Migrated Target User Cannot Access Source User's Files In Source Domain

Source 2003 R2 domain HQ and target 2008 R2 domain AD are in separate, external forests that have a working two-way trust relationship. I've installed ADMT 3.2 on a member server in AD and also installed and configured PES in HQ. Migrating HQ\TestUser to AD with ADMT 3.2 seems to work OK, and the ADMT log contains the line "SID for HQ\TestUser added to the SID History of AD\TestUser".

But AD\TestUser gets an "Access is denied" error when trying to access files in HQ that HQ\TestUser owns and has Full Control permissions for.

What could be the problem? How can I diagnose it?

Thanks for your attention!
Asked by jeff1946
Tony Massa commented:
There are really two things that prevent this:

1.  The objectSid of the source user wasn't added to the sIDHistory of the target user, but a quick ADSIEdit/ADFind will quickly tell you that. Check the target user's account for the SID.

2.  The AD trust was set up, but you did not disable the sIDHistory filter that is on the trust.  This prevents the sIDHistory from working and is enabled by default.
http://technet.microsoft.com/en-us/library/cc772816(WS.10).aspx

More info:  http://technet.microsoft.com/en-us/library/cc772633(v=WS.10).aspx

Just disable the sIDHistory filtering and you should be good.
0
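The two checks in the answer above, plus the netdom step that fixes the second one, as an added PowerShell example; it is not code from the thread or from Microsoft. It assumes the source domain HQ is hq.example, the target domain AD is ad.example, the migrated account is TestUser, and the ActiveDirectory module (RSAT) is installed on the ADMT member server; those names are placeholders. The netdom call must run as an account that is a domain admin in the target domain and also a member of the trusting (source) domain's Administrators group, which is what the original poster ran into.

```powershell
# Added example, not from the original thread. Assumed names:
#   $sourceDomain = HQ (hq.example), $targetDomain = AD (ad.example), $user = TestUser
# Run from an elevated PowerShell on the ADMT server with RSAT installed.
Import-Module ActiveDirectory

$sourceDomain = 'hq.example'   # assumption: DNS name of the 2003 R2 source domain HQ
$targetDomain = 'ad.example'   # assumption: DNS name of the 2008 R2 target domain AD
$user         = 'TestUser'

# 1. Did ADMT really write the source objectSid into the target account's sIDHistory?
#    (Same check the answer suggests doing with ADSIEdit/ADFind.)
$src = Get-ADUser -Identity $user -Server $sourceDomain
$dst = Get-ADUser -Identity $user -Server $targetDomain -Properties sIDHistory
$history = @($dst.sIDHistory | ForEach-Object { $_.Value })

if ($history -contains $src.SID.Value) {
    Write-Host "OK: $($src.SID.Value) is present in sIDHistory of $targetDomain\$user"
} else {
    Write-Warning "sIDHistory of $targetDomain\$user lacks $($src.SID.Value); re-run ADMT with 'Migrate user SIDs to target domain' selected."
}

# 2. Is SID filtering still on for HQ's side of the trust to AD?
#    The trustedDomain object lives in CN=System of the *trusting* (resource) domain, HQ.
#    trustAttributes bit 0x4 = TRUST_ATTRIBUTE_QUARANTINED_DOMAIN (SID filtering on an external trust)
#    trustAttributes bit 0x8 = TRUST_ATTRIBUTE_FOREST_TRANSITIVE (forest trust; SID history is
#    controlled there with netdom /EnableSIDHistory rather than /Quarantine)
$systemCn = (Get-ADDomain -Server $sourceDomain).SystemsContainer
$trust = Get-ADObject -Server $sourceDomain -SearchBase $systemCn `
    -Filter { objectClass -eq 'trustedDomain' -and name -eq $targetDomain } `
    -Properties trustAttributes

if (-not $trust) { throw "No trustedDomain object for $targetDomain found in $sourceDomain" }

$attrs         = [int]$trust.trustAttributes
$isForestTrust = ($attrs -band 0x8) -ne 0
$quarantined   = ($attrs -band 0x4) -ne 0

Write-Host ("Trust {0} -> {1}: forestTrust={2} quarantineBit={3}" -f $sourceDomain, $targetDomain, $isForestTrust, $quarantined)

# 3. Show the current filtering state, then turn it off on the trusting side (HQ trusts AD).
#    Omitting the :yes/:no value makes netdom display the current setting instead of changing it.
#    /userD and /passwordD:* prompt for credentials in the trusted (target) domain.
if ($isForestTrust) {
    netdom trust $sourceDomain /domain:$targetDomain /EnableSIDHistory
    netdom trust $sourceDomain /domain:$targetDomain /EnableSIDHistory:yes /userD:"$targetDomain\Administrator" /passwordD:*
} else {
    netdom trust $sourceDomain /domain:$targetDomain /Quarantine
    netdom trust $sourceDomain /domain:$targetDomain /Quarantine:no /userD:"$targetDomain\Administrator" /passwordD:*
}
```

The order matters: the SID check comes first because disabling SID filtering does nothing if sIDHistory is empty, and disabling filtering is a security trade-off (the source forest will now honour any SID the target forest presents, so only do it for the duration of the migration and re-enable it afterwards). After the netdom change the migrated user must log off and back on, since the sIDHistory SIDs are only added to the access token at logon; a stale session will keep getting "Access is denied".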
jeff1946 (Author) commented:
tmassa99: Thank you for your reply.  You were right -- I needed to disable SID filtering. But I had a lot of trouble actually doing it -- I got "access denied" errors when I did it as a source domain admin on a source DC. I had to make the source domain admin a member of the target domain's builtin administrators group and run the netdom commands as the source admin logged on to a target DC.

I also had to "netdom trust ... /enablesidhistory:Yes" and enable the "anonymous SID/Name translation" group policy. But then it worked. Finally!

Thanks for putting me on the right track. Is any of this stuff documented anywhere? And why doesn't ADMT do all this stuff for you?
0