Generate objectSID for LDIFDE import


I'm writing an AD sync tool, which takes an LDIF file exported from an AD A, applies some replacing and skip rules, and creates another LDIF file that can then be applied to an AD B. During the creation, I have read access on the AD B, so I can get the schema to know what attribute-value pairs I can or cannot set, and to see if there are already objects in B that I only have to modify, but not to create. So far so good.

Right now, my rules do not copy the objectSid (and others), since they won't be right. As far as I checked, a SID is always composed of the domainSid and an ID, like SOME-DOMAIN-SID-513, which is the SID of the Domain Users of that domain. So IDs < 1024 seem to be reserved for internal use, while IDs > 1024 will be part of objects that were created on the way.

My question is now: can I create my own objectSIDs for new entries that I want to create and set them in the LDIF file?

Any hints on that?


There is 1 answer

SGarratt On BEST ANSWER

I don't think you can. I'm intrigued as to why you'd want to.
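
The SID layout described in the question (a domain SID followed by a trailing ID), as an added example that is not part of the original question or answer: it decodes the `objectSid` values found in an LDIF export, splits each into domain SID and ID, and leaves the attribute out of the output, as the asker's rules already do. The function names, the sample DN and the sample SID are constructed for illustration, and the code assumes the export carries `objectSid` base64-encoded (`objectSid::`).

```python
import base64
import struct

def decode_sid(raw: bytes) -> str:
    """Binary objectSid -> 'S-<revision>-<authority>-<sub-authorities...>'."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")        # 48 bits, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])     # 32 bits each, little-endian
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def split_sid(sid: str):
    """Split a SID string into (domain SID, trailing ID)."""
    domain, _, last = sid.rpartition("-")
    return domain, int(last)

def attr_value(rest: str) -> bytes:
    """Value after the first ':' of an LDIF line; 'attr:: x' means base64."""
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip())
    return rest.strip().encode("utf-8")

def strip_object_sid(ldif_text: str):
    """Return (LDIF text without objectSid lines, {dn: decoded SID})."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]                      # unfold continuation line
        else:
            lines.append(line)
    kept, sids, dn = [], {}, None
    for line in lines:
        name, sep, rest = line.partition(":")
        if sep and name.lower() == "dn":
            dn = attr_value(rest).decode("utf-8")
        if sep and name.lower() == "objectsid":
            sids[dn] = decode_sid(attr_value(rest))    # record it, do not copy it
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", sids

# Constructed sample entry: made-up domain sub-authorities, trailing ID 513.
_raw = (struct.pack("BB", 1, 5) + (5).to_bytes(6, "big")
        + struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, 513))
SAMPLE_LDIF = ("dn: CN=Example,DC=a,DC=test\nchangetype: add\n"
               "objectSid:: " + base64.b64encode(_raw).decode() + "\ncn: Example\n")

if __name__ == "__main__":
    cleaned, sids = strip_object_sid(SAMPLE_LDIF)
    for dn, sid in sids.items():
        print(dn, *split_sid(sid))
    print(cleaned, end="")
```

The cleaned text is written unfolded, one attribute per line; the returned mapping lets the tool log which source SID each entry had without sending it to the target.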