Solved

Migrated users cannot access resources in source domain even though sid history is enabled.

Posted on 2014-01-22
2
4,923 Views
Last Modified: 2014-01-27
This is a similar situation to the question asked by WeirdFishes in 2011.  I'm working on cross-forest migration, with one domain per forest.  A test user has been migrated to the target domain (Windows 2008) but cannot access resources now in the source domain (Windows 2003).  I have a two-way forest trust setup.  Using the test user in the target domain, I can access resources in the source domain where all users have permissions, but a folder where the test user account in the source domain has specific permission cannot be accessed.

I've confirmed that the test user account in the target domain has the correct SID history.

Can you help?
0
Comment
Question by:vphul
2 Comments
 
LVL 36

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39802141
Have you disabled SID Filtering and enabled SID History across the forest trust ?
If its not done source domain SID will get dropped by source domain when accessing resources from target domain over trust.
If not please enable SID history and disable SID filtering across forest trust from target domain controller
You must be run below command through elevated command prompt and you must be logged on as root domain "domain administrator in target domain
Also your account must be present in source domain built-in administrators group

To disable SID filtering:
netdom trust <source domain FQDN> /domain:<trusted domain> /Quarantine:NO

To Enable SID filtering:
netdom trust <source domain FQDN> /domain:<trusted domain> /EnableSIDHistory:yes

http://blogs.technet.com/b/csstwplatform/archive/2010/05/06/how-to-disabling-sid-filter-quarantining-allowing-sid-history.aspx

Both commands should get completed successfully.
Then force replication in source domain.

Also I suggest you to remigrate all groups in merge mode with SID History post your user migration is completed as it will help to fix target users group membership wrt source domain.
At least migrate those affected groups with SID History to which user is member of.

Then logoff user once and try to access shared folder in source domain.

Also i suggest you instead of granting access to individual users in source domain, grant access to security groups and make individual users member of security groups.
Ensure that all source domain security groups are migrated 1st, then all users and then remigrate groups in merge mode with SID History for best \ accurate results as far as possible.

Mahesh
0
 

Author Comment

by:vphul
ID: 39812092
Hello Mahesh,

Thanks very much for your comment.  I had enabled SID history but not disabled SID filtering.  I'm very pleased to report that my test user can now access the resources in the source domain.

Thanks very much for your help.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question