| Author |
Message |
Antti
Guest
|
 Posted:
Mon Jan 17, 2005 6:14 pm Post subject:
ADMT problem: W2k to WS2003 |
|
|
Hello,
I have a problem with the ADMT v2.0. I get the same error all the
time:
"SIDHistory could not be updated due to a configuration or
permissions problem."
The source domain is Windows 2000 in native mode and the target
domain is Windows Server 2003 in native mode, too. Both domains
are root (and only) domains of their own forests. There is a
two-way trust in place and SID filtering is turned off at both
ends.
I have created and installed the password migration key several
times. Both registry keys, "AllowPasswordExport" and
"TcpipClientSupport", do exist with correct value (REG_DWORD:1) at
the source PDC emulator, which I have restarted several times,
too. But still no effect.
It's a live production environment without any other problems that
I'm aware of. Netdiag.exe and Dcdiag.exe tools indicate no
failures, dns resolution works, etc, etc.
Here is the command line I've been using (multi-line for reading
clarity):
admt user
/tm:no
/sd:source.domain
/td:target.domain
/po:copy
/ps:pdc.source.domain
/dot:targetsameassource
/mss:yes
/to:testou
/n:testuser
If I use either the "/tm:yes" or "/mss:no" option, everything
works fine.
Any ideas what might be the reason?
--
Antti |
|
| Back to top |
|
 |
jjhols
Guest
|
| Posted:
Tue Jan 18, 2005 7:37 pm Post subject:
RE: ADMT problem: W2k to WS2003 |
|
|
Is the account you are running the ADMT tool with a Administrator level
account in both domains?
"Antti" wrote:
| Quote: | Hello,
I have a problem with the ADMT v2.0. I get the same error all the
time:
"SIDHistory could not be updated due to a configuration or
permissions problem."
The source domain is Windows 2000 in native mode and the target
domain is Windows Server 2003 in native mode, too. Both domains
are root (and only) domains of their own forests. There is a
two-way trust in place and SID filtering is turned off at both
ends.
I have created and installed the password migration key several
times. Both registry keys, "AllowPasswordExport" and
"TcpipClientSupport", do exist with correct value (REG_DWORD:1) at
the source PDC emulator, which I have restarted several times,
too. But still no effect.
It's a live production environment without any other problems that
I'm aware of. Netdiag.exe and Dcdiag.exe tools indicate no
failures, dns resolution works, etc, etc.
Here is the command line I've been using (multi-line for reading
clarity):
admt user
/tm:no
/sd:source.domain
/td:target.domain
/po:copy
/ps:pdc.source.domain
/dot:targetsameassource
/mss:yes
/to:testou
/n:testuser
If I use either the "/tm:yes" or "/mss:no" option, everything
works fine.
Any ideas what might be the reason?
--
Antti
|
|
|
| Back to top |
|
|
Antti
Guest
|
| Posted:
Wed Jan 19, 2005 4:37 am Post subject:
Re: ADMT problem: W2k to WS2003 |
|
|
"jjhols" <jjhols@discussions.microsoft.com> wrote in message
news:5933C96A-AC0F-48CF-B7A4-D9A17EA7CDDE@microsoft.com...
| Quote: |
"Antti" wrote:
"SIDHistory could not be updated due to a configuration or
permissions problem."
Is the account you are running the ADMT tool with a
Administrator level account in both domains?
|
Yes, I log on to the forest root server as an administrator. Also
the administrator account in both domains is member of built-in
administrators group in the other domain.
--
Antti |
|
| Back to top |
|
|
Don
Guest
|
| Posted:
Wed Jan 19, 2005 5:51 am Post subject:
Re: ADMT problem: W2k to WS2003 |
|
|
I successfully updated Win2k to Windows 2003 Enterprise server. However I
used an evaluation copy primarily for certification study. Now that it has
expired, I would like to remove 2003 from my Windows 2000 Professional
system. I had installed the 2003 in a dual boot scenario, so I never
de-installed 2000.
Windows 2000 is fully operational, with one exception. The add/remove
programs no longer lists the installed applications.
Thanks,
Don Wood
dwood@indy.rr.com
"Antti" wrote:
| Quote: | "jjhols" <jjhols@discussions.microsoft.com> wrote in message
news:5933C96A-AC0F-48CF-B7A4-D9A17EA7CDDE@microsoft.com...
"Antti" wrote:
"SIDHistory could not be updated due to a configuration or
permissions problem."
Is the account you are running the ADMT tool with a
Administrator level account in both domains?
Yes, I log on to the forest root server as an administrator. Also
the administrator account in both domains is member of built-in
administrators group in the other domain.
--
Antti
|
|
|
| Back to top |
|
|
Carsyn Gu [MSFT]
Guest
|
| Posted:
Wed Jan 19, 2005 1:09 pm Post subject:
RE: ADMT problem: W2k to WS2003 |
|
|
Hi Antti,
Thanks for your posting.
You can verify with the following steps:
1. Delete the trust links on both sides and then re-configure the trust
between two domains.
2. Make sure that the Administrators Group is in the other domain's Domain
Admin Group.
3. Make sure that Everyone account is in the "Pre-Windows 2000 Compatible
Access" group.
4. The password of the administrator account of both domains is not blank.
5. Make sure that ADMT tool is installed on the target domain's DC.
6. Install PasswordExport tool on the source domain's DC.
7. On the target domain's Default Domain Controller Policy, enable the
security policy:
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options Network access: Allow anonymous SID/name
translation
8. On the target domain controller, configure the following registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\RestrictAnonymous =
0
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\RestrictAnonymoussam
= 0
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Everyoneincludesanon
ymous = 1
9. On the source domain controller, configure the following registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AllowPasswordExport
=1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\TcpipClientSupport=1
Sincerely,
Carsyn Gu
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Antti" <avah@community.nospam>
| Subject: ADMT problem: W2k to WS2003
| Date: Mon, 17 Jan 2005 19:12:55 +0200
| Lines: 45
| Organization: n/a
| MIME-Version: 1.0
| Content-Type: text/plain;
| format=flowed;
| charset="iso-8859-15";
| reply-type=original
| Content-Transfer-Encoding: 7bit
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2527
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
| Message-ID: <#wFKQfL$EHA.1452@TK2MSFTNGP11.phx.gbl>
| Newsgroups: microsoft.public.windows.server.migration
| NNTP-Posting-Host: bsod.office.eunet.fi 195.197.62.36
| Path:
cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11
..phx.gbl
| Xref: cpmsftngxa10.phx.gbl microsoft.public.windows.server.migration:16634
| X-Tomcat-NG: microsoft.public.windows.server.migration
|
| Hello,
|
| I have a problem with the ADMT v2.0. I get the same error all the
| time:
|
| "SIDHistory could not be updated due to a configuration or
| permissions problem."
|
| The source domain is Windows 2000 in native mode and the target
| domain is Windows Server 2003 in native mode, too. Both domains
| are root (and only) domains of their own forests. There is a
| two-way trust in place and SID filtering is turned off at both
| ends.
|
| I have created and installed the password migration key several
| times. Both registry keys, "AllowPasswordExport" and
| "TcpipClientSupport", do exist with correct value (REG_DWORD:1) at
| the source PDC emulator, which I have restarted several times,
| too. But still no effect.
|
| It's a live production environment without any other problems that
| I'm aware of. Netdiag.exe and Dcdiag.exe tools indicate no
| failures, dns resolution works, etc, etc.
|
| Here is the command line I've been using (multi-line for reading
| clarity):
| admt user
| /tm:no
| /sd:source.domain
| /td:target.domain
| /po:copy
| /ps:pdc.source.domain
| /dot:targetsameassource
| /mss:yes
| /to:testou
| /n:testuser
|
| If I use either the "/tm:yes" or "/mss:no" option, everything
| works fine.
|
| Any ideas what might be the reason?
|
| --
| Antti
|
| |
|
| Back to top |
|
|
Antti
Guest
|
| Posted:
Wed Jan 19, 2005 11:43 pm Post subject:
Re: ADMT problem: W2k to WS2003 |
|
|
"Carsyn Gu [MSFT]" <kshengu@online.microsoft.com> wrote in message
news:xqX7SXf$EHA.644@cpmsftngxa10.phx.gbl...
Hello Carsyn,
Thank for your ansver.
| Quote: | You can verify with the following steps:
1..7
|
Check
| Quote: | 8. On the target domain controller
HKEY_LOCAL_MACHINE
\System
\CurrentControlSet
\Control
\LSA
RestrictAnonymous = 0
|
Check
| Quote: | RestrictAnonymoussam = 0
Everyoneincludesanonymous = 1
|
I changed these two as they were defined as 1 and 0, respectively.
But it didn't make a difference even after a reboot.
| Quote: | 9. On the source domain controller
HKEY_LOCAL_MACHINE
\System
\CurrentControlSet
\Control
\LSA
AllowPasswordExport = 1
TcpipClientSupport = 1
|
Check
--
Antti |
|
| Back to top |
|
|
Carsyn Gu [MSFT]
Guest
|
| Posted:
Thu Jan 27, 2005 1:01 pm Post subject:
Re: ADMT problem: W2k to WS2003 |
|
|
Hi Antti,
Appreciate your update and response. I am glad to hear that the problem has
been fixed. If you have any other questions or concerns, please do not
hesitate to contact us. It is always our pleasure to be of assistance.
Have a nice day!
Sincerely,
Carsyn Gu
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Antti" <avah@community.nospam>
| References: <#wFKQfL$EHA.1452@TK2MSFTNGP11.phx.gbl>
<xqX7SXf$EHA.644@cpmsftngxa10.phx.gbl>
| Subject: Re: ADMT problem: W2k to WS2003
| Date: Wed, 19 Jan 2005 19:43:45 +0200
| Lines: 48
| Organization: n/a
| MIME-Version: 1.0
| Content-Type: text/plain;
| format=flowed;
| charset="iso-8859-15";
| reply-type=original
| Content-Transfer-Encoding: 7bit
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2527
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
| Message-ID: <uGhIu5k$EHA.2568@TK2MSFTNGP11.phx.gbl>
| Newsgroups: microsoft.public.windows.server.migration
| NNTP-Posting-Host: nefas.saunalahtigroup.fi 195.197.62.194
| Path:
cpmsftngxa10.phx.gbl!TK2MSFTFEED02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11
..phx.gbl
| Xref: cpmsftngxa10.phx.gbl microsoft.public.windows.server.migration:16686
| X-Tomcat-NG: microsoft.public.windows.server.migration
|
| "Carsyn Gu [MSFT]" <kshengu@online.microsoft.com> wrote in message
| news:xqX7SXf$EHA.644@cpmsftngxa10.phx.gbl...
|
| Hello Carsyn,
|
| Thank for your ansver.
|
| > You can verify with the following steps:
| >
| > 1..7
|
| Check
|
|
| > 8. On the target domain controller
| >
| > HKEY_LOCAL_MACHINE
| > \System
| > \CurrentControlSet
| > \Control
| > \LSA
| > RestrictAnonymous = 0
|
| Check
|
|
| > RestrictAnonymoussam = 0
| > Everyoneincludesanonymous = 1
|
| I changed these two as they were defined as 1 and 0, respectively.
| But it didn't make a difference even after a reboot.
|
|
| > 9. On the source domain controller
| >
| > HKEY_LOCAL_MACHINE
| > \System
| > \CurrentControlSet
| > \Control
| > \LSA
| > AllowPasswordExport = 1
| > TcpipClientSupport = 1
|
| Check
|
| --
| Antti
|
| |
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in