Solved

Active Directory Cross Forrest Migration help 2003 -> 2012 - sid history help

Posted on 2014-11-17
6
128 Views
Last Modified: 2014-12-09
I have a 2003 AD domain setup and a 2012 AD domain we are migrating to. I have a 2 way transitive trust with SID filtering disabled between them. I am using ADMT to transfer the user accounts and groups to the new domain. I am using the option in ADMT to transfer SID history. I am able to transfer groups and accounts fine and can check with ASDI edit the SID history is intact OK.

The issues comes in with this: If I have on the old domain \oldfs\oldshare01 with full share permissions to everyone and GroupA ReadWrite with my migrated user a member of GroupA, I cannot access the share folder. If I go to the same folder \oldfs\oldshare01 and add in migrateduser@olddomain.com explicitly I can now access the files in the folder. So it seems to be something with the group. Again I have migrated GroupA into the new domain and it has the old SID and it has migrated user in the new domain as a member

thoughts?

forgot to mention that the file server is in a child domain

so it's

domainold.com   <---2 way transitive trust--> domainnew.com
-child.domainold.com
0
Comment
Question by:Bible_on_stage
  • 3
  • 3
6 Comments
 
LVL 36

Expert Comment

by:Mahesh
ID: 40450179
You have disabled SID Filtering but not enabled SID history over trust, this is required so that SID History will not get blocked over trust

Run below command either from target DC \ source DC to enable SID History to traverse from target domain to source domain
Running command through target DC is preferable.
U need to install 2003 support tools on 2003 DC if you want to run below command
On 2012 the tool is available and run command with elevated command prompt.

The syntax
netdom trust <source domain> /domain:<target domain> /EnableSIDHistory:Yes
Ex:
netdom trust SD.com /domain:TD.com /EnableSIDHistory:Yes

Also ensure that Trust is set to disable SID Filtering
The Syntax
netdom trust <source domain> /domain:<target domain> /Quarantine:No

Mahesh
0
 

Author Comment

by:Bible_on_stage
ID: 40450192
Already found that and applied those 2 fixes to the trust
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 40450262
Have you run above commands against child domain?

I think SID is getting blocked against child domain.

Also ensure that you are able to do name resolution against child domain from target domain and vice versa
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 36

Expert Comment

by:Mahesh
ID: 40452236
The best option could be create new external trust between target domain and child domain in source forest
Then enable SID History and disable SID filtering on that trust

U need to ensure name resolution between both domains prior to built trust

This will definitely work
0
 

Accepted Solution

by:
Bible_on_stage earned 0 total points
ID: 40481101
0
 

Author Closing Comment

by:Bible_on_stage
ID: 40488469
found solution on my own
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question