ADMT-Migration: "Domain local" Group with all Members
Trusting domain name is "Contoso.com" & Trusted domain name is "microsoft.com". Now we will be migrated a domain local group (will_be_Migrated). Which having multiple members from trusting domain & trusted domain.ADMT Version 3.1.
Will migrate a domain local group called will_be_Migrated
but is the member of the trusting domain (Contoso.com) and Ed & Richard are the members of the trusted domain (Microsoft.com).
Click Active Directory Migration tool
ADMT Wizard
Click Group Account Migration Wizard
Click Next
Select the source & target domain and DCs
Click Next
Click Next
Type the Group name
Need to browse the target OU & Click next
Fix membership of the group (Selected by default) should be selected for migrating all group members.
Click Next
Click Next
Click Finish.
See the errors. If anything is there & after competing the migration you need to check the ADMT log.
Log location is C:\Windows\ADMT\Logs. The migration log is below.
---------------------------ADMT LOG-----------------------------
[Settings Section]
Task: Group Migration (2)
ADMT Console
User: CONTOSO\Administrator
Computer: KOL-LDS01.contoso.com (KOL-LDS01)
Domain: contoso.com (CONTOSO)
OS: Windows Server (R) 2008 Datacenter 6.0 (6001) Service Pack 1
Source Domain
Name: contoso.com (CONTOSO)
DC: KOL-LDS01.contoso.com (KOL-LDS01)
OS: Windows Server® 2008 Datacenter 6.0 (6001) Service Pack 1
OU:
Target Domain
Name: microsoft.com (MICROSOFT)
DC: biz-ads0001.microsoft.com (BIZ-ADS0001)
OS: Windows Server 2003 5.2 (3790) Service Pack 2
OU: LDAP://microsoft.com/OU=ptest,DC=microsoft,DC=com
Intra-Forest: No
Migrate Security Identifiers: No
Update Rights: No
Fix group membership: Yes
Conflict Option: Ignore
Migrate members: No
[Object Migration Section]
2013-01-20 10:57:06 Starting Account Replicator.
2013-01-20 10:57:06 CN=will_be_Migrated - Created
2013-01-20 10:57:07 WRN1:7561 ADMT could not migrate some properties for this object type (group) due to schema mismatches. Please refer to the Schema Section in the migration log for a complete listing. The Schema Section will be available once object migration is complete.
2013-01-20 10:57:07 Processing group membership for CN=will_be_Migrated.
2013-01-20 10:57:07 MICROSOFT\Richard added.
2013-01-20 10:57:07 MICROSOFT\Ed added.
2013-01-20 10:57:08 CONTOSO\but added.
2013-01-20 10:57:08 Operation completed.
[Schema Section]
The following properties for group objects are not defined in the target forest schema.
msDS-AzBizRule
msDS-AzBizRuleLanguage
msDS-AzLastImportedBizRulePath
msDS-AzApplicationData
msDS-PrincipalName
msDS-RevealedDSAs
msDS-KrbTgtLinkBl
msDS-IsFullReplicaFor
msDS-IsDomainFor
msDS-IsPartialReplicaFor
msDS-PhoneticDisplayName
msDS-AzObjectGuid
msDS-AzGenericData
msDS-AuthenticatedToAccountlist
msDS-NC-RO-Replica-Locations-BL
msDS-RevealedListBL
msDS-PSOApplied
msDS-NcType
If you check the entire the log you will get all information about the migration.
Now have a look the Microsoft.com domain where we have migrated the group.
Bingo!!! But, Ed & Richard is there into that Domain local group.
___________________________________________________________________________________________________________________
Using Group Nesting Strategy - AD Best Practices for Group Strategy
Users will be present in trusted domain & trusting domain as well because Inter forest migration is the copy paste operation not the cut paste. Cut paste operataiton is Intra forest migration.
How to Disable SID Filtering
Contoso.com is the trusting domain & GS is the trusted domain.
Enabling the sidhistory for Forset trust
Netdom trust contoso.com /domain:gs.com /enableSIDhistory:yes
Enabling the sidhistory for External trust
Netdom trust contoso.com /domain:gs.com /quarantine:No
__________________________________________________________________________________________________________________
1.ADMT not fixing user group membership