ADMT - migrate NT 4.0 accounts to AD - weird scenario?


  • ADMT - migrate NT 4.0 accounts to AD - weird scenario?

    I am in the process of planning and designing a large migration from WIN NT 4.0 to WIN 2003 AD. Our current AD domain is in place and has been for some time because users in the NT 4.0 domain authenticate to AD for web-based time entry and web access. Therefore, all the users in all NT 4.0 domains have user accounts in AD. There are about 50 NT 4.0 domains. I'm confused about how to migrate. I don't want to migrate the NT accounts into AD because they are already there. But I'll need to migrate user profiles and computers etc. Is it possible to migrate only the SIDs or somehow associate the NT 4.0 account SIDs with their matching user account in AD? Or does anyone have any thoughts on the best way to approach this?

    Thanks
    JRM

  • #2
    Re: ADMT - migrate NT 4.0 accounts to AD - weird scenario?

    One way to do it is to remigrate all with ADMT. Bear in mind that you cannot add sids (sidHistory really) after the account is created. You must do it with the first shot. However, you may not need the _user_ sids if you assigned all permissions using groups. In that case, you just need to migrate the groups with sidHistory.

    ADMT has a security translation wizard that will help migrate profiles.



    • #3
      Re: ADMT - migrate NT 4.0 accounts to AD - weird scenario?

      If I remigrate, won't it see the accounts that are already in AD as duplicates? I guess if the accounts were deleted from AD first, but can't do that. The users use them for web and time entry and have different passwords.....oh man this seems like a daunting task??? What to do?

      Thanks-



      • #4
        Re: ADMT - migrate NT 4.0 accounts to AD - weird scenario?

        Originally posted by wkasdo
        One way to do it is to remigrate all with ADMT. Bear in mind that you cannot add sids (sidHistory really) after the account is created. You must do it with the first shot. However, you may not need the _user_ sids if you assigned all permissions using groups. In that case, you just need to migrate the groups with sidHistory.

        ADMT has a security translation wizard that will help migrate profiles.

        Hi wkasdo,

        I have the same situation as JRM, but both the source domain and the target domain are W2K AD. I am doing a test today: I used cloneprincipal (sidhist.vbs) to copy the source user's SID to the target user's SID history attribute, and confirmed that all DCs synced and the SID history attribute was updated as well.

        In my test, the target user can't access the resource which is shared only to the source user. So, I think it's due to something blocking SID history.

        Can you explain why you said "you cannot add sids (sidHistory really) after the account is created"? Does my way (updating the SID history attribute with sidhist.vbs) not work? Or is it due to some other wrong setting?

        Appreciate any thoughts!

        K.



        • #5
          Re: ADMT - migrate NT 4.0 accounts to AD - weird scenario?

          ADMT will not let you merge sIDHistory, but sidhist.vbs should be able to do just that.

          Have you disabled the SID Filtering feature on the trust?

          Guy Teverovsky
          "Smith & Wesson - the original point and click interface"



          • #6
            Re: ADMT - migrate NT 4.0 accounts to AD - weird scenario?

            Originally posted by guyt
            ADMT will not let you merge sIDHistory, but sidhist.vbs should be able to do just that.

            Have you disabled the SID Filtering feature on the trust?

            Hi guyt,

            Thanks for the reply. Yes, I found the KB as well: from W2K SP4 or W2K3 SP1, AD enables SID filtering by default. That's the reason I thought.


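The two checks discussed in this thread (is the source SID really in the target account's sIDHistory, and is SID filtering active on the trust) can be scripted as below. This is an added example, not code posted by any participant; it assumes the ActiveDirectory PowerShell module (RSAT) is available, and every domain and account name in it is a placeholder.

```powershell
# Added diagnostic sketch. Requires the ActiveDirectory module (RSAT).
# All names below are placeholders (assumptions), not values from the thread.
Import-Module ActiveDirectory

$SourceDomain = 'source.example'   # domain holding the original account and the shared resource
$TargetDomain = 'target.example'   # domain holding the account that should carry sIDHistory
$SourceUser   = 'jdoe'             # sAMAccountName in the source domain
$TargetUser   = 'jdoe'             # sAMAccountName in the target domain

# 1. Read the source account's SID and the target account's sIDHistory values.
$src = Get-ADUser -Identity $SourceUser -Server $SourceDomain
$tgt = Get-ADUser -Identity $TargetUser -Server $TargetDomain -Properties SIDHistory

$history   = @($tgt.SIDHistory | ForEach-Object { $_.Value })
$inHistory = $history -contains $src.SID.Value

# 2. Read the trust object that the source (trusting) domain holds for the target
#    domain. SIDFilteringQuarantined reports whether SID filtering (quarantine)
#    is enabled on that trust.
$trust = Get-ADTrust -Identity $TargetDomain -Server $SourceDomain

# 3. Summarize both findings in one object.
[pscustomobject]@{
    SourceSid          = $src.SID.Value
    TargetSidHistory   = $history -join ', '
    SourceSidInHistory = $inHistory
    TrustDirection     = $trust.Direction
    SidFilteringOn     = $trust.SIDFilteringQuarantined
}

# 4. Point at the most likely reason access through sIDHistory fails.
if (-not $inHistory) {
    Write-Warning 'The source SID is not present in the target account''s sIDHistory.'
} elseif ($trust.SIDFilteringQuarantined) {
    Write-Warning 'SID filtering is enabled on the trust, so sIDHistory SIDs from the target domain are removed when the user crosses it.'
}
```

The trust is queried on the source domain because, in the scenario described in post #4, the resource lives there and that domain is the one applying the filter to tokens arriving from the target domain.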