Microsoft, Active Directory, 2003, SID History - Is source domain necessary for history to work?

Posted on 2007-08-09
Last Modified: 2013-11-05
I have two domains (one NT4 & one 2003) that I want to migrate into a third (2003).  I intend to use SID history to save re-permissioning all resources/file shares (will be done at a later date).

My question is: if I migrate with SID History (which I've tested and works okay) and then remove the source domains, will the access to resources still work?

I guess with the source domain gone, when I view the security on a resource I will not be able to view the group/user names permissioned for it but just see the SID of the now removed group/user... true?  But will access still be possible?

Hope this makes sense!


Question by: dalms

    Author Comment

    I think the solution to my situation may be in the use of the 'Security Translation Wizard' to replace old SID with new.

    Any thoughts welcome.

    Accepted Solution

    It will continue to work with or without the original domain's presence.  The process of authorization places implicit trust in the token and does not validate its content (at least in any way related to this). As a result, it is not even aware that one of the SIDs came from sIDHistory, nor does it attempt to validate that the domain authority still exists.
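
A simplified model of the behaviour the accepted answer describes, added here as an example and not part of the original thread: the access check only compares SIDs in the token against SIDs in the ACL, so a SID carried from sIDHistory keeps working with no source domain to consult. All SIDs and the `build_token`, `access_check` and `translate_dacl` names are constructed for illustration; `translate_dacl` models the "replace old SID with new" step from the author comment and is not ADMT code.

```python
# Simplified model (added example) of a Windows-style access check.
# Every SID, account and mask below is a constructed sample value.
READ, WRITE = 0x1, 0x2

OLD_DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # source domain, later removed
NEW_DOM = "S-1-5-21-4444444444-5555555555-6666666666"  # target domain

def build_token(account):
    """At logon the token receives the account SID, group SIDs and all sIDHistory values."""
    return {account["sid"], *account["groups"], *account["sid_history"]}

def access_check(token_sids, dacl, desired):
    """Walk ACEs in order and match on SID equality only; no domain is ever contacted."""
    remaining = desired
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
        if not remaining:
            return True
    return False

def translate_dacl(dacl, sid_map):
    """Model of security translation in 'replace' mode: swap old SIDs for new ones."""
    return [(ace_type, sid_map.get(sid, sid), mask) for ace_type, sid, mask in dacl]

# alice was migrated with SID history; bob was created fresh in the target domain.
alice = {"sid": f"{NEW_DOM}-1104", "groups": [f"{NEW_DOM}-513"],
         "sid_history": [f"{OLD_DOM}-1001"]}
bob = {"sid": f"{NEW_DOM}-1105", "groups": [f"{NEW_DOM}-513"], "sid_history": []}

# A share that is still permissioned with the old domain's SID only.
share_dacl = [("allow", f"{OLD_DOM}-1001", READ | WRITE)]
translated_dacl = translate_dacl(share_dacl, {f"{OLD_DOM}-1001": alice["sid"]})

# Same account after sIDHistory has been cleared (cleanup following translation).
alice_cleaned = dict(alice, sid_history=[])

if __name__ == "__main__":
    print("alice, old ACL:            ", access_check(build_token(alice), share_dacl, READ))
    print("bob, old ACL:              ", access_check(build_token(bob), share_dacl, READ))
    print("alice cleaned, old ACL:    ", access_check(build_token(alice_cleaned), share_dacl, READ))
    print("alice cleaned, translated: ", access_check(build_token(alice_cleaned), translated_dacl, READ))
```

The model also shows why sIDHistory values deserve auditing: any SID present in the token is honoured as-is, so stale or unexpected history entries grant access exactly like live group memberships.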
