?
Solved

Active Directory Cross Forrest Migration help 2003 -> 2012 - sid history help

Posted on 2014-11-17
6
Medium Priority
?
136 Views
Last Modified: 2014-12-09
I have a 2003 AD domain setup and a 2012 AD domain we are migrating to. I have a 2 way transitive trust with SID filtering disabled between them. I am using ADMT to transfer the user accounts and groups to the new domain. I am using the option in ADMT to transfer SID history. I am able to transfer groups and accounts fine and can check with ASDI edit the SID history is intact OK.

The issues comes in with this: If I have on the old domain \oldfs\oldshare01 with full share permissions to everyone and GroupA ReadWrite with my migrated user a member of GroupA, I cannot access the share folder. If I go to the same folder \oldfs\oldshare01 and add in migrateduser@olddomain.com explicitly I can now access the files in the folder. So it seems to be something with the group. Again I have migrated GroupA into the new domain and it has the old SID and it has migrated user in the new domain as a member

thoughts?

forgot to mention that the file server is in a child domain

so it's

domainold.com   <---2 way transitive trust--> domainnew.com
-child.domainold.com
0
Comment
Question by:Bible_on_stage
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 40450179
You have disabled SID Filtering but not enabled SID history over trust, this is required so that SID History will not get blocked over trust

Run below command either from target DC \ source DC to enable SID History to traverse from target domain to source domain
Running command through target DC is preferable.
U need to install 2003 support tools on 2003 DC if you want to run below command
On 2012 the tool is available and run command with elevated command prompt.

The syntax
netdom trust <source domain> /domain:<target domain> /EnableSIDHistory:Yes
Ex:
netdom trust SD.com /domain:TD.com /EnableSIDHistory:Yes

Also ensure that Trust is set to disable SID Filtering
The Syntax
netdom trust <source domain> /domain:<target domain> /Quarantine:No

Mahesh
0
 

Author Comment

by:Bible_on_stage
ID: 40450192
Already found that and applied those 2 fixes to the trust
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40450262
Have you run above commands against child domain?

I think SID is getting blocked against child domain.

Also ensure that you are able to do name resolution against child domain from target domain and vice versa
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 37

Expert Comment

by:Mahesh
ID: 40452236
The best option could be create new external trust between target domain and child domain in source forest
Then enable SID History and disable SID filtering on that trust

U need to ensure name resolution between both domains prior to built trust

This will definitely work
0
 

Accepted Solution

by:
Bible_on_stage earned 0 total points
ID: 40481101
0
 

Author Closing Comment

by:Bible_on_stage
ID: 40488469
found solution on my own
0

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question