Chat now with support
Chat mit Support

Binary Tree Power365 Current - SID History Synchronization Quick Start Guide

Introduction - SID History Synchronization

The goal of this guide is to provide a step-by-step walk through of how-to setup SID History (sIDHistory) Synchronization for objects between your On-Premises Active Directory environments.

This guide will focus on sIDHistory synchronization between two on-premises Active Directory environments without a Trust enabled between two Directories. To set up Power365 Directory Sync for sIDHistory migration, four (4) configurations must be completed prior to the first synchronization.

  1. Set up Environments

  2. Set up Local Agents

  3. Set up Templates

  4. Set up Workflows

    The next section will provide the list of requirements needed to successfully migration sIDHistory between two Active Directory environments.

Requirements

In order to facilitate the sIDHistory migration, the following is a list of minimum requirements to get set up using Power365 Directory Sync with your On-Premises Active Directory.  Power365 Directory Sync supports sIDHistory migration for environments that have an Active Directory trust configured as well as environments without a trust configured. 

Preparing the Source and Target Domains

To prepare each source and target domain for sIDHistory Synchronization, the following configuration steps must be completed:

  1. In the source domain, create a local group called SourceDomain$$$, where SourceDomain is the NetBIOS name of your source domain. For example, if your domain's NetBIOS name is ADM, you must create a domain local group named ADM$$$.

    Notes: sIDHistory synchronization will fail if members are added to this local group.

  2. Enable TCP/IP client support on the source domain PDC emulator: 

    1. On the domain controller in the source domain that holds the PDC emulator operations master (also known as flexible single master operations or FSMO) role, click Start, and then click Run.

    2. In Open, type regedit, and then click OK.

    3. In Registry Editor, navigate to the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

    4. Modify the registry entry TcpipClientSupport, of data type REG_DWORD, by setting the value to 1.

    5. Close Registry Editor, and then restart the computer.

  3. Enable auditing in the target domain:

    1. Log on as an administrator to any domain controller in the target domain.

    2. Click Start, point to All Programs, point to Administrative Tools, and then click Group Policy Management.

    3. Navigate to the following node: Forest | Domains | Domain Name | Domain Controllers | Default Domain Controllers Policy

    4. Right-click Default Domain Controllers Policy and click Edit.

    5. In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy

    6. In the details pane, right-click Audit account management, and then click Properties.

    7. Click Define these policy settings, and then click Success and Failure.

    8. Click Apply, and then click OK.

    9. In the details pane, right-click Audit directory service access and then click Properties.

    10. Click Define these policy settings and then click Success.

    11. Click Apply, and then click OK.

    12. If the changes need to be immediately reflected on the domain controller, open an elevated command prompt and type “gpupdate /force”

    13. Repeat the above steps in the source domain.

  4. Enable Advanced Auditing in the target domain when you have advanced audit policy enabled:

    1. Log on as an administrator to any domain controller in the target domain.

    2. Click Start, point to All Programs, point to Administrative Tools, and then click Group Policy Management.

    3. Navigate to the following node: Forest | Domains | Domain Name | Domain Controllers | Default Domain Controllers Policy

    4. Right-click Default Domain Controllers Policy and click Edit.

    5. In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies | Account Management

    6. In the details pane, right-click Audit Application Group Management, and then click Properties.

    7. Click Configure the following audit events, and then click Success and Failure.

    8. Click Apply, and then click OK.

    9. Repeat the above for the following policies under Account Management

      1. Audit Computer Account Management

      2. Audit Distribution Group Management

      3. Audit Other Account Management Events

      4. Audit Security Group Management

      5. Audit User Account Management

    10. In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies | DS Access

    11. In the details pane, right-click Audit Detailed Directory Service Replication and then click Properties.

    12. Click Configure the following audit events, and then click Success.

    13. Click Apply, and then click OK.

    14. Repeat the above for the following policies under Account Management

      1. Audit Directory Service Access

      2. Audit Directory Service Changes

      3. Audit Directory Service Replication

    15. If the changes need to be immediately reflected on the domain controller, open an elevated command prompt and type “gpupdate /force”

    16. Repeat the above steps in the source domain.

      Notes: It may also be necessary to reboot the domain controller to have auditing take effect.

      Even with group policy applied on the default domain controller for the domain audit, the server audit setting on the primary domain controller (PDC) may not be enabled. Please confirm this setting is enabled for the local security policy on the PDC server. If not enabled, use the local security policy to enable this setting.

Account Permissions

  1. Migrate sIDHistory permissions are required on the target domain.  This is typically enabled for Domain Admins and Enterprise Admins, but can be enabled for a specific group or user by following the below steps:

    1. Right-click on your target domain in Active Directory Users and Computers.

    2. Select the Security tab and add or update the desired group or user and enable the “Migrate sIDHistory” permission.

  2. Source credential must have administrator access to the source PDC emulator.  This is typically enabled for Domain Admins and Enterprise Admins, but can be enabled for a specific group or user by following the below steps:

    1. Navigator to Built-in organization unit in Active Directory Users and Computers.

    2. Locate the administrators group and ensure the source service account is a member of the group.

Requirements

The goal of this guide is to provide a step-by-step walk through of how-to setup SID History (sIDHistory) Synchronization for objects between your On-Premises Active Directory environments.

This guide will focus on sIDHistory synchronization between two on-premises Active Directory environments without a Trust enabled between two Directories. To set up Power365 Directory Sync for sIDHistory migration, four (4) configurations must be completed prior to the first synchronization.

  1. Set up Environments

  2. Set up Local Agents

  3. Set up Templates

  4. Set up Workflows

    The next section will provide the list of requirements needed to successfully migration sIDHistory between two Active Directory environments.

In order to facilitate the sIDHistory migration, the following is a list of minimum requirements to get set up using Power365 Directory Sync with your On-Premises Active Directory.  Power365 Directory Sync supports sIDHistory migration for environments that have an Active Directory trust configured as well as environments without a trust configured. 

Preparing the Source and Target Domains

To prepare each source and target domain for sIDHistory Synchronization, the following configuration steps must be completed:

  1. In the source domain, create a local group called SourceDomain$$$, where SourceDomain is the NetBIOS name of your source domain. For example, if your domain's NetBIOS name is ADM, you must create a domain local group named ADM$$$.

    Notes: sIDHistory synchronization will fail if members are added to this local group.

  2. Enable TCP/IP client support on the source domain PDC emulator: 

    1. On the domain controller in the source domain that holds the PDC emulator operations master (also known as flexible single master operations or FSMO) role, click Start, and then click Run.

    2. In Open, type regedit, and then click OK.

    3. In Registry Editor, navigate to the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

    4. Modify the registry entry TcpipClientSupport, of data type REG_DWORD, by setting the value to 1.

    5. Close Registry Editor, and then restart the computer.

  3. Enable auditing in the target domain:

    1. Log on as an administrator to any domain controller in the target domain.

    2. Click Start, point to All Programs, point to Administrative Tools, and then click Group Policy Management.

    3. Navigate to the following node: Forest | Domains | Domain Name | Domain Controllers | Default Domain Controllers Policy

    4. Right-click Default Domain Controllers Policy and click Edit.

    5. In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy

    6. In the details pane, right-click Audit account management, and then click Properties.

    7. Click Define these policy settings, and then click Success and Failure.

    8. Click Apply, and then click OK.

    9. In the details pane, right-click Audit directory service access and then click Properties.

    10. Click Define these policy settings and then click Success.

    11. Click Apply, and then click OK.

    12. If the changes need to be immediately reflected on the domain controller, open an elevated command prompt and type “gpupdate /force”

    13. Repeat the above steps in the source domain.

  4. Enable Advanced Auditing in the target domain when you have advanced audit policy enabled:

    1. Log on as an administrator to any domain controller in the target domain.

    2. Click Start, point to All Programs, point to Administrative Tools, and then click Group Policy Management.

    3. Navigate to the following node: Forest | Domains | Domain Name | Domain Controllers | Default Domain Controllers Policy

    4. Right-click Default Domain Controllers Policy and click Edit.

    5. In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies | Account Management

    6. In the details pane, right-click Audit Application Group Management, and then click Properties.

    7. Click Configure the following audit events, and then click Success and Failure.

    8. Click Apply, and then click OK.

    9. Repeat the above for the following policies under Account Management

      1. Audit Computer Account Management

      2. Audit Distribution Group Management

      3. Audit Other Account Management Events

      4. Audit Security Group Management

      5. Audit User Account Management

    10. In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies | DS Access

    11. In the details pane, right-click Audit Detailed Directory Service Replication and then click Properties.

    12. Click Configure the following audit events, and then click Success.

    13. Click Apply, and then click OK.

    14. Repeat the above for the following policies under Account Management

      1. Audit Directory Service Access

      2. Audit Directory Service Changes

      3. Audit Directory Service Replication

    15. If the changes need to be immediately reflected on the domain controller, open an elevated command prompt and type “gpupdate /force”

    16. Repeat the above steps in the source domain.

      Notes: It may also be necessary to reboot the domain controller to have auditing take effect.

      Even with group policy applied on the default domain controller for the domain audit, the server audit setting on the primary domain controller (PDC) may not be enabled. Please confirm this setting is enabled for the local security policy on the PDC server. If not enabled, use the local security policy to enable this setting.

Account Permissions

  1. Migrate sIDHistory permissions are required on the target domain.  This is typically enabled for Domain Admins and Enterprise Admins, but can be enabled for a specific group or user by following the below steps:

    1. Right-click on your target domain in Active Directory Users and Computers.

    2. Select the Security tab and add or update the desired group or user and enable the “Migrate sIDHistory” permission.

  2. Source credential must have administrator access to the source PDC emulator.  This is typically enabled for Domain Admins and Enterprise Admins, but can be enabled for a specific group or user by following the below steps:

    1. Navigator to Built-in organization unit in Active Directory Users and Computers.

    2. Locate the administrators group and ensure the source service account is a member of the group.

Preparing the Source and Target Domains

The goal of this guide is to provide a step-by-step walk through of how-to setup SID History (sIDHistory) Synchronization for objects between your On-Premises Active Directory environments.

This guide will focus on sIDHistory synchronization between two on-premises Active Directory environments without a Trust enabled between two Directories. To set up Power365 Directory Sync for sIDHistory migration, four (4) configurations must be completed prior to the first synchronization.

  1. Set up Environments

  2. Set up Local Agents

  3. Set up Templates

  4. Set up Workflows

    The next section will provide the list of requirements needed to successfully migration sIDHistory between two Active Directory environments.

Requirements

In order to facilitate the sIDHistory migration, the following is a list of minimum requirements to get set up using Power365 Directory Sync with your On-Premises Active Directory.  Power365 Directory Sync supports sIDHistory migration for environments that have an Active Directory trust configured as well as environments without a trust configured. 

Preparing the Source and Target Domains

To prepare each source and target domain for sIDHistory Synchronization, the following configuration steps must be completed:

  1. In the source domain, create a local group called SourceDomain$$$, where SourceDomain is the NetBIOS name of your source domain. For example, if your domain's NetBIOS name is ADM, you must create a domain local group named ADM$$$.

    Notes: sIDHistory synchronization will fail if members are added to this local group.

  2. Enable TCP/IP client support on the source domain PDC emulator: 

    1. On the domain controller in the source domain that holds the PDC emulator operations master (also known as flexible single master operations or FSMO) role, click Start, and then click Run.

    2. In Open, type regedit, and then click OK.

    3. In Registry Editor, navigate to the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

    4. Modify the registry entry TcpipClientSupport, of data type REG_DWORD, by setting the value to 1.

    5. Close Registry Editor, and then restart the computer.

  3. Enable auditing in the target domain:

    1. Log on as an administrator to any domain controller in the target domain.

    2. Click Start, point to All Programs, point to Administrative Tools, and then click Group Policy Management.

    3. Navigate to the following node: Forest | Domains | Domain Name | Domain Controllers | Default Domain Controllers Policy

    4. Right-click Default Domain Controllers Policy and click Edit.

    5. In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy

    6. In the details pane, right-click Audit account management, and then click Properties.

    7. Click Define these policy settings, and then click Success and Failure.

    8. Click Apply, and then click OK.

    9. In the details pane, right-click Audit directory service access and then click Properties.

    10. Click Define these policy settings and then click Success.

    11. Click Apply, and then click OK.

    12. If the changes need to be immediately reflected on the domain controller, open an elevated command prompt and type “gpupdate /force”

    13. Repeat the above steps in the source domain.

  4. Enable Advanced Auditing in the target domain when you have advanced audit policy enabled:

    1. Log on as an administrator to any domain controller in the target domain.

    2. Click Start, point to All Programs, point to Administrative Tools, and then click Group Policy Management.

    3. Navigate to the following node: Forest | Domains | Domain Name | Domain Controllers | Default Domain Controllers Policy

    4. Right-click Default Domain Controllers Policy and click Edit.

    5. In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies | Account Management

    6. In the details pane, right-click Audit Application Group Management, and then click Properties.

    7. Click Configure the following audit events, and then click Success and Failure.

    8. Click Apply, and then click OK.

    9. Repeat the above for the following policies under Account Management

      1. Audit Computer Account Management

      2. Audit Distribution Group Management

      3. Audit Other Account Management Events

      4. Audit Security Group Management

      5. Audit User Account Management

    10. In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies | DS Access

    11. In the details pane, right-click Audit Detailed Directory Service Replication and then click Properties.

    12. Click Configure the following audit events, and then click Success.

    13. Click Apply, and then click OK.

    14. Repeat the above for the following policies under Account Management

      1. Audit Directory Service Access

      2. Audit Directory Service Changes

      3. Audit Directory Service Replication

    15. If the changes need to be immediately reflected on the domain controller, open an elevated command prompt and type “gpupdate /force”

    16. Repeat the above steps in the source domain.

      Notes: It may also be necessary to reboot the domain controller to have auditing take effect.

      Even with group policy applied on the default domain controller for the domain audit, the server audit setting on the primary domain controller (PDC) may not be enabled. Please confirm this setting is enabled for the local security policy on the PDC server. If not enabled, use the local security policy to enable this setting.

Account Permissions

  1. Migrate sIDHistory permissions are required on the target domain.  This is typically enabled for Domain Admins and Enterprise Admins, but can be enabled for a specific group or user by following the below steps:

    1. Right-click on your target domain in Active Directory Users and Computers.

    2. Select the Security tab and add or update the desired group or user and enable the “Migrate sIDHistory” permission.

  2. Source credential must have administrator access to the source PDC emulator.  This is typically enabled for Domain Admins and Enterprise Admins, but can be enabled for a specific group or user by following the below steps:

    1. Navigator to Built-in organization unit in Active Directory Users and Computers.

    2. Locate the administrators group and ensure the source service account is a member of the group.

Account Permissions

The goal of this guide is to provide a step-by-step walk through of how-to setup SID History (sIDHistory) Synchronization for objects between your On-Premises Active Directory environments.

This guide will focus on sIDHistory synchronization between two on-premises Active Directory environments without a Trust enabled between two Directories. To set up Power365 Directory Sync for sIDHistory migration, four (4) configurations must be completed prior to the first synchronization.

  1. Set up Environments

  2. Set up Local Agents

  3. Set up Templates

  4. Set up Workflows

    The next section will provide the list of requirements needed to successfully migration sIDHistory between two Active Directory environments.

Requirements

In order to facilitate the sIDHistory migration, the following is a list of minimum requirements to get set up using Power365 Directory Sync with your On-Premises Active Directory.  Power365 Directory Sync supports sIDHistory migration for environments that have an Active Directory trust configured as well as environments without a trust configured. 

Preparing the Source and Target Domains

To prepare each source and target domain for sIDHistory Synchronization, the following configuration steps must be completed:

  1. In the source domain, create a local group called SourceDomain$$$, where SourceDomain is the NetBIOS name of your source domain. For example, if your domain's NetBIOS name is ADM, you must create a domain local group named ADM$$$.

    Notes: sIDHistory synchronization will fail if members are added to this local group.

  2. Enable TCP/IP client support on the source domain PDC emulator: 

    1. On the domain controller in the source domain that holds the PDC emulator operations master (also known as flexible single master operations or FSMO) role, click Start, and then click Run.

    2. In Open, type regedit, and then click OK.

    3. In Registry Editor, navigate to the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

    4. Modify the registry entry TcpipClientSupport, of data type REG_DWORD, by setting the value to 1.

    5. Close Registry Editor, and then restart the computer.

  3. Enable auditing in the target domain:

    1. Log on as an administrator to any domain controller in the target domain.

    2. Click Start, point to All Programs, point to Administrative Tools, and then click Group Policy Management.

    3. Navigate to the following node: Forest | Domains | Domain Name | Domain Controllers | Default Domain Controllers Policy

    4. Right-click Default Domain Controllers Policy and click Edit.

    5. In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy

    6. In the details pane, right-click Audit account management, and then click Properties.

    7. Click Define these policy settings, and then click Success and Failure.

    8. Click Apply, and then click OK.

    9. In the details pane, right-click Audit directory service access and then click Properties.

    10. Click Define these policy settings and then click Success.

    11. Click Apply, and then click OK.

    12. If the changes need to be immediately reflected on the domain controller, open an elevated command prompt and type “gpupdate /force”

    13. Repeat the above steps in the source domain.

  4. Enable Advanced Auditing in the target domain when you have advanced audit policy enabled:

    1. Log on as an administrator to any domain controller in the target domain.

    2. Click Start, point to All Programs, point to Administrative Tools, and then click Group Policy Management.

    3. Navigate to the following node: Forest | Domains | Domain Name | Domain Controllers | Default Domain Controllers Policy

    4. Right-click Default Domain Controllers Policy and click Edit.

    5. In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies | Account Management

    6. In the details pane, right-click Audit Application Group Management, and then click Properties.

    7. Click Configure the following audit events, and then click Success and Failure.

    8. Click Apply, and then click OK.

    9. Repeat the above for the following policies under Account Management

      1. Audit Computer Account Management

      2. Audit Distribution Group Management

      3. Audit Other Account Management Events

      4. Audit Security Group Management

      5. Audit User Account Management

    10. In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies | DS Access

    11. In the details pane, right-click Audit Detailed Directory Service Replication and then click Properties.

    12. Click Configure the following audit events, and then click Success.

    13. Click Apply, and then click OK.

    14. Repeat the above for the following policies under Account Management

      1. Audit Directory Service Access

      2. Audit Directory Service Changes

      3. Audit Directory Service Replication

    15. If the changes need to be immediately reflected on the domain controller, open an elevated command prompt and type “gpupdate /force”

    16. Repeat the above steps in the source domain.

      Notes: It may also be necessary to reboot the domain controller to have auditing take effect.

      Even with group policy applied on the default domain controller for the domain audit, the server audit setting on the primary domain controller (PDC) may not be enabled. Please confirm this setting is enabled for the local security policy on the PDC server. If not enabled, use the local security policy to enable this setting.

  1. Migrate sIDHistory permissions are required on the target domain.  This is typically enabled for Domain Admins and Enterprise Admins, but can be enabled for a specific group or user by following the below steps:

    1. Right-click on your target domain in Active Directory Users and Computers.

    2. Select the Security tab and add or update the desired group or user and enable the “Migrate sIDHistory” permission.

  2. Source credential must have administrator access to the source PDC emulator.  This is typically enabled for Domain Admins and Enterprise Admins, but can be enabled for a specific group or user by following the below steps:

    1. Navigator to Built-in organization unit in Active Directory Users and Computers.

    2. Locate the administrators group and ensure the source service account is a member of the group.

Self-Service-Tools
Knowledge Base
Benachrichtigungen und Warnmeldungen
Produkt-Support
Software-Downloads
Technische Dokumentationen
Benutzerforen
Videoanleitungen
RSS Feed
Kontakt
Unterstützung bei der Lizenzierung
Technische Support
Alle anzeigen
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen