For Example:
First Domain pair: S1-T1
Second Domain pair S2-T2
SG1 group has members from S1 and S2
After the migration, the resulting group TG1 on T1 is missing all the members from T2 that were successfully migrated as well.
The following error is logged:
"Error 0xe1000041. Apply of attribute member with value(s) =
<SID=010500000000000515000000637A6B2D3530BA72652D743B263D0000> failed.
LDAP error 0x35. Unwilling To Perform (00002141: SvcErr: DSID-031A0FC0,
problem 5003 (WILL_NOT_PERFORM), data 0). "
This is the result of some limitations in AD Domain Controllers running Windows 2003 SP1. Please refer to the resolution section for a workaround.
DSA is adding users to the target group over LDAP using their SIDs. This particular operation is not allowed in Windows 2003 SP1.
WORKAROUND:
1. Point the DSA to the different target DC that is not running Windows 2003 SP1.
2. This issue was addressed with Microsoft and the corresponding hotfix was released. Refer to Microsoft Knowledge Base Article ID 906381 - "A security principal disappears from the Authorization Manager store of a Windows Server 2003-based trusted child domain after you close and then reopen Authorization Manager":
http://support.microsoft.com/?id=906381
In order to obtain the hotfix you will need to contact Microsoft and mention that you are using the Quest Migration Manager for AD. Case ID (SRX060306601377) can be mentioned if needed. Please install it on all the 2003 SP1 DC's on the target domain, or you can set the DSA to work with a certain DC and in such a case you can install the hotfix only on that DC.
Microsoft has choosen not to include the above fix for Windows 2003 SP2 nor offer a hotfix compatible with this OS version. Also, recently released hot fix patches will not allow this hot fix to be installed. Therefore if all the DCs in the environment have SP1 and recent MS updates installed , or have been updated to SP2, then the only option is to Upgrade QMM to version 8.0 or higher. If 8.0 is installed, the following patch must be also installed :
https://support.quest.com/SUPPORT/index?page=solution&id=SOL35438
also a related Windows 2003 SP2 issue:
https://support.quest.com/SUPPORT/index?page=solution&id=SOL30514
