Before you can upgrade this Windows NT 4.0 primary domain controller (PDC) you must disable security identifier (SID) filtering on external trusts
Summary
SID filtering is applied to one or more external trusts from this domain. Windows 2000 Server and Windows Server 2003 Setup requires that you disable SID filtering for all trusts that are established from this Windows NT 4.0 domain before you can upgrade.
Description
SID filtering increases the security of communications across domains or forests. Using SID filtering, an administrator can specify that the domain controllers in a given domain quarantine a trusted domain. This causes the domain controllers in a trusting domain to remove all SIDs that did not originate from the trusted domain, thereby preventing authorization data from passing to resources located in the trusting domain. For more information about SID filtering, see Q289246, "Forged SID Could Result in Elevated Privileges in Windows NT 4.0" in the Microsoft Knowledge Base.
After you have upgraded this Windows NT 4.0 PDC, you should determine whether SID filtering will still be necessary after you install the upgrade. For more information about how to determine this, start Help and Support Center by clicking Start, clicking Help and Support, and then, in Search, type Securing external trusts. For more information about how to disable SID filtering, see Q811961, "Windows 2000 Server and Windows Server 2003 Setup Does Not Succeed When You Upgrade from a Windows NT 4.0-Based Primary Domain Controller" in the Microsoft Knowledge Base.
Disabling SID filtering on external trusts
To disable SID filtering, you need to modify a registry key on this Windows NT 4.0 PDC.
Caution
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
Notes