If you are using the Active Directory Migration Tool (ADMT) to migrate the SID History of objects between forests, you may receive the following error if you have not configured everything according to the ADMT documentation:
Could not verify auditing and TcpipClientSupport on Domains. Will not be able to migrate the SIDs. Access is denied.
Microsoft has published a KB article to remedy the issue: ADMT: "Could Not Verify Auditing and TcpipClientSupport on Domains" Error Message When You Try to Migrate User Accounts.
The KB article makes two suggestions for fixes, but they did not resolve the problem for me. Adding the following steps to the suggestions from this article resolved my issue:
- Make sure the AD account that you are running the tool under (presumably in the target forest) is a member of the source forest's Built-in Administrators account.
- Confirm that you have enabled TCP/IP client support on the source domain primary domain controller (PDC) emulator. To do so, add the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA --> TcpipClientSupport, data type REG_DWORD, setting to 1.