ChauLe-8759 asked DaisyZhou-MSFT answered

Migrating SIDHistory works then randomly stops!!!

Title says it all. We have all the requirements set up for SIDhistory. All auditing requirements in both source and target DCs.. empty group in source netbiosname$$$ .... all the requirements.

2 issues...

  1. Each and EVERYTIME we run the wizard and sidhistory is checked, the wizard ALWAYS says Auditing is not enabled on target do you want to enable it? I click yes, put in credentials and migration works for users/group object. EVERYTIME never fails... why does it keep asking??

  2. When I do a bulk migration of user or groups.... I go thru same issue from #1 ....but then during the migration it randomly stops at a user/group stating that Auditing is not turned on? I re run the migration and same issue, stops randomly... it doesn't stop at the same object and if I migrate only the object where it stops and report the error.... it works...so it's not the user or group.....

Why does it work migrating SIDHistory and merging...then randomly stops and complains that Auditing is not turned on??? If it's not turned on it shouldn't work at all!

Thoughts???

windows-server-migration

Hello @ChauLe-8759,

Thank you for posting here.

We are researching it, and if there is any update, we will reply to you here.

Thank you for your understanding and support.


Best Regards,
Daisy Zhou


Hi Daisy any news?

DaisyZhou-MSFT answered

Hello @ChauLe-8759,

Thank you for your patience.

You can try the steps in the following link to see if it helps.

Configuring the Source and Target Domains for SID History Migration
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc974410(v=ws.10)?redirectedfrom=MSDN

Similar case.
ADMT 3.2 ERR2:7430 When migrating users
https://social.technet.microsoft.com/Forums/en-US/60aafcc8-4a0f-4f3c-9663-5b927e72b714/admt-32-err27430-when-migrating-users?forum=winserverMigration

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou




ChauLe-8759 answered DaisyZhou-MSFT commented

This is the error I keep getting



2021-04-10 06:22:10 ERR2:7430 SID History for Accounts mailbox cannot be updated because auditing is not enabled on infosolco.net. rc=8536.\n This operation requires that auditing be enabled for Success and Failure auditing of account management operations.
2021-04-10 06:22:10 WRN1:7392 SIDHistory could not be updated due to a configuration or permissions problem. The Active Directory Migration Tool will not attempt to migrate the remaining objects.
2021-04-10 06:22:10 Operation Aborted.
2021-04-10 06:22:10 Operation completed.


Hello @ChauLe-8759,

Thank you for your update.

What are you doing when you receive the error above?

Did you configure the source and target domains for SID history migration based on the link I provided above?


Best Regards,
Daisy Zhou

ChauLe-8759 answered

Yes I run the ADMT wizard for user or groups...same error. I check "migrate SIDHistory" ... and each time I get the below picture.

86650-image.png





Why would I get this each time? I click yes one time and put in credentials and it continues. But based on this message it appears that the tool will set it for me? For some reason the tool is not recognizing the Auditing settings. I set the Auditing settings in Default Domain Controller GPO.


DaisyZhou-MSFT answered

Hello @ChauLe-8759,

Thank you for your update.

It prompts only one time in my lab, when I migrate the first user account.

It will not prompt the message when I migrate the second and later user accounts in my lab.

It seems the setting is misconfigured or some setting is not configured in your environment.


1. Did you configure the legacy audit policy under Computer Configuration\Windows settings\security settings\local policies\audit policy, or advanced audit policies under Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration?

Tip:
1-Advanced audit policies will overwrite all legacy audit policies by default.

2-If you have never configured any advanced audit policies before, then you configure traditional audit policies.

3-If you have configured any advanced audit policy before, you need to configure the advanced audit policy.

We can run the following commands on the domain controller to force a policy refresh and check whether the related audit policy settings are enabled:

gpupdate /force
auditpol /get /category:*

For example:

I configure advanced audit policy.
86792-ds1.png


2. Did you create a local group in the source domain to support auditing?
In the source domain, create a local group called SourceDomain$$$, where SourceDomain is the NetBIOS name of your source domain, for example, Boston$$$. Do not add members to this group; if you do, SID history migration will fail.


Best Regards,
Daisy Zhou



ChauLe-8759 answered

Looks like I have some differences than yours. Let me configure to match yours and try again

86956-image.png



ChauLe-8759 answered

Here is the weird part.... I have advance monitoring set but the auditpol is showing different.... I thought you said advance monitoring takes precedence?

86957-image.png





This is the default domain controller policy. Do I need to make the change in the Default Domain Policy?

Thanks


ChauLe-8759 answered

Daisy I found the issue... in the Domain Controller Container there was another GPO with Audit setting taking precedence!

I updated that GPO instead and now it works..no more warning! It's fixed!!!

Always check other GPOs! I found this from gpresult /h

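The two checks that resolved this thread, combined as an added PowerShell example (not code from the thread or from Microsoft): the effective Account Management audit policy on the domain controller, then every GPO that applies to the Domain Controllers OU in precedence order. It assumes an elevated session on a target-domain DC, an English-language OS, and the GroupPolicy module; the audit-setting match on the GPO report is a heuristic with assumed element names.

```powershell
# Added example (not from the thread). Run elevated on a target-domain DC.
# Assumes an English-language OS (category name) and the GroupPolicy module.

# 1. Effective audit policy on this DC. 'auditpol /r' emits CSV; the
#    "Inclusion Setting" column holds the value actually in force.
#    Which subcategories ADMT needs is not stated in the thread, so the
#    SuccessAndFailure column is informational.
$effective = auditpol /get /category:"Account Management" /r |
    Where-Object { $_ } |          # drop blank lines in the CSV output
    ConvertFrom-Csv |
    Select-Object Subcategory, 'Inclusion Setting',
        @{ n = 'SuccessAndFailure'
           e = { $_.'Inclusion Setting' -eq 'Success and Failure' } }
$effective | Format-Table -AutoSize

# 2. Every GPO that applies to the Domain Controllers OU, in precedence
#    order (Order 1 wins), flagged if its report carries audit settings.
#    Matching 'AuditAccountManage' (legacy) or 'AuditSetting' (advanced)
#    in the report XML is a heuristic with assumed element names,
#    not a full parse of the report.
Import-Module GroupPolicy
$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
$dcOu     = "OU=Domain Controllers,$domainDn"

(Get-GPInheritance -Target $dcOu).InheritedGpoLinks |
    Sort-Object Order |
    ForEach-Object {
        $report = Get-GPOReport -Guid $_.GpoId -ReportType Xml
        [pscustomobject]@{
            Order        = $_.Order
            GPO          = $_.DisplayName
            Enabled      = $_.Enabled
            Enforced     = $_.Enforced
            DefinesAudit = $report -match 'AuditAccountManage|AuditSetting'
        }
    } | Format-Table -AutoSize
```

If more than one GPO shows DefinesAudit as True, the one with the lowest Order (or an enforced link) is the one whose audit settings reach the DC. The list ignores security and WMI filtering, so confirm the winner with gpresult /h as in the post above.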

DaisyZhou-MSFT answered

Hello @ChauLe-8759,

Thank you for your update. I am very glad that the information is helpful and the problem has been solved.

As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!

If the Answer is helpful, please click "Accept Answer" and upvote it.


Best Regards,
Daisy Zhou
