A common problem when migrating objects from one forest to another using Microsoft’s ADMT (Active Directory Migration Tool) is the inability of the tool to migrate SID history for windows standard domain global groups such as "Domain User" or "Domain Admins." Typically what happens is in situations where administrators have used these groups to assign permissions such as in file and directories on a file and print server, users no longer have access to these files and directories during the interoperability stage of a migration. This stage is when users, groups and workstations have all been migrated to the new forest, but the application servers still remain in the source domain.
In order to migrate Domain Admins and Domain Users SID to SIDHistory from one forest to another, you will need the "Windows 2003 SP2 Support Tools"
For Example:
The target DC is Windows 2008 R2. To run the utils on a Windows 2008 R2 (x64) OS the following guide needs to be followed:
• Create a trust between the forests
• Get the PDC Emulators for both forests
• Extract sidhist.vbs and clonepr.dll from the Windows 2003 SP2 Support Tools CAB file
• Log on to the PDC Emulator in the target forest (where SIDHistory is to be migrated to)
Edit the HOSTS file with IP and hostname for the PDC Emulator in the source domain
x.x.x.x SOURCEPDC
Register the clonepr.dll using the 32-bit regsvr32.dll
c:\windows\syswow64\regsvr32.exe clonepr.dll
• Create a script.cmd file with your commands
c:\windows\syswow64\cscript.exe sidhist.vbs "/srcsam:domain users" "/dstsam:domain users"/srcdom:NetBIOS_Source_Domain /dstdom:NetBIOS_Target_Domain /srcdc:NetBIOS_Source_PD/ dstdc:NetBIOS_Target_PDC
• Run the script
Your output should look like this:
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
Connected
Success
Learn more about Windows updates, patches, and technical implications.
Comments