The pre-migration report indicates that user principal names cannot be migrated or that domain trust issues exist between the source and target systems.


One or more domain users fails to resolve from their source account identifier to a target user principal name. The pre-migration report displays the following messages to describe the problem and offer problem resolutions.

  • Fatal Error – No users are migrated and pre-migration suspended.

    Command ExtractUPN failed. Error: 'Users cannot be uploaded to the repository. Verify that the administrator who is running pre-migration has domain access to the source and target systems.

  • Warning – A single instance of a user failed to migrate.

    Failed to resolve user principal with Sid S-1-5-21-0000000000-0000000000-0000000000-0000 and account name DOMAIN\Username. This user principal will not be migrated. If you see multiple instances of this error, verify that you are running the migration tool from a machine that is joined to the same domain as the machine on which the source 5.2 server is installed.

  • Warning – By design, non-domain local accounts that are no longer supported are not migrated.

    The following user principals are well known accounts and thus will not be migrated: ["Sid: S-1-1-0, Account name: Everyone, UPN: ","Sid: S-1-5-32-544, Account name: BUILTIN\\Administrators, UPN: "]

The migration tool is unable to resolve the user information by account name to find the user principal name. Users that remained as 5.2 users but have since been removed from the active directory may fall under this category. If all users failed or all users from a particular domain failed to migrate, the migration tool failed to contact active directory domain services using the credentials supplied to retrieve the user information. The migration tool is only capable of reporting users it was unable to resolve and cannot verify the prerequisite domain membership trusts or user account privileges.


The user running the migration tool is not a member of the shared domain or a domain trust issue exists for the named user between the source and target system identity stores.

The account from which you run the migration tool must have a trust relationship with the domain to which the source vRealize Automation servers are joined. Equally important, the Identity Appliance and IaaS servers must be joined to the same domain as the source vRealize Automation system servers.

For related information, see Prerequisites for vRealize Automation Migration and Running the Pre-Migration Task.


  1. If a specific user is no longer valid, you can ignore, update, or remove the user from the source.
  2. Verify the domain membership of the Windows IaaS administrator relative to the source server domain or the domain of equivalent trusts.
  3. Verify that the credentials used by the Model Manager Web Service administrator are identical to the service account or that the administrator has equivalent privileges to the domains.
  4. Restart the migration tool and rerun the pre-migration task.
  5. When the pre-migration task is finished, verify that the pre-migration report does not contain warnings about valid domain users who cannot be translated.


The pre-migration report does not contain warnings about valid users that cannot be migrated.