Resolution
Domain Migration Administrator 7.x
symptom
SID History cannot be updated for <username>. For security reasons, this operation must be run on the destination DC. rc=8558.
symptom
SIDHistory could not be updated due to a configuration or permissions problem. The Domain Migration Administrator will not attempt to migrate the remaining objects.
cause
These errors can occur if the DMA console computer is not affiliated with the target domain or is not a Domain Controller (DC) in the target domain. If the DMA console computer is not a DC in the target domain, it must be running Windows XP Service Pack 1 or later, or it must be a Member Server running Windows Server 2003 in the target domain.
DMA logs these error messages in the migration.log file in the %systemroot%\Program Files\NetIQ\DMA\logs folder on the DMA console computer.
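To list the accounts affected in migration.log, the two symptom messages above can be matched directly. This is an added example, not NetIQ code: only the message texts come from this article, while the timestamp prefix and account names in the sample lines are constructed assumptions.

```python
import re

# Message texts are the two symptoms quoted in this article.
# rc=8558 is the Win32 code ERROR_DS_MUST_BE_RUN_ON_DST_DC.
PER_ACCOUNT = re.compile(
    r"SID History cannot be updated for (?P<user>.+?)\. "
    r"For security reasons, this operation must be run on the destination DC\."
    r"\s*rc=8558"
)
ABORTED = re.compile(
    r"SIDHistory could not be updated due to a configuration or permissions problem"
)

def triage(lines):
    """Return the accounts that failed with rc=8558 and whether DMA aborted."""
    result = {"failed_8558": [], "aborted": False}
    for line in lines:
        m = PER_ACCOUNT.search(line)
        if m:
            user = m.group("user")
            if user not in result["failed_8558"]:  # keep first-seen order, no repeats
                result["failed_8558"].append(user)
        elif ABORTED.search(line):
            # DMA stopped here; the remaining objects were not migrated.
            result["aborted"] = True
    return result

# Constructed sample: timestamp prefix and account names are assumptions.
SAMPLE = [
    r"2005-03-14 10:02:10 Migrating account SRC\alice",
    r"2005-03-14 10:02:12 SID History cannot be updated for SRC\alice. "
    r"For security reasons, this operation must be run on the destination DC. rc=8558.",
    r"2005-03-14 10:02:15 SID History cannot be updated for SRC\j.smith. "
    r"For security reasons, this operation must be run on the destination DC. rc=8558.",
    r"2005-03-14 10:02:16 SID History cannot be updated for SRC\alice. "
    r"For security reasons, this operation must be run on the destination DC. rc=8558.",
    r"2005-03-14 10:02:17 SIDHistory could not be updated due to a configuration or "
    r"permissions problem. The Domain Migration Administrator will not attempt to "
    r"migrate the remaining objects.",
]

if __name__ == "__main__":
    # For a real log, pass an open file: triage(open(path, errors="replace"))
    print(triage(SAMPLE))
```

An account name containing a period (such as `SRC\j.smith` in the sample) is captured whole because the match ends only at the fixed text that follows the name.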
fix
Install DMA on a computer in the target domain that is running Windows XP SP1 or later or Windows Server 2003, or on a DC in the target domain. If your DMA computer already meets these requirements, try the following additional measures to identify and correct the problems.
fix
Use the clonepr.vbs utility to test the Windows target domain environment. The clonepr.vbs Support Tool is on the installation CD for the operating system of the DMA console computer. After installing the utility, use clonepr.vbs to test the migration of an account with SID History. If you use sidhis.vbs to migrate a user account with SID History, ensure the user account exists in both the source and target domains. The sidhis.vbs script cannot create a user account in the target domain.
For more information about using clonepr.vbs to test your environment, refer to the following Knowledge Base article:
Using Microsoft's ClonePrincipal, how could I test if an environment's configuration is properly setup to migrate SID History?
https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB1284
fix
The account you use to log on to the DMA console computer must have the following permissions:
- Local Administrator on DMA console computer
- Account resides in target domain
- Member of built-in Administrators group in source domain
- For Windows 2000 target domain: member of Domain Admins global group in target domain
- For Windows 2003 target domain: member of Domain Admins global group in target domain, or possesses the Migrate SID History permission for the target domain
For more information on permissions required to migrate with SID History, see the following Knowledge Base article:
What are the requirements for using Domain Migration Administrator when migrating with SID History?
https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB4365