Microsoft KB Archive/256250

From BetaArchive Wiki

Article ID: 256250

Article Last Modified on 2/28/2007



APPLIES TO

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server



This article was previously published under Q256250


SYMPTOMS

After you upgrade a Microsoft Windows NT Server 4.0 domain to Windows 2000, ClonePrincipal and ADMT successfully migrate security principals such as users, groups, and computers. However, neither ClonePrincipal nor ADMT adds the source SID to the SIDHistory of the migrated objects in the destination domain, even though the following configuration requirements are met:

  • Auditing is enabled
  • $$$ group is created
  • Administration membership is correct
  • Functional trust relationship
  • Destination domain is set to native mode
  • TcpipClientConfig registry entry is defined

ClonePrincipal displays the following information during script execution:

c:\cloneprin>cscript clonepr.vbs /srcdc:SRCDOMPDC /srcdom:SRCDOM /srcsam:JDOE
/dstdc:DESTDOMPDC /dstdom:DESTDOM /dstSam:JDOE
/dstDN:cn=JDOE,CN=Users,dc=DESTDOM,dc=COM

Microsoft (R) Windows Script Host Version 5.1 for Windows
Copyright (C) Microsoft Corporation 1996-1999. All rights reserved.

Connected to source and destination domain controllers
Bound to source User JDOE
Destination object JDOE not found (by SAM name) path used:
WinNT://DESTDOM/DESTDOMPDC/JDOE
Destination DN found
Setting properties for target user JDOE
Downlevel properties set.
Fixing group memberships for user cn=JDOE
Found global group WinNT://SRCDOM/SRCDOMPDC/Domain Users
Skipping WinNT://SRCDOM/SRCDOMPDC/Domain Users -- not cloned yet
User's Group memberships restored.
User changes committed.
Adding SID for source User JDOE to SID history of target user
cn=JDOE
Error 0x80072029 occurred.
Error Description: Failed to add the source SID to the destination object's SID history. The error was: "Inappropriate authentication. "
Error Source : DSUtils.ClonePrincipal.1
ADsError Description:
Inappropriate authentication.


The ADMT migration log displays the following information:

2000-03-08 18:05:32-
2000-03-08 18:05:32-Active Directory Migration Tool, Starting...
2000-03-08 18:05:32-Starting Account Replicator.
2000-03-08 18:05:32-Account Migration M1 A CopyUsers:Yes CopyGlobalGroups:No CopyLocalGroups:No CopyComputers:No ReplaceExisting:Yes
2000-03-08 18:05:33-CN=jdoe - Created
2000-03-08 18:05:33-E20655: Failed to add sid history for jdoe to jdoe. RC=8233
2000-03-08 18:05:40- - Set password for jdoe.
2000-03-08 18:05:40-Operation completed.

For both ClonePrincipal and ADMT, the Directory Service event log on the primary domain controller (PDC) emulator of the destination domain logs the following error message:

Event ID: 1540
Category: Directory Access
Description: Error 8233, DSID 11a0aa7, adding SID to object ?.

CAUSE

This issue occurs because the inbound trust relationship on the source domain, which was created while the domain was running Windows NT Server 4.0, is a downlevel trust; trust relationships between Windows NT Server 4.0 domains are not upgraded to Windows 2000 uplevel trusts when you upgrade the domains to Windows 2000. Before it writes SIDHistory, the destination domain performs a version check to determine whether the source domain is running Windows 2000 so that the Lightweight Directory Access Protocol (LDAP) session can be signed or encrypted. A signed or encrypted LDAP bind between the source and destination domains cannot be established over a downlevel trust, so the bind fails with the "Inappropriate authentication" error message.

RESOLUTION

To resolve this issue, delete the downlevel trust relationship and then re-create it as a Windows 2000 (uplevel) trust by using either one of the following tools:

  • The Active Directory Domains and Trusts Microsoft Management Console (MMC) snap-in (Domain.msc) tool.
  • The Netdom.exe tool.


STATUS

This behavior is by design.

MORE INFORMATION

Downlevel Trusts

Downlevel trusts are identified by:

  • The trustType attribute of the trust object is set to 1 when viewed in an Active Directory editor such as Ldp.exe. In this case, the DN path for the trust object is:

    CN=<srcdom>,CN=System,DC=<destdom>,DC=com

  • The Active Directory Domains and Trusts MMC snap-in (Domain.msc) displays the trusted domain by its NetBIOS name (Srcdom) rather than by its fully qualified domain name (FQDN) (Srcdom.com).

Uplevel Trusts

Uplevel trusts are identified by the FQDN of the trusted domain when viewed in the Active Directory Domains and Trusts MMC snap-in, or by a trustType attribute of 2 when viewed by using Ldp.exe or an equivalent Active Directory editing tool. For example, consider two domains with the following attributes:

  • Source domain: SRCDOM
  • Source domain PDC: SRCDOMPDC
  • Destination domain: DESTDOM
  • Destination domain PDC: DESTDOMPDC
  • Cloned account name: JDoe
  • Trust relationship: SRCDOM trusts DESTDOM (a one-way trust defined in Windows NT Server 4.0)

Viewed in the Ldp.exe tool, the downlevel trust object has the following attributes:

Expanding base 'CN=SRCDOM,CN=System,DC=destdom,DC=dom'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:

>> Dn: CN=SRCDOM,CN=System,DC=destdom,DC=dom
1> cn: SRCDOM;
1> flatName: SRCDOM;
1> distinguishedName: CN=SRCDOM,CN=System,DC=destdom,DC=dom;
1> objectCategory: CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=destdom,DC=dom;
3> objectClass: top; leaf; trustedDomain;
1> name: SRCDOM;
1> trustAttributes: 16777216;
1> trustDirection: 1;
1> trustPartner: SRCDOM;
1> trustType: 1;


The uplevel trust has the following attributes:

Expanding base 'CN=srcdom.com,CN=System,DC=dstdom,DC=com'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:


>> Dn: CN=srcdom.com,CN=System,DC=dstdom,DC=com
1> cn: srcdom.com;
1> flatName: srcdom;
1> distinguishedName: CN=srcdom.com,CN=System,DC=dstdom,DC=com;
1> objectCategory: CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=dstdom,DC=com;
3> objectClass: top; leaf; trustedDomain;
1> name: srcdom.com;
1> trustAttributes: 0;
1> trustDirection: 1;
1> trustPartner: srcdom.com;
1> trustType: 2;
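The following PowerShell script is an added example and is not part of the original article or of the ClonePrincipal or ADMT tools. It automates the two checks described above (the trustType value of each trustedDomain object under CN=System, and the NetBIOS versus DNS naming of the trust object) and lists the Netdom.exe commands that delete and re-create the trust. It assumes it is run from a domain-joined host that has PowerShell and the Windows 2000 Support Tools Netdom.exe available, and that the domain names, DN paths, and administrator accounts shown (DC=destdom,DC=com, srcdom.com, DESTDOM\Administrator, SRCDOM\Administrator) match the article's sample environment; replace them with your own values.

```powershell
# Added example (not from the KB article): enumerate the trust objects of a domain and
# flag the downlevel ones (trustType = 1) that prevent the signed or encrypted LDAP bind
# that SIDHistory writes require. Domain names, DNs and accounts below are assumptions
# based on the article's sample environment.

# Decode tables for the trustedDomain attributes shown in the Ldp.exe output.
$TrustTypeNames = @{
    1 = 'Downlevel (Windows NT 4.0 style trust)'
    2 = 'Uplevel (Windows 2000 / Active Directory trust)'
    3 = 'MIT Kerberos realm'
}
$TrustDirectionNames = @{
    0 = 'Disabled'
    1 = 'Inbound (trustPartner trusts this domain)'
    2 = 'Outbound (this domain trusts trustPartner)'
    3 = 'Bidirectional'
}

function Get-TrustObjects {
    param(
        # Distinguished name of the domain whose CN=System container is inspected.
        [Parameter(Mandatory = $true)] [string] $DomainDN
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=System,$DomainDN"
    $searcher.Filter      = '(objectClass=trustedDomain)'
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.AddRange(
        @('name', 'flatName', 'trustPartner', 'trustType', 'trustDirection', 'trustAttributes'))

    foreach ($r in $searcher.FindAll()) {
        # ResultPropertyCollection keys are lower-case.
        $type = [int]$r.Properties['trusttype'][0]
        $dir  = [int]$r.Properties['trustdirection'][0]
        $name = [string]$r.Properties['name'][0]
        New-Object PSObject -Property @{
            Name            = $name
            FlatName        = [string]$r.Properties['flatname'][0]
            TrustPartner    = [string]$r.Properties['trustpartner'][0]
            TrustType       = $type
            TrustTypeName   = $TrustTypeNames[$type]
            TrustDirection  = $dir
            DirectionName   = $TrustDirectionNames[$dir]
            TrustAttributes = [int]$r.Properties['trustattributes'][0]
            # Downlevel trusts carry trustType 1 and a NetBIOS-only object name (no dot);
            # an uplevel trust carries trustType 2 and a DNS name such as srcdom.com.
            Downlevel       = ($type -eq 1)
            DnsNamed        = ($name -like '*.*')
        }
    }
}

# 1. Inspect the destination domain (the one whose PDC emulator logs event ID 1540).
$trusts = Get-TrustObjects -DomainDN 'DC=destdom,DC=com'
$trusts | Format-Table Name, FlatName, TrustPartner, TrustTypeName, DirectionName -AutoSize

# 2. Any trustType = 1 entry must be deleted and re-created before SIDHistory can be written.
$downlevel = $trusts | Where-Object { $_.Downlevel }
if ($downlevel) {
    $names = ($downlevel | Select-Object -ExpandProperty Name) -join ', '
    Write-Warning "Downlevel trust(s) found: $names"
    # Rebuild with Netdom.exe. The article's sample is a one-way trust in which SRCDOM
    # (trusting) trusts DESTDOM (trusted); the trusting domain is the first argument and
    # the trusted domain is /domain:. /passwordd:* and /passwordo:* prompt for passwords.
    #   netdom trust srcdom.com /domain:destdom.com /remove /userd:DESTDOM\Administrator /passwordd:* /usero:SRCDOM\Administrator /passwordo:*
    #   netdom trust srcdom.com /domain:destdom.com /add    /userd:DESTDOM\Administrator /passwordd:* /usero:SRCDOM\Administrator /passwordo:*
    #   netdom trust srcdom.com /domain:destdom.com /verify /userd:DESTDOM\Administrator /passwordd:* /usero:SRCDOM\Administrator /passwordo:*
}

# 3. Run the check again: the rebuilt trust object must report trustType = 2 and a DNS
#    name (CN=srcdom.com) before you retry ClonePrincipal or ADMT.
```

Use the direction decoded by the script, not the object's location, to decide which domain goes first on the Netdom.exe command line: the trust object in the article lives in DESTDOM with trustDirection 1 (inbound), which means the trustPartner SRCDOM trusts DESTDOM, matching the one-way trust described above.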



Additional query words:

Keywords: kberrmsg kbmigrate kbprb kbtrusts KB256250