Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Not able to migrate SID using ADMT.

Posted on 2009-07-06
13
Medium Priority
?
614 Views
Last Modified: 2012-05-07
I am not able to migrate the SID to the target domain using ADMT, but the user accounts get successfully migrated. In the target domain the migrated user's SID is different compared to the user's SID into the source domain.

Source Domain : test.com
Target Domain : xyz.com

Source Domain and Target Domain running Windows 2003.

I have already gone through the Microsoft KB and  various articles with full of information, but I need specific reason to solve this problem. Need your help.
0
Comment
Question by:hchabria
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
  • 2
13 Comments
 

Author Comment

by:hchabria
ID: 24791174
Anyone who can help me?
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 24792060
Hi!

You can not migrate SID from one domain to another. When object is copied between domains in the same forest, new SID is created, GUID does not change. When object is copied between domains in different forests, both change. However, you should be able to locate old SID under SIDHistory property of user account.

HTH

Toni
0
 

Author Comment

by:hchabria
ID: 24792395
Hi,

You mean that, when object is copied :

Domains in the same forest --> SID changes in the Target Domain
Domains in different forests  -->  SID changes in the Target Domain

Am I correct?

Please tell me in which case SID does not change?

I am using two different forests for SID Migration.
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 2000 total points
ID: 24792485
Yes, new SID is created in target domain. Old SID is added to SIDHistory attribute.

Technically, SID does not change ii case you move object within domain. When moving object accross domains new SID is always created.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24792497

> Please tell me in which case SID does not change?

Moves within the current domain only.

The current SID is copied to the SIDHistory attribute as Toniur said for both inter-forest and cross-forest moves.

Chris
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24792503

Sorry Toniur, popped up as question alert and neglected to refresh before posting.

Chris
0
 

Author Comment

by:hchabria
ID: 24794812
Yes, I am getting the SID History in the Target Domain, but what is the purpose of it if I can't use that SID?

Is there any wayout so that I can keep my SID in case of cross forest migration?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24794845

That is the entire point of SIDHistory, both the SID and SIDHistory are enumerated when evaluating entries in access control lists.

So what do you mean by "can't use that SID"? Perhaps you have SID Filtering running on a trust and that's preventing a migrated account from accessing resources with the entry in SIDHistory?

Chris
0
 

Author Comment

by:hchabria
ID: 24796009
OK. I think it is not possible to use the SID History in the Target Domain. Am I right?

However, please tell me is there any wayout so that I can keep my SID in case of cross forest migration?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24796027

What do you mean by use it? How would you use it? Can you give an example?

Chris
0
 

Author Comment

by:hchabria
ID: 24796304
I mean to say the use of SID History on the target domain. The SID History in the Target Domain is showing the same SID in the Source Domain.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24798472

That's what it's supposed to do if you use a tool like ADMT, it copies the SID from the source domain into the SID history on the target domain.

You shouldn't need to actively do anything with that, it allows the user in the target domain to use the old SID when accessing resources in the source domain. Without that functionality you would have to re-write all access control in the source domain to allow a migrated user in.

Chris
0
 

Author Comment

by:hchabria
ID: 24837270
Thanks Crhris for your inputs.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

660 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question