Not able to migrate SID using ADMT.

I am not able to migrate the SID to the target domain using ADMT, but the user accounts get successfully migrated. In the target domain the migrated user's SID is different compared to the user's SID in the source domain.

Source Domain : test.com
Target Domain : xyz.com

Source Domain and Target Domain are running Windows 2003.

I have already gone through the Microsoft KB and various articles full of information, but I need the specific reason to solve this problem. Need your help.

hchabria asked:

hchabria (Author) commented:
Anyone who can help me?
0
Toni Uranjek (Consultant/Trainer) commented:
Hi!

You cannot migrate a SID from one domain to another. When an object is copied between domains in the same forest, a new SID is created; the GUID does not change. When an object is copied between domains in different forests, both change. However, you should be able to locate the old SID under the SIDHistory property of the user account.

HTH

Toni
0
hchabria (Author) commented:
Hi,

You mean that, when an object is copied:

Domains in the same forest --> SID changes in the Target Domain
Domains in different forests  -->  SID changes in the Target Domain

Am I correct?

Please tell me in which case SID does not change?

I am using two different forests for SID Migration.
0
Toni Uranjek (Consultant/Trainer) commented:
Yes, a new SID is created in the target domain. The old SID is added to the SIDHistory attribute.

Technically, the SID does not change in case you move an object within a domain. When moving an object across domains, a new SID is always created.
0

Chris Dent (PowerShell Developer) commented:

> Please tell me in which case SID does not change?

Moves within the current domain only.

The current SID is copied to the SIDHistory attribute, as Toniur said, for both intra-forest and cross-forest moves.

Chris
0
Chris Dent (PowerShell Developer) commented:

Sorry Toniur, it popped up as a question alert and I neglected to refresh before posting.

Chris
0
hchabria (Author) commented:
Yes, I am getting the SID History in the Target Domain, but what is the purpose of it if I can't use that SID?

Is there any way out so that I can keep my SID in case of cross-forest migration?
0
Chris Dent (PowerShell Developer) commented:

That is the entire point of SIDHistory, both the SID and SIDHistory are enumerated when evaluating entries in access control lists.

So what do you mean by "can't use that SID"? Perhaps you have SID Filtering running on a trust and that's preventing a migrated account from accessing resources with the entry in SIDHistory?

Chris
0
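The two points made above (Toni: a cross-domain move always produces a new SID and ADMT stores the old one in sIDHistory; Chris: both objectSid and sIDHistory are evaluated against ACLs unless SID filtering on the trust strips the history) can be verified from the target domain with a short PowerShell script. This is an added example, not code from the thread. It assumes the RSAT ActiveDirectory module, read access to both domains, a hypothetical migrated account `jdoe`, and a hypothetical source-domain share path; all of those are placeholders.

```powershell
# Added example (not from the thread): compare a migrated user's SID in the
# target domain (xyz.com) with its sIDHistory and with the original SID in
# the source domain (test.com), check whether a source-domain ACL still
# matches the migrated account through sIDHistory, and show the SID-filtering
# (quarantine) state of the trust that the source domain has with the target.
# Assumptions: ActiveDirectory RSAT module present, the caller can read both
# domains, and $SamAccount / $ResourcePath are hypothetical placeholders.
Import-Module ActiveDirectory

$SourceDomain = 'test.com'   # source domain named in the question
$TargetDomain = 'xyz.com'    # target domain named in the question
$SamAccount   = 'jdoe'       # hypothetical migrated user
$ResourcePath = '\\fileserver.test.com\share\project'  # hypothetical source resource

# 1. Old SID (source object) versus new SID plus sIDHistory (target object).
$src = Get-ADUser -Identity $SamAccount -Server $SourceDomain -Properties objectSid
$tgt = Get-ADUser -Identity $SamAccount -Server $TargetDomain -Properties objectSid, sIDHistory

$oldSid     = $src.objectSid.Value
$newSid     = $tgt.objectSid.Value
$sidHistory = @($tgt.sIDHistory | ForEach-Object { $_.Value })

"Source objectSid : $oldSid"
"Target objectSid : $newSid"
"Target sIDHistory: $($sidHistory -join ', ')"

if ($newSid -eq $oldSid) {
    'Unexpected: the SID was preserved across domains; that does not happen on a cross-domain move.'
} elseif ($sidHistory -contains $oldSid) {
    'OK: new SID in the target domain, old SID carried in sIDHistory (the normal ADMT result).'
} else {
    'Problem: old SID is missing from sIDHistory; re-run ADMT with SID history migration enabled.'
}

# 2. Which identity in the migrated account's token would a source-domain ACL match?
#    Access checks enumerate objectSid and every sIDHistory entry, so an ACE that
#    still names the old SID grants access without any ACL rewrite.
$tokenSids = @($newSid) + $sidHistory
$acl = Get-Acl -Path $ResourcePath
foreach ($ace in $acl.Access) {
    try {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        continue   # unresolvable or well-known identity; not relevant here
    }
    if ($tokenSids -contains $aceSid) {
        $via = if ($aceSid -eq $newSid) { 'objectSid' } else { 'sIDHistory' }
        "ACE $($ace.AccessControlType) '$($ace.FileSystemRights)' matches via $via ($aceSid)"
    }
}

# 3. SID filtering on the trust. For an external trust, if quarantine is 'Yes'
#    on the trust that the source (trusting) domain has with the target (trusted)
#    domain, sIDHistory SIDs are dropped from the token and the ACE found in
#    step 2 will not be honoured. For a forest trust query /enablesidhistory instead.
netdom trust $SourceDomain /domain:$TargetDomain /quarantine
```

Run it from a target-domain machine that can reach a DC in each domain. If step 1 reports the old SID in sIDHistory but step 2 finds a matching ACE that the user still cannot exercise, the trust state printed in step 3 is the next thing to look at.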
hchabria (Author) commented:
OK. I think it is not possible to use the SID History in the Target Domain. Am I right?

However, please tell me, is there any way out so that I can keep my SID in case of cross-forest migration?
0
Chris Dent (PowerShell Developer) commented:

What do you mean by use it? How would you use it? Can you give an example?

Chris
0
hchabria (Author) commented:
I mean to say the use of SID History on the target domain. The SID History in the Target Domain is showing the same SID as in the Source Domain.
0
Chris Dent (PowerShell Developer) commented:

That's what it's supposed to do if you use a tool like ADMT: it copies the SID from the source domain into the SID history on the target domain.

You shouldn't need to actively do anything with that, it allows the user in the target domain to use the old SID when accessing resources in the source domain. Without that functionality you would have to re-write all access control in the source domain to allow a migrated user in.

Chris
0
hchabria (Author) commented:
Thanks Chris for your inputs.
0