Error: 'SID History cannot be updated for <user>. This operation requires the TcpipClientSupport key be set on <sourceDC> rc=6' (NETIQKB2081)

  • 7702081
  • 02-Feb-2007
  • 16-May-2008

Environment

Domain Migration Administrator 7.x

Situation

Error: 'SID History cannot be updated for <user>. This operation requires the TcpipClientSupport registry key to be set on <sourceDC>. rc=6'.

SID History is not migrated.

The error is displayed in the migration.log file when migrating with SID History.

Resolution

To register the TcpipClientSupport registry key, follow these steps:

    1. In the Migration Settings wizard, select the option to Migrate account SIDs to the target domain.
    2. Domain Migration Administrator (DMA) will check the SID History requirements against the source and target domains. There will be a prompt to create the TcpipClientSupport key.  After creating the key, DMA will prompt you to reboot the source PDC.
    3. Reboot the source PDC so that the boot process will register the new key.  If rebooting the PDC is not an option for you, then choose not to reboot the source PDC at this time. Note:  Keep in mind that this key may not properly register until the PDC is rebooted, and this could prevent migration of SID History.

If you have already used these steps to create and configure the TcpipClientSupport key and you have Trend antivirus software installed, disable the Trend antivirus software and reboot the DC. If this does not resolve the issue, uninstall the Trend software and reboot the DC. This should then allow the endpoint to register, resulting in a successful SID History migration.



fix

To isolate and resolve permissions, name resolution, or connectivity issues, follow these steps:

    1. Verify that the logged on account is a member of the Domain Admins global group in the target domain.
    2. Verify that the logged on account has Administrator access in the source domain.  A recommended way to accomplish this is to take an account that is in the target Domain Admins global group and place this account (or the target Domain Admins global group itself) in the Local Administrators group on the Source Domain.
    3. Try adding the SourceServerOverride key to the Settings table to make sure DMA is requesting a connection with the PDC.
    4. Verify that success and failure auditing is enabled on source and target domains.
    5. Verify that the registry on the source PDC can be accessed from the target domain controller (DC).  Also, verify the TcpipClientSupport key is present. This key is located in the registry of the source domain controller at:

      HKEY_Local_Machine\SYSTEM\CurrentControlSet\Control\LSA  (The key TcpipClientSupport should have a value of 1.)
    6. If the TcpipClientSupport key was created manually, try deleting the key and letting DMA reset the key.
    7. In some instances, rebooting the source PDC, and/or rebooting the DMA console machine has proven to resolve some related issues. Rebooting the source PDC ensures that the TcpipClientSupport registry key is registered.
    8. Verify that the network name resolution environment is stable for both WINS and DNS.  Based on the information in the WINS database, the operating system (OS) of the machine where DMA is installed should be able to provide a connection with the source domain PDC, \\domain_name[1Bh], and the name should be resolved correctly.  Be sure that there are no stale IP addresses in DNS.  This might occur for instance if two DNS servers were swapped out at some point, but the cache had not been flushed. Make sure that the name resolution used by the DMA console in the target domain has a correct record for the PDC in the source domain.
    9. Attempt the migration by logging in with a different user account, or create a new user account with the appropriate permissions.
    10. Check open/closed ports on the firewall. Technically, DMA does not require any ports to be open, but the operating system does. At a minimum, where Microsoft Windows 2000 is involved as either the source or target domain, the following ports should be open:
      • 137-139 TCP & UDP
      • 389 for LDAP
      • 445 for Kerberos authentication
      • 3268 TCP for Active Directory (AD) Global Catalog
    11. Verify that NSLOOKUP works against the source PDC from the DMA machine (NSLOOKUP sourcedc). If not, point the DMA machine to the DNS server used by the source domain controller.
    12. It may be necessary to add a new standard zone to the target domain DNS and define the source domain and PDC.
    13. It may be necessary to add a Reverse Lookup record for the source PDC to the target domain DNS.
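The read-only checks in steps 5, 10, 11 and 13 can be run together from the DMA console machine. The PowerShell below is an added example, not part of DMA or the original article; the function name Test-SidHistoryPrereq and the host name sourcedc are hypothetical, and it assumes the Remote Registry service is reachable on the source PDC.

```powershell
# Added example: read-only pre-flight checks, run from the DMA console machine.
# Test-SidHistoryPrereq and 'sourcedc' are hypothetical names, not part of DMA.
function Test-SidHistoryPrereq {
    param(
        [Parameter(Mandatory)][string]$SourcePdc,
        # TCP ports taken from step 10; the UDP side of 137-139 is not probed,
        # because a TCP connect cannot confirm a UDP listener.
        [int[]]$TcpPorts = @(139, 389, 445, 3268),
        [int]$TimeoutMs = 2000
    )
    function New-Result($Check, $Ok, $Detail) {
        [pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = "$Detail" }
    }

    # Steps 11 and 13: forward lookup, then a reverse lookup of each address.
    # The OS resolver is used, so WINS/NetBIOS answers count as well as DNS.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($SourcePdc)
        New-Result 'Forward lookup' $true ($addrs -join ', ')
        foreach ($a in $addrs) {
            try   { New-Result "Reverse lookup $a" $true ([System.Net.Dns]::GetHostEntry($a).HostName) }
            catch { New-Result "Reverse lookup $a" $false $_.Exception.Message }
        }
    } catch { New-Result 'Forward lookup' $false $_.Exception.Message }

    # Step 5: remote registry must be reachable and TcpipClientSupport must be 1.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $SourcePdc)
        $val  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa').GetValue('TcpipClientSupport')
        $hklm.Close()
        $shown = if ($null -eq $val) { '<missing>' } else { $val }
        New-Result 'TcpipClientSupport = 1' ($val -eq 1) "value: $shown"
    } catch { New-Result 'Remote registry access' $false $_.Exception.Message }

    # Step 10: TCP reachability. A closed port is only a finding where that
    # service is expected on the host (3268 exists only on a Global Catalog).
    foreach ($p in $TcpPorts) {
        $c = New-Object System.Net.Sockets.TcpClient
        try {
            $done = $c.BeginConnect($SourcePdc, $p, $null, $null).AsyncWaitHandle.WaitOne($TimeoutMs)
            New-Result "TCP $p" ($done -and $c.Connected) ''
        } catch { New-Result "TCP $p" $false $_.Exception.Message }
        finally { $c.Close() }
    }
}

Test-SidHistoryPrereq -SourcePdc 'sourcedc' | Format-Table -AutoSize
```

A row with Ok = False points at the numbered step to revisit; a value of 1 in the registry still needs the reboot described in step 7 before the key takes effect.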


fix

To resolve errors posted in the migration.log file when migrating SID history in environments that have NDS for Microsoft Windows NT installed, consider the following.

  • Uninstalling NDS for NT is not recommended. Although it will allow SID History migration to succeed, it could remove all accounts from the NT SAM.
  • The recommended solution is to do the following:
    1. Migrate the user and group accounts.
    2. Use the Translate Security Settings wizard to re-ACL the source resources to allow access to the new target accounts.


note

Note:   If these troubleshooting steps do not resolve the problem, consider using the Microsoft ClonePrincipal tool to verify the error message.  If you receive the same error message, please refer to Microsoft for further troubleshooting steps.



note
Please see Chapter 2 of the DMA Users Guide for more details on configuring the TcpipClientSupport registry key.

note

For more information regarding the use of DMA and NDS for NT, please refer to the following NetIQ Knowledge Base article:

NETIQKB2117 - 'Does Domain Migration Administrator support NDS for NT?'
https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB2117



note

For more information regarding the SourceServerOverride setting, please see the following NetIQ Knowledge Base article:

NETIQKB925 - 'Which Domain Controller does Domain Migration Administrator (DMA) connect to and pull the information from when doing a migration?'
https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB925



note

For more information regarding the Microsoft ClonePrincipal tool, please see the following NetIQ Knowledge Base article:

NETIQKB1284 - 'Using Microsoft's ClonePrincipal, how could I test if an environment's configuration is properly setup to migrate SID History?'
https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB1284



note

The following are suggestions for troubleshooting Microsoft's Windows 2000 Schema. Details for use can be found at www.microsoft.com.

  • Windows 2000 Support Tools, specifically the Active Directory Administration Tool
  • ClonePrincipal White paper (Clonepr.doc)


Cause

These errors can be caused by any of the following:

  • TcpipClientSupport registry key has not been registered on the source primary domain controller (PDC).
    • If Trend antivirus software is installed on the source PDC Emulator, it can prevent the DC from registering the RPC endpoint associated with the TcpipClientSupport key.
  • Existence of permission, name resolution, or connectivity issues.
  • NDS for Microsoft Windows NT is installed on the source PDC.

Additional Information

Formerly known as NETIQKB2081