How do I migrate and retain SID history? (NETIQKB4767)

  • 7704767
  • 02-Feb-2007
  • 08-Oct-2007

Resolution

goal
How do I migrate and retain SID history?

fact
Domain Migration Administrator 7.x

symptom
Error: 'Could not verify auditing and TcpipClientSupport on domain. Will not be able to migrate SID history. Please verify that the configuration changes needed to enable SID History support have been made.'

symptom

The error message is displayed as a pop-up in the Migration Settings wizard when you enable the option for SID history.



symptom
A similar error message may appear in the Migration.log file.

cause

This error is caused by one of the following:

  • Attempting to migrate account SIDs to the Target domain using an account that is not a member of the Domain Admins global group in the Target domain.
  • Failing to enable auditing in the Source and Target domains.
  • Failing to properly set the TcpipClientSupport registry key on the primary domain controller (PDC) or PDC Emulator of the Source domain.

Note: In Domain Migration Administrator (DMA) 7.2, the error message is expected. You do not have to be a member of the Domain Admins global group in the Target domain to migrate SID History to a Microsoft Windows 2003 domain. You can continue the migration if:

  • The account used for migration has Full Control to the Target OU
  • The account used for migration has Migrate SID History permission on the domain object
  • All other Microsoft SID History requirements have been met


fix

When migrating and retaining SID history:

  1. The account logged on to the DMA console computer must:
    • Be a member of the Domain Admins global group in the Target domain, unless migrating to a Microsoft Windows 2003 target domain using DMA 7.2 or later.
    • Have Backup and Restore privileges on the Target domain. By default, the Domain Admins global group has these privileges. If Backup and Restore privileges have been removed from the Domain Admins global group, re-assign these privileges to the account used to log on to the DMA console machine.
  2. Auditing of account management for success and failure in the Source and Target domains must be enabled.
  3. The TcpipClientSupport registry key on the PDC in every source domain must be enabled, as explained in Chapter 2 of the Domain Migration Administrator User Guide.
  4. Verify that the account being used has Local Administrator privileges in the Source domain.
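
A read-only pre-flight check for three of the prerequisites above (TcpipClientSupport on the source PDC, account management auditing in both domains, Domain Admins membership of the logged-on account), as an added example that is not part of the NetIQ article or product. The server names are placeholders; the registry path under the LSA key, Windows Server 2008 or later domain controllers, English auditpol output, and reachable Remote Registry and PowerShell remoting are assumptions.

```powershell
# Added example: read-only check of SID history prerequisites. Changes nothing.
# Assumptions: DCs run Windows Server 2008 or later (auditpol /get syntax),
# English auditpol output, Remote Registry and PowerShell remoting reachable.
# Run elevated on the DMA console so the token is not filtered by UAC.
param(
    [string]$SourcePdc = 'SRC-PDC01',   # placeholder: source PDC / PDC Emulator
    [string]$TargetDc  = 'TGT-DC01'     # placeholder: a DC in the Target domain
)

function Test-TcpipClientSupport([string]$Computer) {
    # TcpipClientSupport is a DWORD under the LSA key; 1 means enabled.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        return ($lsa.GetValue('TcpipClientSupport', 0) -eq 1)
    } finally { $hklm.Close() }
}

function Test-AccountManagementAudit([string]$Computer) {
    # Subcategory lines are indented; each must end in "Success and Failure".
    $lines = Invoke-Command -ComputerName $Computer -ScriptBlock {
        auditpol /get /category:"Account Management"
    }
    $sub = @($lines | Where-Object { $_ -match '^\s{2,}\S' })
    $bad = @($sub | Where-Object { $_ -notmatch 'Success and Failure\s*$' })
    return ($sub.Count -gt 0 -and $bad.Count -eq 0)
}

function Get-DomainAdminsMembership {
    # Domain Admins is the well-known RID 512 of a domain SID (S-1-5-21-...-512).
    [Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        Where-Object { $_.Value -match '^S-1-5-21-.+-512$' } |
        ForEach-Object { $_.Translate([Security.Principal.NTAccount]).Value }
}

[pscustomobject]@{
    SourceTcpipClientSupport = Test-TcpipClientSupport $SourcePdc
    SourceAccountMgmtAudit   = Test-AccountManagementAudit $SourcePdc
    TargetAccountMgmtAudit   = Test-AccountManagementAudit $TargetDc
    DomainAdminsInToken      = (Get-DomainAdminsMembership) -join ', '
} | Format-List
```

Confirm that the group listed in DomainAdminsInToken belongs to the Target domain. Backup and Restore privileges and Local Administrator rights in the Source domain are not covered by this check.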

If you are logged on to the DMA console machine with the Target domain's built-in Administrator account and the problem persists:

  1. Create a user account for migration purposes.
  2. Add this account to the Domain Admins global group on the Target Domain.
  3. Use the migration account to log on and perform the migration on the DMA console machine.


note

For more information on the requirements for migrating with SID History, please refer to the following NetIQ Knowledge Base article:

NETIQKB4365:  What are the requirements for using Domain Migration Administrator when migrating with SID History?



note
Note:  The information in this knowledge base article can also be obtained from Chapter 2 of the Domain Migration Administrator User Guide.

Additional Information

Formerly known as NETIQKB4767