How do I migrate and retain SID history?
Domain Migration Administrator 7.x
Error: 'Could not verify auditing and TcpipClientSupport on domain. Will not be able to migrate SID history. Please verify that the configuration changes needed to enable SID History support have been made.'
The error messageĀ is displayed as aĀ pop-upĀ in the Migration Settings wizard when you enable the option for SID history.
A similar error message may appear in the
This error is caused by one of the following:
- Attempting to Migrate account SIDs to target domain using an account that is not a member of the Domain Admins global group in the Target domain.
- Failing to enable auditing in the Source and Target domains.
- Failing to properly set the TcpipClientSupport registry key on theĀ primary domain controller (PDC) or PDC EmulatorĀ of the Source domain.
Note:Ā InĀ Domain Migration Administrator (DMA) 7.2, the error message is expected.Ā You do not have to be a member of the Domain Admins global group in the Target domain to migrate SID History to a Microsoft Windows 2003 domain.Ā YouĀ can continue the migration if :
- The account used for migration has Full Control to the Target OU
- The account used for migration has Migrate SID History permission on the domain object
- All other Microsoft SID History requirements have been met
When migratingĀ and retainingĀ SID history:
- The account logged on to the DMA console computer must
- Be a member of the Domain Admins global groupĀ in the Target domain, unless migrating to a Microsoft Windows 2003 target domain using DMA 7.2 or later.
- Have Backup and Restore privileges on the Target domain.Ā By default, the Domain Admins global group has these privileges. If Backup and Restore privileges have been removed from the Domain Admins global group, re-assignĀ these privilegesĀ to the account used to log on to the DMA console machine.
If you are logged on to the DMA console machine with the Target domain'sĀ built-in Administrator account and the problem persists:
- Create a userĀ account for migration purposes.
- Add this account to the Domain Admins global group on the Target Domain.
- Use the migration account to log on and perform the migration on the DMA console machine.
For more information on the requirements for migrating with SID History, please refer to the following NetIQ Knowledge Base article:
NETIQKB4365:Ā What are the requirements for using Domain Migration Administrator when migrating with SID History?
Note:Ā Ā The information in this knowledge base article can also be obtained from Chapter 2 of the Domain Migration Administrator User Guide.