Solved

2008 2003 SIDs and Trusts

Posted on 2009-07-13
7
459 Views
Last Modified: 2012-05-07
I am migrating to a new 2008 domain from an old one. There is a trust between the two. There are many groups where the SID is translating correctly, but in the 2008 domain I find this SID not resolving (hence denying access): s-blah blah-1201

From the 2003 domain:
If I do a SID lookup on s-blah blah-1201 I get GROUP1
If I do a reverse lookup on GROUP1 it gives me s-blah blah-1413

This is telling me that there are TWO SIDs connected to this group.

2008 only sees the old 1201 SID, and is not translating it into the 1413 SID. This results in people not being able to access their files.

I am really stumped :(
Question by: loftyworm

7 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24847504

Is 1413 in the sidHistory of Group1 in the 2003 domain? I wonder if it's been migrated before and if the ACLs refer to the SID from an even older domain.

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24847510

Er sorry, is 1201 in the sidHistory ...

Chris
0
 
LVL 11

Author Comment

by:loftyworm
ID: 24851198
That is what I suspect, but I don't know what to do about it.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24851258

Not much you can do other than see if it is the case (ADSIEdit.msc would do for checking). Unfortunately you can't write to the sidHistory field directly (due to the way it's protected).

Chris
0
 
LVL 11

Author Comment

by:loftyworm
ID: 24862294
I am finding this is a SID History issue, and trust between the domains.

But even after using the netdom command to disable SID history, quarantine, and enableSIDHistory, I am still having issues.
I am checking my DCDIAGs now...
0
 
LVL 70

Accepted Solution

by: Chris Dent (earned 500 total points)
ID: 24862326

Could do with verifying that the second SID for the group (on the old domain) is in the sidHistory on the new domain as well if possible.

Chris
0
 
LVL 11

Author Comment

by:loftyworm
ID: 24973323
Yes, the SIDs were verified. Turns out the problem was with the domain trust. Needed to set it up for SID filtering and enablesidhistory. Thanks for your help :)

0
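The check Chris suggests (is the unresolvable SID in the group's sidHistory?) can be scripted instead of done by hand in ADSIEdit. The following is an added example, not code from the thread; the group name, the suspect SID and the LDAP search root are placeholders for the poster's values, and it uses plain ADSI so it works without the ActiveDirectory module.

```powershell
# Added example: compare a SID found in an ACL with a group's objectSid and sidHistory.
# Placeholders (not values from the thread): $GroupName, $SuspectSid, $SearchRoot.
param(
    [string]$GroupName  = 'GROUP1',                    # group whose SIDs we inspect
    [string]$SuspectSid = 'S-1-5-21-PLACEHOLDER-1201', # SID the 2008 domain cannot resolve
    [string]$SearchRoot = 'LDAP://DC=old,DC=example'   # root of the OLD (2003) domain
)

function Get-GroupSids {
    param([string]$Name, [string]$Root)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$Root
    $searcher.Filter = "(&(objectClass=group)(sAMAccountName=$Name))"
    [void]$searcher.PropertiesToLoad.AddRange(@('objectSid', 'sidHistory'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "Group '$Name' not found under $Root" }

    # objectSid and sidHistory come back as byte arrays; convert to S-1-5-... strings
    $primary = New-Object System.Security.Principal.SecurityIdentifier(
        $result.Properties['objectsid'][0], 0)
    $history = @()
    foreach ($bytes in $result.Properties['sidhistory']) {
        $history += New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    }
    [pscustomobject]@{ Primary = $primary; History = $history }
}

$sids = Get-GroupSids -Name $GroupName -Root $SearchRoot
"Primary SID : $($sids.Primary)"
"sidHistory  : $(($sids.History | ForEach-Object { $_.Value }) -join ', ')"

if ($sids.History.Value -contains $SuspectSid) {
    # The SID is a legitimate historical SID of this group. If the trusting 2008 domain
    # still cannot resolve it, SID filtering on the trust (netdom trust /quarantine) is the
    # usual reason the history is being dropped, which matches the thread's resolution.
    "'$SuspectSid' is in sidHistory of $GroupName; check SID filtering on the trust."
} elseif ($sids.Primary.Value -eq $SuspectSid) {
    "'$SuspectSid' is the current objectSid of $GroupName."
} else {
    # Neither the current SID nor any historical one: the ACL probably refers to a SID
    # from an even older domain, as Chris suspected.
    "'$SuspectSid' is not associated with $GroupName at all; the ACE is likely stale."
}
```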
