Error: 'SID History cannot be updated for <user>. For security purposes, the operation must b (NETIQKB44348)

  • 7744348
  • 02-Feb-2007
  • 11-Dec-2007


Domain Migration Administrator 7.x

Error: 'SID History cannot be updated for <user>.  For security purposes, the operation must be run on a destination DC.'

Microsoft's documented base requirements for SID history migration state that the migration tool must run on a domain controller in the destination (target) domain. Further testing of Domain Migration Administrator (DMA) has confirmed that SID history migration also succeeds when the migration tool is installed on a Microsoft Windows XP Professional or Microsoft Windows 2003 Server machine.


Domain Migration Administrator (DMA) should be installed on one of the following machine types in the target domain:

  • Domain Controller,
  • Microsoft Windows XP Professional machine, OR
  • Microsoft Windows 2003 Server machine


Warning:  The Microsoft Windows 2000 configuration described below has not been through QE testing and is not considered a supported scenario by NetIQ.

According to the requirements for the DsAddSidHistory API call, SID history migration should succeed if both the client (migration console) and the target server have 128-bit encryption. This can be achieved by installing the Microsoft Windows 2000 High Encryption Pack. Alternatively, you can upgrade the Microsoft Windows 2000 machine to Microsoft Windows 2000 Service Pack 2 (SP2) or later, because 128-bit encryption is installed as part of this service pack.


For more information on the DsAddSidHistory API call, please refer to the following information from Microsoft:

Using DsAddSidHistory



For more information on the requirements for migrating SID history, please refer to the following NetIQ Knowledge Base article:

NETIQKB4365 - What are the requirements for using Domain Migration Administrator when migrating with SID History?

Additional Information

Formerly known as NETIQKB44348