How does DMA perform in an intraforest migration to a native mode target? (NETIQKB24771)

  • 7724771
  • 02-Feb-2007
  • 20-Sep-2007


How does DMA perform in an intraforest migration to a native mode target?

Domain Migration Administrator 6.x

Domain Migration Administrator 7.x


In intra-forest (same forest) scenarios with native-mode target domains, Domain Migration Administrator (DMA) performs a move operation rather than a copy. This process automatically appends the SID History and preserves the GUID of the object, so the account keeps its permissions. If the target domain is in mixed mode, SID History is not an option, so DMA copies the object rather than moving it.

If the user is a member of a global group other than its primary group, DMA displays a warning during the wizard stating that the user will lose its global group memberships. If you proceed, DMA removes that user from the source global groups during the migration. The user is migrated with no errors. You do not have to remove the user from global groups before the migration.

If you migrate groups first, DMA will copy the group rather than moving it because all of the members will not yet have been migrated. When performing the User migration, DMA will be able to add the user to the migrated groups.


When you move an account, the original SID is not retained as the primary SID. DMA moves an account by creating a new account in the target domain. Before deleting the source account, DMA copies the SID of the source account to the SID History of the target account. If you remove SID History before translating security, the target account loses the access of the original source account. You should always translate security before you remove SID History.
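
One way to confirm that security translation is complete before SID History is removed, shown as an added example that is not part of the original article or of DMA: it lists NTFS ACEs under one path that still name a SID held in a migrated account's SID History. It assumes the RSAT ActiveDirectory module is installed; `target.example.com` and `\\fileserver\share` are placeholders, and only explicit file-system ACEs under that one path are checked.

```powershell
# Added example (not DMA code). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$TargetDomain = 'target.example.com'   # placeholder: DNS name of the target domain
$ScanRoot     = '\\fileserver\share'   # placeholder: resource whose ACLs are checked

# Build a lookup: source SID (from sIDHistory) -> migrated account that carries it.
$sidMap = @{}
Get-ADObject -Server $TargetDomain -LDAPFilter '(sIDHistory=*)' `
             -Properties sIDHistory, sAMAccountName |
    ForEach-Object {
        foreach ($sid in $_.sIDHistory) {
            $sidMap[$sid.Value] = $_.sAMAccountName
        }
    }
Write-Host "Accounts' SID History values found: $($sidMap.Count)"

# Collect the root and everything below it; unreadable items are skipped.
$items = @(Get-Item -LiteralPath $ScanRoot) +
         @(Get-ChildItem -LiteralPath $ScanRoot -Recurse -Force -ErrorAction SilentlyContinue)

# Report explicit ACEs whose trustee is still a source-domain SID.
# Inherited ACEs are excluded so each stale entry is listed once, where it is set.
$stale = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    $rules = $acl.GetAccessRules($true, $false,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($sidMap.ContainsKey($sid)) {
            [pscustomobject]@{
                Path          = $item.FullName
                SourceSid     = $sid
                TargetAccount = $sidMap[$sid]
                Rights        = $ace.FileSystemRights
                Type          = $ace.AccessControlType
            }
        }
    }
}

if ($stale) {
    $stale | Format-Table -AutoSize
    Write-Warning "$(@($stale).Count) ACE(s) still depend on SID History. Translate security before removing it."
} else {
    Write-Host 'No explicit ACEs under the scan root reference a SID History value.'
}
```

An empty result covers only the scanned path; other resources that grant access by SID need the same check before SID History is removed.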


Please refer to the following Knowledge Base articles for additional information on possible issues in an intraforest migration:

NETIQKB8564 - Error: '(7422) E25997 - Failed to move object CN=UserName, hr=8007212d Can't move objects with memberships across domain boundaries as once moved, this would violate the membership conditions of the account group. Remove the object from any account group memberships and retry'.

NETIQKB992 - Why is the SID History option is checked, but grayed out when conducting an intra-forest migration from a child mixed mode domain to a parent native mode domain?

NETIQKB26203 - Active Directory still shows printer only in source domain, after migrating the server and printer intraforest.

NETIQKB25035 - Error: E20235: Failed to find ACCOUNTNAME, hr=0x800401e4. This account will not be migrated.

NETIQKB5291 - Why are users and groups moved instead of copied in an Intra-Forest (same forest) migration?

NETIQKB17833 - When you migrate users intraforest, do you need to translate security on user profiles?

Please note that information regarding Intraforest migrations can also be obtained from Appendix C of the DMA & SC User Guide.

Additional Information

Formerly known as NETIQKB24771