I’m currently in the middle of an Active Directory Forest consolidation project. Basically a customer with three separate Active Directory Forests is merging them into a single Active Directory Domain.
We enabled auditing on the domain controllers according to the ADMT guide; this is necessary to allow SID history migration. However, every time we ran the ADMT tool we would receive an error stating that auditing was not enabled and asking us if we would like to enable it.
After clicking Yes, two things would happen:
1. The user migration would fail to migrate with SID history.
2. The auditing in the Default Domain Controller GPO would revert to Un-configured.
After a lot of digging around, we finally found the solution.
Open the GPO, navigate to the Advanced Audit Policy settings, and set all the options under Account Management to Success and Failure, and under DS Access to Success.
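One way to confirm that a domain controller is actually applying these values after the GPO refreshes, as an added example that is not part of the original post: the function below parses the CSV report from `auditpol /get /r` and flags any subcategory that falls short of the settings above. The function name `Test-AdmtAuditPolicy`, the host name `DC01` and the sample rows are constructed for illustration, and the column names assume an English-language system.

```powershell
# Added example: compare effective audit settings with the values this post sets.
# Required outcomes per category, taken from the post.
$required = @{
    'Account Management' = @('Success', 'Failure')
    'DS Access'          = @('Success')
}

function Test-AdmtAuditPolicy {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Category,
        [string[]] $CsvLines      # output of: auditpol /get "/category:<name>" /r
    )
    # auditpol can emit blank lines around the CSV; drop them before parsing.
    $rows = $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($row in $rows) {
        $setting = $row.'Inclusion Setting'
        # "Success and Failure" contains both words; "No Auditing" contains neither.
        $missing = $required[$Category] | Where-Object { $setting -notmatch $_ }
        [pscustomobject]@{
            Category    = $Category
            Subcategory = $row.Subcategory
            Setting     = $setting
            Compliant   = -not $missing
        }
    }
}

# Constructed sample in the CSV layout of "auditpol /get /r"; GUIDs are placeholders.
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'DC01,System,User Account Management,{GUID-PLACEHOLDER},Success and Failure,'
    'DC01,System,Security Group Management,{GUID-PLACEHOLDER},Success,'
)
# The second row is reported as non-compliant because Failure auditing is missing.
Test-AdmtAuditPolicy -Category 'Account Management' -CsvLines $sample |
    Format-Table -AutoSize

# On a domain controller, from an elevated prompt, check the live effective policy:
# foreach ($c in $required.Keys) {
#     Test-AdmtAuditPolicy -Category $c -CsvLines (auditpol /get "/category:$c" /r)
# }
```

Because `auditpol` reports the effective policy rather than what the GPO editor displays, running the commented loop after `gpupdate /force` shows whether the settings have reached the domain controller.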