Bible_on_stage
asked on
Active Directory Cross Forest Migration help 2003 -> 2012 - SID history help
I have a 2003 AD domain setup and a 2012 AD domain we are migrating to. I have a 2-way transitive trust with SID filtering disabled between them. I am using ADMT to transfer the user accounts and groups to the new domain. I am using the option in ADMT to transfer SID history. I am able to transfer groups and accounts fine and can check with ADSI Edit that the SID history is intact OK.
The issue comes in with this: If I have on the old domain \\oldfs\oldshare01 with full share permissions to Everyone and GroupA ReadWrite, with my migrated user a member of GroupA, I cannot access the share folder. If I go to the same folder \\oldfs\oldshare01 and add in migrateduser@olddomain.com explicitly, I can now access the files in the folder. So it seems to be something with the group. Again, I have migrated GroupA into the new domain, it has the old SID, and it has the migrated user in the new domain as a member.
thoughts?
forgot to mention that the file server is in a child domain
so it's
domainold.com <---2 way transitive trust--> domainnew.com
-child.domainold.com
ASKER
Already found that and applied those 2 fixes to the trust
Have you run the above commands against the child domain?
I think the SID is getting blocked against the child domain.
Also ensure that you are able to do name resolution against the child domain from the target domain and vice versa.
The best option could be to create a new external trust between the target domain and the child domain in the source forest.
Then enable SID History and disable SID filtering on that trust.
You need to ensure name resolution between both domains prior to building the trust.
This will definitely work.
ASKER
found solution on my own
Run the below command from either the target DC or the source DC to enable SID History to traverse from the target domain to the source domain.
Running the command on the target DC is preferable.
You need to install the 2003 Support Tools on the 2003 DC if you want to run the below command there.
On 2012 the tool is available; run the command from an elevated command prompt.
The syntax
netdom trust <source domain> /domain:<target domain> /EnableSIDHistory:Yes
Ex:
netdom trust SD.com /domain:TD.com /EnableSIDHistory:Yes
Also ensure that the trust is set to disable SID filtering.
The Syntax
netdom trust <source domain> /domain:<target domain> /Quarantine:No
Mahesh
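As an added diagnostic (not from the thread, and not the asker's or Mahesh's code), the PowerShell below checks the three things the accepted answer depends on: that the migrated GroupA in domainnew.com actually carries the source group's SID in sIDHistory, the SID filtering / SID history state on the trusts from both sides, and whether the old GroupA SID survives into the logon token on the resource side. Domain names are the ones from the question; `migrateduser` and `GroupA` are placeholders, and it assumes the ActiveDirectory module on the 2012 side and netdom on the machine it runs from.

```powershell
Import-Module ActiveDirectory

$newDomain   = 'domainnew.com'          # target forest (2012)
$oldDomain   = 'domainold.com'          # source forest root (2003)
$childDomain = 'child.domainold.com'    # child domain holding the file server
$groupName   = 'GroupA'                 # placeholder group name

# 1. Source group's real SID, read over plain LDAP so a 2003 DC answers
$searcher = [adsisearcher]"(&(objectClass=group)(sAMAccountName=$groupName))"
$searcher.SearchRoot = [adsi]"LDAP://$oldDomain"
$rawSid = $searcher.FindOne().Properties['objectsid'][0]
$srcSid = (New-Object System.Security.Principal.SecurityIdentifier($rawSid, 0)).Value

# 2. Migrated group in the new domain must list that SID in sIDHistory
$group = Get-ADGroup -Identity $groupName -Server $newDomain -Properties sIDHistory
$history = @($group.sIDHistory | ForEach-Object { $_.Value })
"Source $groupName SID     : $srcSid"
"Migrated $groupName history: $($history -join ', ')"
if ($history -notcontains $srcSid) {
    Write-Warning "ADMT did not carry the source SID for $groupName; re-run with SID history"
}

# 3. Trust state. Get-ADTrust works on the 2012 side; netdom without a value
#    queries the current setting and also works against the 2003 side.
Get-ADTrust -Filter * -Server $newDomain |
    Select-Object Name, Direction, ForestTransitive,
                  SIDFilteringQuarantined, SIDFilteringForestAware |
    Format-Table -AutoSize
netdom trust $oldDomain /domain:$newDomain /Quarantine
netdom trust $oldDomain /domain:$newDomain /EnableSIDHistory

# 4. Filtering is applied on the resource side of the trust, so run this part
#    logged on to a member of $childDomain (e.g. the file server) as the
#    migrated account. If the old SID is absent, the token is being filtered.
$tokenSids = (whoami /groups /fo csv | ConvertFrom-Csv).SID
if ($tokenSids -contains $srcSid) {
    "Old $groupName SID is present in the token on this $childDomain host"
} else {
    Write-Warning "Old $groupName SID missing from token: SID history filtered on the path to $childDomain"
}
```

Step 4 is the decisive one: a member-server token that lacks the old GroupA SID while step 2 shows it in sIDHistory confirms the trust, not ADMT, is dropping it.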