
= ClonePrincipal and ADMT Require Uplevel Trust to Migrate Objects Between Windows 2000 Domains =

Article ID: 256250

Article Last Modified on 2/28/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q256250





SYMPTOMS
After you upgrade a Microsoft Windows NT Server 4.0 domain to Windows 2000, ClonePrincipal and ADMT successfully migrate security principals such as users, groups, and computers. However, neither ClonePrincipal nor ADMT adds the SIDHistory of the objects in the destination domain, even though the following configuration requirements are met:
 * Auditing is enabled
 * $$$ group is created
 * Administration membership is correct
 * Functional trust relationship
 * Destination domain is set to native mode
 * TcpipClientConfig registry entry is defined

ClonePrincipal displays the following information during script execution:

 c:\cloneprin>cscript clonepr.vbs /srcdc:SRCDOMPDC /srcdom:SRCDOMPDC /srcsam:JDOE /dstdc:DESTDOMPDC /dstdom:DESTDOM /dstSam:JDOE /dstDN:cn=JDOE,CN=Users,dc=DESTDOM,dc=COM
 Microsoft (R) Windows Script Host Version 5.1 for Windows
 Copyright (C) Microsoft Corporation 1996-1999. All rights reserved.
 
 Connected to source and destination domain controllers
 Bound to source User JDOE
 Destination object JDOE not found (by SAM name) path used:
 WinNT://DESTDOM/DESTDOMPDC/JDOE
 Destination DN found
 Setting properties for target user JDOE
 Downlevel properties set.
 Fixing group memberships for user cn=JDOE
 Found global group WinNT://SRCDOM/SRCDOMPDC/Domain Users
 Skipping WinNT://SRCDOM/SRCDOMPDC/Domain Users -- not cloned yet
 User's Group memberships restored.
 User changes committed.
 Adding SID for source User JDOE to SID history of target user
 cn=JDOE
 Error 0x80072029 occurred.
 Error Description: Failed to add the source SID to the destination object's SID history. The error was: "Inappropriate authentication. "
 Error Source : DSUtils.ClonePrincipal.1
 ADsError Description:
 Inappropriate authentication.

The ADMT migration log displays the following information:

 2000-03-08 18:05:32-
 2000-03-08 18:05:32-Active Directory Migration Tool, Starting...
 2000-03-08 18:05:32-Starting Account Replicator.
 2000-03-08 18:05:32-Account Migration M1 A CopyUsers:Yes CopyGlobalGroups:No CopyLocalGroups:No CopyComputers:No ReplaceExisting:Yes
 2000-03-08 18:05:33-CN=jdoe - Created
 2000-03-08 18:05:33-E20655: Failed to add sid history for jdoe to jdoe. RC=8233
 2000-03-08 18:05:40- - Set password for jdoe.
 2000-03-08 18:05:40-Operation completed.

For both ClonePrincipal and ADMT, the Directory Service event log on the primary domain controller (PDC) emulator of the destination domain logs the following error message:

 Event ID: 1540
 Category: Directory Access
 Description: Error 8233, DSID 11a0aa7, adding SID to object ?.



CAUSE
This issue occurs because the inbound trust relationship on the source Windows NT Server 4.0 domain is a downlevel trust; trust relationships between Windows NT Server 4.0 domains are not upgraded to Windows 2000 uplevel trusts when you upgrade a domain to Windows 2000. The destination domain performs a version check to determine whether the source domain is running Windows 2000 so that the Lightweight Directory Access Protocol (LDAP) session can be signed or encrypted. However, the secure LDAP bind between the source and destination domains cannot occur over a downlevel trust, which causes the "Inappropriate Authentication" error message.



RESOLUTION
To resolve this issue, delete and then rebuild the trust relationship by using either of the following tools:
 * The Active Directory Domains and Trusts Microsoft Management Console (MMC) snap-in (Domain.msc) tool.
 * The Netdom.exe tool.



STATUS
This behavior is by design.



Downlevel Trusts
Downlevel trusts are identified by the following:
 * The "trustType" attribute of the trust object is set to 1 when viewed in an Active Directory editor such as Ldp.exe. In this case, the DN path for the trust object is CN= ,CN=System,DC= ,DC=com.
 * The Active Directory Domains and Trusts MMC snap-in (Domain.msc) displays the trusted domain Srcdom by its NetBIOS name (Srcdom) rather than by its fully qualified domain name (FQDN), Srcdom.com.

Uplevel Trusts
Uplevel trusts are identified by the FQDN of the trusted domain when viewed in the Active Directory Domains and Trusts MMC snap-in, or by the "trustType" attribute set to 2 when viewed by using Ldp.exe or an equivalent Active Directory editing tool. For example, consider two domains with the following attributes:
 * Source domain: SRCDOM
 * Source domain PDC: SRCDOMPDC
 * Destination domain: DESTDOM
 * Destination domain PDC: DESTDOMPDC
 * Cloned account name: JDoe
 * Trust relationship: SRCDOM trusts DESTDOM (one way trust defined in Windows NT Server 4.0)

As seen in the Ldp.exe tool, the downlevel trust has the following attributes:

 Expanding base 'CN=SRCDOM,CN=System,DC=destdom,DC=dom'...
 Result <0>: (null)
 Matched DNs:
 Getting 1 entries:
 >> Dn: CN=SRCDOM,CN=System,DC=destdom,DC=dom
 1> cn: SRCDOM;
 1> flatName: SRCDOM;
 1> distinguishedName: CN=SRCDOM,CN=System,DC=destdom,DC=dom;
 1> objectCategory: CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=destdom,DC=dom;
 1> objectClass: top; leaf; trustedDomain;
 1> name: SRCDOM;
 1> trustAttributes: 16777216;
 1> trustDirection: 1;
 1> trustPartner: SRCDOM;
 1> trustType: 1;

The uplevel trust has the following attributes:

 Expanding base 'CN=srcdom.com,CN=System,DC=dstdom,DC=com'...
 Result <0>: (null)
 Matched DNs:
 Getting 1 entries:
 >> Dn: CN=CN=srcdom.com,CN=System,DC=dstdom,DC=com
 1> cn: srcdom.com;
 1> flatName: srcdom;
 1> distinguishedName: CN=srcdom.com,CN=System,DC=dstdom,DC=com;
 1> objectCategory: CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=dstdom,DC=com;
 3> objectClass: top; leaf; trustedDomain;
 1> name: srcdom.com;
 1> trustAttributes: 0;
 1> trustDirection: 1;
 1> trustPartner: srcdom.com;
 1> trustType: 2;
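As an added example (not part of the article and not code from ClonePrincipal, ADMT or Ldp.exe), the following Python script parses Ldp.exe listings like the two above and reports the trusts whose trustType is 1, that is, the downlevel trusts over which the SIDHistory step fails with error 8233 and which must be deleted and rebuilt. The sample listing and the trusted-domain name NT4DOM are constructed for the example.

```python
import re

# trustType values of the trustedDomain object, as shown in the Ldp.exe listings.
TRUST_TYPE_DOWNLEVEL = 1   # Windows NT 4.0 style trust: secure LDAP bind impossible
TRUST_TYPE_UPLEVEL = 2     # Windows 2000 trust: SIDHistory migration works

# Constructed sample: one Ldp.exe listing of two trustedDomain objects under CN=System.
SAMPLE_LDP_OUTPUT = """\
Expanding base 'CN=System,DC=dstdom,DC=com'...
Getting 2 entries:
>> Dn: CN=NT4DOM,CN=System,DC=dstdom,DC=com
1> flatName: NT4DOM;
1> objectClass: top; leaf; trustedDomain;
1> trustDirection: 1;
1> trustPartner: NT4DOM;
1> trustType: 1;
>> Dn: CN=srcdom.com,CN=System,DC=dstdom,DC=com
1> flatName: srcdom;
3> objectClass: top; leaf; trustedDomain;
1> trustDirection: 1;
1> trustPartner: srcdom.com;
1> trustType: 2;
"""

# One Ldp attribute line: "<count>> <attribute>: <value>;" (multi-valued: "a; b; c;")
ATTR_RE = re.compile(r"^\d+> (\w+): (.*);$")


def parse_ldp_entries(text):
    """Parse Ldp.exe output into one {attribute: value} dict per '>> Dn:' entry."""
    entries = []
    for line in text.splitlines():
        if line.startswith(">> Dn: "):
            entries.append({"dn": line[len(">> Dn: "):]})
        elif entries:
            match = ATTR_RE.match(line)
            if match:
                entries[-1][match.group(1)] = match.group(2)
    return entries


def classify_trust(entry):
    """Return 'downlevel', 'uplevel' or 'unknown' from trustType; None for non-trust objects."""
    if "trustedDomain" not in entry.get("objectClass", ""):
        return None
    labels = {TRUST_TYPE_DOWNLEVEL: "downlevel", TRUST_TYPE_UPLEVEL: "uplevel"}
    return labels.get(int(entry.get("trustType", -1)), "unknown")


def sidhistory_blockers(text):
    """Trust partners whose trust must be deleted and rebuilt before SIDHistory can be added."""
    return [e["trustPartner"] for e in parse_ldp_entries(text) if classify_trust(e) == "downlevel"]
```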


Keywords: kberrmsg kbmigrate kbprb kbtrusts KB256250


© Microsoft Corporation. All rights reserved.