SID filter quarantine between forests turned off yet migrated test user does not have access to source domain resources

afct
Hi,
We are doing an inter-forest migration from a single domain to a child domain in a new 2008 forest using ADMT v3.1

There is a two way forest trust between the old domain and the root domain in new forest.
I disabled SID filter quarantine in both directions:

On the source 2003 R2 domain:
F:\Program Files\Win2k3 Support Tools>netdom trust afct /domain:ads /quarantine:No /userD:ads\administrator /passwordD:***
SID filtering is not enabled for this trust.

On the destination 2008 domain:
C:\Users\Administrator>netdom trust ads /domain:afct /quarantine:No /userD:afct\administrator /passwordD:***
SID filtering is not enabled for this trust.
The command completed successfully.

SID History is definitely working, as I checked the attributes for a user and a group and the SIDHistory attribute had SIDs.


Have gone through the steps in the ADMT user guide and completed the steps for migrating user/groups with SID history.
Had lots of issues to start with but finally got a successful migration.
So far I have:

translated security of service accounts
migrated global groups
migrated all users
translated local user profile of test user
migrated a workstation that the test user used in source domain

Logged in as migrated test user in new domain.
The login script mapped the user to the drives correctly
In AD Users and Computers I verified the user is a member of all the global groups it should be.
Yet I cannot access the resources (file server) that these groups give permission to.
I get "access is denied" messages when I click on folders that the user should have access to.

Any idea what could be the cause of this?
From the migration logs, the migration process was successful.
I also ensured SID quarantine was turned off between the destination forest root and child domain, as the child domain is where the users/groups are being migrated to.

Cheers :)
Author

Commented:
Sorry, missed a step in my question above

So far I have:

translated security of service accounts
migrated global groups
migrated all users
translated local user profile of test user
migrated a workstation that the test user used in source domain
***  then I remigrated the test user account as instructed on pg 90-91 of the ADMT user guide. ***

Author

Commented:
An example of the resource access problem is access to the home directory.
The home drive gets mapped to the root of the home drive share, but "access denied" trying to access the appropriate folder.
The test user of the source domain has full control on this home directory.
If you run the command:

netdom trust afct /domain:ads /enablesidhistory /userD:ads\administrator /passwordD:***

Does it state sIDHistory is enabled or disabled?

Oh and if this comes back telling you SIDHistory is not enabled, just run:

netdom trust afct /domain:ads /enablesidhistory:yes /userD:ads\administrator /passwordD:***

Author

Commented:
FANTASTIC!!

Thanks Pete.

There was no mention in the Migration Users Guide about this as far as I could see.
I was under the impression it was turned on by ADMT during the initial test migrate of a global group.

Permissions work fine now!
Best wishes to you
You're most welcome. Both steps are required to use the sIDHistory attribute from any foreign domain account: enabling SID History, and disabling SID Filtering/Quarantine.

Glad you're all up and running now! :)

Pete
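As an added example that is not part of the thread (and not ADMT or netdom code), the PowerShell below decodes the trustAttributes bitmask of a trust object to show why both steps Pete lists are needed on a forest trust. netdom /quarantine:No clears TRUST_ATTRIBUTE_QUARANTINED_DOMAIN (0x4), but a forest trust still filters foreign SIDs until TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL (0x40) is set, which is what /enablesidhistory:Yes does; that is exactly the state the questioner was in. The function name, the sample rows and the placeholder domain names are my own; the commented live variant assumes the RSAT ActiveDirectory module (Get-ADTrust) is installed.

```powershell
# Added example, not from the thread or from ADMT/netdom documentation.
# Bit values are the trustAttributes flags documented in MS-ADTS 6.1.6.7.9.
# Function and sample names are my own; the live branch at the bottom assumes
# the RSAT ActiveDirectory module (Get-ADTrust) is available.

$TrustAttr = @{
    NonTransitive     = 0x00000001
    UplevelOnly       = 0x00000002
    QuarantinedDomain = 0x00000004   # set/cleared by netdom trust ... /quarantine:Yes|No
    ForestTransitive  = 0x00000008   # marks a forest trust
    CrossOrganization = 0x00000010
    WithinForest      = 0x00000020
    TreatAsExternal   = 0x00000040   # set by netdom trust ... /enablesidhistory:Yes
}

function Test-SidHistoryAcrossTrust {
    param([string]$TrustName, [int]$Attributes)

    $isForest   = ($Attributes -band $TrustAttr.ForestTransitive) -ne 0
    $quarantine = ($Attributes -band $TrustAttr.QuarantinedDomain) -ne 0
    $external   = ($Attributes -band $TrustAttr.TreatAsExternal) -ne 0

    if ($isForest) {
        # Forest trust: sIDHistory from the other forest is honoured only when
        # the trust is treated as external AND quarantine is off.
        $ok  = $external -and -not $quarantine
        $fix = if (-not $external) { 'netdom trust <local> /domain:<remote> /enablesidhistory:Yes' }
               elseif ($quarantine) { 'netdom trust <local> /domain:<remote> /quarantine:No' }
               else { $null }
    } else {
        # External trust: only the quarantine flag matters.
        $ok  = -not $quarantine
        $fix = if ($quarantine) { 'netdom trust <local> /domain:<remote> /quarantine:No' } else { $null }
    }

    [pscustomobject]@{
        Trust               = $TrustName
        ForestTrust         = $isForest
        SidFilterQuarantine = $quarantine
        TreatAsExternal     = $external
        SidHistoryHonoured  = $ok
        Fix                 = $fix
    }
}

# Constructed sample rows mirroring the thread: a forest trust with quarantine
# already off but sIDHistory not enabled (the failing state), the same trust
# after /enablesidhistory:Yes, and a plain external trust still quarantined.
$samples = @(
    @{ Name = 'afct (before)'; Attr = $TrustAttr.ForestTransitive }
    @{ Name = 'afct (after)';  Attr = $TrustAttr.ForestTransitive -bor $TrustAttr.TreatAsExternal }
    @{ Name = 'legacy-ext';    Attr = $TrustAttr.QuarantinedDomain }
)
$samples | ForEach-Object { Test-SidHistoryAcrossTrust $_.Name $_.Attr } | Format-Table -AutoSize

# Same check against a live domain controller (RSAT ActiveDirectory module):
# Get-ADTrust -Filter * |
#     ForEach-Object { Test-SidHistoryAcrossTrust $_.Name $_.TrustAttributes } |
#     Format-Table -AutoSize
```

Run it on a domain controller (or any host with the AD module and the live lines uncommented) before and after the netdom commands in the thread; the first sample row reproduces the "quarantine off, still access denied" state and names the missing step. One caveat the thread does not spell out: with TreatAsExternal set and quarantine off, the resource domain accepts whatever SIDs the other forest puts in sIDHistory, so anyone who controls the source forest can claim membership of any group in the target. Treat the source forest as fully trusted for the duration of the migration and re-enable filtering (/enablesidhistory:No, /quarantine:Yes) once the migration is complete and sIDHistory is no longer relied on.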
