Configuring the Source and Target Domains to Migrate SID History

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In order to migrate SID history, you must ensure that the following conditions are met:

  • A local group used to audit SID history operations exists in the source domain.

  • TCP/IP client support is enabled on the source domain primary domain controller (PDC).

  • Audit policies are enabled in the source and target domains.

You can configure these items manually before beginning the migration, or you can allow ADMT to configure them automatically the first time that it runs. If you want to configure them manually, use the following procedures:

To create a local group in the source domain to support auditing

  • On the source domain PDC, create a local group named source_domain$$$, where source_domain is the name of your source domain; for example, in a domain called Boston, create a local group called boston$$$.

To enable TCP/IP client support on the source domain PDC

  1. On the source domain PDC, navigate to the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

  2. Modify the registry entry TcpipClientSupport, of data type REG_DWORD, by setting the value to 1.

  3. Restart the computer.

Caution

To enable auditing in the Active Directory target domain

  1. Log on as an administrator to any domain controller in the target domain.

  2. Start Active Directory Users and Computers, expand the domain, and then double-click the Domain Controllers OU.

  3. On the Group Policy tab, click Default Domain Controllers Policy, and then click Edit.

  4. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.

  5. Double-click Audit account management, click Define these policy settings, and then click both Success and Failure.

To enable auditing in the Windows NT 4.0 source domain

  1. Log on as an administrator to any domain controller in the source domain.

  2. Open User Manager for Domains, click Policies, and then click Audit.

  3. For User and Group Management, verify that Audit These Events is selected and that Success and Failure are both selected.
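
After the manual procedures above, the first two conditions (the source_domain$$$ local group and the TcpipClientSupport entry) can be checked remotely before running ADMT. The following PowerShell script is an added example, not part of the original documentation or of ADMT; it does not check audit policy. It assumes PowerShell 2.0 or later on an administrative workstation, an account with administrative rights on the source PDC, and remote registry access to that PDC. The host name BOSTON-PDC and the function names are hypothetical.

```powershell
# Added example: pre-flight check of two SID history prerequisites on the source PDC.
param(
    [string]$SourceDomain = 'BOSTON',      # domain name taken from the page's example
    [string]$SourcePdc    = 'BOSTON-PDC'   # constructed placeholder host name
)

function Test-AuditGroup {
    param([string]$Domain, [string]$Pdc)
    # Single quotes keep '$$$' literal; inside double quotes PowerShell
    # could expand '$$' as an automatic variable.
    $name = $Domain + '$$$'
    $path = "WinNT://$Pdc/$name,group"
    try   { $found = [System.DirectoryServices.DirectoryEntry]::Exists($path) }
    catch { $found = $false }   # the WinNT provider may throw instead of returning false
    if (-not $found) { return "FAIL: group $name not found (or $Pdc not reachable)" }

    # WinNT provider groupType: 2 = global group, 4 = local group.
    $type = ([ADSI]$path).psbase.Properties['groupType'].Value
    if ($type -ne 4) { return "FAIL: $name exists but is not a local group" }
    return "OK: local group $name exists on $Pdc"
}

function Test-TcpipClientSupport {
    param([string]$Pdc)
    $valueName = 'TcpipClientSupport'
    try {
        $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $Pdc)
        $lsa  = $hklm.OpenSubKey('System\CurrentControlSet\Control\Lsa')
        $val  = $lsa.GetValue($valueName, $null)
        if ($null -eq $val) { return "FAIL: $valueName is not set on $Pdc" }
        $kind = $lsa.GetValueKind($valueName)
    } catch {
        return "FAIL: cannot read the Lsa subkey on ${Pdc}: $($_.Exception.Message)"
    }
    # The entry must be a REG_DWORD with the value 1.
    if ($kind -ne 'DWord' -or $val -ne 1) {
        return "FAIL: $valueName is $kind = $val on $Pdc (expected REG_DWORD = 1)"
    }
    return "OK: $valueName is REG_DWORD = 1 on $Pdc"
}

Test-AuditGroup -Domain $SourceDomain -Pdc $SourcePdc
Test-TcpipClientSupport -Pdc $SourcePdc
```

The registry check only confirms the stored value; it cannot confirm that the PDC was restarted after the value was set.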