Requirements for moving Security Identifier (SID) attributes from source to target domain.

objectSid and sIDHistory are two attributes associated with AD user accounts that help accounts retain access to various resources when migrated from one domain to another. When a user account is migrated from one domain to another, a new user account is created in the target domain and the source user’s SID is added to the target user’s sIDHistory attribute. This ensures that the target user can still access resources in the source domain. Efflux allows the mapping of the source SID to the target user’s sIDHistory attribute during the move.
But before SID can be moved there are some pre-requisites to be met. The article lists in detail the pre-requisites for mapping the source user’s SID to the target. Following are the requisites:
  1. A trust relationship must exist between the source and the target domain.
  2. Source and target domains must not be in the same Active Directory forest.
  3. A domain-local group “domain$$$” must be created in the source domain.
  4. A special registry key must be created on PDC Emulator DC in the source domain. The registry path will be HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\TcpipClientSupport.

  5. The Security Identifier (SID) you want transferred must not already exist in any of the sIDHistory attributes of objects in the target domain. 
  6. Auditing must be enabled on source domain. In addition Audit Mode must be turned on in each domain and Success/Failure events must be turned on for the Audit account management attribute in both source and target forests.

Note: There is no need to move the Security Identifier (SID) in case resources are not required to be accessed in the source domain. 

Add Feedback