Troubleshooting Intraforest Migration Issues

Updated: September 29, 2013

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

This topic describes known issues related to intraforest migrations using the Active Directory Migration Tool (ADMT).

Domain-wide user and group rights are not migrated to the target domain

When you check User Rights in the User and Group Account Migration Wizards, you migrate only the local rights on the source domain controller. Domain-wide rights are not migrated.

Global Group migration and mixed mode source domains

When global groups are migrated between a mixed mode source domain and a native mode target domain and the groups are not empty, ADMT creates copies of the global groups in the target domain and does not add the security identifier (SID) of the source domain’s global group to the SID history attribute. This is by design.

In this situation, ADMT cannot convert the global group to a universal group because mixed mode domains do not recognize universal groups and cannot add them to the access token of the user. Therefore, the users would lose access to resources.

Global Groups are copied without SID history for intraforest migrations if they are not migrated with group members and the source domain is in mixed mode

When you migrate a global group in a mixed mode domain for an intraforest migration by using the Group Account Migration Wizard, if you do not select the Copy Group Members option, that global group is copied—not migrated—without SID history, instead of being moved. This behavior is a result of the rules of global group membership.

If ADMT moves, rather than copies, the global group, the group members are "orphaned" from the group and lose any resource access that is granted through membership of the group because global groups cannot contain members from other domains.

When that global group’s members are later migrated, the group membership is restored. However, because SID history is not migrated with the group, you must run the Security Translation Wizard to update the access control lists (ACLs), just as you would do in an interforest migration without SID history.

We strongly recommend that you migrate users and groups only between native mode domains only.

Migrated objects table does not sync

If the administrator in the target domain deletes a migrated group after the migration, the entries for the migrated group are not removed from the migrated object table. If a group with the same name as the group that is deleted in the target domain is migrated from the source domain, an error can occur. This error occurs only if users are migrated with the group. The error message is as follows:

ERR2:7422 Failed to move object <object_RDN>, hr=80070057 The parameter is incorrect.

Community Additions