afct

SID filter quarantine between forests turned off yet migrated test user does not have access to source domain resources

Hi,
We are doing an inter-forest migration from a single domain to a child domain in a new 2008 forest using ADMT v3.1.

There is a two way forest trust between the old domain and the root domain in new forest.
I disabled SID filter quarantine in both directions:

On the source 2003 R2 domain:
F:\Program Files\Win2k3 Support Tools>netdom trust afct /domain:ads /quarantine:No /userD:ads\administrator /passwordD:***
SID filtering is not enabled for this trust.

On the destination 2008 domain:
C:\Users\Administrator>netdom trust ads /domain:afct /quarantine:No /userD:afct\administrator /passwordD:***
SID filtering is not enabled for this trust.
The command completed successfully.

SID History is definitely working, as I checked the attributes for a user and a group and the SIDHistory attribute had SIDs.


Have gone through the steps in the ADMT user guide and completed the steps for migrating user/groups with SID history.
Had lots of issues to start with but finally got a successful migration.
So far I have:

translated security of service accounts
migrated global groups
migrated all users
translated local user profile of test user
migrated a workstation that the test user used in source domain

Logged in as migrated test user in new domain.
The login script mapped the user to the drives correctly
In AD Users and Computers I verified the user is a member of all the global groups it should.
Yet I cannot access the resources (file server) that these groups give permission to.
I get "access is denied" messages when I click on folders that the user should have access to.

Any idea what could be the cause of this?
From the migration logs, the migration process was successful.
I also ensured SID quarantine was turned off between the destination forest root and child domain, as the child domain is where the users/groups are being migrated to.

Cheers :)
afct

ASKER

Sorry, missed a step in my question above

So far I have:

translated security of service accounts
migrated global groups
migrated all users
translated local user profile of test user
migrated a workstation that the test user used in source domain
***  then I remigrated the test user account as instructed on pg 90-91 of the ADMT user guide. ***

ASKER

An example of the resource access problem is access to the home directory.
The home drive gets mapped to the root of the home drive share, but I get "access denied" when trying to access the appropriate folder.
The test user of the source domain has full control on this home directory.
If you run the command:

netdom trust afct /domain:ads /enablesidhistory /userD:ads\administrator /passwordD:***

Does it state sIDHistory is enabled or disabled?

ASKER CERTIFIED SOLUTION
PeteJThomas

This solution is only available to members.

ASKER

FANTASTIC!!

Thanks Pete.

There was no mention in the Migration Users Guide about this as far as I could see.
I was under the impression it was turned on by ADMT during the initial test migrate of a global group.

Permissions work fine now!
Best wishes to you
You're most welcome, both steps are required to use the sID History attribute from any foreign domain account: Enabling sID History, and Disabling sID Filtering/Quarantine.

Glad you're all up and running now! :)

Pete
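
The two independent settings described in the last reply, as an added example that is not part of the original thread: the function decodes a trust's trustAttributes value and reports whether sIDHistory SIDs survive filtering on that trust. It assumes that /quarantine corresponds to the 0x04 flag and that /enablesidhistory on a forest trust corresponds to the 0x40 flag; the function name and the sample values are constructed.

```powershell
# Added example (not from the thread). Flag values are from the MS-ADTS
# definition of the trustedDomain object's trustAttributes attribute.
function Test-TrustSidHistory {          # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][int]$TrustAttributes
    )
    $quarantined     = [bool]($TrustAttributes -band 0x04)  # QUARANTINED_DOMAIN
    $forestTrust     = [bool]($TrustAttributes -band 0x08)  # FOREST_TRANSITIVE
    $treatAsExternal = [bool]($TrustAttributes -band 0x40)  # TREAT_AS_EXTERNAL

    if ($quarantined) {
        $honored = $false
        $reason  = 'Quarantine is on: only SIDs from the trusted domain pass'
    }
    elseif ($forestTrust -and -not $treatAsExternal) {
        $honored = $false
        $reason  = 'Forest trust filtering strips SIDs from outside the trusted forest'
    }
    else {
        $honored = $true
        $reason  = 'No filter on this trust removes sIDHistory SIDs'
    }

    [pscustomobject]@{
        Trust             = $Name
        Quarantined       = $quarantined
        ForestTrust       = $forestTrust
        TreatAsExternal   = $treatAsExternal
        SidHistoryHonored = $honored
        Reason            = $reason
    }
}

# Constructed sample values, not read from any real domain.
# With the ActiveDirectory module available (an assumption), a live value
# comes from: (Get-ADTrust -Identity 'ads').TrustAttributes
$samples = @(
    @{ Name = 'forest trust, quarantine off only';      TrustAttributes = 0x08 },
    @{ Name = 'forest trust, SID history also enabled'; TrustAttributes = 0x48 },
    @{ Name = 'external trust, quarantine on';          TrustAttributes = 0x04 }
)
$results = foreach ($s in $samples) { Test-TrustSidHistory @s }
$results | Format-List
```

The first sample matches the state described in the question: quarantine is off, yet the forest trust still filters the migrated user's sIDHistory SIDs.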