The goal of this guide is to provide a step-by-step walkthrough of how to set up SID History (sIDHistory) synchronization for objects between your on-premises Active Directory environments.
This guide focuses on sIDHistory synchronization between two on-premises Active Directory environments with no trust configured between the two directories. To set up Directory Sync for sIDHistory migration, four (4) configurations must be completed before the first synchronization:
Set up Environments
Set up Local Agents
Set up Templates
Set up Workflows
The next section lists the requirements needed to successfully migrate sIDHistory between two Active Directory environments.
In order to facilitate the sIDHistory migration, the following is a list of minimum requirements to get set up using Directory Sync with your On-Premises Active Directory. Directory Sync supports sIDHistory migration for environments that have an Active Directory trust configured as well as environments without a trust configured.
To prepare each source and target domain for sIDHistory Synchronization, the following configuration steps must be completed:
In the source domain, create a domain local group called SourceDomain$$$, where SourceDomain is the NetBIOS name of your source domain. For example, if your domain's NetBIOS name is ADM, you must create a domain local group named ADM$$$.
Note: sIDHistory synchronization will fail if members are added to this domain local group.
Enable TCP/IP client support on the source domain PDC emulator:
On the domain controller in the source domain that holds the PDC emulator operations master (also known as flexible single master operations or FSMO) role, click Start, and then click Run.
In Open, type regedit, and then click OK.
In Registry Editor, navigate to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Modify the registry entry TcpipClientSupport, of data type REG_DWORD, by setting the value to 1.
Close Registry Editor, and then restart the computer.
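The source-domain preparation above (the empty NetBIOS$$$ group plus the TcpipClientSupport registry value on the PDC emulator) can be applied and verified with the following PowerShell, an added example that is not part of the original guide. It assumes the ActiveDirectory RSAT module, source domain admin rights, and a placeholder $SourceDomain that you replace with your own source domain.

```powershell
# Added example: prepare the SOURCE domain for sIDHistory synchronization.
# Run from an elevated PowerShell session with the ActiveDirectory RSAT module installed.
Import-Module ActiveDirectory

$SourceDomain = 'source.example.local'   # placeholder; replace with your source domain

$dom       = Get-ADDomain -Identity $SourceDomain
$netbios   = $dom.NetBIOSName
$groupName = $netbios + '$$$'            # e.g. ADM$$$ when the NetBIOS name is ADM
$pdc       = $dom.PDCEmulator            # the DC holding the PDC emulator FSMO role

# 1. Create the domain-local group <NetBIOS>$$$ in the source domain (idempotent).
#    LDAP filters do not treat '$' specially, so the name is safe to embed here.
$group = Get-ADGroup -Server $pdc -LDAPFilter "(sAMAccountName=$groupName)"
if (-not $group) {
    $group = New-ADGroup -Server $pdc -Name $groupName -SamAccountName $groupName `
                         -GroupScope DomainLocal -GroupCategory Security `
                         -Path $dom.UsersContainer -PassThru
}

# The guide warns that synchronization fails if this group has members, so verify it is empty.
$members = @(Get-ADGroupMember -Server $pdc -Identity $group)
if ($members.Count -gt 0) {
    throw "$groupName must be empty but contains $($members.Count) member(s)."
}

# 2. Enable TCP/IP client support on the PDC emulator (a restart is required for it to take effect).
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$value = Invoke-Command -ComputerName $pdc -ScriptBlock {
    param($key)
    New-ItemProperty -Path $key -Name 'TcpipClientSupport' -PropertyType DWord -Value 1 -Force | Out-Null
    (Get-ItemProperty -Path $key -Name 'TcpipClientSupport').TcpipClientSupport
} -ArgumentList $lsaKey

"$groupName exists and is empty; TcpipClientSupport on $pdc is now $value (restart $pdc to apply)."
```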
Enable auditing in the target domain:
Log on as an administrator to any domain controller in the target domain.
Click Start, point to All Programs, point to Administrative Tools, and then click Group Policy Management.
Navigate to the following node: Forest | Domains | Domain Name | Domain Controllers | Default Domain Controllers Policy
Right-click Default Domain Controllers Policy and click Edit.
In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy
In the details pane, right-click Audit account management, and then click Properties.
Click Define these policy settings, and then click Success and Failure.
Click Apply, and then click OK.
In the details pane, right-click Audit directory service access and then click Properties.
Click Define these policy settings and then click Success.
Click Apply, and then click OK.
If the changes need to be immediately reflected on the domain controller, open an elevated command prompt and type “gpupdate /force”
Repeat the above steps in the source domain.
Enable Advanced Auditing in the target domain when you have advanced audit policy enabled:
Log on as an administrator to any domain controller in the target domain.
Click Start, point to All Programs, point to Administrative Tools, and then click Group Policy Management.
Navigate to the following node: Forest | Domains | Domain Name | Domain Controllers | Default Domain Controllers Policy
Right-click Default Domain Controllers Policy and click Edit.
In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies | Account Management
In the details pane, right-click Audit Application Group Management, and then click Properties.
Click Configure the following audit events, and then click Success and Failure.
Click Apply, and then click OK.
Repeat the above for the following policies under Account Management:
Audit Computer Account Management
Audit Distribution Group Management
Audit Other Account Management Events
Audit Security Group Management
Audit User Account Management
In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies | DS Access
In the details pane, right-click Audit Detailed Directory Service Replication and then click Properties.
Click Configure the following audit events, and then click Success.
Click Apply, and then click OK.
Repeat the above for the following policies under DS Access:
Audit Directory Service Access
Audit Directory Service Changes
Audit Directory Service Replication
If the changes need to be immediately reflected on the domain controller, open an elevated command prompt and type “gpupdate /force”
Repeat the above steps in the source domain.
Note: It may also be necessary to reboot the domain controller for auditing to take effect.
Even with Group Policy applied to the Default Domain Controllers Policy for the domain audit settings, the server audit setting on the primary domain controller (PDC) may not be enabled. Confirm that this setting is enabled in the Local Security Policy on the PDC server; if it is not, use the Local Security Policy to enable it.
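Because the guide notes that the PDC may still not audit even after the GPO is applied, the following PowerShell, an added example rather than part of the original guide, reads the effective audit policy on the PDC emulator with auditpol and flags any subcategory that is below the minimum the steps above require. It assumes the ActiveDirectory RSAT module, admin rights on the DC, and a placeholder $Domain (run it once for the target and once for the source domain).

```powershell
# Added example: verify the EFFECTIVE (GPO + local) audit policy on a domain's PDC emulator.
Import-Module ActiveDirectory
$Domain = 'target.example.local'   # placeholder; run once per domain (target, then source)

# Minimum settings required by the guide, keyed by auditpol subcategory name.
$required = @{
    'User Account Management'                = 'Success and Failure'
    'Computer Account Management'            = 'Success and Failure'
    'Security Group Management'              = 'Success and Failure'
    'Distribution Group Management'          = 'Success and Failure'
    'Application Group Management'           = 'Success and Failure'
    'Other Account Management Events'        = 'Success and Failure'
    'Directory Service Access'               = 'Success'
    'Directory Service Changes'              = 'Success'
    'Directory Service Replication'          = 'Success'
    'Detailed Directory Service Replication' = 'Success'
}

$pdc = (Get-ADDomain -Identity $Domain).PDCEmulator

$report = Invoke-Command -ComputerName $pdc -ScriptBlock {
    # auditpol reports the effective policy; /r emits CSV with an 'Inclusion Setting' column.
    auditpol.exe /get /category:* /r | ConvertFrom-Csv
} | ForEach-Object {
    $want = $required[$_.Subcategory]
    if (-not $want) { return }                      # not one of the subcategories we care about
    $have = $_.'Inclusion Setting'
    # 'Success and Failure' also satisfies a 'Success'-only requirement.
    $ok = ($have -eq $want) -or ($have -eq 'Success and Failure')
    [pscustomobject]@{ PDC = $pdc; Subcategory = $_.Subcategory; Required = $want; Effective = $have; OK = $ok }
}

$report | Format-Table -AutoSize
# Any row with OK = False must be fixed (gpupdate /force, Local Security Policy, or a reboot)
# on that PDC before the first synchronization.
```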
The Migrate sIDHistory permission is required on the target domain. It is typically granted to Domain Admins and Enterprise Admins, but can be granted to a specific group or user by following the steps below:
Right-click on your target domain in Active Directory Users and Computers.
Select the Security tab and add or update the desired group or user and enable the “Migrate sIDHistory” permission.
The source credential must have administrator access to the source PDC emulator. This is typically granted to Domain Admins and Enterprise Admins, but can be granted to a specific group or user by following the steps below:
Navigate to the Built-in organizational unit in Active Directory Users and Computers.
Locate the Administrators group and ensure the source service account is a member of the group.
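The two credential checks above can be confirmed rather than assumed. The following PowerShell is an added example (not from the original guide): it looks up the Migrate SID History extended right from the target forest's schema, checks whether the target service account holds it on the domain head directly or through a nested group, and checks that the source service account is a (nested) member of Builtin\Administrators in the source domain. $TargetDomain, $SourceDomain, $TargetAccount and $SourceAccount are placeholders, and the ActiveDirectory RSAT module is assumed.

```powershell
# Added example: confirm the target "Migrate SID History" right and source Administrators membership.
Import-Module ActiveDirectory
$TargetDomain = 'target.example.local'; $TargetAccount = 'svc-dirsync'   # placeholders (sAMAccountName)
$SourceDomain = 'source.example.local'; $SourceAccount = 'svc-dirsync'   # placeholders (sAMAccountName)

# 1. Target domain: resolve the extended right's GUID from the Extended-Rights container
#    instead of hard-coding it, then inspect the ACL on the domain head.
$tdom  = Get-ADDomain -Identity $TargetDomain
$tpdc  = $tdom.PDCEmulator
$cfg   = (Get-ADRootDSE -Server $tpdc).configurationNamingContext
$right = Get-ADObject -Server $tpdc -SearchBase "CN=Extended-Rights,$cfg" `
            -LDAPFilter '(displayName=Migrate SID History)' -Properties rightsGuid
$rightGuid = [guid]$right.rightsGuid

# tokenGroups is a constructed attribute holding the SIDs of all nested security groups.
$user = Get-ADUser -Server $tpdc -Identity $TargetAccount -Properties tokenGroups
$sids = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { $_.Value })

$de    = [adsi]"LDAP://$tpdc/$($tdom.DistinguishedName)"
$rules = $de.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$grant = $rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    ($_.ObjectType -eq $rightGuid -or $_.ObjectType -eq [guid]::Empty) -and   # Empty = all extended rights
    ($sids -contains $_.IdentityReference.Value)
}
"Target '$TargetAccount' holds Migrate SID History on $($tdom.DistinguishedName): $([bool]$grant)"

# 2. Source domain: is the account a member (nested included) of Builtin\Administrators?
#    -Recursive can error on foreign security principals; this guide assumes no trust, so none are expected.
$sdom    = Get-ADDomain -Identity $SourceDomain
$admins  = Get-ADGroupMember -Server $sdom.PDCEmulator -Identity 'Administrators' -Recursive
$isAdmin = $admins.SamAccountName -contains $SourceAccount
"Source '$SourceAccount' is in Builtin\Administrators of $($sdom.NetBIOSName): $isAdmin"
```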