Solved

2008 2003 SIDs and Trusts

Posted on 2009-07-13
Last Modified: 2012-05-07
I am migrating to a new 2008 domain from an old one. There is a trust between the two. There are many groups where the SID is translating correctly.
But in the 2008 domain I find this SID not resolving (hence denying access): s-blah blah-1201

From the 2003 domain:
If I do a SID lookup on s-blah blah-1201 I get GROUP1
If I do a reverse on GROUP 1 it gives me s-blah blah-1413

This is telling me that there are TWO SIDs connected to this group.

2008 only sees the old 1201 SID, and is not translating it into the 1413 SID. This results in people not being able to access their files.

I am really stumped :(
0
Question by:loftyworm
7 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24847504

Is 1413 in the sidHistory of Group1 in the 2003 domain? I wonder if it's been migrated before and if the ACLs refer to the SID from an even older domain.

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24847510

Er sorry, is 1201 in the sidHistory ...

Chris
0
 
LVL 11

Author Comment

by:loftyworm
ID: 24851198
That is what I suspect, but I don't know what to do about it.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24851258

Not much you can do other than see if it is the case (ADSIEdit.msc would do for checking). Unfortunately you can't write to the sidHistory field directly (due to the way it's protected).

Chris
0
 
LVL 11

Author Comment

by:loftyworm
ID: 24862294
I am finding this is a SID History issue, and trust between the domains.

But even after using the netdom command to disable SID history, quarantine, and enableSIDHistory, I am still having issues.
I am checking my DCDIAGs now....
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 24862326

Could do with verifying that the second SID for the group (on the old domain) is in the sidHistory on the new domain as well if possible.

Chris
0
 
LVL 11

Author Comment

by:loftyworm
ID: 24973323
Yes, the SIDs were verified. Turns out the problem was with the domain trust. Needed to set it up for SID filtering and enabledsidhistory. Thanks for your help :)

0
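
One way to run the checks discussed in this thread, as an added example that is not from any poster: whether the SID on the ACL is the group's objectSid or sits in its sidHistory in each domain, and how the trust is flagged for SID filtering. It assumes the ActiveDirectory PowerShell module is available; the DC names and the SID placeholder are hypothetical.

```powershell
# Added example: read-only checks, nothing here modifies the group or the trust.
# Assumes the ActiveDirectory module (RSAT); all server names are placeholders.
Import-Module ActiveDirectory

function Test-GroupSid {
    param(
        [Parameter(Mandatory)][string]$GroupName,  # group the SID lookup returned
        [Parameter(Mandatory)][string]$AclSid,     # SID string found on the ACL
        [Parameter(Mandatory)][string]$Server      # a DC in the domain to query
    )
    # sidHistory is not returned by default, so request it explicitly.
    $group   = Get-ADGroup -Identity $GroupName -Server $Server -Properties sidHistory
    $history = @($group.sidHistory | ForEach-Object { $_.Value })

    [pscustomobject]@{
        QueriedDC    = $Server
        Group        = $group.SamAccountName
        ObjectSid    = $group.SID.Value
        SidHistory   = $history
        IsObjectSid  = ($group.SID.Value -eq $AclSid)   # SID is the current one
        InSidHistory = ($history -contains $AclSid)     # SID is carried as history
    }
}

# Placeholder: paste the full SID exactly as it appears on the file ACL.
$aclSid = '<SID-from-the-ACL>'

# Compare what each side of the trust holds for the same group.
Test-GroupSid -GroupName 'GROUP1' -AclSid $aclSid -Server 'dc01.old.example'
Test-GroupSid -GroupName 'GROUP1' -AclSid $aclSid -Server 'dc01.new.example'

# Show how each trust is configured for SID filtering (quarantine) and
# whether it is flagged to pass SID history, before changing anything with netdom.
Get-ADTrust -Filter * -Server 'dc01.new.example' |
    Select-Object Name, Direction, TrustType, ForestTransitive,
                  SIDFilteringQuarantined, SIDFilteringForestAware
```

If the ACL's SID shows `InSidHistory = True` on the account side but access is still denied across the trust, the trust flags in the last command are the next thing to compare against the intended netdom settings.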

Question has a verified solution.