Solved

Migrated users cannot access resources in source domain even though sid history is enabled.

Posted on 2014-01-22
2
4,490 Views
Last Modified: 2014-01-27
This is a similar situation to the question asked by WeirdFishes in 2011.  I'm working on cross-forest migration, with one domain per forest.  A test user has been migrated to the target domain (Windows 2008) but cannot access resources now in the source domain (Windows 2003).  I have a two-way forest trust setup.  Using the test user in the target domain, I can access resources in the source domain where all users have permissions, but a folder where the test user account in the source domain has specific permission cannot be accessed.

I've confirmed that the test user account in the target domain has the correct SID history.

Can you help?
0
Comment
Question by:vphul
2 Comments
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
Comment Utility
Have you disabled SID Filtering and enabled SID History across the forest trust ?
If its not done source domain SID will get dropped by source domain when accessing resources from target domain over trust.
If not please enable SID history and disable SID filtering across forest trust from target domain controller
You must be run below command through elevated command prompt and you must be logged on as root domain "domain administrator in target domain
Also your account must be present in source domain built-in administrators group

To disable SID filtering:
netdom trust <source domain FQDN> /domain:<trusted domain> /Quarantine:NO

To Enable SID filtering:
netdom trust <source domain FQDN> /domain:<trusted domain> /EnableSIDHistory:yes

http://blogs.technet.com/b/csstwplatform/archive/2010/05/06/how-to-disabling-sid-filter-quarantining-allowing-sid-history.aspx

Both commands should get completed successfully.
Then force replication in source domain.

Also I suggest you to remigrate all groups in merge mode with SID History post your user migration is completed as it will help to fix target users group membership wrt source domain.
At least migrate those affected groups with SID History to which user is member of.

Then logoff user once and try to access shared folder in source domain.

Also i suggest you instead of granting access to individual users in source domain, grant access to security groups and make individual users member of security groups.
Ensure that all source domain security groups are migrated 1st, then all users and then remigrate groups in merge mode with SID History for best \ accurate results as far as possible.

Mahesh
0
 

Author Comment

by:vphul
Comment Utility
Hello Mahesh,

Thanks very much for your comment.  I had enabled SID history but not disabled SID filtering.  I'm very pleased to report that my test user can now access the resources in the source domain.

Thanks very much for your help.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Suggested Solutions

Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now