none
roaming user profile migration RRS feed

  • Question

  • I am working on a 2003 -> 2008 inter-forest domain migration.   I have migrated the user accounts and the terminal servers from the 2003 domain to the 2008 domain with one problem.  The roaming user profiles for the terminal servers are mapped via policy to a share on a 2008 file server.  The contents of the share are copies (used robocopy with security) of the profiles from the 2003 domain.   "Everyone" has full control on the share, and members of the "domain users" group in the 2008 domain have "full control" of the files themselves.  When a migrated user in the new domain logs on to the terminal server, a new profile is created in the folder, instead of using the migrated profile.  I did pick the translate roaming user profiles option when I migrated the accounts, but it seems like something still isn't right. Is there a way to verify if the SID/security translation was done correctly?
    Monday, September 22, 2008 8:46 PM

All replies

  • FYI, the terminal servers are 2003.
    Monday, September 22, 2008 8:47 PM
  • FYI, the terminal servers are 2003.
    Monday, September 22, 2008 8:49 PM
  •  

    Hi,

     

    <Is there a way to verify if the SID/security translation was done correctly?>

     

    To verify if SID translation has been done. You can view its ACL. If the permission granted to users on the source domain has been replaced by the corresponding users on destination domain, our migration is successful.

     

    For example, we grand a.com\user1 Read permission on folder01. After migrating, when we view folder01's ACL by right-clicking folder01, choosing properties and security, it should be b.com\user1. (Note:a.com is source domain; b.com is destination domain)

     

    As for this issue, please check if the migrated user has the corresponding permissions on his roaming profile. If not, please explicitly grant the full control permission for the migrated user account.

     

    Tuesday, September 23, 2008 9:39 AM
    Moderator
  • The user accounts are not assigned explicit "Full Control" permissions.  The "Full Control" permissions are assigned to the Domain users group.  In the old 2003 domain the Full Control permissions were only assigned to the "Domain Users" group, and not the individual users.
    Tuesday, September 23, 2008 1:59 PM
  •  

    Hi,

     

    From my experience, the roaming profile migration may occur some problem. Please check if the old domain\domain users has been replaced by new domain\domain users group. If not, it can turn out that the roaming profile migration is not successful. In this case, we should manually configure its permission to explicitly grant migrate users full control rights so that the migrated users can still access their roaming profile.

     

    Wednesday, September 24, 2008 9:33 AM
    Moderator
  •  

    Hi,

     

    From my experience, the roaming profile migration may occur some problem. Please check if the old domain\domain users has been replaced by new domain\domain users group. If not, it can turn out that the roaming profile migration is not successful. In this case, we should manually configure its permission to explicitly grant migrate users full control rights so that the migrated users can still access their roaming profile.

     

    Wednesday, September 24, 2008 9:34 AM
    Moderator
  • Sorry for resuscitating a seemingly dead thread, but this issue is far from resolved.  It was simply delayed.  I tried re-running the user migration wizard with the "translate roaming user profiles option" enabled.  Th log seems to indicate that there is some sort ntuser.dat issue.  In contrary to the seemingly obvious wording of the error message the ntuser.dat file is present and visible to my migration account.  What else can cause this error?

    2008-10-24 15:43:16 ERR3:7438 No NTUser.DAT file for ttestcustomer was found in \\clients.mynewdomain.local\C$\DFSRoots\Users\profiles\ttestcustomer.  The roaming profile cannot be migrated.


    Friday, October 24, 2008 8:05 PM
  • So does anyone at least know of any issues with security Translation and DFS?  Anyone?
    Tuesday, October 28, 2008 6:10 PM
  • Windows Server 2003 and Windows Server 2008 user profiles are not compatible or interoperable, so that is probably at the root of your problem.
    Wednesday, December 10, 2008 2:52 PM
  • Windows 2008 has different folder structure so it will not work, you may have to try below article to migrate profile structure from w2k3 to w2k8.

    http://support.microsoft.com/kb/947025

     

    Monday, December 20, 2010 4:58 PM