Configuring the Source and Target Domains for SID History Migration

Updated: September 29, 2013

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

You can manually configure the source and target domains to migrate the security identifier (SID) history before you begin an interforest migration, or you can allow the Active Directory Migration Tool (ADMT) to configure the domains automatically the first time that it runs.

To configure the source and target domains manually, complete the following procedures:

  • Create a local group in the source domain to support auditing.

  • Enable TCP/IP client support on the source domain primary domain controller (PDC) emulator.

    If you are migrating from a domain with domain controllers that run Windows Server 2003 or later to another domain with domain controllers that run Windows Server 2003 or later, the TcpipClientSupport registry entry does not have to be modified.

  • Enable auditing of account management in the source and target domains. For Windows Server 2008 and later, you need to also enable auditing for directory service access in order to migrate users with SID history between forests.

  • In the source domain, create a local group called SourceDomain$$$, where SourceDomain is the NetBIOS name of your source domain, for example, Boston$$$. Do not add members to this group; if you do, SID history migration will fail.

  1. On the domain controller in the source domain that holds the PDC emulator operations master (also known as flexible single master operations or FSMO) role, click Start, and then click Run.

  2. In Open, type regedit, and then click OK.

    Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after you make changes.

  3. In Registry Editor, navigate to the following registry subkey:


  4. Modify the registry entry TcpipClientSupport, of data type REG_DWORD, by setting the value to 1.

  5. Close Registry Editor, and then restart the computer.

  1. Log on as an administrator to any domain controller in the target domain.

  2. Click Start, point to All Programs, point to Administrative Tools, and then click Group Policy Management.

  3. Navigate to the following node:

    Forest | Domains | Domain | Domain Controllers | Default Domain Controllers Policy

  4. Right-click Default Domain Controllers Policy and click Edit.

  5. In Group Policy Management Editor, in the console tree, navigate to the following node:

    Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy

  6. In the details pane, right-click Audit account management, and then click Properties.

  7. Click Define these policy settings, and then click Success and Failure.

  8. Click Apply, and then click OK.

  9. In the details pane, right-click Audit directory service access and then click Properties.

  10. Click Define these policy settings and then click Success.

  11. Click Apply, and then click OK.

  12. If the changes need to be immediately reflected on the domain controller, open an elevated command prompt and type gpupdate /force.

  13. Repeat steps 1 through 12 in the source domain.

Community Additions