No mapping between account names and security IDs was done during demotion

mark_667
I'm trying to demote a Server 2003 DC in the same domain as a Windows 2000 DC. On Running DCPROMO I get a prompt for credentials to modify the computer account of the 2000 DC. The following event is logged on the 2000 DC at the same time.

Event Type:      Warning
Event Source:      SceCli
Event Category:      None
Event ID:      1202
Date:            23/10/2009
Time:            11:49:26
User:            N/A
Computer:      <Win 2000 DC name here>
Description:
Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done.

For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "troubleshooting 1202 events".
A user account in one or more Group policy objects (GPOs) could not be resolved to a SID. This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO. To resolve this event, contact an administrator in the domain to perform the following actions:

1. Identify accounts that could not be resolved to a SID: From the command prompt, type: FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log
The string following "Cannot find" in the FIND output identifies the problem account names.
Example: Cannot find JohnDough.
In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").

2. Identify the GPOs that contain the unresolvable account name:
From the command prompt type FIND /I "JohnDough" %SYSTEMROOT%\Security\templates\policies\gpt*.*
      The output of the FIND command will resemble the following:
      ---------- GPT00000.DOM
      ---------- GPT00001.DOM
      SeRemoteShutdownPrivilege=JohnDough
      This indicates that of all the GPOs being applied to this machine,  the unresolvable account exists only in one GPO.  Specifically, the cached GPO named GPT00001.DOM.
      Now we need to determine the friendly name of this GPO in the next step.

3. Locate the friendly names of each of the GPOs that contain an unresolvable account name.  These GPOs were identified in the previous step.
From the command prompt, type: FIND /I "[Mapping]" %SYSTEMROOT%\Security\Logs\winlogon.log
      The string following "[Mapping] gpt0000?.dom =" in the FIND output identifies the friendly names for all GPOs being applied to this machine.
      Example: [Mapping] gpt00001.dom = User Rights Policy
      In this case, the GPO that contains the unresolvable account (gpt00001.dom) has a friendly name of "User Rights Policy".

4. Remove unresolved accounts from each GPO that contains an unresolvable account.
      a. Start -> Run -> MMC.EXE
      b. From the File menu select "Add/Remove Snap-in..."
      c. From the "Add/Remove Snap-in" dialog box select "Add..."
      d. In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
      e. In the "Select Group Policy Object" dialog box click the "Browse" button.
      f. On the "Browse for a Group Policy Object" dialog box choose the "All" tab
      g. Right click on the first policy identified in step 3 and choose edit
      h. Review each setting under Computer Configuration/ Windows Settings/ Security Settings/ Local Policies/ User Rights Assignment or Computer Configuration/ Windows Settings/ Security Settings/ Restricted Groups for accounts identified in step 1.
      i. Repeat steps 3g and 3h for all subsequent GPOs identified in step 3.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


I followed the steps described and got the following:

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\Administrator>FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log

---------- C:\WINNT\SECURITY\LOGS\WINLOGON.LOG
        Cannot find Power Users.
        Cannot find Power Users.
        Cannot find Power Users.

C:\Documents and Settings\Administrator>
C:\Documents and Settings\Administrator>FIND /I "Power Users" %SYSTEMROOT%\Security\templates\policies\gpt*.

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00000.DOM

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00001.INF

C:\Documents and Settings\Administrator>
C:\Documents and Settings\Administrator>FIND /I "[Mapping]" %SYSTEMROOT%\Security\Logs\winlogon.log

---------- C:\WINNT\SECURITY\LOGS\WINLOGON.LOG
[Mapping] gpt00000.dom = Default Domain Policy
[Mapping] gpt00001.inf = Default Domain Controllers Policy
[Mapping] gpt00000.dom = Default Domain Policy
[Mapping] gpt00001.inf = Default Domain Controllers Policy
[Mapping] gpt00000.dom = Default Domain Policy
[Mapping] gpt00001.inf = Default Domain Controllers Policy
[Mapping] gpt00000.dom = Default Domain Policy

C:\Documents and Settings\Administrator>
C:\Documents and Settings\Administrator>

Unfortunately there is nothing under Restricted Groups and no User Rights under Local Policies. Also, looking in C:\WINNT\security\templates\policies\gpt00001.inf (the only gpt .inf file in the directory) there are no security IDs in the entire file. Does anyone have any ideas?
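As an added illustration (not code from the thread or from Microsoft), the following Python reproduces steps 1 to 3 of the event text offline on constructed sample input: it pulls the "Cannot find" names and the [Mapping] lines out of winlogon.log text, then searches the cached gpt*.* template contents for each name and returns the GPO friendly name plus the offending line. An account with an empty hit list is the situation where FIND prints only file headers and no matching line, as in the output above; all file names and template contents here are constructed.

```python
import re

# Constructed winlogon.log excerpt in the format quoted in the event text.
WINLOGON_LOG = """\
[Mapping] gpt00000.dom = Default Domain Policy
[Mapping] gpt00001.inf = Default Domain Controllers Policy
	Cannot find JohnDough.
	Cannot find Power Users.
	Cannot find Power Users.
"""

# Constructed cached templates, keyed by file name as FIND prints them.
# JohnDough appears in one template; Power Users appears in none.
TEMPLATES = {
    "gpt00000.dom": "[Privilege Rights]\nSeRemoteShutdownPrivilege=Administrators\n",
    "gpt00001.inf": "[Privilege Rights]\nSeRemoteShutdownPrivilege=JohnDough\n"
                    "[Group Membership]\nAdministrators__Members=Domain Admins\n",
}


def unresolved_accounts(log):
    """Step 1: names after 'Cannot find', de-duplicated and sorted."""
    return sorted({m.group(1) for m in re.finditer(r"Cannot find (.+?)\.\s*$", log, re.M)})


def gpo_friendly_names(log):
    """Step 3: cached template file name -> GPO friendly name."""
    return {f.lower(): name.strip() for f, name in re.findall(r"\[Mapping\] (\S+) = (.+)", log)}


def locate_accounts(log, templates):
    """Step 2: for each unresolved account, (friendly name, template line) hits."""
    names = gpo_friendly_names(log)
    result = {}
    for acct in unresolved_accounts(log):
        hits = []
        for fname, body in templates.items():
            for line in body.splitlines():
                if acct.lower() in line.lower():
                    hits.append((names.get(fname.lower(), fname), line.strip()))
        result[acct] = hits  # [] means no cached template references the name
    return result


def accounts_in_no_template(result):
    """Accounts the log cannot map but no cached template mentions."""
    return [acct for acct, hits in result.items() if not hits]
```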

Commented:
If the 2003 server is still up, then you could use the GPMC (Download it from Microsoft) and that may help you find the policy and where the settings are.

Is this the only 2003 server in your domain?  I don't know what the ramifications are, but I don't think I would demote the only 2003 server I had in a mixed domain.  

Author

Commented:
I tried running the Group Policy Results Wizard from the 2003 machine but got the following:
'The selected computer does not support RSoP logging. Rsop logging support is available in operating system releases after Windows 2000'. As it is only a test system there aren't many policies in place and I cannot find any mention of Power Users.

From what I gather the problem is that there is some mention of the Power Users group in the GP which it is unable to resolve to a SID. Could it be anything else?

Also, I know it seems counter-intuitive to demote the 2003 DC but there is logic in the madness: we are getting rid of the domain, when it's demoted I'll do a P2V migration, add it to a separate one and get rid of the 2000 DC.
Commented:
Have you tried using the forceremoval switch?

http://support.microsoft.com/kb/332199

Author

Commented:
Why can't it just work?
