ADMT 3.2 seems to set the audit directory access value to no auditing

I'm preparing an interforest ADMT migration from Windows 2003 to Windows 2008 R2.

I've set up the ADMT server settings according to the ADMT setup guide.

Audit settings: Audit account management: Success and Failure; Audit directory access: Success

When I run an ADMT migration and select "enable SID history", I get a popup:

Auditing is currently not enabled on the target domain. Would you like to enable auditing? If not, SID migration will be disabled.
Yes / No / Cancel

April 21st, 2011 2:35pm

Did you verify the Auditing settings after seeing this message?  Also, make sure the ADMT service account has proper permission in both source and target domains. 

April 21st, 2011 3:33pm

Hi Santhosh,

I'm sorry for the delay in my response, but I've been out of town for a week.

The ADMT service account has the appropriate rights in both source and target domain. But I don't see what this has to do with the popup I receive every time I run the ADMT wizard.

When I acknowledge the pop-up question, it changes my audit policy to "No auditing"???? Thereafter the SIDHistory migration works. With the next run of ADMT, it asks the question again. When I answer No to the popup question, SIDHistory migration fails.

Any idea what is happening?

thnx

 

Frederik

April 28th, 2011 8:44am

Did you try to enable auditing manually?  Make sure to run GPUPDATE /Force command on DCs to get the updated policy. 

April 28th, 2011 6:50pm

I put the auditing policy in my Default Domain Controller Policy. After gpupdate /force the policy is applied to the DCs; I can see it in the RSoP.

When I thereafter execute an ADMT migration with SID history, I get the popup window. I have to click Yes to be able to migrate with SID history. After clicking Yes, the Default Domain Controller Policy is changed back to "No auditing".

Hope this clarifies the issue I'm facing.

April 28th, 2011 7:31pm

I am having the same issue. Any updates please?

June 7th, 2011 5:23pm

Update August 2010:

I was able to resolve this finally by going to advanced auditing policies and enabling auditing for all the options under account management. I don't know the exact place right now, but if someone has an issue, let me know and I can get the exact GP path.

***************************************************************************************************

OK, even though I should not have to do it, I was able to resolve this by changing the following group policy:

Default Domain Controller Policy/Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options

Network Access: Let Everyone permissions apply to anonymous

Changed this setting to enabled and the SID migration is working.

It still is prompting me to enable the auditing though. And I select YES. It looks to me that it almost looks at the local security policy as opposed to "Default Domain Controller Policy". Because in the local security policy, the setting for "Audit Account Management" was set to NOT DEFINED and after I click yes, this setting was changed to "SUCCESS AND FAILURE".

I don't know how these two are related but this is what got us going.

It is prompting me to enable the auditing every time and after I select YES, it works. Hopefully there is a fix/update on this soon.

Hope this helps.

June 7th, 2011 7:49pm

As your target domain is 2008 R2, you may try to set auditing in the following way:

Default Domain Controller Policy/Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/Account Management

July 18th, 2011 12:59pm

Hi,

I was hitting this issue also and found the following:


If you look in C:\Windows\security\logs\winlogon.log, you can see the message 'Legacy audit settings are disabled. Skipped configuration of legacy audit settings' when it would be bringing down the audit settings. The skipping of legacy policies applying is controlled by the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings." setting (for me it is currently set to enabled in the default domain controller policy, Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - Security Options).

There are three ways we should be able to work around this:

1. Set the group policy setting to disabled to enable legacy audit settings.

2. Disable in the registry - This way we should be able to limit the change only to the domain controller we are using for ADMT - however, I have tested this in my lab and it did not seem to resolve the issue as it still disabled legacy settings.

3. Increase the auditing in the sub-categories to make the change on the root category. Basically it appears that unless all options in a sub-category are configured, the root category will not be configured, so by setting all of the options in a sub-category we should get the result we want. The settings that would have to be configured are:

Computer Configuration - Policies - Windows Settings - Security Settings - Advanced Audit Policy Configuration - Audit policies - Account Management - Set all to Success and Failure

Computer Configuration - Policies - Windows Settings - Security Settings - Advanced Audit Policy Configuration - Audit policies - DS Access - Set all to Success

By setting all of these advanced policies to the same setting, it seems to set the main category to the same setting.

This resolved the issue for me, but let me know how you go.

Cheers

Heath

 

  • Proposed as answer by slavatem Tuesday, March 19, 2013 5:00 AM
August 22nd, 2011 4:20am
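
A way to confirm that workaround 3 above has actually reached the target DC, as an added example that is not from any poster in this thread: it reads the CSV report produced by `auditpol /get /category:"..." /r` and lists every subcategory still below the level the workaround asks for. The function name `Get-AuditGap`, the English-language setting strings, and the sample rows are assumptions or constructed; treating "Success and Failure" as satisfying a "Success" requirement is also an assumption.

```powershell
# Added example (not from the thread). Assumes English-language auditpol output.
# Required settings per category, as listed in workaround 3.
$Required = @{
    'Account Management' = @('Success', 'Failure')
    'DS Access'          = @('Success')
}

function Get-AuditGap {
    # Returns the subcategories in $CsvLines that lack a flag required for $Category.
    param(
        [Parameter(Mandatory)][string]$Category,
        [Parameter(Mandatory)][string[]]$CsvLines
    )
    # auditpol /r may emit blank lines; drop them before parsing the CSV
    $rows = $CsvLines | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    foreach ($row in $rows) {
        # "Success and Failure" -> Success, Failure; "No Auditing" matches nothing
        $have = @($row.'Inclusion Setting' -split ' and ' | ForEach-Object { $_.Trim() })
        $missing = @($Required[$Category] | Where-Object { $have -notcontains $_ })
        if ($missing.Count -gt 0) {
            [pscustomobject]@{
                Category    = $Category
                Subcategory = $row.Subcategory
                Current     = $row.'Inclusion Setting'
                Missing     = $missing -join ', '
            }
        }
    }
}

# Constructed sample in the format of: auditpol /get /category:"DS Access" /r
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'DC01,System,Directory Service Access,{constructed},Success,'
    'DC01,System,Directory Service Changes,{constructed},No Auditing,'
    'DC01,System,Directory Service Replication,{constructed},Success and Failure,'
    'DC01,System,Detailed Directory Service Replication,{constructed},Failure,'
)
# Reports "Directory Service Changes" and "Detailed Directory Service Replication"
Get-AuditGap -Category 'DS Access' -CsvLines $sample | Format-Table -AutoSize

# Live check on the target DC (elevated prompt):
# foreach ($c in $Required.Keys) {
#     Get-AuditGap -Category $c -CsvLines (auditpol /get /category:"$c" /r)
# }
# Subcategory override state; 1 means legacy category settings are skipped:
# (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').SCENoApplyLegacyAuditPolicy
```

An empty result for both categories means every subcategory is at the level the workaround describes, which is the state in which the posters report ADMT no longer prompting.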

3. Increase the auditing in the sub-categories to make the change on the root category. Basically it appears that unless all options in a sub-category are configured, the root category will not be configured, so by setting all of the options in a sub-category we should get the result we want. The settings that would have to be configured are:

Computer Configuration - Policies - Windows Settings - Security Settings - Advanced Audit Policy Configuration - Audit policies - Account Management - Set all to Success and Failure

Computer Configuration - Policies - Windows Settings - Security Settings - Advanced Audit Policy Configuration - Audit policies - DS Access - Set all to Success


Option 3 resolved the issue for me, we are migrating to a new Windows 2008 R2 domain and had this issue.  It seemed like if you ran through the user migration wizard fast and didn't have too many users it would succeed. But if the migration took too long (too many users at once or waited too long after saying 'yes' to enable auditing) the GPOs would kick in and the migration would fail.  After changing the settings above it never asks to enable auditing.  Thanks.

February 10th, 2012 3:44pm

After changing the settings above it never asks to enable auditing.  Thanks.

No problems at all, glad I could help :)
February 22nd, 2012 5:14am

Thanks! Your steps helped me resolve this.

Reg,

July 30th, 2015 2:54am
