When performing a migration the following errors may appear:
"apply of attribute msDS-Site-Affinity with value(s) failed because of (INSUFF_ACCESS_RIGHTS)"
"apply of attribute msDS-Cached-Membership-Time-Stamp with value(s) failed because of (INSUFF_ACCESS_RIGHTS)"
"apply of attribute msDS-Cached-Membership with value(s) failed because of (INSUFF_ACCESS_RIGHTS)"
The attributes mentioned in the errors do not need to be migrated. The value they contain is valid only for the source domain. Trying to copy and preserve this value from source domain would mean to populate the value in target domain with improper, bogus information.
To skip the attributes from being migrated please perform the following:
To skip the attribute from being synchronized please perform the following:
1. Click on the Synchronization properties and click on Advanced Options.
2. In the Advanced Options window, click on Attributes to Skip button.
3. In Attributes to Skip window select the checkbox "Show advanced attributes", find and select needed attributes, ensure it applies to Two-way Sync (is skipped in both directions) and close by clicking OK.
Note: This change does not require a full resync but you need to stop and start dirsync if synchronization was running.
msDS-Cached-Membership: This attribute contains all the universal and global groups the user is a member of as stored in the GC.
msDS-Cached-Membership-Time-Stamp: This is the time that a user's cached membership was last updated. Certain triggers use this attribute to ensure that the group membership listed in the msDS-cached-Membership attribute is up-to-date.
msDS-Site-Affinity: This attribute contains the Globally Unique Identifier (GUID) of the sites where the user has logged on and a time stamp when the attribute was last updated. This is the only attribute of the three that is replicated via AD replication.