DsAddSidHistory function

The DsAddSidHistory function retrieves the primary account security identifier (SID) of a security principal from one domain and adds it to the sIDHistory attribute of a security principal in another domain in a different forest. When the source domain is in Windows 2000 native mode, this function also retrieves the sIDHistory values of the source principal and adds them to the destination principal sIDHistory.

The DsAddSidHistory function performs a security-sensitive operation: by adding the primary account SID of an existing security principal to the sIDHistory of a principal in a domain in a different forest, it effectively grants the latter access to every resource accessible to the former. For more information about the use and security implications of this function, see Using DsAddSidHistory.


DWORD DsAddSidHistory(
  _In_     HANDLE                   hDS,
  _In_     DWORD                    Flags,
  _In_     LPCTSTR                  SrcDomain,
  _In_     LPCTSTR                  SrcPrincipal,
  _In_     LPCTSTR                  SrcDomainController,
  _In_opt_ RPC_AUTH_IDENTITY_HANDLE SrcDomainCreds,
  _In_     LPCTSTR                  DstDomain,
  _In_     LPCTSTR                  DstPrincipal
);


hDS [in]

Contains a directory service handle obtained from either the DsBind or DsBindWithCred function.

Flags [in]

Reserved for future use. Set to 0.

SrcDomain [in]

Pointer to a null-terminated string that specifies the name of the domain to query for the SID of SrcPrincipal.

If the source domain runs on a Windows Server operating system, SrcDomain can be either a Domain Name System (DNS) name, for example fabrikam.com, or a flat NetBIOS name, for example Fabrikam. DNS names should be used when possible.

SrcPrincipal [in]

Pointer to a null-terminated string that specifies the name of a security principal, user or group, in the source domain. This name is a domain-relative Security Account Manager (SAM) name, for example: evacorets.

SrcDomainController [in]

Pointer to a null-terminated string that specifies the name of the primary domain controller (PDC) Emulator in the source domain to use for secure retrieval of the source principal SID and for audit generation. If this parameter is NULL, the PDC Emulator of the source domain is located automatically.

SrcDomainController can be either a DNS name or a flat NetBIOS name. DNS names should be used when possible.

SrcDomainCreds [in]

Contains an identity handle that represents the identity and credentials of a user with administrative rights in the source domain. To obtain this handle, call DsMakePasswordCredentials. This user must be a member of either the Administrators or the Domain Administrators group. If this call is made from a remote computer to the destination DC, then both the remote computer and the destination DC must support 128-bit encryption to privacy-protect the credentials. If 128-bit encryption is unavailable and SrcDomainCreds are provided, then the call must be made on the destination DC.

If this parameter is NULL, the credentials of the caller are used for access to the source domain.

DstDomain [in]

Pointer to a null-terminated string that specifies the name of the destination domain in which DstPrincipal resides. This name can be either a DNS name, for example fabrikam.com, or a NetBIOS name, for example Fabrikam. The destination domain must be in Windows 2000 native mode.

DstPrincipal [in]

Pointer to a null-terminated string that specifies the name of a security principal, user or group, in the destination domain. This domain-relative SAM name identifies the principal whose sIDHistory attribute is updated with the SID of the SrcPrincipal.
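The call sequence the parameters above describe, as an added example that is not part of the Windows SDK documentation: bind to the destination DC by DNS name so the bind uses Kerberos rather than NTLM, build the source-domain credential handle with DsMakePasswordCredentials, call DsAddSidHistory with Flags set to 0, and free both handles. It uses PowerShell P/Invoke declarations for the Unicode entry points in Ntdsapi.dll; the domain, DC and account names are placeholders, and the closing Get-ADUser check assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: calling DsAddSidHistoryW from PowerShell via P/Invoke.
# All names below are placeholders (assumed, not taken from the documentation).
# Run as a member of Domain Admins in the destination domain. Because source
# credentials are supplied, either run this on the destination DC itself or
# make sure the bind is Kerberos with 128-bit encryption (bind by DNS name).

$ntdsapi = @'
using System;
using System.Runtime.InteropServices;

public static class NtdsApi
{
    // DWORD DsBindWithCredW(LPCWSTR DomainControllerName, LPCWSTR DnsDomainName,
    //                       RPC_AUTH_IDENTITY_HANDLE AuthIdentity, HANDLE *phDS)
    [DllImport("ntdsapi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    public static extern uint DsBindWithCredW(string dc, string domain, IntPtr authIdentity, out IntPtr phDS);

    // DWORD DsMakePasswordCredentialsW(LPCWSTR User, LPCWSTR Domain, LPCWSTR Password,
    //                                  RPC_AUTH_IDENTITY_HANDLE *pAuthIdentity)
    [DllImport("ntdsapi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    public static extern uint DsMakePasswordCredentialsW(string user, string domain, string password, out IntPtr pAuthIdentity);

    // VOID DsFreePasswordCredentialsW(RPC_AUTH_IDENTITY_HANDLE AuthIdentity)
    [DllImport("ntdsapi.dll", ExactSpelling = true)]
    public static extern void DsFreePasswordCredentialsW(IntPtr authIdentity);

    // DWORD DsAddSidHistoryW(HANDLE hDS, DWORD Flags, LPCWSTR SrcDomain, LPCWSTR SrcPrincipal,
    //                        LPCWSTR SrcDomainController, RPC_AUTH_IDENTITY_HANDLE SrcDomainCreds,
    //                        LPCWSTR DstDomain, LPCWSTR DstPrincipal)
    [DllImport("ntdsapi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    public static extern uint DsAddSidHistoryW(IntPtr hDS, uint flags, string srcDomain, string srcPrincipal,
        string srcDc, IntPtr srcCreds, string dstDomain, string dstPrincipal);

    // DWORD DsUnBindW(HANDLE *phDS)
    [DllImport("ntdsapi.dll", ExactSpelling = true)]
    public static extern uint DsUnBindW(ref IntPtr phDS);
}
'@
Add-Type -TypeDefinition $ntdsapi -ErrorAction Stop

function Format-Win32Error([uint32]$Code) {
    # Render a Win32/DS error code (the ERROR_DS_* values live in winerror.h) as text.
    $msg = (New-Object System.ComponentModel.Win32Exception([int]$Code)).Message
    return ('0x{0:X8} ({1})' -f $Code, $msg)
}

# Placeholder values (assumed). Use DNS names for the domains and the DCs: a
# NetBIOS name can make the bind fall back to NTLM, and the call then fails.
$DstDc        = 'dc01.corp.contoso.com'
$DstDomain    = 'corp.contoso.com'
$DstPrincipal = 'evacorets'
$SrcDomain    = 'fabrikam.com'
$SrcPdc       = 'pdc01.fabrikam.com'    # PDC Emulator of the source domain
$SrcPrincipal = 'evacorets'
$SrcAdmin     = 'migrationsvc'          # Administrators/Domain Admins member in fabrikam.com
$SrcPassword  = Read-Host "Password for $SrcDomain\$SrcAdmin" -AsSecureString

# Decrypt the SecureString only for the moment the credential handle is built.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SrcPassword)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$hDS   = [IntPtr]::Zero
$creds = [IntPtr]::Zero
try {
    # 1. Bind to the destination DC with the caller's own credentials (AuthIdentity = NULL).
    $rc = [NtdsApi]::DsBindWithCredW($DstDc, $DstDomain, [IntPtr]::Zero, [ref]$hDS)
    if ($rc -ne 0) { throw "DsBindWithCredW failed: $(Format-Win32Error $rc)" }

    # 2. Build the RPC identity handle for the source-domain administrator.
    $rc = [NtdsApi]::DsMakePasswordCredentialsW($SrcAdmin, $SrcDomain, $plain, [ref]$creds)
    $plain = $null
    if ($rc -ne 0) { throw "DsMakePasswordCredentialsW failed: $(Format-Win32Error $rc)" }

    # 3. Copy the source principal's SID (and, for a native-mode source domain, its
    #    sIDHistory values) into the destination principal's sIDHistory. Flags is reserved (0).
    $rc = [NtdsApi]::DsAddSidHistoryW($hDS, 0, $SrcDomain, $SrcPrincipal, $SrcPdc,
                                      $creds, $DstDomain, $DstPrincipal)
    if ($rc -ne 0) { throw "DsAddSidHistoryW failed: $(Format-Win32Error $rc)" }
    Write-Host "sIDHistory of $DstDomain\$DstPrincipal now includes the SID of $SrcDomain\$SrcPrincipal"
}
finally {
    # Free the credential handle and the directory handle even when a step failed.
    if ($creds -ne [IntPtr]::Zero) { [NtdsApi]::DsFreePasswordCredentialsW($creds) }
    if ($hDS   -ne [IntPtr]::Zero) { [void][NtdsApi]::DsUnBindW([ref]$hDS) }
}

# 4. Verify the write. Needs the RSAT ActiveDirectory module (assumed installed).
Get-ADUser -Identity $DstPrincipal -Server $DstDc -Properties sIDHistory |
    Select-Object SamAccountName, SID, @{ n = 'sIDHistory'; e = { $_.sIDHistory -join ', ' } }
```

Two things have to be true before the script is run, or DsAddSidHistory refuses the request: Success/Failure auditing of account management must already be enabled in both the source and the destination domain, and the source PDC Emulator must carry the registry setting described under the return values. If the script fails with the "must be run on a destination DC" result, the usual cause is that the bind to the destination DC negotiated NTLM rather than Kerberos, which is what happens when a NetBIOS name or an IP address is used instead of the DC's DNS name.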

Return value

Returns a Win32 error code, including the following.


The function succeeded.


The source domain controller is an obsolete server and SrcDomain contains a NetBIOS name.


The operation cannot locate a domain controller for the source domain.


Auditing was not enabled prior to operation. The operation requires that destination domain auditing be enabled for Success/Failure auditing of account management operations.


The destination domain must be in Windows 2000 native mode.


Inappropriate authorization credentials were supplied. This typically means that a call to ldap_bind_s to the source domain controller failed.


The caller has insufficient access rights to perform the operation. This error typically occurs because the caller is not a member of the Domain Administrators group in the destination domain.


The directory service encountered an internal error.


The operation must be performed at a master directory service agent (DSA) (writable DC).


For security purposes, the operation must be run on a destination DC. Specifically, the connection between the client and the server (the destination domain controller) requires 128-bit encryption when credentials for the source domain are supplied; the 128-bit encryption in question is 128-bit Kerberos encryption. This value may also be returned if 128-bit support is not installed on both client and server, or if hDS was bound with NTLM instead of Kerberos, typically because the server DNS name was not used in the call to DsBind or DsBindWithCred.


The input name mapped to more than one output name. Typically, the destination principal mapped to more than one fully qualified domain name in the destination domain.


The connection between client and server requires packet privacy or better.


The requested operation did not satisfy one or more constraints associated with the class of the object. Typically, the destination principal is not a user or group.


Directory object not found. Typically, the fully qualified domain name of the destination principal cannot be found in the destination domain.


The operation requires that source domain auditing be enabled for Success/Failure auditing of account management operations.


The source domain is in the same forest as the destination domain. The source and destination domains must be in different forests.


The source and destination object must be of the same type.


The source domain controller is running an unsupported OS.


The source object must be a group or user.


The source object SID exists in the destination forest.


The directory service is unavailable.


The user account is not one of the following: UF_NORMAL_ACCOUNT, UF_WORKSTATION_TRUST_ACCOUNT, or UF_SERVER_TRUST_ACCOUNT.

This error can also occur when the source principal has a well-known relative identifier (RID) and the destination principal has a different RID: a principal with a well-known RID can be mapped only to the destination principal with the same well-known RID. For example, the Administrators group of the source domain can be added only to the sIDHistory of the Administrators group of the destination domain.


The secure connection to the source domain controller requires that the following registry value on the source domain controller be a REG_DWORD with a value of 1.



One or more parameters are invalid.


Minimum supported client

Windows Vista

Minimum supported server

Windows Server 2008

Unicode and ANSI names

DsAddSidHistoryW (Unicode) and DsAddSidHistoryA (ANSI)

See also

Domain Controller and Replication Management Functions
Using DsAddSidHistory