Resolution
fact
Domain Migration Administrator 7.1
symptom
Error: SID history cannot be updated for user account. A session may already be open between this computer and a domain controller in source using credentials other than domain/account name.
symptom
This error may appear in the Migration.log after a failed attempt to migrate an account with SID History.
cause
This error may related to the number of secure channels being used between the DMA console and the source domain controller. The first migration attempt may cause the additional secure channel to be removed allowing the second migration with SID History to succeed.
fix
Domain Migration Administrator 7.1
symptom
Error: SID history cannot be updated for user account. A session may already be open between this computer and a domain controller in source using credentials other than domain/account name.
symptom
This error may appear in the Migration.log after a failed attempt to migrate an account with SID History.
cause
This error may related to the number of secure channels being used between the DMA console and the source domain controller. The first migration attempt may cause the additional secure channel to be removed allowing the second migration with SID History to succeed.
fix
Steps for reproduction:
1) On the first attempt of migrating users with SID history, this error is logged in the Migration.log:
SID history cannot be updated for user account. A session may already be open between this computer and a domain controller in source using credentials other than domain/account name.
DMA creates an account in target. However, the new account is disabled.
2) If you delete the account created on the first attempt, then migrate the users again, this time the migration is successful.
If the second SID History migration attempt fails or you would like to avoid an initial failure, please use these troubleshooting steps:
- Verify there are no other open connections between the source and target DCs (mapped drives, etc.)
- Verify there are no applications using a connection between the source and target DCs (Exchange Administrator, etc.)
- Verify there are no Terminal Server sessions utilizing a connection with the credentials that you are logged in with.
- Verify the logged in account is a local administrator on the source PDC and is a member of Domain Admins in the target domain.
- Verify that WINS and DNS servers used by the DMA console are correctly configured with IP addresses of source and target domain controllers.
- Verify that the TcpipClientSupport registry key has been added as discussed in Chapter 2 of the DMA User Guide.
- Review the application log on the PDC in the source domain. Verify that the group named sourcedomain$$$ was the user account in use when the SID History migration was attempted.
- Consider using the NLTest utility from the Windows 2000 Resource Kit to verify the status of the secure channel. Syntax: nltest /SERVER:<server name> /SC_QUERY:<domain name>
, to query the secure channel for the specified domain on the specified server.
Additional Information
Formerly known as NETIQKB4713