Solved

2008 2003 SIDs and Trusts

Posted on 2009-07-13
Last Modified: 2012-05-07
I am migrating to a new 2008 domain from an old one. There is a trust between the two. There are many groups where the SID is translating correctly,
but
in the 2008 domain I find this SID not resolving (hence denying access): s-blah blah-1201

From the 2003 domain:
If I do a SID lookup on s-blah blah-1201 I get GROUP1
If I do a reverse on GROUP1 it gives me s-blah blah-1413

This is telling me that there are TWO SIDs connected to this group.

2008 only sees the old 1201 SID, and is not translating it into the 1413 SID. This results in people not being able to access their files.

I am really stumped :(
0
Question by:loftyworm
7 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24847504

Is 1413 in the sidHistory of Group1 in the 2003 domain? I wonder if it's been migrated before and if the ACLs refer to the SID from an even older domain.

Chris
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24847510

Er sorry, is 1201 in the sidHistory ...

Chris
0
 
LVL 11

Author Comment

by:loftyworm
ID: 24851198
That is what I suspect, but I don't know what to do about it.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24851258

Not much you can do other than see if it is the case (ADSIEdit.msc would do for checking). Unfortunately you can't write to the sidHistory field directly (due to the way it's protected).

Chris
0
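A scripted version of the check Chris suggests, added here as an example (not code from the thread): it reads objectSid and sIDHistory of the group straight from the 2003 domain over ADSI, decodes the binary SIDs, tells you whether the SID found on the file ACL is the group's current SID or one carried in sIDHistory, and then does the same forward lookup the question describes on whatever machine you run it from. The domain name, group name and ACL SID are placeholders; replace them with your own values. It needs no RSAT module, only the .NET System.DirectoryServices classes that ship with PowerShell.

```powershell
# Added example, not from the thread. Domain, group and SID values are placeholders.
param(
    [string]$OldDomain = 'old2003.example.com',   # 2003 domain that owns the group (assumption)
    [string]$GroupName = 'GROUP1',
    [string]$AclSid    = 'S-1-5-21-1111111111-2222222222-3333333333-1201'  # constructed SID
)

function ConvertTo-SidString {
    param([byte[]]$Bytes)
    # objectSid and sIDHistory come back from LDAP as binary SIDs; decode to S-1-5-... form
    (New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0)).Value
}

function Get-GroupSids {
    param([string]$Domain, [string]$Name)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Domain")
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$Name))"
    [void]$searcher.PropertiesToLoad.Add('objectSid')
    [void]$searcher.PropertiesToLoad.Add('sIDHistory')
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "Group '$Name' not found in $Domain" }

    $history = @()
    if ($hit.Properties.Contains('sidhistory')) {
        # sIDHistory is multi-valued: one entry per domain the object was migrated out of
        $history = @($hit.Properties['sidhistory'] | ForEach-Object { ConvertTo-SidString $_ })
    }
    New-Object PSObject -Property @{
        Name       = $Name
        ObjectSid  = ConvertTo-SidString $hit.Properties['objectsid'][0]
        SidHistory = $history
    }
}

$group = Get-GroupSids -Domain $OldDomain -Name $GroupName
"objectSid : $($group.ObjectSid)"
"sIDHistory: $($group.SidHistory -join ', ')"

# Which of the group's SIDs is the one sitting on the file ACL?
if ($AclSid -eq $group.ObjectSid) {
    "ACL SID is the group's current objectSid."
} elseif ($group.SidHistory -contains $AclSid) {
    "ACL SID is in sIDHistory: the ACL still references a pre-migration SID."
    "It only grants access if the trust lets sIDHistory SIDs through (SID filtering relaxed)."
} else {
    "ACL SID matches neither objectSid nor sIDHistory of $GroupName."
}

# The forward lookup from the question, done from whichever domain this box belongs to
try {
    $sid     = New-Object System.Security.Principal.SecurityIdentifier($AclSid)
    $account = $sid.Translate([System.Security.Principal.NTAccount])
    "$AclSid resolves here to $($account.Value)"
} catch [System.Security.Principal.IdentityNotMappedException] {
    "$AclSid does not resolve on this machine (the symptom seen in the 2008 domain)."
}
```

Run it once from a member of the 2003 domain and once from a member of the 2008 domain: the LDAP part will return the same answer both times, while the Translate() call shows whether the resource-side domain can map the historical SID at all. Chris's point about ADSIEdit stands for the write side: sIDHistory is populated by a migration tool (ADMT or the DsAddSidHistory API), not by editing the attribute by hand.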
 
LVL 11

Author Comment

by:loftyworm
ID: 24862294
I am finding this is a SID History issue, and the trust between the domains.

But even after using the netdom command to disable SID history, quarantine, and EnableSIDHistory, I am still having issues.
I am checking my DCDIAGs now...
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 24862326

Could do with verifying that the second SID for the group (on the old domain) is in the sidHistory on the new domain as well if possible.

Chris
0
 
LVL 11

Author Comment

by:loftyworm
ID: 24973323
Yes, the SIDs were verified. Turns out the problem was with the domain trust; it needed to be set up for SID filtering and EnableSIDHistory. Thanks for your help :)

0
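For reference, the netdom trust switches the last two comments mention, written out as an added example (not the thread's own commands, and not a claim about which of them fixed this particular case). Domain names and the administrator account are placeholders. The command is run on a machine in the trusting domain (the one whose file servers carry the old SIDs on their ACLs), naming the trusted domain (the one that holds the group and its sIDHistory) with /Domain.

```powershell
# Added example, not from the thread. Domain names and credentials are placeholders.
$Trusting = 'new2008.example.com'     # resource side: file servers with the old SIDs in ACLs
$Trusted  = 'old2003.example.com'     # account side: owns GROUP1 and its sIDHistory
$AdminD   = 'OLD2003\Administrator'   # account in the trusted domain; * prompts for the password

# 1. Make sure the trust itself is healthy before changing its flags
netdom trust $Trusting "/Domain:$Trusted" "/UserD:$AdminD" /PasswordD:* /Verify

# 2. Allow sIDHistory SIDs from the trusted domain to be honored on this side.
#    External (domain-to-domain) trust: switch SID filter quarantine off.
netdom trust $Trusting "/Domain:$Trusted" "/UserD:$AdminD" /PasswordD:* /Quarantine:No
#    Forest trust: the equivalent switch is EnableSIDHistory instead of Quarantine.
# netdom trust $Trusting "/Domain:$Trusted" "/UserD:$AdminD" /PasswordD:* /EnableSIDHistory:Yes

# 3. Read the settings back; given without a value, each switch reports its current state
netdom trust $Trusting "/Domain:$Trusted" "/UserD:$AdminD" /PasswordD:* /Quarantine
netdom trust $Trusting "/Domain:$Trusted" "/UserD:$AdminD" /PasswordD:* /EnableSIDHistory

# 4. Once the ACLs have been re-stamped with the new SIDs, put SID filtering back
# netdom trust $Trusting "/Domain:$Trusted" "/UserD:$AdminD" /PasswordD:* /Quarantine:Yes
```

The caveat a practitioner should keep in mind: SID filtering exists so that a trusted domain cannot assert arbitrary SIDs (for example a copy of your own Domain Admins SID) through sIDHistory. Relaxing it makes the resource domain only as trustworthy as the domain it trusts, so treat it as a migration-window setting, re-stamp or re-ACL the resources (ADMT's security translation or an icacls pass), and then restore filtering or retire the trust.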
