ADMT: Audit Account Management for SIDhistory Migration

Tuesday, May 25, 2010

Another requirement for ADMT to start migrating SIDhistory is the “Audit Account Management” setting on the domain controllers of both the source and target domains. It should be set to audit both success and failure. When the domain still has Windows 2003 domain controllers, this is as easy as configuring the following setting in the Domain Controllers GPO:


However, when dealing with Windows 2008 (or 2008 R2) domain controllers, the new fine-grained (subcategory) auditing settings come into play, and setting the above may have no effect. Notice how the setting below is managed by GPO, yet the effective setting reads “No auditing”:


The reason for this is the policy “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” (wow, what a setting), which is enabled.


When this setting is active, the audit configuration has to be managed through auditpol.exe (a built-in command-line utility). Use “auditpol /get /category:*” to list the current settings, or “auditpol /set /category:"Account Management" /success:enable /failure:enable” to enable both success and failure auditing for the category. In the end the Account Management category should look like:


Remember: the auditpol commands have to be executed on each domain controller! If you have the MS Enterprise Client (EC) model implemented, as referenced in my previous blog entry, you will have to edit the template auditing-settings files in the sysvol folder that come with the EC accelerator.
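Since the auditpol settings are per domain controller, here is an added PowerShell example (not part of the original post) that checks the effective Account Management auditing on every DC in the domain and, with -Fix, applies the auditpol /set command from above. It assumes the ActiveDirectory module, WinRM access to the DCs, and that auditpol’s /r CSV output is available (Windows 2008 and later).

```powershell
# Added example: verify (and optionally set) "Audit Account Management" on all DCs.
# Assumptions: ActiveDirectory module installed, WinRM allowed to each DC, and the
# caller may read/write audit policy there (e.g. Domain Admins).
param(
    [string]$Domain = (Get-ADDomain).DNSRoot,
    [switch]$Fix
)

# Every domain controller in the domain, by host name.
$dcs = Get-ADDomainController -Filter * -Server $Domain |
       Select-Object -ExpandProperty HostName

if ($Fix) {
    # Same command as in the post, run once per DC instead of by hand.
    Invoke-Command -ComputerName $dcs -ScriptBlock {
        auditpol /set /category:"Account Management" /success:enable /failure:enable | Out-Null
    }
}

# /r makes auditpol emit CSV with the columns:
# Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
# The "Inclusion Setting" column is the effective value, regardless of whether it
# came from the legacy category GPO setting or from subcategory (auditpol) settings.
$rows = Invoke-Command -ComputerName $dcs -ScriptBlock {
    auditpol /get /category:"Account Management" /r |
        Where-Object { $_ -match '\S' } |   # drop blank lines auditpol may print
        ConvertFrom-Csv
}

# One line per DC and subcategory; AdmtReady is true only for "Success and Failure".
$report = foreach ($row in $rows) {
    [pscustomobject]@{
        DC          = $row.'Machine Name'
        Subcategory = $row.Subcategory
        Setting     = $row.'Inclusion Setting'
        AdmtReady   = ($row.'Inclusion Setting' -eq 'Success and Failure')
    }
}

$report | Sort-Object DC, Subcategory | Format-Table -AutoSize

# Summarise which DCs still need attention before starting the SIDhistory migration.
$notReady = $report | Where-Object { -not $_.AdmtReady } |
            Select-Object -ExpandProperty DC -Unique
if ($notReady) { Write-Warning ("DCs not fully audited: " + ($notReady -join ', ')) }
else           { Write-Host "All domain controllers audit Account Management for success and failure." }
```

Run it once against the source domain and once against the target domain (-Domain), and re-run after -Fix to confirm the change took effect on every DC.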

A nice place to start when considering ADMT is the ADMT v3.1 Guide: Migrating and Restructuring Active Directory Domains. The above requirement comes from that guide.

