Resolution
fact
Domain Migration Administrator 7.1
symptom
This operation is only allowed on the primary domain controller of the domain, error code=2226.
symptom
This occurs during the user migration wizard when trying to migrate users with SID history from an NT 4 source domain.
cause
At this point, DMA is trying to create the SourceDomain$$$ local group in the source domain. This group must be created on the PDC. If you receive this message, that means that DMA has connected to a BDC in the source domain, which does not have a writable copy of the SAM.
fix
Domain Migration Administrator 7.1
symptom
This operation is only allowed on the primary domain controller of the domain, error code=2226.
symptom
This occurs during the user migration wizard when trying to migrate users with SID history from an NT 4 source domain.
cause
At this point, DMA is trying to create the SourceDomain$$$ local group in the source domain. This group must be created on the PDC. If you receive this message, that means that DMA has connected to a BDC in the source domain, which does not have a writable copy of the SAM.
fix
To resolve this issue, try one of the following, then run the User Migration wizard again.
1. Reset the secure channel between the source PDC and the target domain controller. This can be done with the Windows 2000 Support Tools utility NLTEST. The syntax when run from the target domain controller is:
NLTEST /SC_RESET:<DomainName> \<DCName>
2. You can specify which domain controller DMA will connect to in the source domain as indicated in Knowledge Base article NETIQKB925. Specify the PDC as the source server.
Additional Information
Formerly known as NETIQKB15134