One other thing beyond what Jorge mentioned.... if you've Enabled
Disable [oxymoron :-)] anonymous SAM enumeration via Group Policy you're
also likely to end up with problems accessing resources.
Regards,
Mylo
Almeida Pinto, Jorge de wrote:
No. That domain wide authentication thing you mention is called
selective authentication. Although the selection you made is OK, that
is not what you need in this case to get admin permissions on the
source domain. To read more about selective authentication see:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/9266b197-7fc9-4bd8-8864-4c119ceecc00.mspx
Another thing...
On the outgoing trust (source --> target) sidfiltering is enabled by
default if the trust was created on a W2KSP4 DC or higher (it is
disabled by default if the trust was created on a W2KSP3 DC or earlier).
For more info see:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/31915de7-ff58-4f26-a8ec-450ffca75912.mspx
If you want to use sidhistory then sid filtering will have impact on
that. Disable it for the moment you use sidhistory if it is enabled.
To use an account that has full admin rights on both source and target
environment (to migrate users, groups, computers, etc.) you can:
(1) add target domain admins to source domain administrators and add
SID of source domain admins to sidhistory of target domain admins
(2) Create a domain local group in the source domain. With restricted
groups add that domain local group to the local administrators group
of all computers where you need admin permissions. Add target domain
admins to source domain administrators and the previously created
domain local group
NOTE: to be able to create domain local groups in the source env.
that source domain must at least have Windows 2000 native
To use an account that has full admin rights on both source and target
environment (to migrate only users and groups and passwords) you can:
(1) add target domain admins to source domain administrators
for the rest just follow: http://support.microsoft.com/kb/326480
Cheers,
Jorge
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Lloyd Williams
*Sent:* Friday, December 16, 2005 16:50
*To:* [email protected]
*Subject:* RE: [ActiveDir] Interforest Password Migration
Thanks for the reply. Yes this is the document that I am using as my
guide to do this.
The only part I am not sure about is the part that says the "users
must have administrator rights in both domains."
As far as I can see it is not possible to add the Domain Admin from
one domain to the Domain Administrators group in the other domain.
If you go into Active Directory Users and Computers to add accounts to
Domain Admins the only location you are given is that domain.
So I am assuming that the necessary rights come from creating the trust
relationship. When I created this I used the Domain wide
authentication option.
Can I assume that this gives Domain Admins in Domain1 appropriate
rights to Domain 2?
Thanks
Lloyd
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Almeida
Pinto, Jorge de
*Sent:* Friday, December 16, 2005 4:40 AM
*To:* [email protected]
*Subject:* RE: [ActiveDir] Interforest Password Migration
Is everything configured as mentioned in
http://support.microsoft.com/kb/326480?
Cheers,
Jorge
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Lloyd Williams
*Sent:* Friday, December 16, 2005 01:58
*To:* [email protected]
*Subject:* [ActiveDir] Interforest Password Migration
I am using ADMT v3.0 to migrate users from one 2000/2003 forest to
another 2003 forest. I have no trouble migrating users however I
cannot migrate passwords. I have the password migration service
installed on the PDC of the source domain. I have generated a key in
the target domain, then used it in the source domain during the
installation of the Password Migration Service. When I use ADMT to
migrate the password I get "unable to establish a session with the
password export server. Access is denied"
I have the password export service on the source machine running as
the administrator on the target machine.
The trusts seem to verify OK, anyone have any idea?
Thanks
Lloyd
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/