User migration error: SID History Not Enabled (0x80004005)

Last updated on:

In this article:

Issue description

When attempting to migrate users between Active Directory domains using ADManager Plus, you may encounter the following error:

Unable to migrate users. The following configuration required for SID history has not been performed. Auditing has not been enabled in the source domain. Unspecified error (0x80004005).

This error indicates that the necessary auditing settings required for SID history migration have not been enabled in the source domain.

Possible causes

  1. SID history auditing is not enabled in the source domain.
  2. Required permissions are missing for the service account performing the migration.
  3. Trust relationship issues between source and target domains.

Prerequisites

Ensure the following configurations are in place before troubleshooting:

  • You have Domain Admin or equivalent privilege in both the domains.
  • The service account used for migration has Enterprise admin permissions in both Domains.
  • The source and target domains have a functional trust relationship (if SID history migration is required).
  • ADMT (Active Directory Migration Tool) is installed and configured in both the source and destination domains.

Resolution

Step 1: Enable auditing for SID history in the source domain

  1. Open Group Policy Management on a domain controller.
  2. Edit the Default Domain Policy GPO (If not a winning GPO linked to the root domain that takes precedence for the below-mentioned settings).
  3. Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > DS Access.
  4. Enable Audit Directory Service Changes and Audit Directory Service Access.
  5. Run gpupdate/force to apply the settings through the modified GPO.

Step 2: Assign required permissions to the migration service account

  1. Open Active Directory Users and Computers (ADUC).
  2. Right-click the source domain and select Delegate Control.
  3. Add the migration service account and grant the following permissions:
    • Migrate SID History
    • Replicating Directory Changes
    • Replicating Directory Changes All
  4. Click OK and apply the changes.

Step 3: Verify source and target domain trusts

  1. Open Command Prompt on a domain controller.
  2. Run the following command to check domain trusts:
    • nltest /domain_trusts
  3. Ensure there is a two-way transitive trust between the source and target domains.
  4. If necessary, establish a trust using Active Directory Domains and Trusts.

Step 4: Check ADMT installation on both domains

  1. Ensure that Active Directory Migration Tool (ADMT) is installed on both the source and destination domain controllers.
  2. If ADMT is not installed, download and install it from Microsoft's official site.
  3. Run ADMT and confirm that SID history migration options are available.

Tips

  • Backup user data before performing migrations.
  • Test with a small batch before migrating all users.
  • Check group memberships after migration, as some may need to be reassigned.

How to reach support

If the issue persists, contact our support team here.