Solved

Copying an account to child domain keeping SID history

Posted on 2012-04-11
4
721 Views
Last Modified: 2013-12-17
I have a forest with a parent domain which we will call "Shared" and three child domains (Field Test, Production, and Production Test) I want to use Production Test as a debug environment for Production. One of the applications I run requires a service account in AD and it looks at the SID on the account so for it to work in Production Test I need to copy the user and the SID history. I have tried using the ADMT 3.2 Account Migration Wizard but when it runs in the same forest it moves the account not copies. I need the account to exist in each child domain and have the same SID history. Is there a way to copy the account with SID? Import/Export options? Or is there a way to copy SID history and apply it to a user in the other domain? OS on all servers is Windows Server 2008 R2.

Shared Domain manages Admin User access for users like sys admins and support servers like AV and WSUS.

Child Domains Field Test, Production, and Production Test contain end user accounts and service accounts specific to each environment.

Thanks for any help!!!
0
Comment
Question by:Sparcedge
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37834057
Clone principal can help in copying the account information..

Note:--- it duplicates the object from source domain to target domain... does not delete..

you can  find more details in below link if it fullfills your requirement..

http://technet.microsoft.com/en-us/library/cc773393(v=ws.10).aspx
0
 

Author Comment

by:Sparcedge
ID: 37834072
Clone Principal is from Server 2000 and 2003, do they still make it or include it in support tools for 2008 R2? Or would the 2003 version work on a 2008 R2 domain?
0
 
LVL 17

Accepted Solution

by:
Anuroopsundd earned 500 total points
ID: 37834191
it may require some testing. in below link they are providing how to run on windows 2008 machine..but again test in lab first..

http://daddyr.blogspot.com/2011/09/migrate-sidhistory-for-domain-admins.html

http://www.rutter-net.com/news/tips-tricks/migrate-sidhistory-for-domain-admins-and-domain-users-cross-forest/
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 37834346
First link is correct, but you need to use the sidHistory script (from clone principal tool) to copy it.
Sidhist.vbs. Sample script that adds the SID of a source account to the SIDHistory of a destination account.
See Also: http://msdn.microsoft.com/en-us/library/ms677982%28v=vs.85%29.aspx

Apparently, you can use ADMT to do this though:
http://social.technet.microsoft.com/Forums/en/winserverDS/thread/c0bf3fa8-e379-4241-bf82-7dae2ea2a8fc
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Suggested Courses

632 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question