Solved

2008 2003 SIDs and Trusts

Posted on 2009-07-13
Last Modified: 2012-05-07
I am migrating to a new 2008 domain from an old one. There is a trust between the two. There are many groups where the SID is translating correctly,
but
in the 2008 domain I find this SID not resolving (hence denying access): s-blah blah-1201

From the 2003 domain:
If I do a SID lookup on s-blah blah-1201 I get GROUP1
If I do a reverse lookup on GROUP1 it gives me s-blah blah-1413

This is telling me that there are TWO SIDs connected to this group.

2008 only sees the old 1201 SID, and is not translating it into the 1413 SID. This results in people not being able to access their files.

I am really stumped :(
Question by: loftyworm
7 Comments
 
Expert Comment by: Chris Dent (ID: 24847504)

Is 1413 in the sidHistory of Group1 in the 2003 domain? I wonder if it's been migrated before and if the ACLs refer to the SID from an even older domain.

Chris

Expert Comment by: Chris Dent (ID: 24847510)

Er sorry, is 1201 in the sidHistory ...

Chris

Author Comment by: loftyworm (ID: 24851198)

That is what I suspect, but I don't know what to do about it.

Expert Comment by: Chris Dent (ID: 24851258)

Not much you can do other than see if it is the case (ADSIEdit.msc would do for checking). Unfortunately you can't write to the sidHistory field directly (due to the way it's protected).

Chris
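The sidHistory check Chris describes can be scripted instead of read off ADSIEdit. The following is an added example, not code from this thread: it pulls GROUP1's objectSid and sIDHistory from a 2003 DC over plain LDAP (System.DirectoryServices, so no ADWS is required on the 2003 side), compares both against the SID found in the ACL, and then asks the local host to translate that SID the way the file server would. The DC name, the domain part of the SIDs and the full form of the ...-1201 SID are placeholders.

```powershell
# Added example, not from the thread. Run from a domain-joined host that can
# reach the 2003 DC; all names and SIDs below are placeholders.
$oldDomainDC = 'dc1.old2003.local'               # assumed DC in the 2003 domain
$groupName   = 'GROUP1'
$aclSid      = 'S-1-5-21-111-222-333-1201'       # placeholder for the SID seen in the ACL

# Plain LDAP search for the group; works against a 2003 DC without ADWS.
$root     = [ADSI]"LDAP://$oldDomainDC"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectClass=group)(sAMAccountName=$groupName))"
[void]$searcher.PropertiesToLoad.AddRange(@('objectSid', 'sIDHistory', 'sAMAccountName'))
$result = $searcher.FindOne()
if (-not $result) { throw "Group $groupName not found on $oldDomainDC" }

# objectSid and sIDHistory come back as raw byte arrays; decode them.
$primarySid  = New-Object System.Security.Principal.SecurityIdentifier($result.Properties['objectsid'][0], 0)
$historySids = @()
foreach ($bytes in $result.Properties['sidhistory']) {
    $historySids += New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
}
$historyValues = @($historySids | ForEach-Object { $_.Value })

"{0}: current SID {1}" -f $groupName, $primarySid.Value
"sidHistory: " + $(if ($historyValues) { $historyValues -join ', ' } else { '(empty)' })

# Classify the SID that the ACL refers to.
if ($aclSid -eq $primarySid.Value) {
    "ACL SID is the group's current SID: resolution failure is a trust/lookup problem, not sidHistory."
} elseif ($historyValues -contains $aclSid) {
    "ACL SID is in sidHistory: the trust must let sidHistory SIDs through, or the files must be re-ACLed to the current SID."
} else {
    "ACL SID matches neither: it may come from an even older domain that was never carried into sidHistory."
}

# Translate the ACL SID from this host, which is what the file server does when it
# displays the ACL; a failure here mirrors the 'unresolved SID' the 2008 side shows.
try {
    $account = (New-Object System.Security.Principal.SecurityIdentifier($aclSid)).Translate([System.Security.Principal.NTAccount])
    "$aclSid resolves to $($account.Value) from this host"
} catch {
    "$aclSid does not resolve from this host: $($_.Exception.Message)"
}
```

If the SID is in sidHistory on the 2003 side, the file ACLs are not wrong, only stale: access works as long as the old SID reaches the user's token across the trust, which is the part the trust's SID filtering setting controls.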

Author Comment by: loftyworm (ID: 24862294)

I am finding this is a SID History issue, and trust between the domains.

But even after using the netdom command to disable SID history, quarantine, and enableSIDHistory, I am still having issues.
I am checking my DCDIAGs now....

Accepted Solution by: Chris Dent (earned 500 total points, ID: 24862326)

Could do with verifying that the second SID for the group (on the old domain) is in the sidHistory on the new domain as well if possible.

Chris

Author Comment by: loftyworm (ID: 24973323)

Yes, the SIDs were verified. Turns out the problem was with the domain trust. I needed to set it up for SID filtering and EnableSIDHistory. Thanks for your help :)

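The netdom switches mentioned in this thread (quarantine and enablesidhistory) decide whether sidHistory SIDs from the old domain survive the trip over the trust into the 2008 domain's tokens. The following is an added example, not from the thread, using placeholder names: new2008.local is the trusting (resource) domain holding the files, old2003.local is the trusted domain holding GROUP1 and its sidHistory. One caveat a migration should not skip: with SID filtering off, anyone who can populate sidHistory in the trusted domain (its administrators, or an attacker who has become one) can put the trusting domain's privileged SIDs into a token and be accepted there, so keep the window short and switch filtering back on once the ACLs reference current SIDs.

```powershell
# Added example, not from the thread. Inspect and change SID filtering on the
# trust with netdom; names are placeholders.
$trusting = 'new2008.local'   # assumed resource domain (where the file ACLs live)
$trusted  = 'old2003.local'   # assumed account domain (where GROUP1 and its sidHistory live)

# 1. Is the trust healthy, and what is its current filtering state?
#    Without a Yes/No value, netdom reports the current setting instead of changing it.
netdom trust $trusting /domain:$trusted /verify
netdom trust $trusting /domain:$trusted /quarantine          # external (domain) trusts
netdom trust $trusting /domain:$trusted /enablesidhistory    # forest trusts only

# 2. Migration window only. Which switch applies depends on the trust type:
#    - external trust: /quarantine:No turns SID filtering off entirely
#    - forest trust:   leave quarantine alone, /enablesidhistory:Yes lets sidHistory SIDs through
#    /usero and /passwordo are credentials for the trusting domain; '*' prompts for the password.
netdom trust $trusting /domain:$trusted /quarantine:No /usero:administrator /passwordo:*
# For a forest trust use this instead:
# netdom trust $trusting /domain:$trusted /enablesidhistory:Yes /usero:administrator /passwordo:*

# 3. Check from the client side. Log on to a member of $trusting as a user from
#    $trusted and look for the old SID (...-1201) in the token. Missing: the trust
#    is still stripping it. Present but access still denied: the problem is the
#    ACL or SID resolution on the file server, not the trust.
whoami /groups /fo list | Select-String -Pattern '-1201$'

# 4. Once the file ACLs have been re-ACLed to current SIDs, restore filtering.
netdom trust $trusting /domain:$trusted /quarantine:Yes /usero:administrator /passwordo:*
```

Step 3 is the quickest way to tell the two failure modes apart: SID filtering operates on the token built during cross-domain logon, so a SID that never appears in whoami output cannot match an ACL no matter what the file server does.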