In this particular situation, the issue was that the target agent service account did not have access to the source Active Directory environment. There are two methods of migrating SID History with the On Demand Migration (ODM) Active Directory directory sync agent (items 1 and 2 below); items 3 through 6 are additional steps to work through if SID History still does not migrate:
1.) When installing the target directory sync agent, provide admin credentials to the source Active Directory domain (trust not required).
2.) Ensure that the target agent service account is a member of the Builtin\Administrators group in the source Active Directory domain (trust required).
3.) An Internet Protocol Security (IPSec) tunnel may need to be configured to allow the target access to the source. Work with the network administrators to ensure the target service account has access to the source.
4.) Change the PDC Emulator role to another DC and update the ODM-Dirsync Environment setting to ensure this DC is listed in Domain Controllers tab and is listed as Priority 1.
5.) Run the auditpol /get /category:* command to verify that both Computer Account Management and Distribution Group Management are recorded as Success and Failure.
6.) If the above steps fail, create a new agent in Dirsync, copy the new Registration key, then uninstall and reinstall the agent with the new key. Always write the password in Notepad and copy and paste it into the install wizard credentials section to ensure there are no typos.
SID History Prerequisites
Online Documentation: https://support.quest.com/technical-documents/on-demand-migration/current/active-directory-user-guide/6#TOPIC-1676287
A trust between the source and target domains is not required to populate SID History on target objects, but it is required to make use of the SID History when accessing source-side resources. Typically the trust is created as a forest-level trust, but it can also be a domain trust.
The target account must have administrator permissions in the source domain. To enable this, the target account of the Directory Sync agent should be added to the source PDC's built-in administrator group.
Auditing of the source and target domain must be enabled. This can be enabled as a global policy for all domain controllers or as a local policy on the specific source and target DCs involved. To enable auditing as a local policy, go to gpedit.msc > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy and enable the “Audit account management” and “Audit directory service access” settings.
Local Group Policy Editor
‘Account Management’ and ‘DS Access’ Advanced Audit policies of the source and target domain should be configured if Advanced Auditing is configured in the environments. These settings can be enabled as a global policy for all domain controllers or as a local policy on the specific source and target DCs involved.
To enable the advanced audit policy for Account Management, go to gpedit.msc > Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Management, and enable Success and Failure audit for the below policies.
- Audit Application Group Management
- Audit Computer Account Management
- Audit Distribution Group Management
- Audit Other Account Management Events
- Audit Security Group Management
- Audit User Account Management
To enable the advanced audit policy for DS Access, go to gpedit.msc > Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > DS Access and enable Success audit for the below policies.
- Audit Directory Service Access
- Audit Directory Service Changes
- Audit Directory Service Replication
- Audit Detailed Directory Service Replication
An empty Domain Local security group must be created in each source domain and named {SourceNetBIOSDomain}$$$.
The HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\TcpipClientSupport registry key must be set to 1 on the source domain primary domain controller. You must restart the source domain primary domain controller after the registry configuration.
Migrate sIDHistory permissions are required on the target domain. This is typically enabled for Domain Admins and Enterprise Admins, but can be enabled for a specific group or user by following the below steps:
- Right-click on your target domain in Active Directory Users and Computers.
- Select the Security tab and add or update the desired group or user and enable the “Migrate SID History” permissions.
Security tab of Properties
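The following PowerShell script is an added pre-flight check for the prerequisites listed above (audit subcategories, the TcpipClientSupport registry value, and the {SourceNetBIOSDomain}$$$ group); it is not part of the Quest documentation or the ODM agent. It assumes an elevated session on the source PDC emulator with the ActiveDirectory RSAT module installed, and the $SourceDomainDns parameter is an assumed name.

```powershell
# Added example: verify ODM SID History prerequisites on the source PDC emulator.
# Assumptions: elevated PowerShell, ActiveDirectory module present, run inside the source domain.
param(
    [string]$SourceDomainDns = (Get-ADDomain).DNSRoot   # assumed parameter: source domain DNS name
)
Import-Module ActiveDirectory
$results = @()

# 1. Advanced audit subcategories from the prerequisites list and the setting each one needs.
$accountMgmt = @('Application Group Management','Computer Account Management',
                 'Distribution Group Management','Other Account Management Events',
                 'Security Group Management','User Account Management')   # Success and Failure
$dsAccess    = @('Directory Service Access','Directory Service Changes',
                 'Directory Service Replication','Detailed Directory Service Replication')  # Success
foreach ($sub in ($accountMgmt + $dsAccess)) {
    # auditpol /r emits CSV; the 'Inclusion Setting' column holds the effective setting.
    $row    = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    $actual = $row.'Inclusion Setting'
    if ($accountMgmt -contains $sub) {
        $want = 'Success and Failure'; $ok = ($actual -eq 'Success and Failure')
    } else {
        $want = 'Success';             $ok = ($actual -match 'Success')
    }
    $results += [pscustomobject]@{ Check = "Audit: $sub"; Expected = $want; Actual = $actual; OK = $ok }
}

# 2. TcpipClientSupport must be 1 on the source PDC emulator (a reboot is still required after setting it).
$domain = Get-ADDomain -Identity $SourceDomainDns
$onPdc  = ($env:COMPUTERNAME -ieq $domain.PDCEmulator.Split('.')[0])
$results += [pscustomobject]@{ Check = 'Running on PDC emulator'; Expected = $true; Actual = $onPdc; OK = $onPdc }
$reg = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' -Name TcpipClientSupport -ErrorAction SilentlyContinue
$val = if ($reg) { $reg.TcpipClientSupport } else { $null }
$results += [pscustomobject]@{ Check = 'TcpipClientSupport'; Expected = 1; Actual = $val; OK = ($val -eq 1) }

# 3. An empty Domain Local security group named <NetBIOS>$$$ must exist in the source domain.
$groupName = $domain.NetBIOSName + '$$$'
$grp = Get-ADGroup -Filter "Name -eq '$groupName'" -Server $domain.PDCEmulator -ErrorAction SilentlyContinue
if ($grp) {
    $memberCount = @(Get-ADGroupMember -Identity $grp -Server $domain.PDCEmulator).Count
    $actual = "$($grp.GroupScope)/$($grp.GroupCategory), members=$memberCount"
    $ok = ($grp.GroupScope -eq 'DomainLocal') -and ($grp.GroupCategory -eq 'Security') -and ($memberCount -eq 0)
} else { $actual = 'missing'; $ok = $false }
$results += [pscustomobject]@{ Check = "Group $groupName"; Expected = 'DomainLocal/Security, members=0'; Actual = $actual; OK = $ok }

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.OK }) { Write-Warning 'One or more SID History prerequisites are not met.' }
```

Run the same audit section on the target DCs as well, since the prerequisites require auditing on both sides; the registry and $$$ group checks apply only to the source domain.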
Important Tip: For further guidance from Microsoft about using DsAddSidHistory, click here.