Error Messages When Using the ClonePrincipal Tool to Migrate User Accounts (283833)
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
This article was previously published under Q283833
SYMPTOMS
You may receive an error message when you attempt to migrate user accounts by using the Windows 2000 ClonePrincipal support tool and any of the sample batch files: Sidhist.vbs, Clonepr.vbs, Cloneggu.vbs, Clonegg.vbs, or Clonelg.vbs.
The error messages vary depending on the account migration path.
When you attempt a Microsoft Windows NT to Windows 2000 migration, you may receive the following error message:
Windows Scripting Host Error: 0x80072035
Error Description: Failed to add the source SID to the destination object's SID history. The error was: "The server is unwilling to process the request."
Error Source :DSUtils.ClonePrincipal.1
ADsError Description: "The server is unwilling to process the request."
When you attempt a Windows 2000 to Windows 2000 migration, you may receive the following error message:
Windows Scripting Host Error: 0x8007215B
Error Description: Failed to add the source SID to the destination object's SID history. The error was: "The source object's SID already exists in destination forest."
Error Source :DSUtils.ClonePrincipal.1
ADsError Description: "The source object's SID already exists in destination forest."
CAUSE
This issue can occur if the built-in account names in the source domain do not match the built-in account names in the destination domain. This behavior can occur if the built-in Administrator account was renamed in one of the domains. This issue also occurs if the built-in groups are named differently between the source and destination domains. When account names in the source domain and the destination domain are different, the ClonePrincipal tool attempts to create a duplicate security ID (SID), and the error messages occur.
This error may also occur when you are running the ClonePrincipal script for a user account that was previously imported, and then moved to a different organizational unit in Active Directory.
SIDhistory data is applied after the account is created, so the duplicate account is present even after the ClonePrincipal tool generates the errors and the migration is unsuccessful.
RESOLUTION
To resolve this issue, follow these steps:
- Delete the duplicate user name that was created when the error was generated.
- Rename the account in either the source domain or the destination domain so that the built-in account name (or built-in group name) is the same for both the source and destination domains. It is recommended that you give the accounts the default name, for example, "Administrator."
- The built-in account may be safely renamed after the ClonePrincipal tool has applied the SIDhistory data to the built-in accounts.
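A pre-migration check for the name mismatch described under CAUSE, as an added example that is not part of the original article or of the ClonePrincipal tool: it compares the names attached to well-known built-in RIDs in two account exports. The "name,SID" export format, the function names and the sample data are assumptions constructed for illustration, and only the well-known domain RIDs 500 to 514 are covered.

```python
# Added example: flag built-in accounts whose names differ between domains.
# Input format ("name,SID" per line) is an assumption; sample data is constructed.

# Well-known domain RIDs and their default names.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests"}

def parse_export(text):
    """Return {rid: name} for well-known accounts found in a 'name,SID' export."""
    accounts = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the last comma so names containing commas survive.
        name, sid = (field.strip() for field in line.rsplit(",", 1))
        parts = sid.split("-")
        # Domain account SIDs have the form S-1-5-21-a-b-c-RID.
        if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"] and parts[-1].isdigit():
            rid = int(parts[-1])
            if rid in WELL_KNOWN_RIDS:
                accounts[rid] = name
    return accounts

def find_mismatches(source_text, dest_text):
    """Return (rid, default_name, source_name, dest_name) for each differing name."""
    src, dst = parse_export(source_text), parse_export(dest_text)
    return [(rid, WELL_KNOWN_RIDS[rid], src[rid], dst[rid])
            for rid in sorted(src.keys() & dst.keys())
            if src[rid].lower() != dst[rid].lower()]  # account names ignore case

# Constructed sample exports: the source domain has a renamed Administrator.
SOURCE_EXPORT = """
SrvAdmin,S-1-5-21-1111111111-2222222222-3333333333-500
Guest,S-1-5-21-1111111111-2222222222-3333333333-501
Domain Admins,S-1-5-21-1111111111-2222222222-3333333333-512
jdoe,S-1-5-21-1111111111-2222222222-3333333333-1105
"""
DEST_EXPORT = """
Administrator,S-1-5-21-4444444444-5555555555-6666666666-500
guest,S-1-5-21-4444444444-5555555555-6666666666-501
Domain Admins,S-1-5-21-4444444444-5555555555-6666666666-512
"""

if __name__ == "__main__":
    for rid, default, s_name, d_name in find_mismatches(SOURCE_EXPORT, DEST_EXPORT):
        print(f"RID {rid} ({default}): source '{s_name}' vs destination '{d_name}'")
```

Any row it reports is an account to rename to a common name before running the ClonePrincipal scripts.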
Modification Type: Minor
Last Reviewed: 1/27/2006
Keywords: kberrmsg kbprb KB283833