troubleshooting Question

SID filter quarantine between forests turned off yet migrated test user does not have access to source domain resources

afct asked on
Active Directory
We are doing an inter-forest migration from a single domain to a child domain in a new 2008 forest using ADMT v3.1.

There is a two way forest trust between the old domain and the root domain in new forest.
I disabled SID filter quarantine in both directions:

On the source 2003 R2 domain:
F:\Program Files\Win2k3 Support Tools>netdom trust afct /domain:ads /quarantine:No /userD:ads\administrator /passwordD:***
SID filtering is not enabled for this trust.

On the destination 2008 domain:
C:\Users\Administrator>netdom trust ads /domain:afct /quarantine:No /userD:afct\administrator /passwordD:***
SID filtering is not enabled for this trust.
The command completed successfully.

SID History is definitely working, as I checked the attributes for a user and a group and the SIDHistory attribute had SIDs.

Have gone through the steps in the ADMT user guide and completed the steps for migrating user/groups with SID history.
Had lots of issues to start with but finally got a successful migration.
So far I have:

translated security of service accounts
migrated global groups
migrated all users
translated local user profile of test user
migrated a workstation that the test user used in source domain

Logged in as migrated test user in new domain.
The login script mapped the user to the drives correctly.
In AD Users and Computers I verified the user is a member of all the global groups it should.
Yet I cannot access the resources (file server) that these groups give permission to.
I get "access is denied" messages when I click on folders that the user should have access to.

Any idea what could be the cause of this?
From the migration logs, the migration process was successful.
I also ensured SID quarantine was turned off between the destination forest root and child domain, as the child domain is where the users/groups are being migrated to.

Cheers :)
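
A check that fits the situation described above, added here as an example and not part of the original post: PowerShell that reports which SIDs in the migrated user's logon token belong to the source domain and which of the token's SIDs appear on the folder's ACL. The function names are hypothetical, and the domain SID and UNC path in the usage comment are constructed placeholders.

```powershell
# Added example, not from the original post.
# Run Compare-TokenToAcl while logged on as the migrated test user.
# Note: this inspects the local logon token. The file server builds its own
# token from what it receives across the trust, so a SID present here can
# still be missing on the server side.

function Get-TokenSids {
    # User SID plus every enabled group SID in the current logon token.
    # SIDs carried over from sIDHistory appear among the group SIDs.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User) + @($id.Groups)
}

function Get-AclSids([string]$Path) {
    # Trustees of the folder's ACEs as SID strings (explicit and inherited).
    # Run this part as an account that is allowed to read the ACL.
    $acl = Get-Acl -Path $Path
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        ForEach-Object { $_.IdentityReference.Value }
}

function Compare-TokenToAcl([string]$SourceDomainSid, [string[]]$AclSids) {
    $token = Get-TokenSids

    # Token SIDs whose domain part equals the source domain's SID.
    # AccountDomainSid is $null for well-known SIDs such as Everyone.
    $fromSource = $token | Where-Object {
        $_.AccountDomainSid -and $_.AccountDomainSid.Value -eq $SourceDomainSid
    }

    # Token SIDs that are actually named on the folder's ACL.
    $onAcl = $token | Where-Object { $AclSids -contains $_.Value }

    New-Object PSObject -Property @{
        SourceDomainSidsInToken = @($fromSource | ForEach-Object { $_.Value })
        TokenSidsOnAcl          = @($onAcl      | ForEach-Object { $_.Value })
    }
}

# Usage (constructed placeholder values):
#   $aclSids = Get-AclSids '\\fileserver\share\folder'   # as an administrator
#   Compare-TokenToAcl -SourceDomainSid 'S-1-5-21-1111111111-2222222222-3333333333' -AclSids $aclSids
```

An empty SourceDomainSidsInToken means the logon token carries no SIDs from the source domain; a populated one with no source-domain entry in TokenSidsOnAcl means the folder's ACEs name different SIDs than the ones the user holds.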