ADMT - sIDHistory - Could not verify auditing and TcpipClientSupport on domains. Will not be able to migrate Sid's. Access is denied

Published on 05 Feb 2025

Bastien Perez

The problem

When you migrate sIDHistory with ADMT, you may encounter the following error:

Could not verify auditing and TcpipClientSupport on domains. Will not be able to migrate Sid's. Access is denied

The myth of the TcpipClientSupport key for sIDHistory migration

Seeing this message, it's easy to believe that the issue comes from TcpipClientSupport. An online search will lead you to numerous articles recommending adding this registry key on the domain controller holding the PDC role.
However, this key has been obsolete since Windows Server 2003 (and you're probably not migrating from or to Windows Server 2000 anymore, right? 😀).
The ADMT documentation is clear on this:

If you are migrating from a domain with domain controllers that run Windows Server 2003 or later to another domain with domain controllers that run Windows Server 2003 or later, the TcpipClientSupport registry entry does not have to be modified.

Source: admtv32migguid.doc

Fix the problem

As explained above, the TcpipClientSupport key is not the cause: on Windows Server 2003 or later it is simply useless.

Possible causes of the sIDHistory migration issue may include:

  • The service account used by ADMT does not have the necessary rights on the source domain.
  • The service account lacks the required permissions on the target domain.
  • Logging is not enabled, making diagnosis more difficult.
  • The SOURCE$$$ group has not been created in the source domain (replace SOURCE with the NetBIOS name of your source domain). This group must be empty.
  • The Audit Directory Service Access and Audit Account Management audit policies have not been set to Success and Failure.
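
The script below is an added example, not part of the original post or of ADMT: a read-only preflight for two of the causes listed above (the SOURCE$$$ group and the audit settings). It assumes the RSAT ActiveDirectory module, an English-language OS (auditpol output is localized) and that it is run elevated on a domain controller of the domain being checked; the parameter names are hypothetical.

```powershell
# Added example: read-only checks, nothing is created or modified.
param(
    [Parameter(Mandatory)][string]$SourceNetBIOS,  # NetBIOS name of the source domain
    [Parameter(Mandatory)][string]$SourceDC        # a source domain controller to query
)
Import-Module ActiveDirectory

# Cause: the SOURCE$$$ group is missing from the source domain, or is not empty.
$groupName = '{0}$$$' -f $SourceNetBIOS
# An LDAP filter is used because '$' needs no escaping there.
$group = Get-ADGroup -LDAPFilter "(sAMAccountName=$groupName)" `
                     -Server $SourceDC -Properties member
if (-not $group) {
    Write-Warning "Group $groupName was not found in the source domain."
} elseif (@($group.member).Count -gt 0) {
    Write-Warning "Group $groupName has $(@($group.member).Count) member(s); it must be empty."
} else {
    Write-Output "OK: $groupName exists and is empty."
}

# Cause: Account Management / Directory Service Access auditing is not set to
# Success and Failure. 'auditpol /r' prints CSV; the 'Inclusion Setting' column
# holds the effective value of each subcategory on the local machine.
foreach ($category in 'Account Management', 'DS Access') {
    $rows = auditpol /get "/category:$category" /r |
        Where-Object { $_ } |          # drop the blank lines auditpol emits
        ConvertFrom-Csv
    if (-not $rows) {
        Write-Warning "No audit data returned for '$category' (not elevated?)."
        continue
    }
    # Assumption: any subcategory below Success and Failure is worth reviewing.
    $weak = $rows | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }
    if ($weak) {
        foreach ($row in $weak) {
            Write-Warning "$category / $($row.Subcategory): $($row.'Inclusion Setting')"
        }
    } else {
        Write-Output "OK: every '$category' subcategory is Success and Failure."
    }
}
```

Warnings point at the item to fix in the list above; the service account rights on the source and target domains and the ADMT logging still have to be checked separately.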
