According to the TechNet Wiki article "ADMT 3.2: Interforest Migration – Part 3" (microsoft.com), you enable Success and Failure for the policy “Audit account management” in the Default Domain Controllers Policy.
Now you try to migrate users, groups or computers using the ADMT console, and you get this freaking error:
2011-10-25 14:03:23 ERR2:7430 SID History for <account name> cannot be updated because auditing is not enabled on <target domain>. rc=8536.\n This operation requires that auditing be enabled for Success and Failure auditing of account management operations.
2011-10-25 14:03:23 WRN1:7392 SIDHistory could not be updated due to a configuration or permissions problem. The Active Directory Migration Tool will not attempt to migrate the remaining objects.
2011-10-25 14:03:23 Operation Aborted.
You might be wondering: you already enabled auditing in the GPO, so why the HELL are you getting this error?
I believe Microsoft meant to enable auditing in the Default Domain Controllers Policy under Computer Configuration >>> Policies >>> Windows Settings >>> Security Settings >>> Advanced Audit Policy Configuration >>> Account Management, and to enable all auditing policies there.
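To confirm what a target-domain domain controller is actually auditing after the GPO change, the following added example (not from the original post or from Microsoft's article) reads the effective Account Management subcategories with auditpol and flags any that are not set to Success and Failure. It assumes an elevated PowerShell prompt on the DC and an English-language Windows installation.

```powershell
# Added example: check the effective "Account Management" audit policy on a
# target-domain DC. Run elevated. Assumes English-language Windows, because
# auditpol localizes the category name and the setting text.

$required = 'Success and Failure'

# /r makes auditpol emit CSV with the columns:
# Machine Name, Policy Target, Subcategory, Subcategory GUID,
# Inclusion Setting, Exclusion Setting
$raw = auditpol.exe /get /category:"Account Management" /r
if ($LASTEXITCODE -ne 0) {
    throw "auditpol failed with exit code $LASTEXITCODE (is the prompt elevated?)"
}

# Drop blank lines, then parse the CSV into objects.
$rows = $raw | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv

$report = foreach ($row in $rows) {
    [pscustomobject]@{
        Subcategory = $row.Subcategory
        Setting     = $row.'Inclusion Setting'
        Compliant   = ($row.'Inclusion Setting' -eq $required)
    }
}

$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.Compliant })
if ($missing.Count -gt 0) {
    $names = ($missing.Subcategory -join ', ')
    Write-Warning "Not set to '$required': $names"
    # After correcting the GPO, refresh policy on the DC (gpupdate /force)
    # and run this check again before retrying the ADMT wizard.
} else {
    Write-Output "All Account Management subcategories audit $required."
}
```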
Another piece of advice is to use the SAME ACCOUNT for the source and target domains in the ADMT migration wizard. After you have created the TRUST between the domains, make your (or a service) account an administrator in the source domain like this:
- Add your account (or a service account) to a LOCAL security group (I named it ADMT-Admins) in the source domain.
- Add the local security group (ADMT-Admins) to the Administrators built-in group.