Active Directory Cross Forrest Migration help 2003 -> 2012 - sid history help

I have a 2003 AD domain setup and a 2012 AD domain we are migrating to. I have a 2 way transitive trust with SID filtering disabled between them. I am using ADMT to transfer the user accounts and groups to the new domain. I am using the option in ADMT to transfer SID history. I am able to transfer groups and accounts fine and can check with ASDI edit the SID history is intact OK.

The issues comes in with this: If I have on the old domain \oldfs\oldshare01 with full share permissions to everyone and GroupA ReadWrite with my migrated user a member of GroupA, I cannot access the share folder. If I go to the same folder \oldfs\oldshare01 and add in migrateduser@olddomain.com explicitly I can now access the files in the folder. So it seems to be something with the group. Again I have migrated GroupA into the new domain and it has the old SID and it has migrated user in the new domain as a member

thoughts?

forgot to mention that the file server is in a child domain

so it's

domainold.com   <---2 way transitive trust--> domainnew.com
-child.domainold.com
Bible_on_stageAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

MaheshArchitectCommented:
You have disabled SID Filtering but not enabled SID history over trust, this is required so that SID History will not get blocked over trust

Run below command either from target DC \ source DC to enable SID History to traverse from target domain to source domain
Running command through target DC is preferable.
U need to install 2003 support tools on 2003 DC if you want to run below command
On 2012 the tool is available and run command with elevated command prompt.

The syntax
netdom trust <source domain> /domain:<target domain> /EnableSIDHistory:Yes
Ex:
netdom trust SD.com /domain:TD.com /EnableSIDHistory:Yes

Also ensure that Trust is set to disable SID Filtering
The Syntax
netdom trust <source domain> /domain:<target domain> /Quarantine:No

Mahesh
0
Bible_on_stageAuthor Commented:
Already found that and applied those 2 fixes to the trust
0
MaheshArchitectCommented:
Have you run above commands against child domain?

I think SID is getting blocked against child domain.

Also ensure that you are able to do name resolution against child domain from target domain and vice versa
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

MaheshArchitectCommented:
The best option could be create new external trust between target domain and child domain in source forest
Then enable SID History and disable SID filtering on that trust

U need to ensure name resolution between both domains prior to built trust

This will definitely work
0
Bible_on_stageAuthor Commented:
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Bible_on_stageAuthor Commented:
found solution on my own
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.