Error: "Inappropriate authentication" when performing SIDHistory sync. Next line in the log should contain error like: "Write. Failed to add objectSid of <AD_object> in <domain_name> using <DC_name> to sIDHistory of <AD_object>..."
To resolve the 1st cause of the issue, please do the following:
It's also possible to move PDC emulator role to the DC in ODMAD list through ADUC, Operation Masters menu.
Please note, that this will require to launch ODMAD Discovery task, as this constitutes as a change in AD schema.
The 2nd cause can be validated by the target DC, logging in Event Viewer, System the following warning: "The Security System has detected a downgrade attempt when contacting the 3-part SPN" which is having LDAP/.../@<target_domain> string in it.
This is an indication that trust between forests/domains is not working and needs to be recreated.
Note: while configuring SIDHistory with directly specifying source SIDHistory account, when target dirsync agent was installed, is "trust-less", the actual validation is done by Microsoft through the existing trust first. And if such validation will fail, then the whole SIDHistory transfer operation will fail as well.
