ClonePrincipal and ADMT Require Uplevel Trust to Migrate Objects Between Windows 2000 Domains (256250)
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
This article was previously published under Q256250
SYMPTOMS
After you upgrade a Microsoft Windows NT Server 4.0 domain to Windows 2000, ClonePrincipal and ADMT successfully migrate security principals such as users, groups, and computers. However, neither ClonePrincipal nor ADMT adds the SIDHistory of the migrated objects in the destination domain, even though the following configuration requirements are met:
- Auditing is enabled
- $$$ group is created
- Administration membership is correct
- Functional trust relationship
- Destination domain is set to native mode
- TcpipClientConfig registry entry is defined
ClonePrincipal displays the following information during script execution:
c:\cloneprin>cscript clonepr.vbs /srcdc:SRCDOMPDC /srcdom:SRCDOMPDC /srcsam:JDOE
/dstdc:DESTDOMPDC /dstdom:DESTDOM /dstSam:JDOE
/dstDN:cn=JDOE,CN=Users,dc=DESTDOM,dc=COM
Microsoft (R) Windows Script Host Version 5.1 for Windows
Copyright (C) Microsoft Corporation 1996-1999. All rights reserved.
Connected to source and destination domain controllers
Bound to source User JDOE
Destination object JDOE not found (by SAM name) path used: WinNT://DESTDOM/DESTDOMPDC/JDOE
Destination DN found
Setting properties for target user JDOE
Downlevel properties set.
Fixing group memberships for user cn=JDOE
Found global group WinNT://SRCDOM/SRCDOMPDC/Domain Users
Skipping WinNT://SRCDOM/SRCDOMPDC/Domain Users -- not cloned yet
User's Group memberships restored.
User changes committed.
Adding SID for source User JDOE to SID history of target user cn=JDOE
Error 0x80072029 occurred.
Error Description: Failed to add the source SID to the destination object's SID history. The error was: "Inappropriate authentication. "
Error Source : DSUtils.ClonePrincipal.1
ADsError Description:
Inappropriate authentication.
The ADMT migration log displays the following information:
2000-03-08 18:05:32-
2000-03-08 18:05:32-Active Directory Migration Tool, Starting...
2000-03-08 18:05:32-Starting Account Replicator.
2000-03-08 18:05:32-Account Migration M1 A CopyUsers:Yes CopyGlobalGroups:No CopyLocalGroups:No CopyComputers:No ReplaceExisting:Yes
2000-03-08 18:05:33-CN=jdoe - Created
2000-03-08 18:05:33-E20655: Failed to add sid history for jdoe to jdoe. RC=8233
2000-03-08 18:05:40- - Set password for jdoe.
2000-03-08 18:05:40-Operation completed.
For both ClonePrincipal and ADMT, the Directory Service event log on the primary domain controller (PDC) emulator of the destination domain logs the following error message:
Event ID: 1540
Category: Directory Access
Description: Error 8233, DSID 11a0aa7, adding SID to object ?.
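The three symptoms above are one Win32 error: ADMT's RC=8233 is decimal for 0x2029, which ClonePrincipal surfaces wrapped as the HRESULT 0x80072029 and the Directory Service event 1540 reports as Error 8233 (ERROR_DS_INAPPROPRIATE_AUTH in winerror.h). The Python triage script below is an added example, not part of this article or of ADMT or ClonePrincipal; it scans a constructed copy of the log lines above, normalises both error encodings to the Win32 code, and reports whether the downlevel-trust signature is present. The regular expressions and function names are my own and assume the log formats exactly as printed in this article.

```python
import re

# Win32 error 8233 (0x2029, ERROR_DS_INAPPROPRIATE_AUTH). ADMT logs it as RC=8233,
# ClonePrincipal wraps it in HRESULT 0x80072029, and DS event 1540 says "Error 8233".
ERROR_DS_INAPPROPRIATE_AUTH = 8233

# Hypothetical patterns written for the three log formats shown in the article.
ADMT_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}-E\d+: Failed to add sid history "
                     r"for (?P<src>\S+) to (?P<dst>\S+)\. RC=(?P<rc>\d+)")
CLONEPR_TARGET_RE = re.compile(r"^Adding SID for source \w+ (?P<src>\S+) to SID history "
                               r"of target \w+ (?P<dst>\S+)")
CLONEPR_ERROR_RE = re.compile(r"^Error 0x(?P<hr>[0-9A-Fa-f]{8}) occurred\.")
EVENT_RE = re.compile(r"^Description: Error (?P<rc>\d+), DSID \w+, adding SID to object")

# Constructed sample mixing the ADMT log, ClonePrincipal output and event text above.
SAMPLE_LOG = """\
2000-03-08 18:05:33-CN=jdoe - Created
2000-03-08 18:05:33-E20655: Failed to add sid history for jdoe to jdoe. RC=8233
2000-03-08 18:05:40- - Set password for jdoe.
Adding SID for source User JDOE to SID history of target user cn=JDOE
Error 0x80072029 occurred.
Description: Error 8233, DSID 11a0aa7, adding SID to object ?.
""".splitlines()

def win32_from_hresult(hr):
    """Unwrap HRESULT_FROM_WIN32 (severity bit set, facility 7); None otherwise."""
    if hr & 0x80000000 and (hr >> 16) & 0x7FF == 7:
        return hr & 0xFFFF
    return None

def find_sidhistory_failures(lines):
    """Return one dict per failed SIDHistory add, with the Win32 code normalised."""
    failures, pending = [], None  # pending = last ClonePrincipal "Adding SID" target
    for line in (raw.strip() for raw in lines):
        if m := ADMT_RE.match(line):
            failures.append({"tool": "ADMT", "src": m["src"], "dst": m["dst"], "rc": int(m["rc"])})
        elif m := CLONEPR_TARGET_RE.match(line):
            pending = (m["src"], m["dst"])
        elif (m := CLONEPR_ERROR_RE.match(line)) and pending:
            failures.append({"tool": "ClonePrincipal", "src": pending[0], "dst": pending[1],
                             "rc": win32_from_hresult(int(m["hr"], 16))})
            pending = None
        elif m := EVENT_RE.match(line):
            failures.append({"tool": "DS event 1540", "src": None, "dst": None, "rc": int(m["rc"])})
    return failures

def needs_trust_rebuild(failures):
    """True when any failure carries the downlevel-trust signature from this article."""
    return any(f["rc"] == ERROR_DS_INAPPROPRIATE_AUTH for f in failures)
```

Running find_sidhistory_failures over a real ADMT log before a bulk migration tells you whether the failures are all this one trust problem or something else that the trust rebuild in the RESOLUTION section will not fix.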
CAUSE
This issue occurs because the inbound trust relationship on the source Windows NT Server 4.0 domain is a downlevel trust: trust relationships between Windows NT Server 4.0 domains are not upgraded to Windows 2000 uplevel trusts when you upgrade the domain to Windows 2000. The destination domain performs a version check to determine whether the source domain is running Windows 2000 so that the Lightweight Directory Access Protocol (LDAP) session can be signed or encrypted. However, the secure LDAP bind between the source and destination domains cannot occur over a downlevel trust, which causes the "Inappropriate Authentication" error message.
RESOLUTION
To resolve this issue, delete and then rebuild the trust relationship by using either one of the following tools:
- The Active Directory Domains and Trusts Microsoft Management Console (MMC) snap-in (Domain.msc) tool.
- The Netdom.exe tool.
STATUS
This behavior is by design.
Modification Type: Major
Last Reviewed: 9/22/2003
Keywords: kberrmsg kbmigrate kbprb kbTrusts w2000migrate w2000trusts KB256250