Configuring the Source and Target Domains for SID History Migration

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To migrate SID history, three conditions must be met:

  • A local group used to audit SID history operations exists in the source domain.

  • TCP/IP client support must be enabled on the source domain primary domain controller (PDC) emulator.

  • Audit policies must be enabled.

You can configure these items manually before beginning the migration, or you can allow ADMT to configure them automatically the first time it runs. If you want to configure them manually, use the following procedures.

To create a local group in the source domain to support auditing

  • In the source domain, create a local group named source_domain$$$, where source_domain is the NetBIOS name of your source domain (for example, boston$$$). Do not add members to this group; if you do, SID history migration will fail.

To enable TCP/IP client support on the source domain PDC emulator

  1. On the domain controller in the source domain that holds the PDC emulator role, use the registry editor to navigate to the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

  2. Modify the registry entry TcpipClientSupport, of data type REG_DWORD, by setting the value to 1.

  3. Restart the computer.

To enable auditing on the Windows Server 2003 domains

  1. Log on as an administrator to any domain controller in the target domain.

  2. Open Active Directory Users and Computers, expand the domain, and double-click the Domain Controllers OU.

  3. On the Group Policy tab, click Default Domain Controllers Policy.

  4. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.

  5. Double-click Audit account management, and then click both Success and Failure.

  6. Repeat steps 1-5 on the source domain.

Note

  • To assist you in using the event log to troubleshoot errors in the migration process, be sure to synchronize the time on all computers that are involved in the migration.
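
A read-only check of the three prerequisites described above, as an added example that is not part of the original page or of ADMT. It assumes PowerShell 2.0 or later is installed on the source domain PDC emulator, uses BOSTON as a placeholder source domain name, and its function names are hypothetical; the audit check reads the effective policy of the local computer, so run that part on a target domain controller as well.

```powershell
# Added example (not Microsoft's or ADMT's code): read-only prerequisite check.
# Assumes PowerShell 2.0+ in an elevated session on the source PDC emulator.
$SourceDomain = 'BOSTON'            # placeholder NetBIOS name of the source domain
# Single quotes are required: inside double quotes PowerShell expands "$$".
$GroupName = $SourceDomain + '$$$'

function Get-AuditGroupState {
    # Returns Missing, HasMembers (SID history migration would fail) or OK.
    $path = "WinNT://$SourceDomain/$GroupName,group"
    try {
        if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) { return 'Missing' }
        $members = @(([ADSI]$path).psbase.Invoke('Members'))
        if ($members.Count -gt 0) { return 'HasMembers' }
        return 'OK'
    } catch { return 'Missing' }    # a failed bind is reported as Missing
}

function Test-TcpipClientSupport {
    # True only when the REG_DWORD entry exists and is set to 1.
    $key = 'HKLM:\System\CurrentControlSet\Control\Lsa'
    $p = Get-ItemProperty -Path $key -Name TcpipClientSupport -ErrorAction SilentlyContinue
    return (($null -ne $p) -and ($p.TcpipClientSupport -eq 1))
}

function Test-AccountManagementAudit {
    # Exports the local security policy and reads the [Event Audit] section.
    # AuditAccountManage: 0 = none, 1 = Success, 2 = Failure, 3 = Success and Failure.
    $cfg = Join-Path $env:TEMP 'sidhistory-audit-check.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    $line = Get-Content $cfg -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*AuditAccountManage\s*=' } | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return [bool]($line -match '=\s*3\s*$')
}

'Audit group {0}: {1}' -f $GroupName, (Get-AuditGroupState)
'TcpipClientSupport set to 1: {0}' -f (Test-TcpipClientSupport)
'Audit account management (Success and Failure): {0}' -f (Test-AccountManagementAudit)
```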