Write: Access is denied when migrating SIDHistory (4180811)

Write: Access is denied when migrating SIDHistory

When migrating SIDHistory with the On Demand Migration (ODM) Active Directory on-premise directory synchronization agent, you may encounter the following error in the target agent logs:

Write: Access is denied

This issue assumes that all other prerequisites have been met.

In this particular situation, the issue was that the target agent service account did not have access to the source Active Directory environment. There are two methods of migrating SID History with the On Demand Migration (ODM) Active Directory directory sync agent.

The issue can also be caused by antivirus solution. The fix is adding Quest agent folder and its executables to antivirus exclusions' list.

1) When installing the target directory sync agent, provide admin credentials to the source Active Directory domain (trust is not required).
2) Ensure that the target agent service account has been  a member of the build-in\Administrators group in the source Active Directory domain (trust is required).
3) An Internet Protocol Security (IPSec) tunnel may need to be configured to allow the target access to the source. Work with the network administrators to ensure the target service account has access to the source.
4) Change the PDC Emulator role to another DC and update the ODM-Dirsync Environment setting to ensure this DC is listed in Domain Controllers tab and is listed as Priority 1.
5) Change the service account UPN suffix to use the correct domain suffix.
6) Add Quest agent folder and its executables to antivirus exclusions' list. Some AV solutions rely on EXE checksums, so these exclusions should be renewed every time Quest agent version is being updated

 

Make sure to whitelist the following entries through your antivirus solution: C:\Program Files (x86)\Quest* C:\Program Files (x86)\Quest\On Demand Migration Directory Sync Agent\bin\BTPass* In addition for password Sync with certain encryption and antivirus product we whitelist the following individually: C:\Program Files (x86)\Quest\On Demand Migration Directory Sync Agent\bin\BTPass\x64\BTPassSvc.exe C:\Program Files (x86)\Quest\On Demand Migration Directory Sync Agent\bin\BTPass\x86\BTPassSvc.exe C:\Windows\BTPass\x64\BTPassSvc.exe C:\Windows\BTPass\x86\BTPassSvc.exe