Error: "Inappropriate authentication" when performing SIDHistory sync. The next line in the log should contain an error like: "Write. Failed to add objectSid of <AD_object> in <domain_name> using <DC_name> to sIDHistory of <AD_object>..."
To resolve the first cause of the issue, do the following:
- Navigate to ODM AD, open the hamburger menu, and select Environments.
- Click the environment in question, the one that Domain Controller <DC_name> belongs to.
- Go to the list of DCs and make sure that a PDC Emulator DC is listed.
- If not, add the PDC Emulator DC to the list and move it to the top position.
It's also possible to move the PDC Emulator role to the DC in the ODMAD list through ADUC, Operations Masters menu.
Please note that this will require launching the ODMAD Discovery task, as this constitutes a change in AD schema.
The second cause can be validated on the target DC, which logs the following warning in Event Viewer, System: "The Security System has detected a downgrade attempt when contacting the 3-part SPN", with an LDAP/.../@<target_domain> string in it.
This is an indication that the trust between forests/domains is not working and needs to be recreated.
Note: although configuring SIDHistory by directly specifying the source SIDHistory account when the target dirsync agent was installed is "trust-less", the actual validation is done by Microsoft through the existing trust first. If that validation fails, the whole SIDHistory transfer operation fails as well.
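A read-only check for both causes, as an added example that is not part of the original article: it reports which DC holds the PDC Emulator role (to compare against the environment's DC list in ODM AD) and searches the target DC's System log for the downgrade warning. The domain and DC names are placeholders, and the script assumes the ActiveDirectory RSAT module and remote event log access to the target DC.

```powershell
# Added example. Placeholder values: replace with your own names.
$TargetDomain = 'target.example.com'        # assumption: FQDN of the target domain
$TargetDC     = 'dc01.target.example.com'   # assumption: the <DC_name> from the log error
$LookbackDays = 7                           # assumption: how far back to search

Import-Module ActiveDirectory

# Cause 1: which DC holds the PDC Emulator role?
# Compare this name with the DC list of the environment in ODM AD.
$pdc = (Get-ADDomain -Server $TargetDomain).PDCEmulator
Write-Output "PDC Emulator for ${TargetDomain}: $pdc"
if ($pdc -ne $TargetDC) {
    Write-Output "Note: $TargetDC is not the PDC Emulator; check that $pdc is listed first in ODM AD."
}

# Cause 2: look for the downgrade warning in the System log of the target DC.
# Level 3 = Warning. Matching is done on the message text quoted in the article.
$filter = @{
    LogName   = 'System'
    Level     = 3
    StartTime = (Get-Date).AddDays(-$LookbackDays)
}
$hits = Get-WinEvent -ComputerName $TargetDC -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*downgrade attempt when contacting the 3-part SPN*' }

if ($hits) {
    Write-Output "Found $(@($hits).Count) downgrade warning(s) on ${TargetDC}:"
    $hits |
        Sort-Object TimeCreated -Descending |
        Select-Object -First 5 TimeCreated, Id, ProviderName,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-List
    # List the trusts defined in the target domain so the affected one can be reviewed.
    Get-ADTrust -Filter * -Server $TargetDomain |
        Select-Object Name, Direction, TrustType, ForestTransitive |
        Format-Table -AutoSize
} else {
    Write-Output "No downgrade warnings found on $TargetDC in the last $LookbackDays day(s)."
}
```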