Solved

Active Directory Cross Forrest Migration help 2003 -> 2012 - sid history help

Posted on 2014-11-17
6
132 Views
Last Modified: 2014-12-09
I have a 2003 AD domain setup and a 2012 AD domain we are migrating to. I have a 2 way transitive trust with SID filtering disabled between them. I am using ADMT to transfer the user accounts and groups to the new domain. I am using the option in ADMT to transfer SID history. I am able to transfer groups and accounts fine and can check with ASDI edit the SID history is intact OK.

The issues comes in with this: If I have on the old domain \oldfs\oldshare01 with full share permissions to everyone and GroupA ReadWrite with my migrated user a member of GroupA, I cannot access the share folder. If I go to the same folder \oldfs\oldshare01 and add in migrateduser@olddomain.com explicitly I can now access the files in the folder. So it seems to be something with the group. Again I have migrated GroupA into the new domain and it has the old SID and it has migrated user in the new domain as a member

thoughts?

forgot to mention that the file server is in a child domain

so it's

domainold.com   <---2 way transitive trust--> domainnew.com
-child.domainold.com
0
Comment
Question by:Bible_on_stage
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 40450179
You have disabled SID Filtering but not enabled SID history over trust, this is required so that SID History will not get blocked over trust

Run below command either from target DC \ source DC to enable SID History to traverse from target domain to source domain
Running command through target DC is preferable.
U need to install 2003 support tools on 2003 DC if you want to run below command
On 2012 the tool is available and run command with elevated command prompt.

The syntax
netdom trust <source domain> /domain:<target domain> /EnableSIDHistory:Yes
Ex:
netdom trust SD.com /domain:TD.com /EnableSIDHistory:Yes

Also ensure that Trust is set to disable SID Filtering
The Syntax
netdom trust <source domain> /domain:<target domain> /Quarantine:No

Mahesh
0
 

Author Comment

by:Bible_on_stage
ID: 40450192
Already found that and applied those 2 fixes to the trust
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40450262
Have you run above commands against child domain?

I think SID is getting blocked against child domain.

Also ensure that you are able to do name resolution against child domain from target domain and vice versa
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 37

Expert Comment

by:Mahesh
ID: 40452236
The best option could be create new external trust between target domain and child domain in source forest
Then enable SID History and disable SID filtering on that trust

U need to ensure name resolution between both domains prior to built trust

This will definitely work
0
 

Accepted Solution

by:
Bible_on_stage earned 0 total points
ID: 40481101
0
 

Author Closing Comment

by:Bible_on_stage
ID: 40488469
found solution on my own
0

Featured Post

Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
An article on effective troubleshooting
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question