Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Active Directory Cross Forrest Migration help 2003 -> 2012 - sid history help

Posted on 2014-11-17
6
Medium Priority
?
140 Views
Last Modified: 2014-12-09
I have a 2003 AD domain setup and a 2012 AD domain we are migrating to. I have a 2 way transitive trust with SID filtering disabled between them. I am using ADMT to transfer the user accounts and groups to the new domain. I am using the option in ADMT to transfer SID history. I am able to transfer groups and accounts fine and can check with ASDI edit the SID history is intact OK.

The issues comes in with this: If I have on the old domain \oldfs\oldshare01 with full share permissions to everyone and GroupA ReadWrite with my migrated user a member of GroupA, I cannot access the share folder. If I go to the same folder \oldfs\oldshare01 and add in migrateduser@olddomain.com explicitly I can now access the files in the folder. So it seems to be something with the group. Again I have migrated GroupA into the new domain and it has the old SID and it has migrated user in the new domain as a member

thoughts?

forgot to mention that the file server is in a child domain

so it's

domainold.com   <---2 way transitive trust--> domainnew.com
-child.domainold.com
0
Comment
Question by:Bible_on_stage
  • 3
  • 3
6 Comments
 
LVL 39

Expert Comment

by:Mahesh
ID: 40450179
You have disabled SID Filtering but not enabled SID history over trust, this is required so that SID History will not get blocked over trust

Run below command either from target DC \ source DC to enable SID History to traverse from target domain to source domain
Running command through target DC is preferable.
U need to install 2003 support tools on 2003 DC if you want to run below command
On 2012 the tool is available and run command with elevated command prompt.

The syntax
netdom trust <source domain> /domain:<target domain> /EnableSIDHistory:Yes
Ex:
netdom trust SD.com /domain:TD.com /EnableSIDHistory:Yes

Also ensure that Trust is set to disable SID Filtering
The Syntax
netdom trust <source domain> /domain:<target domain> /Quarantine:No

Mahesh
0
 

Author Comment

by:Bible_on_stage
ID: 40450192
Already found that and applied those 2 fixes to the trust
0
 
LVL 39

Expert Comment

by:Mahesh
ID: 40450262
Have you run above commands against child domain?

I think SID is getting blocked against child domain.

Also ensure that you are able to do name resolution against child domain from target domain and vice versa
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 39

Expert Comment

by:Mahesh
ID: 40452236
The best option could be create new external trust between target domain and child domain in source forest
Then enable SID History and disable SID filtering on that trust

U need to ensure name resolution between both domains prior to built trust

This will definitely work
0
 

Accepted Solution

by:
Bible_on_stage earned 0 total points
ID: 40481101
0
 

Author Closing Comment

by:Bible_on_stage
ID: 40488469
found solution on my own
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Windows Server 2003 introduced persistent Volume Shadow Copies and made 2003 a must-do upgrade.  Since then, it's been a must-implement feature for all servers doing any kind of file sharing.
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question