Error Verifying Auditing and TcpipClientSupport on Domains When Using ADMT to Migrate SIDs

By Ed Bratter
Posted in Infrastructure
On June 05, 2012

If you are using the Active Directory Migration Tool (ADMT) to migrate the SID History of objects between forests, you may receive the following error if you have not configured everything according to the ADMT documentation:

Could not verify auditing and TcpipClientSupport on Domains. Will not be able to migrate the SIDs. Access is denied.

Microsoft has published a KB article to remedy the issue: ADMT: "Could Not Verify Auditing and TcpipClientSupport on Domains" Error Message When You Try to Migrate User Accounts.

The KB article makes two suggestions for fixes, but they did not resolve the problem for me. Adding the following steps to the suggestions from this article resolved my issue:

  • Make sure the AD account that you are running the tool under (presumably in the target forest) is a member of the source forest's Built-in Administrators account.
  • Confirm that you have enabled TCP/IP client support on the source domain primary domain controller (PDC) emulator. To do so, add the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA --> TcpipClientSupport, data type REG_DWORD, setting to 1.

Ed Bratter

Ed Bratter

Ed has over 15 years’ experience in the IT industry as a Systems Consultant, Systems Engineer, and Technology Specialist. He architects, designs, and manages Active Directory, Exchange, Citrix, VMware, and RSA SecurID solutions for Gotham’s clients, and provides technical expertise for Active Directory, Exchange, and Citrix.