ADMT 3.2 "Could not verify auditing and TcpipClientSupport on domains. Will not be able to migrate Sid's. The specified domain either does not exist or could not be contacted."

Question

Hi,

We are migrating few of our users (Along with there SIDs) from ABC Forest to XYZ forest with the help of MS ADMT 3.2 (Active Directory migration tool). Following are the DC's and ADMT Machine's Configuration:

1. Source DC (ABC.com) - Windows Server 2008 R2 Standard
2. Target DC (XYZ.com) - Windows Server 2019 Datacenter
3. ADMT Machine - Windows Server 2012 R2 (Connected to Target DC)

While migrating user's accounts, On "Account Transition Options" window, if we select any option in "Target Account State" only and proceed every thing works as expected. But along with when we ticked "Migrate user SIDs to target domain" checkbox, tool throws below error.

---------------------------

Error

---------------------------

Could not verify auditing and TcpipClientSupport on domains. Will not be able to migrate Sid's. The specified domain either does not exist or could not be contacted.

---------------------------

---------------------------

I can able to ping/Nslookup both the domains from ADMT machine as well as from DC to DC. Is there any thing else i have to verify to trouble shoot this issue?

Answer 1

Hi，@SiddheshSawant-1300
Judging from the error report, the network problem has caused the failure to contact the DC to be migrated.
Whether the port required for the normal work of ADMT is open can not be confirmed through PING/NSLOOKUP. Please refer to the following connection to confirm that the necessary ports have been opened, and the influence of blocked ports on ADMT has been excluded.

1. How to configure a firewall for Active Directory domains and trusts:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts

2. ADMT Migration and Network Ports: http://techgenix.com/admt-migration-and-network-ports/
3. ADMT Series – 1. Preparing Active Directory : https://blog.thesysadmins.co.uk/admt-series-1-preparing-active-directory.html

Hope this information can help you
Best wishes
Vicky

Answer 2

Thanks @Vicky Wang

Have checked all the security ports (Mentioned in the links in your last post) From Target to Source, Source to Target and Source/Target to ADMT Machine. I can able to Telnet each and every port, Port on which at least one service has hosted. Following are my observation:

1. On Both the DCs, we have configured Stub Zone on DNS Server. (Do i have to Configure Conditional Forward only?)
2. One-way trust is in place, where Source trusts Target forest. (Do i need two-way trust?) Ref URL: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/inter-forest-sidhistory-migration-with-admt.

Answer 3

Hi,
Thank you for the update.
Because your question is more complex and difficult, it exceeds the scope of our forum’s knowledge
After discussing with our colleagues, we suggest that you find more professional engineers for help, they can give you more professional and quick answers.
Thank you for your understanding and support
reference:https://support.microsoft.com/en-in/hub/4343728/support-for-business
Best wishes
Vicky

Answer 4

I have the same error message, does anyone have any idea what else can be done?