Chatee ahora con Soporte
Chat con el soporte

On Demand Migration Current - Active Directory SID History Synchronization Quick Start Guide

Introduction

This guide provides step-by-step instructions to setup (Security Identifier) SID History Synchronization for objects between your On-Premises Active Directory environments.

This guide will focus on SID History synchronization between two on-premises Active Directory environments without a trust enabled between two directories. To set up Directory Sync for SID History migration, four configurations must be completed prior to the first synchronization.

  1. Set up Environments
  2. Set up Local Agents
  3. Set up Templates
  4. Set up Workflows

The next section will provide the list of requirements needed to successfully migration SID History between two Active Directory environments.

Requirements

In order to facilitate the SID History migration, the following is a list of minimum requirements to get set up using Directory Sync with your On-Premises Active Directory.  Directory Sync supports SID History migration for environments that have an Active Directory trust configured as well as environments without a trust configured. 

Preparing the Source and Target Domains

Preparing the Source and Target Domains

To prepare each source and target domain for SID History Synchronization, the following configuration steps must be completed:

  1. In the source domain, create a local group called SourceDomain$$$, where SourceDomain is the NetBIOS name of your source domain. For example, if your domain's NetBIOS name is ADM, you must create a domain local group named ADM$$$.

    NOTE: SID History synchronization will fail if members are added to this local group.

  2. Enable TCP/IP client support on the source domain PDC emulator: 
    1. On the domain controller in the source domain that holds the PDC emulator operations master (also known as flexible single master operations or FSMO) role, click Start, and then click Run.
    2. In Open, type regedit, and then click OK.
    3. In Registry Editor, navigate to the following registry subkey:
    4. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
    5. Modify the registry entry TcpipClientSupport, of data type REG_DWORD, by setting the value to 1.
    6. Close Registry Editor, and then restart the computer.
  3. Enable auditing in the target domain:
    1. Log on as an administrator to any domain controller in the target domain.
    2. Click Start. Select All Programs > Administrative Tools, and then click Group Policy Management.
    3. Navigate to the following node: Forest > Domains > Domain Name > Domain Controllers > Default Domain Controllers Policy
    4. Right-click Default Domain Controllers Policy and click Edit.
    5. In the Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy
    6. In the details pane, right-click Audit account management, and then click Properties.
    7. Click Define these policy settings, and then click Success and Failure.
    8. Click Apply, and then click OK.
    9. In the details pane, right-click Audit directory service access and then click Properties.
    10. Click Define these policy settings and then click Success.
    11. Click Apply, and then click OK.
    12. If the changes need to be immediately reflected on the domain controller, open an elevated command prompt and type “gpupdate /force”
    13. Repeat the above steps in the source domain.
  4. Enable Advanced Auditing in the target domain when you have advanced audit policy enabled:
    1. Log on as an administrator to any domain controller in the target domain.
    2. Click Start. Select All Programs> Administrative Tools, and then click Group Policy Management.
    3. Navigate to the following node: Forest > Domains > Domain Name > Domain Controllers > Default Domain Controllers Policy
    4. Right-click Default Domain Controllers Policy and click Edit.
    5. In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management
    6. In the details pane, right-click Audit Application Group Management, and then click Properties.
    7. Click Configure the following audit events, and then click Success and Failure.
    8. Click Apply, and then click OK.
    9. Repeat the above for the following policies under Account Management.
      • Audit Computer Account Management
      • Audit Distribution Group Management
      • Audit Other Account Management Events
      • Audit Security Group Management
      • Audit User Account Management
    10. In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access
    11. In the details pane, right-click Audit Detailed Directory Service Replication and then click Properties.
    12. Click Configure the following audit events, and then click Success.
    13. Click Apply, and then click OK.
    14. Repeat the above for the following policies under Account Management
      • Audit Directory Service Access
      • Audit Directory Service Changes
      • Audit Directory Service Replication
    15. If the changes need to be immediately reflected on the domain controller, open an elevated command prompt and type “gpupdate /force”
    16. Repeat the above steps in the source domain.

NOTE: It may also be necessary to reboot the domain controller to have auditing take effect. Even with group policy applied on the default domain controller for the domain audit, the server audit setting on the primary domain controller (PDC) may not be enabled. Please confirm this setting is enabled for the local security policy on the PDC server. If not enabled, use the local security policy to enable this setting.

Account Permissions

  • Migrate SID History permissions are required on the target domain.  This is typically enabled for Domain Admins and Enterprise Admins, but can be enabled for a specific group or user by following the below steps:
    1. Right-click on your target domain in Active Directory Users and Computers.
    2. Select the Security tab and add or update the desired group or user and enable the “Migrate SID History” permission.
  • Source credential must have administrator access to the source PDC emulator.  This is typically enabled for Domain Admins and Enterprise Admins, but can be enabled for a specific group or user by following the below steps:
    1. Navigator to Built-in organization unit in Active Directory Users and Computers.
    2. Locate the administrators group and ensure the source service account is a member of the group.
Herramientas de autoservicio
Base de conocimientos
Notificaciones y alertas
Soporte de productos
Descargas de software
Documentación técnica
Foros de usuarios
Tutoriales en video
Aviso de actualizaciones de páginas web (RSS)
Comuníquese con nosotros
Obtenga asistencia con las licencias
Soporte Técnico
Ver todos
Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación