A Domain Trust is not required for using Password Sync but is required for using SID History. For users to be able to access source domain content, the SID History will need to be migrated. The target domain must be able to resolve the source domain and make an inbound connection to it.
ODM AD User Guide: https://support.quest.com/technical-documents/on-demand-migration/current/active-directory-user-guide/6#TOPIC-1676287
Binary Tree Power365 Help Center: https://support.quest.com/technical-documents/binary-tree-power365/current/help-center/16#TOPIC-1564814
Binary Tree Power365 - Directory Sync Pro for Active Directory has an additional requirement for synchronizing passwords.
- To use the P365 Password Copy functionality, PsExec must be installed in the program directory (C:\Program Files\Binary Tree\DirSync). Ignore the PsExec Installation Guide concerning the proper installation location. PsExec is available at: https://technet.microsoft.com/en-us/sysinternals/bb897553
Note: ODM AD can skip this step as it is not required.
Password Synchronization
The following conditions must be met for Password Sync:
- ADMIN$ must be accessible on the domain controller from the Directory Sync agent server.
- The Password Sync functionality requires that either a domain admin role or built-in admin role be granted to the service account.
- Third-party anti-virus or threat prevention programs may block the execution of password tasks. These programs may need to be uninstalled from both the Domain Controller and the Directory Sync Agent Server or otherwise carefully whitelisted to allow proper operation.
- RC4 encryption (Rivest Cipher 4, used as RC4-HMAC) is an element of Microsoft Kerberos authentication that Quest migration products require to sync Active Directory passwords between Source and Target environments. Disabling RC4 for Kerberos in either environment makes password syncing between them impossible.
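The following PowerShell script is an added example, not part of the Quest documentation or product, that checks the Password Sync prerequisites above from the Directory Sync agent server while running as the intended service account. The domain controller name is passed as an assumed parameter; the registry path is the one written by the policy "Network security: Configure encryption types allowed for Kerberos", and the anti-virus requirement cannot be checked this way.

```powershell
# Added example (not Quest's own code): Password Sync prerequisite checks.
# Run on the Directory Sync agent server as the service account.
# $DomainController is an assumed parameter: FQDN of the DC the agent will use.
param([Parameter(Mandatory)] [string]$DomainController)

$report = [ordered]@{}

# 1. ADMIN$ on the domain controller must be reachable from this server.
$report['ADMIN$ reachable'] = Test-Path -Path "\\$DomainController\ADMIN$"

# 2. The service account must be a Domain Admin (RID 512) or a built-in Administrator.
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [System.Security.Principal.WindowsPrincipal]::new($id)
$isLocalAdmin  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
$isDomainAdmin = [bool]($id.Groups | Where-Object { $_.Value -like 'S-1-5-21-*-512' })
$report['Service account is Domain Admin or built-in Admin'] = $isLocalAdmin -or $isDomainAdmin

# 3. RC4-HMAC must still be allowed for Kerberos. The policy stores a bitmask in
#    SupportedEncryptionTypes; bit 0x4 is RC4_HMAC_MD5 (0x8 AES128, 0x10 AES256).
#    An absent value means the operating system default applies.
function Test-Rc4Allowed {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $v = (Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    if ($null -eq $v) { return 'not set (OS default applies; confirm for your Windows version)' }
    if ($v -band 0x4) { return ('allowed (SupportedEncryptionTypes=0x{0:X})' -f $v) }
    return ('BLOCKED (SupportedEncryptionTypes=0x{0:X})' -f $v)
}
$report['RC4 allowed on agent server'] = Test-Rc4Allowed
# Same check on the domain controller (requires PowerShell remoting to the DC).
$report['RC4 allowed on DC'] = Invoke-Command -ComputerName $DomainController `
    -ScriptBlock ${function:Test-Rc4Allowed} -ErrorAction SilentlyContinue

[pscustomobject]$report | Format-List
```

A BLOCKED result on either side means the Password Sync task will fail until RC4 is re-enabled there for the duration of the migration; the script reports it rather than changing the policy, so the decision stays with the administrator.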
SID History
A Domain Trust relationship must exist between the source and target domain. Typically this is done by establishing a Forest level trust, but it can also be done as a domain trust.
- A trust between the source and target domain is not required to populate SID History on target objects, but it is required to make use of the SID History when accessing source side resources.
- The target account must have administrator permissions in the source domain. To enable this, the target account of the Directory Sync agent should be added to the source PDC's built-in administrator group.
- Auditing of the source and target domain must be enabled. This can be enabled as a global policy for all domain controllers or as a local policy on the specific source and target DCs involved.
- The 'Account Management' and 'DS Access' Advanced Audit policies of the source and target domain should be configured if Advanced Auditing is configured in the environments.
- An empty Domain Local security group must be created in each source domain and named {SourceNetBIOSDomain}$$$.
- The HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\TcpipClientSupport registry key must be set to 1 on the source domain primary domain controller. You must restart the source domain primary domain controller after the registry configuration.
- The Migrate SID History permission is required on the target domain. This is typically enabled for Domain Admins and Enterprise Admins, but can be enabled for a specific group or user.
- Further guidance from Microsoft on using DsAddSidHistory: https://learn.microsoft.com/en-us/windows/win32/ad/using-dsaddsidhistory
Setting up Directory Sync
- The authorized account(s) that allow changes to your local and/or cloud directories.
- At least one (1) local on-premises server to host the local agent (if applicable).
Network
- Copying SIDHistory is an operation initiated by the agent and performed by the domain controllers.
- Source/Target Domain Controller FQDNs must be resolvable by each other.
- Open TCP ports 88, 135, 137-139, 445, 1027, 3268 and 49152-65535 (the RPC dynamic range), plus port 389 (UDP).
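The following PowerShell script is an added example, not Quest's own tooling, that validates the SID History prerequisites and the network requirements listed above from the target-side Directory Sync agent server. The source NetBIOS name, source PDC FQDN and target domain DN are assumed parameters; it needs the RSAT ActiveDirectory module and PowerShell remoting to the source PDC. The GUID used for the Migrate SID History extended right is its schema-defined rightsGuid.

```powershell
# Added example (not Quest's own code): SID History and network prerequisite checks.
# Assumed parameters: source NetBIOS name, source PDC FQDN, target domain DN.
param(
    [Parameter(Mandatory)] [string]$SourceNetBios,    # e.g. CONTOSO (assumed)
    [Parameter(Mandatory)] [string]$SourcePdc,        # e.g. pdc01.contoso.local (assumed)
    [Parameter(Mandatory)] [string]$TargetDomainDn    # e.g. DC=fabrikam,DC=local (assumed)
)
Import-Module ActiveDirectory -ErrorAction Stop

$checks = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $checks.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# 1. The source PDC FQDN must resolve from the target side.
try   { $null = Resolve-DnsName -Name $SourcePdc -ErrorAction Stop; Add-Check 'Source PDC resolves' $true $SourcePdc }
catch { Add-Check 'Source PDC resolves' $false $_.Exception.Message }

# 2. An empty Domain Local group named <SourceNetBIOS>$$$ must exist in the source domain.
$groupName = "$SourceNetBios`$`$`$"
$grp = Get-ADGroup -Server $SourcePdc -Filter "Name -eq '$groupName'" -Properties Members -ErrorAction SilentlyContinue
if ($grp) {
    $ok = ($grp.GroupScope -eq 'DomainLocal') -and (@($grp.Members).Count -eq 0)
    Add-Check "$groupName exists, Domain Local, empty" $ok "Scope=$($grp.GroupScope) Members=$(@($grp.Members).Count)"
} else {
    Add-Check "$groupName exists, Domain Local, empty" $false 'group not found'
}

# 3. TcpipClientSupport must be 1 on the source PDC (a restart is required after setting it).
$tcpip = Invoke-Command -ComputerName $SourcePdc -ErrorAction SilentlyContinue -ScriptBlock {
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name TcpipClientSupport -ErrorAction SilentlyContinue).TcpipClientSupport
}
Add-Check 'TcpipClientSupport = 1 on source PDC' ($tcpip -eq 1) "value=$tcpip"

# 4. Account Management and DS Access auditing must be enabled on the source PDC.
#    auditpol /r emits CSV; a subcategory counts as enabled when Success is audited.
$audit = Invoke-Command -ComputerName $SourcePdc -ErrorAction SilentlyContinue -ScriptBlock {
    foreach ($cat in 'Account Management', 'DS Access') {
        $rows = auditpol /get /category:"$cat" /r | ConvertFrom-Csv
        [pscustomobject]@{ Category = $cat
                           Enabled  = @($rows | Where-Object { $_.'Inclusion Setting' -match 'Success' }).Count -gt 0 }
    }
}
foreach ($a in $audit) { Add-Check "Audit '$($a.Category)' enabled on source" $a.Enabled '' }

# 5. The Migrate SID History extended right must be granted on the target domain head.
$migrateSidRight = [guid]'BA33815A-4F93-4C76-87F3-57574BFF8109'   # Migrate-SID-History rightsGuid
$acl     = Get-Acl -Path "AD:\$TargetDomainDn"
$holders = @($acl.Access | Where-Object { $_.ObjectType -eq $migrateSidRight -and $_.AccessControlType -eq 'Allow' } |
             ForEach-Object { $_.IdentityReference.Value })
Add-Check 'Migrate SID History right granted on target' ($holders.Count -gt 0) ($holders -join ', ')

# 6. Required TCP ports to the source PDC. UDP 389 and the NetBIOS UDP ports cannot be
#    probed with Test-NetConnection, so they are not covered here.
foreach ($port in 88, 135, 139, 445, 3268) {
    $open = Test-NetConnection -ComputerName $SourcePdc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
    Add-Check "TCP $port to source PDC" $open ''
}

$checks | Format-Table -AutoSize
```

Run it before the first SID History migration task and again after any change to the source PDC, since the TcpipClientSupport value only takes effect after the restart the requirement above calls for. The dynamic RPC range is not probed port by port; a failure on 135 is the usual sign that the range is also blocked.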
When preparing the Target DirSync agent server, the agent will be configured with the source admin account credentials on the SID History Migration screen.
- Enter the Source Domain, Email Address and Password for the source domain.
- Click Add Account (if Add Account is not clicked, the credentials are not saved and the SID History migration will not work).
- Then click Next; the fields should clear once the account has been added.