Error: E20671: SID History cannot be updated for 'prefix' Domain Users. SourceDomain\Domain Users ma (NETIQKB2068)

  • 7702068
  • 02-Feb-2007
  • 19-Oct-2007

Resolution

fact
Domain Migration Administrator 7.1

symptom
Error: E20671: SID History cannot be updated for 'prefix' Domain Users. SourceDomain\Domain Users may be a Builtin account, a Well-Known account...

symptom

E20671: SID History cannot be updated for Domain Users. SourceDomain\Domain Users may be a Builtin account, a Well-Known account different from TargetDomain\ Domain Users, a local user account, or an inter-domain trust account.

This error occurs in either of the following situations:

  • Scenario 1: When the following option is selected in the Migrate User Accounts wizard:

    'Select how all migrated accounts should be renamed' with either a prefix or suffix. This option is in the User Options window of the Migrate User Accounts wizard.

  • Scenario 2: When the following option is selected in the Migrate User Accounts wizard:

    'Rename Conflicting accounts by adding the following' with either a prefix or suffix. This option is in the Naming Conflicts window of the Migrate User Accounts wizard.

In either scenario, migrating with SID history causes DMA to report the error above. For example, you migrate SID History for Domain Users and choose to rename all accounts, or to rename conflicting accounts, with a prefix or suffix. Because a Domain Users group already exists in the target, a new group is created, such as 'prefix' Domain Users. This new group has a different RID from both the source Domain Users and the target Domain Users.



cause
The API used to migrate SID History for Well-Known objects will only migrate to a target domain object with the same RID. Microsoft implemented this restriction for security reasons. For example, you can only migrate the SID of the source domain's Well-Known Domain Admins group to the SID History of the target domain's Well-Known Domain Admins group. You cannot apply it to any other group.
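
A pre-flight check for the same-RID rule described above, added here as an example (it is not NetIQ or Microsoft code). It compares the RID of each source SID with the RID of the planned target object before a migration is attempted. The SIDs, the plan entries, the function names Get-SidParts and Test-SidHistoryMapping, and the use of "RID below 1000" to identify Well-Known domain accounts are assumptions of this example.

```powershell
# Constructed migration plan: every SID and account name below is made up.
$srcDomain = 'S-1-5-21-1111111111-2222222222-3333333333'
$dstDomain = 'S-1-5-21-4444444444-5555555555-6666666666'
$plan = @(
    [pscustomobject]@{ Target = 'Domain Users';     SourceSid = "${srcDomain}-513";  TargetSid = "${dstDomain}-513"  }
    [pscustomobject]@{ Target = 'OLD_Domain Users'; SourceSid = "${srcDomain}-513";  TargetSid = "${dstDomain}-1604" }
    [pscustomobject]@{ Target = 'OLD_jsmith';       SourceSid = "${srcDomain}-1187"; TargetSid = "${dstDomain}-1605" }
    [pscustomobject]@{ Target = 'Administrators';   SourceSid = 'S-1-5-32-544';      TargetSid = 'S-1-5-32-544'      }
)

# Hypothetical helper: split an NT-authority SID string into the parts the check needs.
function Get-SidParts {
    param([Parameter(Mandatory)][string]$Sid)
    if ($Sid -notmatch '^S-1-5-(?<rest>\d+(-\d+)*)$') { throw "Not an NT-authority SID: $Sid" }
    $sub = $Matches['rest'] -split '-'
    [pscustomobject]@{
        IsBuiltin = ($sub[0] -eq '32')                         # S-1-5-32-* is the Builtin domain
        IsDomain  = ($sub[0] -eq '21' -and $sub.Count -eq 5)   # S-1-5-21-a-b-c-RID
        Rid       = [uint32]($sub[-1])
    }
}

# Hypothetical check mirroring the rule in the cause section:
# a Well-Known source account may only map to the target object with the same RID.
function Test-SidHistoryMapping {
    param([Parameter(Mandatory)][string]$SourceSid, [Parameter(Mandatory)][string]$TargetSid)
    $s = Get-SidParts $SourceSid
    $t = Get-SidParts $TargetSid
    if ($s.IsBuiltin) { return 'BLOCKED: source is a Builtin account' }
    if (-not ($s.IsDomain -and $t.IsDomain)) { return 'BLOCKED: not a domain account SID' }
    # Assumption: RIDs below 1000 are reserved for Well-Known accounts (512, 513, ...).
    if ($s.Rid -lt 1000 -and $s.Rid -ne $t.Rid) {
        return "BLOCKED: Well-Known RID $($s.Rid) cannot go to target RID $($t.Rid) (expect E20671)"
    }
    'OK'
}

$plan | ForEach-Object {
    [pscustomobject]@{
        Target = $_.Target
        Result = Test-SidHistoryMapping -SourceSid $_.SourceSid -TargetSid $_.TargetSid
    }
} | Format-Table -AutoSize -Wrap
```

With the constructed plan, only the renamed 'OLD_Domain Users' entry and the Builtin entry are flagged; the same-RID Domain Users mapping and the ordinary renamed user pass.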

fix
Do not select any account-renaming options, and be sure to select the 'Replace and Update Conflicting Accounts' option (without either sub-option checked). This will result in the Well-Known group being migrated to the Well-Known group of the same name in the target. Alternatively, migrate the Well-Known group with the renaming/prefix options and translate security for that group.

This is by design.



note

Please contact Technical Support to create a Support Request for any issues you encounter that are not addressed by the User Guide, any Knowledge Base articles found on the website, or current hotfixes available for download.



Additional Information

Formerly known as NETIQKB2068