MichaelGrafnetter
diff --git a/‎Documentation/CHANGELOG.md‎
Lines changed: 7 additions & 1 deletion b/‎Documentation/CHANGELOG.md‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎Documentation/PowerShell/Add-ADReplSidHistory.md‎
Lines changed: 227 additions & 0 deletions b/‎Documentation/PowerShell/Add-ADReplSidHistory.md‎
Lines changed: 227 additions & 0 deletions
diff --git a/‎Documentation/PowerShell/Readme.md‎
Lines changed: 3 additions & 0 deletions b/‎Documentation/PowerShell/Readme.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎Src/DSInternals.ADSI/DSInternals.ADSI.csproj‎
Lines changed: 1 addition & 1 deletion b/‎Src/DSInternals.ADSI/DSInternals.ADSI.csproj‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎Src/DSInternals.Common/DSInternals.Common.csproj‎
Lines changed: 3 additions & 3 deletions b/‎Src/DSInternals.Common/DSInternals.Common.csproj‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎Src/DSInternals.DataStore/DSInternals.DataStore.csproj‎
Lines changed: 2 additions & 2 deletions b/‎Src/DSInternals.DataStore/DSInternals.DataStore.csproj‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎Src/DSInternals.PowerShell/Chocolatey/dsinternals-psmodule.nuspec‎
Lines changed: 4 additions & 4 deletions b/‎Src/DSInternals.PowerShell/Chocolatey/dsinternals-psmodule.nuspec‎
Lines changed: 4 additions & 4 deletions
@@ -7,8 +7,13 @@ All notable changes to this project will be documented in this file. The format
 
 ## [Unreleased]
 
+- Nothing yet.
+
+## [6.3] - 2026-02-08
+
 ### Added
 
+- The [Add-ADReplSidHistory](PowerShell/Add-ADReplSidHistory.md#add-adreplsidhistory) cmdlet for principal SID history migration through the MS-DRSR protocol.
 - Instructions and prompts for GitHub Copilot.
 
 ### Changed
@@ -699,7 +704,8 @@ This is a [Chocolatey](https://chocolatey.org/packages/dsinternals-psmodule)-onl
 ## 1.0 - 2015-01-20
 Initial release!
 
-[Unreleased]: https://github.com/MichaelGrafnetter/DSInternals/compare/v6.2...HEAD
+[Unreleased]: https://github.com/MichaelGrafnetter/DSInternals/compare/v6.3...HEAD
+[6.3]: https://github.com/MichaelGrafnetter/DSInternals/compare/v6.2...v6.3
 [6.2]: https://github.com/MichaelGrafnetter/DSInternals/compare/v6.1.1...6.2
 [6.1.1]: https://github.com/MichaelGrafnetter/DSInternals/compare/v6.1...v6.1.1
 [6.1]: https://github.com/MichaelGrafnetter/DSInternals/compare/v6.0.1...v6.1
 
@@ -0,0 +1,227 @@
+---
+external help file: DSInternals.PowerShell.dll-Help.xml
+Module Name: DSInternals
+online version: https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Add-ADReplSidHistory.md
+schema: 2.0.0
+---
+
+# Add-ADReplSidHistory
+
+## SYNOPSIS
+Adds SID history from a source principal to a destination principal through the MS-DRSR protocol.
+
+## SYNTAX
+
+### CrossForest
+```
+Add-ADReplSidHistory -SourceDomain <String> -SourcePrincipal <String> [-SourceDomainController <String>]
+ [-SourceCredential <PSCredential>] -DestinationDomain <String> -DestinationPrincipal <String> -Server <String>
+ [-Credential <PSCredential>] [<CommonParameters>]
+```
+
+### IntraDomain
+```
+Add-ADReplSidHistory -SourcePrincipal <String> -DestinationPrincipal <String> [-DeleteSourceObject]
+ -Server <String> [-Credential <PSCredential>] [<CommonParameters>]
+```
+
+### CheckSecureChannel
+```
+Add-ADReplSidHistory [-CheckSecureChannel] -Server <String> [-Credential <PSCredential>] [<CommonParameters>]
+```
+
+## DESCRIPTION
+This cmdlet wraps the IDL_DRSAddSidHistory RPC call. It passes source and destination principal information to the domain controller and can optionally validate the secure channel or delete the source object.
+
+## EXAMPLES
+
+### Example 1
+```powershell
+PS C:\> Add-ADReplSidHistory -SourceDomain 'CONTOSO' -SourcePrincipal 'LegacyUser' -SourceDomainController 'CONTOSO-PDC'
+ -SourceCredential (Get-Credential 'CONTOSO\Administrator') -DestinationDomain 'FABRIKAM'
+ -DestinationPrincipal 'MigratedUser' -Server 'FABRIKAM-DC1'
+```
+
+Adds the SID history of *LegacyUser* from the CONTOSO domain to *MigratedUser* in the FABRIKAM domain.
+
+### Example 2
+```powershell
+PS C:\> Add-ADReplSidHistory -SourcePrincipal 'CN=LegacyUser,CN=Users,DC=contoso,DC=com'
+ -DestinationPrincipal 'CN=MigratedUser,CN=Users,DC=contoso,DC=com' -DeleteSourceObject -Server 'CONTOSO-DC1'
+```
+
+Adds the SID history of the source object to the destination object in the same domain and deletes the source object.
+
+### Example 3
+```powershell
+PS C:\> Add-ADReplSidHistory -CheckSecureChannel -Server 'FABRIKAM-DC1'
+```
+
+Verifies that the RPC connection to the destination DC is secure.
+
+## PARAMETERS
+
+### -CheckSecureChannel
+Verifies whether the channel is secure and returns the result of the verification.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: CheckSecureChannel
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+Specifies a user account that has permission to connect to the destination domain controller. The default is the current user.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DeleteSourceObject
+Appends the source object's SID history to the destination and deletes the source object from the source domain.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: IntraDomain
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DestinationDomain
+Specifies the destination domain in which the destination principal resides. The domain name can be an FQDN or a NetBIOS name.
+
+```yaml
+Type: String
+Parameter Sets: CrossForest
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DestinationPrincipal
+Specifies the destination security principal that receives the source SID history.
+
+```yaml
+Type: String
+Parameter Sets: CrossForest, IntraDomain
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies the target domain controller for the operation. Enter a fully qualified domain name (FQDN), a NetBIOS name, or an IP address.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Host, DomainController, DC
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SourceCredential
+Specifies the credentials to be used in the source domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: CrossForest
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SourceDomain
+Specifies the source domain to query for the SID of the source principal. The domain name can be an FQDN or a NetBIOS name.
+
+```yaml
+Type: String
+Parameter Sets: CrossForest
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SourceDomainController
+Specifies the primary domain controller (PDC) or PDC role owner in the source domain.
+
+```yaml
+Type: String
+Parameter Sets: CrossForest
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SourcePrincipal
+Specifies the source security principal whose SID history is to be added. If -DeleteSourceObject is specified, this value should be a DN; otherwise, it should be a domain-relative SAM name.
+
+```yaml
+Type: String
+Parameter Sets: CrossForest, IntraDomain
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### System.String
+
+## OUTPUTS
+
+### None
+
+## NOTES
+
+## RELATED LINKS
@@ -101,6 +101,9 @@ Fetches the specified KDS Root Key through the MS-DRSR protocol.
 ### [Add-ADReplNgcKey](Add-ADReplNgcKey.md#add-adreplngckey)
 Composes and updates the msDS-KeyCredentialLink value on an object through the MS-DRSR protocol.
 
+### [Add-ADReplSidHistory](Add-ADReplSidHistory.md#add-adreplsidhistory)
+Adds SID history from a source principal to a destination principal through the MS-DRSR protocol.
+
 ### [Get-SamPasswordPolicy](Get-SamPasswordPolicy.md#get-sampasswordpolicy)
 Queries Active Directory for the default password policy.
 
 
@@ -1,6 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
-    <Version>6.2</Version>
+    <Version>6.3</Version>
     <AssemblyTitle>DSInternals ADSI Library</AssemblyTitle>
   </PropertyGroup>
 
 
@@ -2,12 +2,12 @@
   <!-- NuGet package metadata -->
   <PropertyGroup>
     <IsPackable>true</IsPackable>
-    <Version>6.2</Version>
+    <Version>6.3</Version>
     <AssemblyTitle>DSInternals Common Library</AssemblyTitle>
     <Title>$(AssemblyTitle)</Title>
     <Description>This package is shared between all other DSInternals packages. Its main features are Azure AD Graph API and ADSI clients for for retrieval of cryptographic material. It contains implementations of common hash functions used by Windows, including NT hash, LM hash and OrgId hash. It also contains methods for SysKey/BootKey retrieval.</Description>
-    <PackageReleaseNotes>- Migrated from Newtonsoft.Json to System.Text.Json.
-- Ported RSA public key operations from .NET Framework to .NET.</PackageReleaseNotes>
+    <PackageReleaseNotes>- Improved generation of NGC keys to meet January 2026 Windows validation changes.
+  - Removed Azure AD Graph API-related code.</PackageReleaseNotes>
     <PackageTags>ActiveDirectory Security Entra AD AAD Identity Active Directory</PackageTags>
   </PropertyGroup>
 
 
@@ -2,11 +2,11 @@
   <!-- NuGet package metadata -->
   <PropertyGroup>
     <IsPackable>true</IsPackable>
-    <Version>6.2</Version>
+    <Version>6.3</Version>
     <AssemblyTitle>DSInternals DataStore Library</AssemblyTitle>
     <Title>$(AssemblyTitle)</Title>
     <Description>DSInternals DataStore is an advanced framework for offline ntds.dit file manipulation. It can be used to extract password hashes from Active Directory backups or to modify the sIDHistory and primaryGroupId attributes.</Description>
-    <PackageReleaseNotes>- Fixed a bug in prefix table parsing.</PackageReleaseNotes>
+    <PackageReleaseNotes>- Updated assembly dependencies.</PackageReleaseNotes>
     <PackageTags>ActiveDirectory Security NTDS AD Identity Active Directory</PackageTags>
   </PropertyGroup>
 
 
@@ -36,10 +36,10 @@ The DSInternals PowerShell Module has these main features:
 ## Disclaimer
 Features exposed through these tools are not supported by Microsoft. Improper use might cause irreversible damage to domain controllers or negatively impact domain security.</description>
     <releaseNotes>
-* The New-ADDBRestoreFromMediaScript cmdlet should no longer be throwing the NullReferenceException.
-* Disabled DES_CBC_MD5 Kerberos key derivation support due to recent Windows API changes.
-* Removed the broken -Protocol parameter from replication cmdlets.
-* Due to unexpected delays in code signing certificate renewal, this release is not digitally signed.
+* Added the Add-ADReplSidHistory cmdlet for SID history migration via MS-DRSR.
+* Improved generation of NGC keys to meet January 2026 Windows validation changes.
+* Removed Azure AD Graph API-related cmdlets.
+* Merged the *.psm1 script bootstrapper of the binary PowerShell module into the *.psd1 module manifest.
     </releaseNotes>
     <dependencies>
       <!-- Windows Management Framework 5.1+. For OS prior to Windows 10 and Windows Server 2016. -->