Mark Minasi's Reader Forum
 Two SIDs after using ADMT?
megs28
Posted - 05/15/2012 : 11:46:50 AM
I performed a domain migration using ADMT this past weekend.
Target domain was running 2008 R2 and 2003 DCs
Domain functional level: 2000 native
Forest functional level: Win 2000.
ADMT version used: 3.1

On some computers when I go into the local admins I see their username twice (domain\user), but one account has the SID of the old domain amended to it.

Users already had accounts in the target domain as they have Exchange mailboxes. I migrated their SIDs for SID history with following settings:

Migrate Security Identifiers: Yes
Update Rights: Yes
Translate Roaming Profiles: No
Fix group membership: Yes
Conflict Option: Merge, rights = No, members = No, move objects = Yes
Source Disable Option: Leave source account
Source Expiration: Do not expire source account
Target Disable Option: Enable target account
Migrate groups: No
Migrate service accounts: Yes

After that I performed the computer account migration with these settings:

Intra-Forest: No
Translate Option: Add
Translate Files: Yes
Translate Local Groups: Yes
Translate Printers: No
Translate Registry: Yes
Translate Rights: Yes
Translate Shares: Yes
Translate User Profiles: Yes
Conflict Option: Merge, rights = No, members = No, move objects = Yes
Perform Pre-check Only: No

No errors there except access denied to performance data and system recovery information, which is normal.

I'm sure I used the same settings and procedure for the other 3 domain migrations I did, and I never saw this occur. So far everything seems fine and it doesn't seem to be causing any issues, but it's only day 2 :) I'm curious if anyone has ever seen this and if it eventually did cause problems? I have already decommissioned the old DC and removed the trust.
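The following is an added example, not code from the original post or from ADMT. It shows where the "username twice" entries come from: it enumerates a local group through the ADSI WinNT provider, resolves each member SID, marks SIDs that belong to a domain other than the one the machine is joined to now, and then reads the matching user's sIDHistory from AD (the attribute that "Migrate Security Identifiers: Yes" populates). The computer name, group name and sAMAccountName in the usage lines are placeholders; it assumes it is run as a local administrator on a machine joined to the target domain and needs no ActiveDirectory module.

```powershell
# Added example (not from the thread). Lists local group members with their
# SIDs, flags SIDs from a foreign domain, and shows a user's sIDHistory.
# Assumptions: run as local admin on a machine joined to the target domain;
# 'WS01' and 'jdoe' below are placeholders.

function Get-LocalGroupSidReport {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$GroupName    = 'Administrators'
    )

    # Domain SID of the domain the running account belongs to (assumed to be the
    # migration's target domain).
    $nt = New-Object System.Security.Principal.NTAccount("$env:USERDOMAIN\Domain Users")
    $currentDomainSid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).AccountDomainSid.Value

    # Machine SID, so purely local accounts are not reported as "foreign".
    $anyLocal = Get-WmiObject Win32_UserAccount -ComputerName $ComputerName -Filter "LocalAccount='True'" | Select-Object -First 1
    $machineSid = (New-Object System.Security.Principal.SecurityIdentifier($anyLocal.SID)).AccountDomainSid.Value

    $group   = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    $members = @($group.Invoke('Members'))

    foreach ($m in $members) {
        $adsPath  = $m.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
        $sidBytes = [byte[]]$m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

        # Translate() throws for SIDs from a domain that no longer exists
        # (trust removed, old DCs decommissioned); keep such entries and mark them.
        try   { $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $resolved = '<unresolvable>' }

        $domainSid = $null
        if ($sid.AccountDomainSid) { $domainSid = $sid.AccountDomainSid.Value }

        New-Object PSObject -Property @{
            ADsPath       = $adsPath
            Sid           = $sid.Value
            ResolvedName  = $resolved
            DomainSid     = $domainSid
            ForeignDomain = ($domainSid -ne $null -and $domainSid -ne $currentDomainSid -and $domainSid -ne $machineSid)
        }
    }
}

function Get-UserSidHistory {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)

    # Plain DirectorySearcher so this works without the ActiveDirectory module.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'objectSid', 'sIDHistory'))
    $r = $searcher.FindOne()
    if (-not $r) { throw "User '$SamAccountName' not found in the current domain" }

    $history = @()
    if ($r.Properties.Contains('sidhistory')) {
        # Each sIDHistory value is the user's SID from a source domain.
        $history = @($r.Properties['sidhistory'] | ForEach-Object {
            (New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$_), 0)).Value })
    }

    New-Object PSObject -Property @{
        SamAccountName = $r.Properties['samaccountname'][0]
        ObjectSid      = (New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$r.Properties['objectsid'][0]), 0)).Value
        SidHistory     = $history
    }
}

# Usage (placeholders): dump the group, list names that appear more than once,
# then show the sIDHistory of one of the duplicated users.
$report = Get-LocalGroupSidReport -ComputerName 'WS01' -GroupName 'Administrators'
$report | Format-Table ResolvedName, Sid, DomainSid, ForeignDomain -AutoSize
$report | Group-Object ResolvedName | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "Duplicate entry in local group: $($_.Name)" }
Get-UserSidHistory -SamAccountName 'jdoe'
```

A user listed once with a SID from the current domain and once with a SID whose DomainSid matches one of the values in their SidHistory is the situation the post describes: the "Translate Local Groups: Yes / Translate Option: Add" step left the old-domain ACE alongside the new one rather than replacing it.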

Pieter (Belgium)
Posted - 05/16/2012 : 02:23:40 AM
Perfectly normal.

It's been a long time, but if I remember well there is a wizard in ADMT by which you have to migrate the resource servers from the old domain to the new one. You have there an option to 'clean up' the old SIDs. It isn't necessary to do that.

In ADMT version 2: Computer Migration Wizard, on the Security Translation Options dialog you can choose your option. Replace or Add the new SID with the old one, or even Remove the old SID.



Pieter Demeulemeester

Jazzy (Administrator, Netherlands)
Posted - 05/16/2012 : 03:27:12 AM
If I remember correctly, the second SID limits the amount of groups the user object can be a member of. For that reason you should remove the SID after you've done with the migration. Am I right?

Jetze Mellema

Exchange specialist
Former MVP (2005-2012)
My blog: http://jetzemellema.blogspot.com (Dutch)
My company: http://www.imara-ict.nl/

Pieter (Belgium)
Posted - 05/16/2012 : 03:30:14 AM
Yes, Jazzy is right.
It's a fairly high number of groups, though.

Pieter Demeulemeester
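Jazzy's and Pieter's point is that the extra SIDs count against the user's token. As an added example (not from the thread, and not Microsoft tooling), the script below estimates a user's Kerberos token size from their transitive group membership (the constructed tokenGroups attribute) plus their sIDHistory entries. It uses the approximation published in Microsoft's MaxTokenSize guidance, TokenSize = 1200 + 40*d + 8*s, where d counts domain local groups, universal groups from other domains and sIDHistory entries, and s counts global groups and universal groups from the user's own domain, and compares the result with the 12000-byte MaxTokenSize default of Windows Server 2008 R2 and earlier. The formula and default are facts from that guidance, not from this page; the sAMAccountName in the usage line is a placeholder.

```powershell
# Added example (not from the thread). Estimates a user's access token size
# from tokenGroups + sIDHistory using TokenSize ~= 1200 + 40*d + 8*s.
# Assumptions: run from a domain-joined machine; no ActiveDirectory module
# needed; 'jdoe' below is a placeholder.

function Get-TokenSizeEstimate {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [int]$MaxTokenSize = 12000   # default before Windows Server 2012 (48000 from 2012 on)
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange(@('objectSid', 'sIDHistory'))
    $r = $searcher.FindOne()
    if (-not $r) { throw "User '$SamAccountName' not found" }

    $userSid       = New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$r.Properties['objectsid'][0]), 0)
    $userDomainSid = $userSid.AccountDomainSid
    $historyCount  = 0
    if ($r.Properties.Contains('sidhistory')) { $historyCount = $r.Properties['sidhistory'].Count }

    # tokenGroups is a constructed attribute and is only filled in on request.
    $entry = $r.GetDirectoryEntry()
    $entry.RefreshCache(@('tokenGroups'))
    $groupSids = @($entry.Properties['tokenGroups'])

    $d = $historyCount   # every sIDHistory entry costs 40 bytes, like a domain local group
    $s = 0
    foreach ($bytes in $groupSids) {
        $gsid = New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$bytes), 0)

        # Look the group up by SID to learn its scope from groupType:
        # bit 0x2 = global, 0x4 = domain local (incl. BUILTIN), 0x8 = universal.
        $gs = New-Object System.DirectoryServices.DirectorySearcher
        $gs.Filter = "(objectSid=$($gsid.Value))"
        [void]$gs.PropertiesToLoad.Add('groupType')
        $g = $gs.FindOne()
        if (-not $g) { $d++; continue }   # not in this domain: treat as resource-side (40 bytes)

        $type       = [int]$g.Properties['grouptype'][0]
        $sameDomain = ($gsid.AccountDomainSid -ne $null -and $gsid.AccountDomainSid -eq $userDomainSid)
        if (($type -band 0x4) -or (($type -band 0x8) -and -not $sameDomain)) { $d++ } else { $s++ }
    }

    $estimate = 1200 + 40 * $d + 8 * $s
    New-Object PSObject -Property @{
        SamAccountName       = $SamAccountName
        SidHistoryCount      = $historyCount
        GroupCount           = $groupSids.Count
        DomainLocalOrHistory = $d
        GlobalOrUniversal    = $s
        EstimatedBytes       = $estimate
        ExceedsMaxTokenSize  = ($estimate -gt $MaxTokenSize)
    }
}

Get-TokenSizeEstimate -SamAccountName 'jdoe' | Format-List
```

With a single sIDHistory value per user the extra cost is 40 bytes, which matches Pieter's remark that the limit is a fairly high number of groups; the script is for checking the users who are in hundreds of groups, where SID history can tip an already large token over the limit and produce Kerberos and Group Policy failures.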

megs28
Posted - 06/12/2012 : 2:27:48 PM
Something is wonky with my GP processing, and I think it's related to this duplicate SID. Duplicate SIDs only show up on the migrated PCs (now all of them), not on new ones. I have never removed the SIDhistory for my other users and everything has always been fine (don't have that many groups). ProfileList and ProfileGUI entries in the registry look pretty normal - identical structure to a PC from a migrated domain where I didn't have this problem.

I have 5 AD sites. 4 out of 5 have an orphaned trust from this domain, which is very odd. I can't find anything in ADSI under CN=System that has the TrustedDomain class, but it's there in the MMC and when I do "netdom query trust". I think it's residual from me messing around with the AD topology after this migration (just forced a few recalculations as I let AD "figure it out" for me), because everything is replicating just fine otherwise. I've checked with replmon, repadmin, and all user info and DNS zones and netlogon content has been replicating without problems. 0 replication failures per replmon.

Could this orphan be what is causing the duplicate SIDs to appear and GP processing issues? I'm a bit paranoid to forcefully remove it with netdom and cause profile issues for my users. The domain I migrated from is long gone.... The other thing I can't figure out is where this trust info is in ADSI edit.

Any thoughts?
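The trust data the MMC and "netdom query trust" show lives in two places in the domain partition: a trustedDomain object under CN=System and an interdomain trust account (a user object named after the trusting domain's NetBIOS name with a trailing "$") under CN=Users. As an added example, not from the original post, the script below queries both from every domain controller in the current domain individually, so that a trust object some DCs still carry and others do not, as described for 4 of 5 sites above, shows up side by side instead of being hidden by whichever DC ADSI Edit happened to bind to. It assumes read access to every DC and needs no ActiveDirectory module; the attribute value meanings in the comments are from the AD schema, not from this page.

```powershell
# Added example (not from the thread). Lists trustedDomain objects and
# interdomain trust accounts per DC so a partially present trust stands out.
# Assumptions: domain-joined machine, read access to every DC.

function Get-TrustObjectsPerDC {
    $domain    = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $defaultNC = $rootDse.defaultNamingContext

    foreach ($dc in $domain.DomainControllers) {
        $dcName = $dc.Name

        # trustedDomain objects under CN=System: what Domains and Trusts reads.
        $sys = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dcName/CN=System,$defaultNC")
        $ts  = New-Object System.DirectoryServices.DirectorySearcher($sys)
        $ts.Filter = '(objectClass=trustedDomain)'
        [void]$ts.PropertiesToLoad.AddRange(@('name', 'trustPartner', 'flatName', 'trustDirection', 'trustType', 'securityIdentifier', 'whenChanged'))
        foreach ($t in $ts.FindAll()) {
            $trustSid = $null
            if ($t.Properties.Contains('securityidentifier')) {
                $trustSid = (New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$t.Properties['securityidentifier'][0]), 0)).Value
            }
            New-Object PSObject -Property @{
                DC             = $dcName
                Kind           = 'trustedDomain'
                Name           = $t.Properties['name'][0]
                TrustPartner   = $t.Properties['trustpartner'][0]
                FlatName       = $t.Properties['flatname'][0]
                TrustDirection = $t.Properties['trustdirection'][0]   # 1 = inbound, 2 = outbound, 3 = both
                TrustType      = $t.Properties['trusttype'][0]        # 1 = downlevel (NT), 2 = uplevel (AD)
                DomainSid      = $trustSid
                WhenChanged    = $t.Properties['whenchanged'][0]
            }
        }

        # The trust's companion account: a user object <FLATNAME>$ carrying the
        # INTERDOMAIN_TRUST_ACCOUNT bit (0x0800 = 2048) in userAccountControl.
        $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dcName/$defaultNC")
        $us   = New-Object System.DirectoryServices.DirectorySearcher($root)
        $us.Filter = '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2048))'
        [void]$us.PropertiesToLoad.AddRange(@('sAMAccountName', 'whenChanged'))
        foreach ($u in $us.FindAll()) {
            New-Object PSObject -Property @{
                DC             = $dcName
                Kind           = 'trustAccount'
                Name           = $u.Properties['samaccountname'][0]
                TrustPartner   = $null
                FlatName       = $null
                TrustDirection = $null
                TrustType      = $null
                DomainSid      = $null
                WhenChanged    = $u.Properties['whenchanged'][0]
            }
        }
    }
}

$all = @(Get-TrustObjectsPerDC)
$all | Sort-Object Kind, Name, DC |
    Format-Table DC, Kind, Name, TrustPartner, TrustDirection, DomainSid, WhenChanged -AutoSize

# Any trust object that is not present on every DC is reported here.
$dcCount = @([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers).Count
$all | Group-Object Kind, Name | Where-Object { $_.Count -ne $dcCount } |
    ForEach-Object { "$($_.Name): present on $($_.Count) of $dcCount DCs" }
```

The DomainSid column is also useful next to the sIDHistory values from the earlier posts: the securityIdentifier of the trustedDomain object is the old domain's SID, so it tells you whether the foreign SIDs in the local groups and the leftover trust refer to the same decommissioned domain. Compare the output with "netdom query trust" run against each DC (netdom query trust /domain:<name>) before deciding whether anything needs to be removed.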
Mark Minasi's Reader Forum © 2002-2011 Mark Minasi