
On Demand Migration Current - Active Directory SID History Synchronization Quick Start Guide

Introduction

The goal of this guide is to provide a step-by-step walk-through of how to set up SID History (sIDHistory) synchronization for objects between your on-premises Active Directory environments.

This guide focuses on sIDHistory synchronization between two on-premises Active Directory environments that do not have a trust configured between them. To set up Directory Sync for sIDHistory migration, four (4) configurations must be completed before the first synchronization:

  1. Set up Environments

  2. Set up Local Agents

  3. Set up Templates

  4. Set up Workflows

The next section lists the requirements needed to successfully migrate sIDHistory between two Active Directory environments.

Requirements

The following are the minimum requirements for setting up Directory Sync to migrate sIDHistory with your on-premises Active Directory. Directory Sync supports sIDHistory migration both for environments that have an Active Directory trust configured and for environments without a trust.


Preparing the Source and Target Domains

To prepare each source and target domain for sIDHistory Synchronization, the following configuration steps must be completed:

  1. In the source domain, create a domain local security group named SourceDomain$$$, where SourceDomain is the NetBIOS name of your source domain. For example, if your domain's NetBIOS name is ADM, you must create a domain local group named ADM$$$.

Note: sIDHistory synchronization will fail if any members are added to this group; leave it empty.

  2. Enable TCP/IP client support on the source domain PDC emulator:

    1. On the domain controller in the source domain that holds the PDC emulator operations master (also known as flexible single master operations or FSMO) role, click Start, and then click Run.

    2. In Open, type regedit, and then click OK.

    3. In Registry Editor, navigate to the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

    4. Set the registry entry TcpipClientSupport (data type REG_DWORD) to 1, creating the entry if it does not already exist.

    5. Close Registry Editor, and then restart the computer.

  3. Enable auditing in the target domain:

    1. Log on as an administrator to any domain controller in the target domain.

    2. Click Start, point to All Programs, point to Administrative Tools, and then click Group Policy Management.

    3. Navigate to the following node: Forest | Domains | Domain Name | Domain Controllers | Default Domain Controllers Policy

    4. Right-click Default Domain Controllers Policy and click Edit.

    5. In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy

    6. In the details pane, right-click Audit account management, and then click Properties.

    7. Click Define these policy settings, and then click Success and Failure.

    8. Click Apply, and then click OK.

    9. In the details pane, right-click Audit directory service access and then click Properties.

    10. Click Define these policy settings and then click Success.

    11. Click Apply, and then click OK.

    12. If the changes need to be immediately reflected on the domain controller, open an elevated command prompt and type “gpupdate /force”

    13. Repeat the above steps in the source domain.

  4. If advanced audit policy is enabled in your environment, also configure advanced auditing in the target domain:

    1. Log on as an administrator to any domain controller in the target domain.

    2. Click Start, point to All Programs, point to Administrative Tools, and then click Group Policy Management.

    3. Navigate to the following node: Forest | Domains | Domain Name | Domain Controllers | Default Domain Controllers Policy

    4. Right-click Default Domain Controllers Policy and click Edit.

    5. In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies | Account Management

    6. In the details pane, right-click Audit Application Group Management, and then click Properties.

    7. Click Configure the following audit events, and then click Success and Failure.

    8. Click Apply, and then click OK.

    9. Repeat steps 6 through 8 for each of the following policies under Account Management:

      1. Audit Computer Account Management

      2. Audit Distribution Group Management

      3. Audit Other Account Management Events

      4. Audit Security Group Management

      5. Audit User Account Management

    10. In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies | DS Access

    11. In the details pane, right-click Audit Detailed Directory Service Replication and then click Properties.

    12. Click Configure the following audit events, and then click Success.

    13. Click Apply, and then click OK.

    14. Repeat steps 11 through 13 for each of the following policies under DS Access:

      1. Audit Directory Service Access

      2. Audit Directory Service Changes

      3. Audit Directory Service Replication

    15. If the changes need to be immediately reflected on the domain controller, open an elevated command prompt and type "gpupdate /force".

    16. Repeat the above steps in the source domain.

Notes: A restart of the domain controller may also be needed before the auditing takes effect.

Even when the Default Domain Controllers Policy applies the audit settings, the effective audit setting on the PDC emulator may still be disabled. Confirm that the setting is in force in the Local Security Policy on the PDC emulator; if it is not, enable it there.
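The following PowerShell script is an added example and is not part of the Quest guide or the Directory Sync product. It automates the source-domain preparation in steps 1 and 2 (the SourceDomain$$$ group and TcpipClientSupport on the PDC emulator) and then checks the effective audit policy on every domain controller for the settings required in steps 3 and 4, which is the direct check for the PDC emulator caveat in the note above. It assumes the ActiveDirectory module, WinRM access to the domain controllers, and an account allowed to create groups and edit the PDC emulator's registry; the domain names at the bottom are placeholders.

```powershell
# Added example, not from the Quest documentation. Domain names are placeholders.
Import-Module ActiveDirectory

function Initialize-SourceDomainForSidHistory {
    param([Parameter(Mandatory)][string]$SourceDomainDns)
    $domain = Get-ADDomain -Server $SourceDomainDns
    # The group is named after the NetBIOS name, e.g. ADM$$$. Single quotes keep PowerShell
    # from expanding $$ as an automatic variable.
    $groupName = $domain.NetBIOSName + '$$$'
    $group = Get-ADGroup -Server $SourceDomainDns -LDAPFilter "(sAMAccountName=$groupName)"
    if (-not $group) {
        $group = New-ADGroup -Server $SourceDomainDns -Name $groupName -SamAccountName $groupName `
            -GroupScope DomainLocal -GroupCategory Security -Path $domain.UsersContainer `
            -Description 'Required by sIDHistory migration; must remain empty' -PassThru
    }
    # Synchronization fails if this group has members, so flag any that are present.
    $members = @(Get-ADGroupMember -Server $SourceDomainDns -Identity $group)
    if ($members.Count -gt 0) {
        Write-Warning "$groupName has $($members.Count) member(s); remove them before synchronizing"
    }
    # TcpipClientSupport on the PDC emulator. A restart of that DC is still required after the change.
    Invoke-Command -ComputerName $domain.PDCEmulator -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $current = (Get-ItemProperty -Path $key -Name TcpipClientSupport -ErrorAction SilentlyContinue).TcpipClientSupport
        if ($current -ne 1) {
            Set-ItemProperty -Path $key -Name TcpipClientSupport -Value 1 -Type DWord
            "TcpipClientSupport set to 1 on $env:COMPUTERNAME; restart this DC"
        } else {
            "TcpipClientSupport already 1 on $env:COMPUTERNAME"
        }
    }
}

# Effective settings the guide requires. "Success and Failure" also satisfies a "Success" requirement.
$RequiredAudit = @{
    'Application Group Management'          = 'Success and Failure'
    'Computer Account Management'           = 'Success and Failure'
    'Distribution Group Management'         = 'Success and Failure'
    'Other Account Management Events'       = 'Success and Failure'
    'Security Group Management'             = 'Success and Failure'
    'User Account Management'               = 'Success and Failure'
    'Detailed Directory Service Replication' = 'Success'
    'Directory Service Access'              = 'Success'
    'Directory Service Changes'             = 'Success'
    'Directory Service Replication'         = 'Success'
}

function Test-DcAuditPolicy {
    param([Parameter(Mandatory)][string]$DomainDns)
    $domain = Get-ADDomain -Server $DomainDns
    foreach ($dc in (Get-ADDomainController -Filter * -Server $DomainDns)) {
        # auditpol reports the policy actually in force (GPO and local merged), which is what
        # matters on the PDC emulator. /r emits CSV so it can be parsed rather than screen-scraped.
        $rows = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            auditpol.exe /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
        }
        foreach ($name in $RequiredAudit.Keys) {
            $row = $rows | Where-Object { $_.Subcategory -eq $name }
            $effective = if ($row) { $row.'Inclusion Setting' } else { 'not reported' }
            [pscustomobject]@{
                DC          = $dc.HostName
                IsPdc       = ($dc.HostName -eq $domain.PDCEmulator)
                Subcategory = $name
                Effective   = $effective
                Compliant   = ($effective -eq $RequiredAudit[$name]) -or ($effective -eq 'Success and Failure')
            }
        }
    }
}

# Placeholder domain names; run after the GPO has been applied (gpupdate /force) on the DCs.
Initialize-SourceDomainForSidHistory -SourceDomainDns 'source.example.com'
Test-DcAuditPolicy -DomainDns 'source.example.com' | Where-Object { -not $_.Compliant } | Format-Table
Test-DcAuditPolicy -DomainDns 'target.example.com' | Where-Object { -not $_.Compliant } | Format-Table
```

A row with IsPdc set and Effective reading "No Auditing" is exactly the case the note above describes: the Group Policy setting did not take effect on the PDC emulator, and the subcategory has to be enabled in that server's Local Security Policy (or the policy refreshed and the DC restarted) before synchronization will succeed.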


Account Permissions

  1. The Migrate SID History permission is required on the target domain. Domain Admins and Enterprise Admins typically hold it already; to grant it to a specific group or user:

    1. In Active Directory Users and Computers (with View | Advanced Features enabled, otherwise the Security tab is hidden), right-click your target domain and open its properties.

    2. On the Security tab, add or select the desired group or user and allow the "Migrate SID History" permission.

  2. The source credential must have administrator access to the source PDC emulator. Domain Admins and Enterprise Admins typically have this already; to use a specific group or user:

    1. In Active Directory Users and Computers, navigate to the Builtin container.

    2. Locate the Administrators group and ensure the source service account is a member of it.
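The following PowerShell script is an added example, not code from the Quest guide. It performs the two permission checks above without the GUI: it grants the Migrate SID History control access right on the target domain object to a Directory Sync account and verifies the resulting ACE, then confirms that the source account is a member of the source domain's Builtin\Administrators group. It looks the right up in the Extended-Rights container instead of hard-coding its GUID. It assumes the ActiveDirectory module and the AD: drive it provides, that it runs on a machine joined to the target domain as a user allowed to modify the domain object's ACL, and that WinRM-free LDAP access to the source domain is available; the account and domain names are placeholders.

```powershell
# Added example, not from the Quest documentation. Account and domain names are placeholders.
Import-Module ActiveDirectory

function Get-MigrateSidHistoryRightGuid {
    # Resolve the control access right from the schema rather than hard-coding its rightsGuid.
    $config = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$config" `
        -LDAPFilter '(displayName=Migrate SID History)' -Properties rightsGuid
    if (-not $right) { throw 'Migrate SID History control access right not found in Extended-Rights' }
    [guid]$right.rightsGuid
}

function Grant-MigrateSidHistory {
    param([Parameter(Mandatory)][string]$Principal)   # e.g. 'TARGET\svc-dirsync' (placeholder)
    $guid = Get-MigrateSidHistoryRightGuid
    $sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    # The right is granted on the domain NC head, which is what the ADUC Security tab edits.
    $path = 'AD:\' + (Get-ADRootDSE).defaultNamingContext
    $acl = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $guid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Test-MigrateSidHistory {
    param([Parameter(Mandatory)][string]$Principal)
    $guid = Get-MigrateSidHistoryRightGuid
    $path = 'AD:\' + (Get-ADRootDSE).defaultNamingContext
    # On an ExtendedRight ACE, ObjectType carries the right's GUID; an empty ObjectType
    # means "all extended rights" and therefore also satisfies the requirement.
    $aces = (Get-Acl -Path $path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Principal -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty)
    }
    [bool]$aces
}

function Test-SourcePdcAdmin {
    param([Parameter(Mandatory)][string]$SourceDomainDns,
          [Parameter(Mandatory)][string]$SamAccountName)
    # Builtin\Administrators of the source domain; -Recursive catches membership via nested groups.
    $members = Get-ADGroupMember -Server $SourceDomainDns -Identity 'Administrators' -Recursive
    $members.SamAccountName -contains $SamAccountName
}

# Placeholder account and domain names.
Grant-MigrateSidHistory -Principal 'TARGET\svc-dirsync'
Test-MigrateSidHistory  -Principal 'TARGET\svc-dirsync'
Test-SourcePdcAdmin -SourceDomainDns 'source.example.com' -SamAccountName 'svc-dirsync-src'
```

Test-MigrateSidHistory only checks explicit Allow entries for the named principal; an account that holds the right through Domain Admins or Enterprise Admins membership will return False here even though synchronization works, so run it against the group you actually granted.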
