Migrate SIDHistory for Domain Admins and Domain Users cross forest

Today I needed to migrate Domain Admins and Domain Users SID to SIDHistory from an old forest to a new built. To be able to to this you need the "Windows 2003 SP2 Support Tools" (link). In my situation I needed to run the utils on a Windows 2008 R2 (x64) OS - so the following guide needs to be followed:

  • Create a trust between your forests
  • Get the PDC Emulators for both forests
  • Extract sidhist.vbs and clonepr.dll from the CAB files
  • Logon to the PDC Emulator in the target forest (where SIDHistory is to be migrated to)
    • Edit the HOSTS file with IP and hostname för the PDC Emulator in the source domain SOURCEPDC
    • Register the clonepr.dll using the 32-bit regsvr32.dll
      c:\windows\syswow64\regsvr32.exe clonepr.dll
  • Create a script.cmd file with your commands
    c:\windows\syswow64\cscript.exe sidhist.vbs "/srcsam:domain users" "/dstsam:domain users" /srcdom:NetBIOS_Source_Domain /dstdom:NetBIOS_Target_Domain /srcdc:NetBIOS_Source_PDC /dstdc:NetBIOS_Target_PDC
  • Run your script
Your output should be something like:
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.


Anonymous said...

Nice! Would this work when migrating a child domain into a parent domain in the same forest?

RikardStrand said...


This should work between a child domain to a parent domain (but I haven't tried it myself).

A very recommended read is the following guide:

Anonymous said...

Hi DaddyR,

We are migrating from a 2003 domain to a 2008 R2 domain. I have succesfully copied the SID from the source to the target domain (domain users) via the sidhist. But i'm still not able to access resources which use the domain users group to give permissions. I stumbled upon this post from MS (http://support.microsoft.com/kb/893191). The last sentence states that built-in SID's are always filtered out. Is there a way to disable this filtering of built-in groups? Or is it possible to make it work?

Kind regards,

RikardStrand said...


I wasn't aware of the built in "standard filtering". Does other groups work for you ?

Can you verify that SIDFiltering is allowed between the forests:
netdom.exe trust TRUSTINGDOMAIN /domain TRUSTEDDOMAIN /enablesidhistory

I have in most cases worked with moving the fileserver or files (with robocopy and copying ACL's) to the new domain and SIDFiltering doesn't happen within the domain (so I can use the SIDHistory for the built-in groups).

I haven't access to a lab environment at the moment but wish you good luck testing.

Unknown said...

Does this work? I haven't been able to get it to work and I've read that as of 2003 the SIDHistory doesn't make the trip regardless of your turning off SID Filtering, or not.

Did you actually put this to the test? I got the SID over there, but it did not work.

Unknown said...

This does not work. I have tested this out previously and have just tested it out again to make sure it hasn't changed.

Tested it between Windows 2008R2 AD and Windows 2012 AD.

An account with a well known RID can be cloned only onto a destination account with the same well known RID. Accounts with well known RIDs include the following users:
and the following global groups:
Domain Admins
Domain Guests
Domain Users

An account with a well known SID cannot be cloned. Listed below
Account Operators
Backup Operators
Power Users
Print Operators
Server Operators

Unknown said...

Type this in word for word. Getting the following:

C:\temp>c:\windows\syswow64\cscript.exe c:\temp\sidhist.vbs "/srcsam:Domain User
s" "/dstsam:Domain Users" /srcdom:DESTFOREST /dstdom:DESTFOREST /srcdc:SOURCEDC /dstdc:DESTDC
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Error 0x80070005 occurred.
Error Description: Unable to read the configuration information of the computer
"DESTDC". The error was: "Access is denied."
Error HelpContext: 0
Error HelpFile :
Error Source : DSUtils.ClonePrincipal.1

Unknown said...

... Bit more information: So two forests, 2-way trust in place. Followed instructions in the post to the letter, including the enable SIDHistory (which worked).

Forests/Domain Functional levels both set the same 2008R2.
From both forests I can resolve DCs by hostname and FQDN.

Any assistance would be most welcome.