ADMT v3 - SID History Question glen5h <glen5h.2t7tng[ at ]DoNotSpam.com> 04.07.2007 20:42:44 Hi, I’m in the middle of an Inter-Forest migration from a Windows 2000 AD to Windows 2003 and have been using ADMT v3, I’ve has some issues which I’ve now resolved however I still have one issue which I’m sure someone will be able to answer. I have successfully migrated a user from my source domain to the target domain and retained the sIDHistory. The issue is when I logon to the new domain (2003) with the migrated user account, I cannot access any of the resources in the W2K domain which i previously had access to. I get an Access Denied error message. I have a two way trust established between the two Domains and I’ve disabled SID Filtering on the outgoing trusts. I’ve used Ldp.exe to compare the user account in both source and target domains and found that the SID’s are different for each user account as I would expect, however I was expecting to see the SIDHistory Attribute in the Target domain match the SID of the source domain. These two attributes are different; does anyone know if they should match? Any help would be appreciated. -- glen5h ------------------------------------------------------------------------ glen5h's Profile: http://forums.techarena.in/member.php?userid=27530 View this thread: http://forums.techarena.in/showthread.php?t=777751 http://forums.techarena.in

RE: ADMT v3 - SID History Question v-kzhao[ at ]online.microsoft.com ("Ken Zhao [MSFT]") 05.07.2007 03:03:08 Hello, Thank you for using newsgroup! Based on my knowledge, the default behavior is SID filtering is enabled post windows 2000 SP3. Use netdom "netdom trust RESDOM /D:ACCDOM /UD:ACCDOM\Administrator /PD: adminpwd /UO:RESDOM\Administrator /PO:adminpwd /filtersids" to disable on the Windows 2000 domain. Earlier versions of netdom require "netdom trust galaxy /domain:hq /userd:hq\administrator /passwordd:* /usero:galaxy\administrator /passwordo:* /verify Ref: 893191 The security IDs for built-in domain groups are filtered in Windows Server 2003 http://support.microsoft.com/default.aspx?scid=kb;EN-US;893191 Thanks & Regards, Ken Zhao Microsoft Online Support Microsoft Global Technical Support Center Get Secure! - www.microsoft.com/security <http://www.microsoft.com/security> ==================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ==================================================== This posting is provided "AS IS" with no warranties, and confers no rights. -------------------- | From: glen5h <glen5h.2t7tng[ at ]DoNotSpam.com> | Subject: ADMT v3 - SID History Question | Date: Thu, 5 Jul 2007 02:12:44 +0530 | Message-ID: <glen5h.2t7tng[ at ]DoNotSpam.com> | Organization: Computer Help - http://forums.techarena.in | User-Agent: vBulletin USENET gateway | X-Newsreader: vBulletin USENET gateway | X-Originating-IP: 195.97.239.81 | Newsgroups: microsoft.public.windows.server.migration | NNTP-Posting-Host: hostname.techarena.in 207.58.143.175 | Lines: 1 | Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP06.phx.gbl | Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.migration:1584 | X-Tomcat-NG: microsoft.public.windows.server.migration | | Hi, I’m in the middle of an Inter-Forest migration from a Windows 2000 AD to Windows 2003 and have been using ADMT v3, I’ve has some issues which I’ve now resolved however I still have one issue which I’m sure someone will be able to answer. | | I have successfully migrated a user from my source domain to the target domain and retained the sIDHistory. The issue is when I logon to the new domain (2003) with the migrated user account, I cannot access any of the resources in the W2K domain which i previously had access to. I get an Access Denied error message. | | I have a two way trust established between the two Domains and I’ve disabled SID Filtering on the outgoing trusts. | | I’ve used Ldp.exe to compare the user account in both source and target domains and found that the SID’s are different for each user account as I would expect, however I was expecting to see the SIDHistory Attribute in the Target domain match the SID of the source domain. These two attributes are different; does anyone know if they should match? | | Any help would be appreciated. -- glen5h ------------------------------------------------------------------------ glen5h's Profile: http://forums.techarena.in/member.php?userid=27530 View this thread: http://forums.techarena.in/showthread.php?t=777751 http://forums.techarena.in |

Re: ADMT v3 - SID History Question glen5h <glen5h.2taofi[ at ]DoNotSpam.com> 06.07.2007 09:38:28 Thanks for the reply. I'd already switched of SID Filtering on the outgoung trust as per your reply. I have however now found out where i was going wrong. I should have been migrating the user groups and fixing the group membership when i migrated the user account. Obviously when i think about it. All is working fine now. Thanks. -- glen5h ------------------------------------------------------------------------ glen5h's Profile: http://forums.techarena.in/member.php?userid=27530 View this thread: http://forums.techarena.in/showthread.php?t=777751 http://forums.techarena.in

Re: ADMT v3 - SID History Question v-kzhao[ at ]online.microsoft.com ("Ken Zhao [MSFT]") 10.07.2007 06:25:57 Hello, Glad to hear that all is working now. Thanks & Regards, Ken Zhao Microsoft Online Support Microsoft Global Technical Support Center Get Secure! - www.microsoft.com/security <http://www.microsoft.com/security> ==================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ==================================================== This posting is provided "AS IS" with no warranties, and confers no rights. -------------------- | From: glen5h <glen5h.2taofi[ at ]DoNotSpam.com> | Subject: Re: ADMT v3 - SID History Question | Date: Fri, 6 Jul 2007 15:08:28 +0530 | Message-ID: <glen5h.2taofi[ at ]DoNotSpam.com> | Organization: Computer Help - http://forums.techarena.in | User-Agent: vBulletin USENET gateway | X-Newsreader: vBulletin USENET gateway | X-Originating-IP: 195.97.209.134 | References: <glen5h.2t7tng[ at ]DoNotSpam.com> | Newsgroups: microsoft.public.windows.server.migration | NNTP-Posting-Host: hostname.techarena.in 207.58.143.175 | Lines: 1 | Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP03.phx.gbl | Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.migration:1601 | X-Tomcat-NG: microsoft.public.windows.server.migration | | Thanks for the reply. | | I'd already switched of SID Filtering on the outgoung trust as per your reply. | | I have however now found out where i was going wrong. | | I should have been migrating the user groups and fixing the group membership when i migrated the user account. Obviously when i think about it. | | All is working fine now. | | Thanks. -- glen5h ------------------------------------------------------------------------ glen5h's Profile: http://forums.techarena.in/member.php?userid=27530 View this thread: http://forums.techarena.in/showthread.php?t=777751 http://forums.techarena.in |