Article ID: 256250
Article Last Modified on 2/28/2007
APPLIES TO
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
This article was previously published under Q256250
SYMPTOMS
After you upgrade a Microsoft Windows NT Server 4.0 domain to Windows 2000, ClonePrincipal and ADMT successfully migrate security principals such as users, groups, and computers. However, neither ClonePrincipal nor ADMT adds the SIDHistory of the migrated objects to the destination domain, even though the following configuration requirements are met:
- Auditing is enabled
- $$$ group is created
- Administration membership is correct
- Functional trust relationship
- Destination domain is set to native mode
- TcpipClientConfig registry entry is defined
ClonePrincipal displays the following information during script execution:
The ADMT migration log displays the following information:
For both ClonePrincipal and ADMT, the Directory Service event log on the primary domain controller (PDC) emulator of the destination domain logs the following error message:
CAUSE
This issue occurs because the inbound trust relationship on the source Windows NT Server 4.0 domain is a downlevel trust, and trust relationships between Windows NT Server 4.0 domains are not upgraded to Windows 2000 uplevel trusts when you upgrade your domain to Windows 2000. The destination domain performs a version check to determine whether the source domain is running Windows 2000 so that the Lightweight Directory Access Protocol (LDAP) session can be signed or encrypted. However, the secure LDAP bind between the source and destination domains cannot occur over a downlevel trust, which causes the "Inappropriate Authentication" error message.
RESOLUTION
To resolve this issue, delete and then rebuild the trust relationship by using either one of the following tools:
- The Active Directory Domains and Trusts Microsoft Management Console (MMC) snap-in (Domain.msc) tool.
- The Netdom.exe tool.
STATUS
This behavior is by design.
MORE INFORMATION
Downlevel Trusts
Downlevel trusts are identified by:
- The "trusttype" attribute defining the trust is set to 1 when viewed in an Active Directory editor such as Ldp.exe. In this case, the DN path for the trust object is:
CN=<srcdom>,CN=System,DC=<destdom>,DC=com
- The Active Directory Domains and Trusts MMC snap-in (Domain.msc) displays the source domain by its NetBIOS name (Srcdom) rather than by its fully qualified domain name (FQDN), Srcdom.com.
Uplevel Trusts
Uplevel trusts are identified by the FQDN of the trusted domain when viewed in the Active Directory Domains and Trusts MMC snap-in, or by a "trusttype" attribute value of 2 when viewed by using Ldp.exe or an equivalent Active Directory editing tool. For example, consider two domains with the following attributes:
- Source domain: SRCDOM
- Source domain PDC: SRCDOMPDC
- Destination domain: DESTDOM
- Destination domain PDC: DESTDOMPDC
- Cloned account name: JDoe
- Trust relationship: SRCDOM trusts DESTDOM (one way trust defined in Windows NT Server 4.0)
A downlevel trust has the following distinguishing attributes when viewed in the Ldp.exe tool:
Expanding base 'CN=SRCDOM,CN=System,DC=destdom,DC=dom'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=SRCDOM,CN=System,DC=destdom,DC=dom
1> cn: SRCDOM;
1> flatName: SRCDOM;
1> distinguishedName: CN=SRCDOM,CN=System,DC=destdom,DC=dom;
1> objectCategory: CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=destdom,DC=dom;
1> objectClass: top; leaf; trustedDomain;
1> name: SRCDOM;
1> trustAttributes: 16777216;
1> trustDirection: 1;
1> trustPartner: SRCDOM;
1> trustType: 1;
The uplevel trust has the following attributes:
Expanding base 'CN=srcdom.com,CN=System,DC=dstdom,DC=com'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=srcdom.com,CN=System,DC=dstdom,DC=com
1> cn: srcdom.com;
1> flatName: srcdom;
1> distinguishedName: CN=srcdom.com,CN=System,DC=dstdom,DC=com;
1> objectCategory: CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=dstdom,DC=com;
3> objectClass: top; leaf; trustedDomain;
1> name: srcdom.com;
1> trustAttributes: 0;
1> trustDirection: 1;
1> trustPartner: srcdom.com;
1> trustType: 2;
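As an added example (not part of the original article), the following Python script parses Ldp.exe output like the dumps above and reports which trustedDomain objects are still downlevel (trustType 1) and therefore block SIDHistory migration until the trust is rebuilt. The sample dump is constructed from the two entries shown in this article, abbreviated to the attributes that matter.

```python
import re

# Constructed sample: the two Ldp.exe dumps from this article, abbreviated.
LDP_DUMP = """\
>> Dn: CN=SRCDOM,CN=System,DC=destdom,DC=dom
1> flatName: SRCDOM;
1> objectClass: top; leaf; trustedDomain;
1> trustDirection: 1;
1> trustPartner: SRCDOM;
1> trustType: 1;
>> Dn: CN=srcdom.com,CN=System,DC=dstdom,DC=com
1> flatName: srcdom;
3> objectClass: top; leaf; trustedDomain;
1> trustDirection: 1;
1> trustPartner: srcdom.com;
1> trustType: 2;
"""

TRUST_TYPE = {1: "downlevel (Windows NT 4.0)", 2: "uplevel (Windows 2000)"}
TRUST_DIRECTION = {1: "inbound", 2: "outbound", 3: "bidirectional"}
ATTR_RE = re.compile(r"^\d+>\s*(\w+):\s*(.*?);?$")   # e.g. "1> trustType: 1;"

def parse_ldp_entries(text):
    """Split an Ldp.exe dump into one dict per '>> Dn:' entry."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(">> Dn:"):
            current = {"dn": line[len(">> Dn:"):].strip()}
            entries.append(current)
        elif current is not None:
            m = ATTR_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return entries

def classify_trusts(text):
    """Flag each trustedDomain object; SIDHistory migration needs trustType 2."""
    report = []
    for e in parse_ldp_entries(text):
        if "trustedDomain" not in e.get("objectClass", ""):
            continue
        ttype, tdir = int(e["trustType"]), int(e.get("trustDirection", 0))
        report.append({"partner": e["trustPartner"], "trustType": ttype,
                       "kind": TRUST_TYPE.get(ttype, "other/unknown"),
                       "direction": TRUST_DIRECTION.get(tdir, "unknown"),
                       "sidhistory_ok": ttype == 2})  # downlevel -> rebuild it
    return report
```

Run it against a real dump exported from Ldp.exe and any entry with sidhistory_ok False is a trust to delete and re-create before rerunning ClonePrincipal or ADMT.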
Keywords: kberrmsg kbmigrate kbprb kbtrusts KB256250