Resolution
fact
Domain Migration Administrator 7.x
symptom
E20838: Failed to add sid history for <Username> to <Username>. RC=8333
symptom
E20326: Failed to get the target account info for <Username>. rc = 2221
symptom
Problems migrating SidHistory and password information when using the Update Active Directory Connector Accounts wizard
cause
The "TargetAccountName" in the ADCMapping table of the Protar.mdb does not match the "User Logon Name (Pre-Windows 2000)" field of that user's account properties in the target domain.
fix
note
This could happen when changes are made to the users' environments before DMA is able to update the ADC accounts. Changes like renaming the account so that the account can be used in the target domain and moving the account to a different OU after the ADC has run can cause the information in DMA's ADCMapping table to get out of synch.
note
For testing purposes, you could copy and paste the value that shows up in ADUC for the "User Logon Name (pre-Windows 2000)" for the account(s) getting the error, and paste that information into the "TargetAccount" column for the record that reflects that user's "SourcePath". Once this info is copied, try running the Update Active Directory Connector accounts wizard again and re-update that users information again.
Domain Migration Administrator 7.x
symptom
E20838: Failed to add sid history for <Username> to <Username>. RC=8333
symptom
E20326: Failed to get the target account info for <Username>. rc = 2221
symptom
Problems migrating SidHistory and password information when using the Update Active Directory Connector Accounts wizard
cause
The "TargetAccountName" in the ADCMapping table of the Protar.mdb does not match the "User Logon Name (Pre-Windows 2000)" field of that user's account properties in the target domain.
fix
In order for DMA to update / migrate the ADC Accounts, the following 2 values need to match Exactly:
Value 1:
- Launch Active Directory Users and Computers connecting to the target domain and browse to the user account(s) in question
- Check the properties of the user account(s) in question, click on the Account tab and view the "User Logon Name (pre-Windows 2000)" field
- Make a note of the value
Value 2:
- Open Protar.mdb by browsing to it at Program Files\Netiq\DMA\Protar.mdb, click on tables and open the ADCMapping table
- Search for the user account in question by looking for it in the "SourcePath" column of the table (Should look something like WinNT:\\Username)
- For that user account, view the value listed in the "TargetAccount" column
If the values don't match exactly, re-gather the ADC Mapping information within DMA by performing the following:
- Launch DMA and select the global option to "Update Active Director Connector Accounts"
- Choose the domain that contains the ADC accounts and click Next
- For the Update Information screen, choose the option "Yes, update the information"
- DMA will rebuild the ADCMapping table in Protar.mdb with the correct information
note
This could happen when changes are made to the users' environments before DMA is able to update the ADC accounts. Changes like renaming the account so that the account can be used in the target domain and moving the account to a different OU after the ADC has run can cause the information in DMA's ADCMapping table to get out of synch.
note
For testing purposes, you could copy and paste the value that shows up in ADUC for the "User Logon Name (pre-Windows 2000)" for the account(s) getting the error, and paste that information into the "TargetAccount" column for the record that reflects that user's "SourcePath". Once this info is copied, try running the Update Active Directory Connector accounts wizard again and re-update that users information again.
Additional Information
Formerly known as NETIQKB52915