Problem migrating SID History using ADMT with PowerShell script only

Evandro Boa Semedo 371 Reputation points
2024-11-15T15:31:34.31+00:00

Hi,

I am migrating Exchange accounts between forests from one Exchange environment to another using the Exchange native scripts alongside ADMT. However, I encounter the error below when migrating Active Directory users via ADMT's command line to merge passwords, SIDs, and ADUser. Strangely, using the graphical interface (GUI) does not produce any errors, and the SID and password are copied correctly.

<#

2024-11-13 18:31:33 ERR2:7615 SID History cannot be updated for TESTEuser1. You must be an administrator in the source domain.

2024-11-13 18:31:33 WRN1:7392 SIDHistory could not be updated due to a configuration or permissions problem. The Active Directory Migration Tool will not attempt to migrate the remaining objects.

2024-11-13 18:31:33 Operation Aborted.

#>

I followed all the steps in the two links below in a lab environment, and everything worked perfectly. However, in production, I am encountering issues. I would appreciate guidance on how to resolve this.

ADMT 3.2 Interforest Migration - Part 2

https://social.technet.microsoft.com/wiki/contents/articles/16208.admt-3-2-interforest-migration-part-2.aspx

ADMT 3.2 Interforest Migration - Part 3

https://learn.microsoft.com/en-us/archive/technet-wiki/16621.admt-3-2-interforest-migration-part-3

I am using this script, which worked flawlessly in the lab environment, but in production, it fails with errors only via the command line, while the ADMT console works fine:

PowerShell ADMT Script

https://github.com/duffney/PowerShell/blob/master/ActiveDirectory/Migrate-ADMTUserCLI.ps1

To isolate the issue, I tested using direct commands on the ADMT server, but the same problem occurred.

Test Without Script

admt user /N "TESTEuser1" /SD:"SOURCEDOMAIN.LOCAL" /SDC:"DC01.SOURCEDOMAIN.LOCAL" /TD:"TARGETDOMAIN.LOCAL" /TDC:"AD01.TARGETDOMAIN.LOCAL" /TO:"Hosting/0123456789" /UGR:YES /FGM:YES /CO:MERGE /MSS:YES /PS:"MTDC07.SOURCEDOMAIN.LOCAL" /PO:"COPY" /UX "HomeMDB,HomeMTA,showInAddressBook,msExchHomeServerName,mail,msExchRBACPolicyLink,msExch*,msRTCSIP*,msOnlineSIP*" /UMO:YES

PS: The problem only occurs when copying SIDHistory via PowerShell. Performing a migration without SIDHistory, by removing the /MSS:YES parameter, works, whereas the graphical interface runs without problems.


1 answer

  1. Evandro Boa Semedo 371 Reputation points
    2024-12-04T00:36:36.3666667+00:00

    The ADMT cannot operate via command line when the IPv6 disable registry key is present.

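    # This is how the IPv6-disabling value gets set (the state in which ADMT fails via command line)
    New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters -Name DisabledComponents -PropertyType DWord -Value 0xFF

    # Check whether the value is present on the host
    reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /v DisabledComponents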
    

    For it to work via command line, the IPv6 system must be active on the network adapter to avoid the error I mentioned in the post.

    Solution: Remove the registry key that disables IPv6 on the network interface(s) of the ADMT Server host.

    DisabledComponents with the value 0xFF

    I solved my problem, and now I can run commands or scripts to automate the process via System Center Orchestrator. When I point the script to an AD with IPv6 disabled in the registry key, it doesn’t work; when I point it to an AD with IPv6 enabled, it works.

    NOTE: I opened two support cases with MSFT and did not receive satisfactory service in either case; I was somewhat ignored. What they say in the link about doing their "best effort" doesn't exist. For those who open a case with the professional plan like I did, you won’t get any help. It’s like they don’t care about us; that’s the truth. They don’t even contact you to connect to the environment and check if you did anything wrong or right.

    I hope this helps someone in the future.

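One way to check the ADMT host for the `DisabledComponents` value and remove it, as an added example that is not part of the original answer. The function name `Repair-AdmtHostIpv6` is hypothetical, the bit meanings follow Microsoft's documentation for `DisabledComponents`, and the script assumes an elevated session on the ADMT server.

```powershell
# Added example (not from the original answer). Run elevated on the ADMT host.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$Name = 'DisabledComponents'

# Bit meanings per Microsoft's documentation for DisabledComponents.
$Flags = @(
    @{ Bit = 0x01; Meaning = 'all tunnel interfaces disabled' }
    @{ Bit = 0x02; Meaning = '6to4 disabled' }
    @{ Bit = 0x04; Meaning = 'ISATAP disabled' }
    @{ Bit = 0x08; Meaning = 'Teredo disabled' }
    @{ Bit = 0x10; Meaning = 'IPv6 disabled on non-tunnel (LAN/PPP) interfaces' }
    @{ Bit = 0x20; Meaning = 'IPv4 preferred over IPv6' }
)

function Repair-AdmtHostIpv6 {   # hypothetical name
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Adapters where the IPv6 binding itself has been switched off.
    Get-NetAdapterBinding -ComponentID ms_tcpip6 |
        Where-Object { -not $_.Enabled } |
        ForEach-Object { Write-Warning "IPv6 binding is off on adapter '$($_.Name)'" }

    $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        Write-Output "$Name is not set; the registry does not disable IPv6."
        return
    }

    # Show the current value and decode which IPv6 components it turns off.
    $value = $prop.$Name
    Write-Output ('{0} = 0x{1:X} (note it down before removing)' -f $Name, $value)
    foreach ($f in $Flags) {
        if ($value -band $f.Bit) { Write-Output "  - $($f.Meaning)" }
    }

    # Honors -WhatIf / -Confirm, so the removal can be previewed first.
    if ($PSCmdlet.ShouldProcess("$Path\$Name", 'Remove registry value')) {
        Remove-ItemProperty -Path $Path -Name $Name
        Write-Warning 'Restart the server for the change to take effect.'
    }
}

Repair-AdmtHostIpv6 -WhatIf   # report only; drop -WhatIf to remove the value
```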