Problem to migrate SIDHistory with command line

Gilles T 5 Reputation points
2023-11-15T15:37:07.4366667+00:00

For an inter-forest migration, SIDHistory is migrated fine with the wizard.

But with the command line, there is always an error that makes no sense: "ERR2:7615 SID History cannot be updated for xxx. You must be an administrator in the source domain."

The account used is an administrator on the source domain.

ADMT is installed on a domain controller.

How can I solve that?

Regards

Gilles

Windows for business | Windows Client for IT Pros | Directory services | Active Directory

5 answers

  1. Anonymous
    2023-11-16T02:00:42.3133333+00:00

    Hello Gilles T,

    Thank you for posting in Q&A forum.

    You can check sIDHistory migration additional dependencies and Additional requirements for migrating sIDHistory with the command line or scripting interfaces in the link below.

    How to troubleshoot inter-forest sIDHistory migration with ADMTv2
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/inter-forest-sidhistory-migration-with-admt

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  2. Gilles T 5 Reputation points
    2023-11-16T09:45:57.25+00:00

    Hello

    Yes, I already did all the checks.

    I remember that there is no problem with the wizard. The problem is only with the command line.

    Regards

    Gilles


  3. Evandro Boa Semedo 391 Reputation points
    2024-11-15T15:27:39.35+00:00

    Hi,

    The same problem here.


  4. Evandro Boa Semedo 391 Reputation points
    2024-11-15T15:34:23.5966667+00:00

    The same problem here.

    Hi,

    I am migrating Exchange accounts between forests from one Exchange environment to another using the Exchange native scripts alongside ADMT. However, I encounter the error below when migrating Active Directory users via ADMT's command line to merge passwords, SIDs, and ADUser. Strangely, using the graphical interface (GUI) does not produce any errors, and the SID and password are copied correctly.

    <#

    2024-11-13 18:31:33 ERR2:7615 SID History cannot be updated for TESTEuser1. You must be an administrator in the source domain.

    2024-11-13 18:31:33 WRN1:7392 SIDHistory could not be updated due to a configuration or permissions problem. The Active Directory Migration Tool will not attempt to migrate the remaining objects.

    2024-11-13 18:31:33 Operation Aborted.

    #>

    I followed all the steps in the two links below in a lab environment, and everything worked perfectly. However, in production, I am encountering issues. I would appreciate guidance on how to resolve this.

    ADMT 3.2 Interforest Migration - Part 2

    https://social.technet.microsoft.com/wiki/contents/articles/16208.admt-3-2-interforest-migration-part-2.aspx

    ADMT 3.2 Interforest Migration - Part 3

    https://learn.microsoft.com/en-us/archive/technet-wiki/16621.admt-3-2-interforest-migration-part-3

    I am using this script, which worked flawlessly in the lab environment, but in production, it fails with errors only via the command line, while the ADMT console works fine:

    PowerShell ADMT Script

    https://github.com/duffney/PowerShell/blob/master/ActiveDirectory/Migrate-ADMTUserCLI.ps1

    To isolate the issue, I tested using direct commands on the ADMT server, but the same problem occurred.

    Test Without Script

    admt user /N "TESTEuser1" /SD:"SOURCEDOMAIN.LOCAL" /SDC:"DC01.SOURCEDOMAIN.LOCAL" /TD:"TARGETDOMAIN.LOCAL" /TDC:"AD01.TARGETDOMAIN.LOCAL" /TO:"Hosting/0123456789" /UGR:YES /FGM:YES /CO:MERGE /MSS:YES /PS:"MTDC07.SOURCEDOMAIN.LOCAL" /PO:"COPY" /UX "HomeMDB,HomeMTA,showInAddressBook,msExchHomeServerName,mail,msExchRBACPolicyLink,msExch*,msRTCSIP*,msOnlineSIP*" /UMO:YES

    PS: The problem only occurs when copying SIDHistory via PowerShell. If I perform a migration without SIDHistory, removing the /MSS:YES parameter, it works; the graphical interface, though, runs without problems.

  5. Evandro Boa Semedo 391 Reputation points
    2024-12-04T00:37:52.8333333+00:00

    The ADMT cannot operate via command line when the IPv6 disable registry key is present.


    New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters -Name DisabledComponents -PropertyType DWord -Value 0xFF
    
    reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /v DisabledComponents
    

    For it to work via command line, the IPv6 system must be active on the network adapter to avoid the error I mentioned in the post.

    Solution: Remove the registry key that disables IPv6 on the network interface(s) of the ADMT Server host.

    DisabledComponents with the value 0xFF

    I solved my problem, and now I can run commands or scripts to automate the process via System Center Orchestrator. When I point the script to an AD with IPv6 disabled in the registry key, it doesn’t work; when I point it to an AD with IPv6 enabled, it works.

    NOTE: I opened two support cases with MSFT and did not receive satisfactory service in either case; I was somewhat ignored. What they say in the link about doing their "best effort" doesn't exist. For those who open a case with the professional plan like I did, you won’t get any help. It’s like they don’t care about us; that’s the truth. They don’t even contact you to connect to the environment and check if you did anything wrong or right.

    I hope this helps someone in the future.

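An added example, not part of the original post and not ADMT's own code: a PowerShell check for the condition described in the last answer, meant to be run elevated on the ADMT server before a command-line migration that uses /MSS:YES. The function name `Test-AdmtHostIPv6` is hypothetical, and the adapter-binding check is an assumption about what "IPv6 active on the network adapter" covers.

```powershell
# Added example: audit (and optionally clear) the IPv6 DisabledComponents value
# on the ADMT host. Function name is hypothetical; run in an elevated session.
function Test-AdmtHostIPv6 {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Remediate   # remove the registry value instead of only reporting it
    )

    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $name = 'DisabledComponents'

    # The value does not exist by default; in that case $prop is $null.
    $prop  = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    $value = if ($null -ne $prop) { $prop.$name } else { $null }
    $isSet = ($null -ne $value -and $value -ne 0)

    # Assumption: an adapter with the IPv6 binding (ms_tcpip6) unticked also
    # counts as "IPv6 not active" for the purposes of the answer above.
    $unbound = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 |
                 Where-Object { -not $_.Enabled } |
                 Select-Object -ExpandProperty Name)

    $removed = $false
    if ($Remediate -and $isSet) {
        if ($PSCmdlet.ShouldProcess("$path\$name", 'Remove registry value')) {
            Remove-ItemProperty -Path $path -Name $name
            $removed = $true
        }
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        DisabledComponents    = if ($null -eq $value) { 'not set' } else { '0x{0:X}' -f $value }
        DisabledComponentsSet = $isSet
        AdaptersWithoutIPv6   = $unbound
        ValueRemoved          = $removed
        RebootRequired        = $removed   # the change only takes effect after a restart
    }
}

Test-AdmtHostIPv6                        # report only
# Test-AdmtHostIPv6 -Remediate -WhatIf   # preview the removal
# Test-AdmtHostIPv6 -Remediate           # remove the value, then restart the host
```

Record the original value before removing it if the setting came from a hardening baseline, so the change can be reviewed and, if necessary, restored after the migration.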
