Directory Sync Pro for Active Directory uses a browser-based user interface. We recommend using Edge, Chrome, or Firefox.
Microsoft requires an administrative account in the source domain.
In order to support synchronization of SID History from the source to the target domains, Windows requires that a specific domain local group exists and that account auditing is enabled.
The source and target domains must not have the same NETBIOS name to allow the required trust between the two environments.
Communication between a Source PDC and the configured Target GC is required for SID History Migration to complete successfully. Note that additional ports must be open between the Source PDC and the configured Target GC, as defined in Section 3, Directory Sync Pro for Active Directory Advanced Network Requirements (Directory Sync Pro for Active Directory Profile with SID History Synchronization selected), of this document.
To prepare each source and target domain for SID History Synchronization, the following configuration steps must be completed:
In the source domain, create a domain local group called SourceDomain$$$, where SourceDomain is the NetBIOS name of your source domain. For example, if your domain's NetBIOS name is ADM, you must create a domain local group named ADM$$$.
Note: SID History synchronization will fail if members are added to this group.
Enable TCP/IP client support on the source domain PDC emulator:
On the domain controller in the source domain that holds the PDC emulator operations master (also known as flexible single master operations or FSMO) role, click Start, and then click Run.
In Open, type regedit, and then click OK.
In Registry Editor, navigate to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Modify the registry entry TcpipClientSupport, of data type REG_DWORD, by setting the value to 1.
Close Registry Editor, and then restart the computer.
Enable auditing in the target domain:
Log on as an administrator to any domain controller in the target domain.
Click Start, point to All Programs, point to Administrative Tools, and then click Group Policy Management.
Navigate to the following node: Forest | Domains | Domain Name | Domain Controllers | Default Domain Controllers Policy
Right-click Default Domain Controllers Policy and click Edit.
In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy
In the details pane, right-click Audit account management, and then click Properties.
Click Define these policy settings, and then click Success and Failure.
Click Apply, and then click OK.
In the details pane, right-click Audit directory service access and then click Properties.
Click Define these policy settings and then click Success.
Click Apply, and then click OK.
If the changes need to be immediately reflected on the domain controller, open an elevated command prompt and type gpupdate /force.
Repeat the above steps in the source domain.
Note: It may also be necessary to reboot the domain controller for auditing to take effect. Even with the group policy applied through the Default Domain Controllers Policy for the domain audit settings, the audit setting on the primary domain controller (PDC) itself may not be enabled. Confirm that this setting is enabled in the local security policy on the PDC server; if it is not, enable it through the local security policy.
To receive the maximum benefit, a trust should be in place. When a trust is present, ensure that it is configured to permit cross-domain verification. First identify whether the trust between the source and target domains is an external trust or a forest trust; then run the following commands from an administrative command prompt:
If the trust between the source and target is an external trust:
From the source domain:
Netdom trust SourceDomain /domain:TargetDomain /quarantine:No /user:domainadministratorAcct /password:domainadminpwd
From the target domain:
Netdom trust TargetDomain /domain:SourceDomain /quarantine:No /user:domainadministratorAcct /password:domainadminpwd
If the trust between the source and target is a forest trust:
From the source domain:
Netdom trust SourceDomain /domain:TargetDomain /enableSIDHistory:Yes /user:domainadministratorAcct /password:domainadminpwd
From the target domain:
Netdom trust TargetDomain /domain:SourceDomain /enableSIDHistory:Yes /user:domainadministratorAcct /password:domainadminpwd
If SID History will be synchronized, every Domain Controller listed in the Target DCs tab of a Directory Sync Pro for Active Directory profile requires access to the source Domain Controller holding the PDC Emulator FSMO role. Even if that Domain Controller is not listed in the Source DCs tab, every SID History migration attempt requires a DC in the target to communicate with the source PDC Emulator. For this reason, it is a best practice to ensure that all Domain Controllers specified in the Target DCs tab have the appropriate network access to the source Domain Controller holding the PDC Emulator FSMO role before a SID History migration is attempted.
The domain controller with the PDC Emulator FSMO role must not be configured to run LSASS as a protected service or the password sync will fail with an access denied error.
The following conditions must be met for Password Sync:
ADMIN$ must be accessible on the domain controller from the Directory Sync server.
The Password Sync functionality requires that either a domain admin role or built-in admin role be granted to the service account for both Source and Target Domains.
Third-party anti-virus or threat prevention programs may block the execution of password tasks. These programs may need to be uninstalled from both the Domain Controller and the Directory Sync Server or otherwise carefully whitelisted to allow proper operation.
Directory Sync Pro for Active Directory and Migrator Pro for Active Directory do not validate the password policies present within your domains. Verify that the password entered as the Default Password complies with the password policy of your target environment. Objects will fail to be created if the password violates that policy.