups in the source environment, that source domain must be at least at Windows 2000 native mode.
 
To use an account that has full admin rights on both source and target environment (to migrate only users and groups and passwords) you can:
(1) add target domain admins to source domain administrators
 
for the rest just follow: http://support.microsoft.com/kb/326480
 
Cheers,
Jorge
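Jorge's post and Guido's corrections at the top both turn on the state of two trust flags, SID filtering (quarantine) and selective authentication, which are stored as bits in the trustAttributes attribute of each trustedDomain object under CN=System. The following PowerShell is an added example written for this page, not code from the thread or from ADMT: it enumerates the trusts of the current domain, decodes those bits (values per MS-ADTS), and reports the state so you can tell before a migration whether SIDHistory will be filtered. The netdom commands in the trailing comments are the documented switches for changing the settings; the domain names in them are placeholders.

```powershell
# Added example, not part of the original thread.
# Decodes trustAttributes for every trust in the current domain and reports
# whether SID filtering and selective authentication are set.
# Bit values are from MS-ADTS (trustAttributes); the domain names in the
# netdom comments at the end are placeholders.

function ConvertFrom-TrustAttributes {
    param([Parameter(Mandatory)][int]$Value)
    $flags = [ordered]@{
        NON_TRANSITIVE      = 0x1
        UPLEVEL_ONLY        = 0x2
        QUARANTINED_DOMAIN  = 0x4    # SID filtering (quarantine) enabled
        FOREST_TRANSITIVE   = 0x8    # forest trust
        CROSS_ORGANIZATION  = 0x10   # selective authentication
        WITHIN_FOREST       = 0x20
        TREAT_AS_EXTERNAL   = 0x40   # forest trust with SIDHistory allowed (/EnableSIDHistory:Yes)
        USES_RC4_ENCRYPTION = 0x80
    }
    $set = foreach ($f in $flags.GetEnumerator()) {
        if ($Value -band $f.Value) { $f.Key }
    }
    return ,@($set)
}

function Get-TrustSidFilteringState {
    param(
        # Defaults to the domain the running host belongs to.
        [string]$DomainDN = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=System,$DomainDN"
    $searcher.Filter = "(objectClass=trustedDomain)"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name','trustDirection','trustAttributes'))

    foreach ($r in $searcher.FindAll()) {
        $attr  = [int]$r.Properties['trustattributes'][0]
        $names = ConvertFrom-TrustAttributes -Value $attr
        $dir   = switch ([int]$r.Properties['trustdirection'][0]) {
            1 { 'Inbound' } 2 { 'Outbound' } 3 { 'Bidirectional' } default { 'Disabled' }
        }
        [pscustomobject]@{
            TrustedDomain           = [string]$r.Properties['name'][0]
            Direction               = $dir
            ForestTrust             = ($names -contains 'FOREST_TRANSITIVE')
            SidFiltering            = ($names -contains 'QUARANTINED_DOMAIN')
            SelectiveAuthentication = ($names -contains 'CROSS_ORGANIZATION')
            Flags                   = ($names -join ',')
        }
    }
}

Get-TrustSidFilteringState | Format-Table -AutoSize

# Changing the settings (run on a DC of the trusting domain; names are placeholders):
#   show current quarantine state of an external trust
#     netdom trust target.example /domain:source.example /quarantine
#   disable SID filtering only while SIDHistory is being migrated, then re-enable it
#     netdom trust target.example /domain:source.example /quarantine:No  /userD:source\admin /passwordD:*
#     netdom trust target.example /domain:source.example /quarantine:Yes /userD:source\admin /passwordD:*
#   on a forest trust the equivalent switch is /EnableSIDHistory:Yes|No
#   revert selective authentication to domain-wide authentication
#     netdom trust target.example /domain:source.example /SelectiveAuth:No
```

Run it from the target domain to see the outgoing trust Jorge describes (source --> target from the target's point of view is an inbound trust object on the source DC and an outbound one on the target DC). A SidFiltering value of True on that trust means SIDs carried in SIDHistory from the source will be stripped from tokens, which is the case to check before concluding that ADMT "did not migrate" SIDHistory.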

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lloyd Williams
Sent: Friday, December 16, 2005 16:50
To: [email protected]
Subject: RE: [ActiveDir] Interforest Password Migration

Thanks for the reply. Yes this is the document that I am using as my guide to do this.
 
The only part I am not sure about is the part that says the "users must have administrator rights in both domains."
As far as I can see it is not possible to add the Domain Admin from one domain to the Domain Administrators group in the other domain.
If you go into Active Directory Users and Computers to add accounts to Domain Admins the only location you are given is that domain.
So I am assuming that the necessary right come from creating the trust relationship. When I created this I used the Domain wide authentication option.
Can I assume that this gives Domain Admins in Domain1 appropriate rights to Domain 2?
 
Thanks
Lloyd


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, December 16, 2005 4:40 AM
To: [email protected]
Subject: RE: [ActiveDir] Interforest Password Migration

Is everything configured as mentioned in http://support.microsoft.com/kb/326480
 
Cheers,
Jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lloyd Williams
Sent: Friday, December 16, 2005 01:58
To: [email protected]
Subject: [ActiveDir] Interforest Password Migration

I am using ADMT v3.0 to migrate users from one 2000/2003 forest to another 2003 forest. I have no trouble migrating users however I cannot migrate passwords. I have the password migration service installed on the PDC of the source domain. I have generated a key in the target domain, then used it in the source domain during the installation of the Password Migration Service. When I use ADMT to migrate the password I get "unable to establish a session with the password export server. Access is denied"
I have the password export service on the source machine running as the administrator on the target machine.
The trusts seem to verify OK, anyone have any idea?
 
Thanks
Lloyd


