Gentle28 (Guest)
Posted: Tue Jan 11, 2005 4:53 am
Post subject: GPMC Migration table populate with wrong source name

Hi there,
I am using GPMC to migrate GPOs from a Windows 2000 Forest to a Win 2003
Forest. For example, the source domain is domain A and the target domain is
domain B. Domain A is a Win 2000 domain and domain B is a Win 2003 domain.
A trust exists between the two domains for migration, so I can use
copy and paste to migrate the GPOs. I am running GPMC on a Win 2003 domain
controller on the target domain called domain B. I log onto the Win 2003
domain controller as domain admins on domain B. I use a migration table and
choose "Populate from GPO" to populate the migration table. There are some
source names displayed as domain B\IT Desktop Support and so on. Source type
as Free Text or SID. These are supposed to display as domain A\... because
domain A is the source domain. Is there anything related to the fact that I
logged onto domain B when I ran GPMC? Has anyone seen this problem before?
Assistance please.
Regards,
Eric

Gentle28 (Guest)
Posted: Wed Jan 12, 2005 9:47 am
Post subject: RE: GPMC Migration table populate with wrong source name

Hi Rebecca,
Thank you for your quick response.
Before I populated the GPO migration table from GPO, I had migrated all
users and groups across the forest to domain B. In addition, I have turned off
SIDHistory filtering. I found that any groups within the GPO settings will
display properly as IT_Desktop_Support@domainA etc. If I tick "During scan,
include security principals from the DACL on the GPO", then the groups in the DACL
will show up twice in the source name column. One is shown as
IT_Desktop_Support@domainA, another one is shown as
domainB\IT_Desktop_Support. Do you think it has something to do with the fact
that the group has been migrated to domain B and SIDHistory is being used?
Regards,
Eric
"Rebecca Chen [MSFT]" wrote:
Quote:
Hi Eric,
Where do you see Domain B which is supposed to be Domain A? I have opened
the Migration Table Editor->Tools->Populate from GPO.
There is a drop-down arrow to allow you to choose the location to migrate
the GPO. Please see the attachment. If this is not the case, please take a
screenshot of the information and let me know the steps to reproduce this
issue so that I can get a more concrete idea about it.
In addition, I strongly recommend you read the following article carefully
to migrate GPO by using GPMC:
Migrating GPOs Across Domains with GPMC
http://www.microsoft.com/windowsserver2003/gpmc/migrgpo.mspx
Any update, let us get in touch!
Best regards,
Rebecca Chen
MCSE2000 MCDBA CCNA
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Rebecca Chen [MSFT] (Guest)
Posted: Wed Jan 12, 2005 7:49 pm
Post subject: RE: GPMC Migration table populate with wrong source name

Hi Eric,
Yes, that is because you have kept the SIDHistory. One group has two SIDs;
when you check the ACL, the SID will be announced in the network to find the
corresponding display name. This explains why the same group shows twice.
Best regards,
Rebecca Chen

Gentle28 (Guest)
Posted: Thu Jan 13, 2005 9:43 am
Post subject: RE: GPMC Migration table populate with wrong source name

Hi Rebecca,
I only scan the GPO from the source domain of domain A. The DACL of the GPO
should only have domain A groups assigned to it. For example, domain
A\IT_Desktop_Support is assigned to the ACL of a GPO. When you scan the GPO
to populate the migration table, should it only find domain
A\IT_Desktop_Support and show it in Source Name? I don't understand what you
meant by saying "one group has two SIDs". Do you mean that every group in
domain A has two SIDs?
Best regards,
Eric

Rebecca Chen [MSFT] (Guest)
Posted: Fri Jan 14, 2005 5:12 pm
Post subject: RE: GPMC Migration table populate with wrong source name

Hi Eric,
I have a better understanding of this issue. I would like to confirm whether
you have migrated the A\IT_Desktop_Support group from DomainA to DomainB with
SIDHistory enabled. If so, it is possible that the A\IT_Desktop_Support group is
displayed twice.
This is because when you open the GPO link to see the security, the GPO link will
query who has the permission; the A\IT_Desktop_Support group is stored as SIDs
instead of its friendly name "A\IT_Desktop_Support". When the GPO checks the
SID, it finds two SIDs of "A\IT_Desktop_Support": one SID is from the old
domain and another SID is from the new domain. SIDs are broadcast in the
network to find the server that will respond with the friendly name.
Technically speaking, the nearest DC will respond to this broadcast and
translate both SIDs to "A\IT_Desktop_Support", since the server only
recognizes the friendly name within its own domain.
This is normal behavior, please don't worry about it. If you don't want to
keep SIDHistory anymore, please use the clearsid.vbs script to achieve this
goal. Please NOTE: You cannot retrieve the removed SID after running
clearsid.vbs.
How To Use Visual Basic Script to Clear SidHistory
http://support.microsoft.com/default.aspx?scid=kb;en-us;295758
Any update, let us get in touch!
Best regards,
Rebecca Chen

Gentle28 (Guest)
Posted: Tue Jan 18, 2005 8:46 am
Post subject: RE: GPMC Migration table populate with wrong source name

Hi Rebecca,
Yes, I have migrated the A\IT_Desktop_Support group from DomainA to DomainB with
SidHistory enabled. You advised that the server only recognizes the friendly
name within its own domain. The server I ran GPMC on is a member of
Domain B. That explains why it displays twice. One as
IT_Desktop_Support@domainA which must be from the old SID. Another one as
DomainB\IT_Desktop_Support which must be translated from SID from the new
domain (domainB). Because the server is a member of domain B, it translated
the SID to a friendly name within its own domain. So it shows as
domainB\IT_Desktop_Support.
I would like to ask one more question. Is it better to run GPMC on a
machine of the source domain (domain A) or the destination domain (domain B) ?
With your explanation, I understand much better and I don't need to worry
about whether I actually did something wrong. My team members and I
appreciate your help.
Thanks heaps,
Eric

Rebecca Chen [MSFT] (Guest)
Posted: Wed Jan 19, 2005 5:03 pm
Post subject: RE: GPMC Migration table populate with wrong source name

Hi Eric,
I am glad to hear the info helps. :)
With regard to which domain is better to install GPMC in, based on my
research, there are no special restrictions. You can install GPMC on the source
or the target domain to copy and paste the GPO.
Take COPY as a sample, the destination domain can be any accessible domain
in which you have the rights to create new GPOs, making it very easy to
migrate GPOs among domains. Simply add the desired forests and domains to
the GPMC console and use the GPMC user interface to copy and paste (or drag
and drop) the desired GPOs from one domain to another. To add a forest to
the console in GPMC, you must either have trust to that forest, or you can
use the Stored User Names and Passwords utility in Windows. The procedure
for using this utility in conjunction with GPMC is documented in detail in
the GPMC white paper, and allows you to perform a copy operation even if
the source and target domains do not trust one another.
When copying a GPO to another domain, you have the option of specifying a
migration table if the GPO contains security principals or UNC paths that
may need to be updated to new values in the target domain.
This is addressed in the GPMC white paper, you can download it from the
link below:
Migrating GPOs Across Domains with GPMC
http://www.microsoft.com/windowsserver2003/gpmc/migrgpo.mspx
More info:
How to use the Group Policy Migration utility to migrate Windows NT System
Policy settings to Windows 2000 or Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;317367
Any update, let us get in touch!
Best regards,
Rebecca Chen
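
Added example (not part of the thread and not GPMC's own code): a Python check over a saved migration table that flags the pattern discussed above, namely a source entry resolved in the target domain and the same account listed under two domains, as happens when a migrated group carries SIDHistory. The sample table is constructed from the names used in the thread, the function names are hypothetical, and the script assumes the `Mapping`/`Source` element layout of the XML file the Migration Table Editor saves.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample; group and domain names are the ones used in the thread.
SAMPLE = r"""<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping><Type>GlobalGroup</Type><Source>IT_Desktop_Support@domainA</Source>
    <Destination>IT_Desktop_Support@domainB</Destination></Mapping>
  <Mapping><Type>Unknown</Type><Source>domainB\IT_Desktop_Support</Source>
    <DestinationSameAsSource /></Mapping>
  <Mapping><Type>GlobalGroup</Type><Source>Helpdesk@domainA</Source>
    <DestinationSameAsSource /></Mapping>
  <Mapping><Type>UNCPath</Type><Source>\\serverA\share</Source>
    <Destination>\\serverB\share</Destination></Mapping>
</MigrationTable>"""


def split_principal(name):
    """Return (domain, account) in lower case, or None for raw SIDs and UNC paths."""
    name = name.strip()
    if name.startswith("\\\\") or name.upper().startswith("S-1-"):
        return None
    if "\\" in name:                       # DOMAIN\account form
        domain, account = name.split("\\", 1)
    elif "@" in name:                      # account@domain form
        account, domain = name.rsplit("@", 1)
    else:
        return None
    # Assumption: the NetBIOS name matches the first label of the DNS name.
    return domain.split(".")[0].lower(), account.lower()


def audit_migration_table(xml_text, target_domain):
    """Flag sources resolved in the target domain and accounts listed under two domains."""
    seen = defaultdict(set)                # account -> set of domains it appears under
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.rsplit("}", 1)[-1] != "Source" or not elem.text:
            continue
        parsed = split_principal(elem.text)
        if parsed:
            seen[parsed[1]].add(parsed[0])
    target = target_domain.split(".")[0].lower()
    findings = []
    for account, domains in sorted(seen.items()):
        if target in domains:
            findings.append(("source-in-target-domain", account, sorted(domains)))
        if len(domains) > 1:
            findings.append(("listed-under-two-domains", account, sorted(domains)))
    return findings


if __name__ == "__main__":
    for finding in audit_migration_table(SAMPLE, "domainB"):
        print(finding)
```

A flagged entry is a prompt to review that row in the Migration Table Editor before pasting the GPO, not proof of a misconfiguration.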