Error: 'SID History cannot be updated for &lt;user&gt;. For security purposes, the operation must b (NETIQKB44348)

Document ID:7744348
Creation Date:02-Feb-2007
Modified Date:11-Dec-2007
- Micro Focus Products:
  Domain Migration Administrator

Resolution

fact
Domain Migration Administrator 7.x

symptom
Error: 'SID History cannot be updated for <user>. For security purposes, the operation must be run on a destination DC.'

cause
The base requirements for SID history migration (as documented by Microsoft) require that the migration tool be running on a domain controller in the destination/target domain. Further testing of Domain Migration Administrator (DMA) has confirmed that SID history migration will also be successful when the migration tool is installed on a Microsoft Windows XP Professional or Microsoft Windows 2003 Server machine.

fix

Domain Migration Administrator (DMA) should be installed on one of the following machine types in the target domain:

Domain Controller,
Microsoft Windows XP Professional machine, OR
Microsoft Windows 2003 Server machine

note

Warning: The Microsoft Windows 2000 configuration described below has not been through QE testing and is not considered a supported scenario by NetIQ.

According to the requirements for the dsAddSidHistory API call, SID history migration should be successful if both the client (migration console) and the target server have 128-bit encryption. This can be achieved by installing the Microsoft Windows 2000 High Encryption Pack. Alternatively, you can upgrade the Microsoft Windows 2000 machine to Microsoft Windows 2000 Service Pack 2 (SP2) or later (as 128-bit encryption is installed as part of this service pack).

For the latest Microsoft Windows 2000 Service Pack, see:
http://www.microsoft.com/windows2000/downloads/servicepacks/
For the Microsoft Windows 2000 High Encryption Pack, see:
http://www.microsoft.com/windows2000/downloads/recommended/encryption/

note

For more information on the dsAddSidHistory API call, please refer to the following information from Microsoft:

Using dsAddSidHistory
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/using_dsaddsidhistory.asp
dsAddSidHistory
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/dsaddsidhistory.asp

note

For more information on the requirements for migrating SID history, please refer to the following NetIQ Knowledge Base article:

NETIQKB4365 - What are the requirements for using Domain Migration Administrator when migrating with SID History?

Additional Information

Formerly known as NETIQKB44348

Error: 'SID History cannot be updated for &amp;lt;user&amp;gt;. For security purposes, the operation must b (NETIQKB44348)

Resolution

Additional Information

Error: 'SID History cannot be updated for <user>. For security purposes, the operation must b (NETIQKB44348)