LDIFDE Does Not Import Users from Trusted Domains (279259)
The information in this article applies to:
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Advanced Server SP1
This article was previously published under Q279259
SUMMARY
When you use the LDIFDE utility (Ldifde.exe) to export and import users or groups for Windows 2000-based domains, users from trusted domains do not get added back to the Windows 2000 domain groups. When you run the import command using the Verbose mode, you may receive the following message, and LDIFDE may skip the object:
The object does not exist.
MORE INFORMATION
Any users that are from trusted domains are automatically added to the Foreign Security Principals (FSP) container. This container holds the user SecurityID and the user logon name (for example Joeuser). When the LDIFDE tool is used to export the groups and their members, the users from the trusted domain are exported in the following manner:
member: CN=S-1-5-21-1656841636-584466940-1124750213-1006,CN=ForeignSecurityPrincipals,DC=sales,DC=mycorp,DC=com
However, a user in the domain is exported in the following manner:
member: CN=w2k user4,CN=Users,DC=sales,DC=mycorp,DC=com
When LDIFDE attempts to reimport the users back into the group, the object that it refers to does not exist in that container, and the operation is not successful. For LDIFDE to successfully import this object into the group, the object must already exist in the FSP container.
To resolve this issue, export all the objects in the FSP container so that they can be added back to the container before the users and groups.
LDIFDE exports this information but is not able to import it because you cannot add objects directly to the FSP container. LDIFDE then stops, and the following error message is displayed:
Unwilling to Perform. The server side error is: illegal modify operation.
Some aspect of the modification is not supported
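The following Python script is an added example, not part of the original article or of any Microsoft tool. It scans an LDIFDE export before import and reports every group member value that points into the ForeignSecurityPrincipals container, which is the condition that produces the errors above. The group name, the sample text and the function names are constructed for illustration.

```python
import base64
import re

# Constructed sample built from the two member lines shown in the article.
# The group DN is hypothetical; the second member line is folded the way
# LDIF folds long values (continuation line starts with one space).
SAMPLE_LDIF = "\n".join([
    "dn: CN=Sales Staff,CN=Users,DC=sales,DC=mycorp,DC=com",
    "changetype: add",
    "objectClass: group",
    "member: CN=w2k user4,CN=Users,DC=sales,DC=mycorp,DC=com",
    "member: CN=S-1-5-21-1656841636-584466940-1124750213-1006,CN=ForeignSecurityPrincipa",
    " ls,DC=sales,DC=mycorp,DC=com",
    "",
])

# A foreign security principal is named by its SID inside the FSP container.
FSP_DN = re.compile(r"^CN=(S-1-[\d-]+),CN=ForeignSecurityPrincipals,", re.IGNORECASE)

def unfold(text):
    """Join LDIF continuation lines (a line starting with a single space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_value(rest):
    """Decode the text after 'attr:'; a second ':' marks a base64 value."""
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.strip()

def foreign_members(text):
    """Return (group_dn, sid) for each member value that lives in the FSP container."""
    hits, dn = [], None
    for line in unfold(text):
        attr, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue  # blank line, comment, or not an attribute line
        value = parse_value(rest)
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "member" and (m := FSP_DN.match(value)):
            hits.append((dn, m.group(1)))
    return hits

if __name__ == "__main__":
    for group, sid in foreign_members(SAMPLE_LDIF):
        print(f"{group}: member {sid} is a foreign security principal")
```

Any entry this check reports depends on an object in the FSP container of the target domain, so those memberships are the ones LDIFDE skips with "The object does not exist."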
NOTE: This behavior only occurs if the domain has been rebuilt. If you export the users or groups, delete their accounts from the domain, and then do not rebuild the domain, you are able to import trusted accounts.
For additional information about the LDIFDE utility, click the article number below to view the article in the Microsoft Knowledge Base:
237677 Using LDIFDE to Import/Export Directory Objects to Active Directory
Modification Type: Minor
Last Reviewed: 1/26/2006
Keywords: kbenv kbinfo KB279259