Stay organized with collectionsSave and categorize content based on your preferences.
This page explains how Google Cloud can help you migrate an existing Active
Directory domain from on-premises to Managed Service for Microsoft Active Directory while preserving SID
history.
Overview
If you want to use Managed Microsoft AD instead of your on-premises Active
Directory environment, you can use the following approaches:
Create a Managed Microsoft AD domain and establish a trust relationship
with the on-premises domain. However, you must continue maintaining the
on-premises Active Directory environment for this approach to work.
Create and set up a new Managed Microsoft AD domain that is similar to your
on-premises domain. In this approach, you must create and configure all the
users, groups, and other AD objects from your on-premises domain again on
the new Managed Microsoft AD domain. This approach is time-consuming
and requires substantial manual effort.
However, if you want to use the same users from your on-premises domain in
Managed Microsoft AD, you can use Active Directory Migration Toolkit
(ADMT) that helps you automate the migration of AD objects between two
trusted domains. For more information about ADMT, seeActive Directory
Migration Tool version
3.2
Why preserve SID history during migration
SID history helps you maintain user access to resources without having to modify
resource permissions after migrating Active Directory domains. Active Directory
migration using ADMT involves creating a trust relationship between on-premises
and Managed Microsoft AD domains. After you create the trust, you need to
move the AD objects such as groups, users, and servers, one after another in the
required sequence. If you don't preserve SID history during this migration, the
existing users can't access the resources using the migrated Active Directory
domain.
When you create a user account, the system automatically assigns the user asecurity identifier
(SID),
which is globally unique within the AD forest. After you migrate a domain, the
system assigns a new SID to the same user in the new domain. However, thesIDHistoryattributestores the SID of a user from the previous domain as well. When the user logs
on to the new domain and attempts to authenticate against an existing resource,
Active Directory grants access to the resource by evaluating the user's
permissions based on their current and previous SIDs available in the SID
history.
However, you must import the relevant user properties and disableSID
filteringto preserve SID history while migrating your domain. We recommend that you disable
SID filtering only until you complete the domain migration. After you migrate
the domain, you must enable SID filtering because the groups, users, and
resources reside in the same domain. For more information about enabling SID
filtering, seeDisable permissions on the Managed Microsoft AD
domain.
Security implications
Before you enable the permissions for migrating your on-premises domain, read
the following security implications:
Users can get the SID of a domain administrator or privileged account by
looking at the access control lists (ACLs) on the resources in the trusting
domain.
Users with domain administrator or equivalent rights can get the harvested
or well-known SID values. They can attach these SID values to a user
account's object in the trusted domain, specifically to itssIDHistoryattribute. When this modified user account crosses an existing trust
relationship from the trusted domain into the trusting domain, the user
account will effectively have all the privileges of the compromised user
account. These privileges can elevate all the way up to the domain
administrator or enterprise administrator level.
After you complete the migration, to ensure security, you mustdisable the
permissionsthat are provided for migrating the existing domain.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Existing domain migration overview\n\n| **Preview\n| --- Existing domain migration**\n|\n|\n| This feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nThis page explains how Google Cloud can help you migrate an existing Active\nDirectory domain from on-premises to Managed Service for Microsoft Active Directory while preserving SID\nhistory.\n\nOverview\n--------\n\nIf you want to use Managed Microsoft AD instead of your on-premises Active\nDirectory environment, you can use the following approaches:\n\n- Create a Managed Microsoft AD domain and establish a trust relationship\n with the on-premises domain. However, you must continue maintaining the\n on-premises Active Directory environment for this approach to work.\n\n- Create and set up a new Managed Microsoft AD domain that is similar to your\n on-premises domain. In this approach, you must create and configure all the\n users, groups, and other AD objects from your on-premises domain again on\n the new Managed Microsoft AD domain. This approach is time-consuming\n and requires substantial manual effort.\n\n- However, if you want to use the same users from your on-premises domain in\n Managed Microsoft AD, you can use Active Directory Migration Toolkit\n (ADMT) that helps you automate the migration of AD objects between two\n trusted domains. For more information about ADMT, see [Active Directory\n Migration Tool version\n 3.2](https://www.microsoft.com/en-us/download/details.aspx?id=56570)\n\nWhy preserve SID history during migration\n-----------------------------------------\n\nSID history helps you maintain user access to resources without having to modify\nresource permissions after migrating Active Directory domains. Active Directory\nmigration using ADMT involves creating a trust relationship between on-premises\nand Managed Microsoft AD domains. After you create the trust, you need to\nmove the AD objects such as groups, users, and servers, one after another in the\nrequired sequence. If you don't preserve SID history during this migration, the\nexisting users can't access the resources using the migrated Active Directory\ndomain.\n\nWhen you create a user account, the system automatically assigns the user a\n[security identifier\n(SID)](https://docs.microsoft.com/windows-server/identity/ad-ds/manage/understand-security-identifiers),\nwhich is globally unique within the AD forest. After you migrate a domain, the\nsystem assigns a new SID to the same user in the new domain. However, the\n[`sIDHistory`\nattribute](https://docs.microsoft.com/windows/win32/adschema/a-sidhistory)\nstores the SID of a user from the previous domain as well. When the user logs\non to the new domain and attempts to authenticate against an existing resource,\nActive Directory grants access to the resource by evaluating the user's\npermissions based on their current and previous SIDs available in the SID\nhistory.\n\nHowever, you must import the relevant user properties and disable [SID\nfiltering](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc772633(v=ws.10))\nto preserve SID history while migrating your domain. We recommend that you disable\nSID filtering only until you complete the domain migration. After you migrate\nthe domain, you must enable SID filtering because the groups, users, and\nresources reside in the same domain. For more information about enabling SID\nfiltering, see [Disable permissions on the Managed Microsoft AD\ndomain](/managed-microsoft-ad/docs/manage-migrate-permissions#disable-permissions).\n\nSecurity implications\n---------------------\n\nBefore you enable the permissions for migrating your on-premises domain, read\nthe following security implications:\n\n- Users can get the SID of a domain administrator or privileged account by looking at the access control lists (ACLs) on the resources in the trusting domain.\n- Users with domain administrator or equivalent rights can get the harvested or well-known SID values. They can attach these SID values to a user account's object in the trusted domain, specifically to its `sIDHistory` attribute. When this modified user account crosses an existing trust relationship from the trusted domain into the trusting domain, the user account will effectively have all the privileges of the compromised user account. These privileges can elevate all the way up to the domain administrator or enterprise administrator level.\n\nAfter you complete the migration, to ensure security, you must [disable the\npermissions](/managed-microsoft-ad/docs/manage-migrate-permissions#disable-permissions)\nthat are provided for migrating the existing domain.\n\nWhat's next\n-----------\n\n- [Enable permissions for migrating an on-premises domain with SID history](/managed-microsoft-ad/docs/enable-migrate-permissions)\n- [Manage permissions required for migrating an on-premises domain](/managed-microsoft-ad/docs/manage-migrate-permissions)"]]
