This is a tough question, but not an uncommon one. There are two methods you can use:
If you upgrade domains, the SIDs of security principals do not change. If you can get away with upgrading the BDC (backup domain controller), this would be your best bet.
If you must restructure domains in a way that requires you to migrate security principals between domains, then the SID will change. However, the old SID will be maintained in an attribute on security principals in Active Directory known as "sIDHistory." These SIDs in sIDHistory are added to user access tokens and thus resource access is maintained.
If the sIDHistory attribute cannot be used, then tools such as the Active Directory Migration Tool (ADMT) and third-party tools can replace the old SIDs on resources with the new ones.
Hope this helps.
This was first published in January 2002