SID History Migration failing with ADMT2 – TcpipClientSupport not set

Question: SID History Migration failing with ADMT2 – TcpipClientSupport not set

Hi,

TcpipClientSupport HAS been set and the domain controllers HAVE been re-booted! I’ve done this procedure with other source domains and it works fine. I’m pulling my hair out here. Please help!

2005-11-16 17:07:46
2005-11-16 17:07:46 Active Directory Migration Tool, Starting…
2005-11-16 17:07:46 Starting Account Replicator.
2005-11-16 17:07:46 Account Migration SourceDomain TargetDomain CopyUsers:No CopyGlobalGroups:Yes CopyLocalGroups:Yes CopyComputers:No StrongPwd:All
2005-11-16 17:07:55 CN=HEDownload        – Created
2005-11-16 17:07:56 ERR2:7435 SID History cannot be updated for HEDownload.  This operation requires the TcpipClientSupport registry key to be set on .   rc=6.
2005-11-16 17:07:56 WRN1:7392 SIDHistory could not be updated due to a configuration or permissions problem.  The Active Directory Migration Tool will not attempt to migrate the remaining objects.
2005-11-16 17:07:57 Operation Aborted.
2005-11-16 17:07:59 Operation completed.


 

SID History Migration failing with ADMT2 – TcpipClientSupport not set

Please check the settings as per the procedure below. I think you have missed a step or a reboot.

1. Point all Servers and Computers toward a common set of DNS and WINS.
2. Set Windows 2003 domain functional level to at least Windows 2000 native or Windows 2003.
a. Go to Start > Programs > Administrative Tools > Active Directory Users & Computers.
b. Right Click on <DESTINATION DOMAIN>.GE.Com & click on Raise Domain Functional Level.
3. Establish a 2-way trust relationship between <DESTINATION DOMAIN> & <SOURCE DOMAIN>.
4. Configure each of the Source Domains so that the Domain Admins group from the <DESTINATION DOMAIN> domain has administrator privileges.
a. Double click on the Administrators group on the <SOURCE DOMAIN> domains & add the Domain Admins group of the <DESTINATION DOMAIN> domain.
b. Double click on the Administrators group on the <DESTINATION DOMAIN> domain & add the Domain Admins group of the <SOURCE DOMAIN> domains.
5. On the Primary Domain Controller of the source domains enable auditing.
a. Start User Manager for Domains.
b. On the Policies Menu, click Audit.
c. Click Audit These Events, and then click to select the Success & Failure check boxes for User & Group Management.
d. Click on OK.
6. On the Windows 2003 Domain Controller enable auditing.
a. Go to Start > Programs > Administrative Tools > Default Domain Controller Security Policy.
b. Navigate to Security Settings > Local Policies > Audit Policy.
c. Double click on Audit Account Management & select all check boxes.
7. On the Windows 2003 Domain Controller:
a. Go to Start > Programs > Administrative Tools > Default Domain Controller Security Policy.
b. Navigate to Security Settings > Local Policies > Security Options.
c. Define the policy named Network Access: Let Everyone Permissions Apply to Anonymous.
8. Type the following command on the Windows 2003 Domain Controller: Net localgroup "Pre-Windows 2000 Compatible Access" Everyone /Add
9. Install ADMT 2.0 on the Windows 2003 Domain Controller.
10. On the Windows 2003 Domain Controller go to the command prompt & navigate to the directory where ADMT 2.0 has been installed. Create a password encryption file from the Windows 2003 server by the following command: ADMT KEY <source domain> D:\PESFiles
11. Reboot the Windows 2003 Domain Controller after copying the Password Encryption Files of the respective domain to the respective NT4.0 domain controller.
12. Install the ADMT Password Migration DLL on the PDC. To do this:
a. Copy & run pwdmig.exe from the location where ADMT2.0 is installed on the PDC of the NT 4.0 domain.
b. When you run the ADMT Password Migration DLL Installation Wizard (pwdmig.exe), you are prompted for the path of the .pes file that you copied to the Windows NT 4.0 PDC. You must specify a local path for this file. You are also prompted for the password that you used when you created this file.
c. Do not restart the Server.
13. Configure the source domain to permit remote procedure call (RPC) access to the security accounts manager (SAM) database by setting the TcpipClientSupport registry value to 1. To do so:
a. On the PDC, click Start, click Run, type regedit in the Open box, and then click OK.
b. Navigate to the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Lsa
c. On the Edit Menu, click on New & then click on DWORD Value.
d. Name the new value TcpipClientSupport.
e. Right click TcpipClientSupport & click Modify.
f. In the Value data box, type 1, & then click on OK.
g. Quit the registry editor.
14. On the Windows NT 4.0 domain controller change the AllowPasswordExport registry value to 1. To do this:
a. On the Windows NT 4.0 PDC, click Start > Run > regedit.
b. Navigate to the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
c. In the right pane, right-click AllowPasswordExport > Modify.
d. In the Value data box, type 1, & then click OK.
e. Quit the Registry Editor.
15. Reboot the Windows NT4.0 Domain Controllers & the Windows 2003 Domain Controllers.
16. Configure a new local group on the Windows NT4.0 PDCs & name it <Source Domain>$$$
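
An added example (not part of the original answer): a read-only PowerShell check, run from an admin workstation, of the source PDC settings from steps 13, 14 and 16. The host and domain names are placeholders, and the registry path it treats as correct is the ...\Control\Lsa form written in step 14.

```powershell
# Added example: read-only check of the source PDC settings from steps 13, 14 and 16.
# $SourcePdc and $SourceDomain are placeholders; replace them with your own names.
param(
    [string]$SourcePdc    = 'SRCPDC01',   # hypothetical NetBIOS name of the NT 4.0 PDC
    [string]$SourceDomain = 'SRCDOM'      # hypothetical NetBIOS name of the source domain
)

$lsaPath   = 'SYSTEM\CurrentControlSet\Control\Lsa'   # path as written in step 14
$strayPath = 'SYSTEM\CurrentControlSet\Lsa'           # path as written in step 13 (no "Control")

function Test-LsaDword {
    param($Hive, [string]$Path, [string]$Name)
    $key = $Hive.OpenSubKey($Path)
    if ($null -eq $key) { return 'key missing' }
    try {
        if ($key.GetValueNames() -notcontains $Name) { return 'value missing' }
        $kind = $key.GetValueKind($Name)
        $data = $key.GetValue($Name)
        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return "wrong type ($kind)" }
        if ($data -ne 1) { return "set to $data, expected 1" }
        return 'OK'
    } finally { $key.Close() }
}

# Needs the Remote Registry service on the PDC and administrator rights there (step 4).
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $SourcePdc)
try {
    foreach ($name in 'TcpipClientSupport', 'AllowPasswordExport') {
        "{0,-20} {1}" -f $name, (Test-LsaDword $hklm $lsaPath $name)
    }
    # The value only counts under Control\Lsa; flag a copy created under the shorter path.
    if ((Test-LsaDword $hklm $strayPath 'TcpipClientSupport') -notmatch 'missing$') {
        "TcpipClientSupport also exists under $strayPath (wrong location)"
    }
} finally { $hklm.Close() }

# Step 16: local group <SourceDomain>$$$ on the PDC. Single quotes keep $$$ literal.
$groupName = $SourceDomain + '$$$'
try {
    $exists = [ADSI]::Exists("WinNT://$SourcePdc/$groupName,group")
    $state  = if ($exists) { 'OK' } else { 'group missing' }
} catch {
    $state = "could not check: $($_.Exception.Message)"
}
"{0,-20} {1}" -f $groupName, $state
```

Microsoft's ADMT guidance is to set AllowPasswordExport back to 0 once password migration is finished, at which point this check reports `set to 0, expected 1` for it.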