Re: Multiple DOMAINS - SINGLE SIGN ON




"" wrote:
> We just set up a new domain with a 2003 DC and established a trust with our
> older domain on a 2000 server. We have roughly 200 gigs of file storage on
> the older 2000 server which needs to be accessed by users who have been
> migrated to the 2003 domain. I have set up their user accounts and
> passwords so they are identical on each domain. This does not seem to do the
> trick, did I miss a step?
>
> Many Thanks!

The reason it does not work is because the ACLs (access control lists)
on the data specify the SIDs of the users in the OLD domain. As you
created the users (although with the same name) in the NEW domain, they
will NOT have access. That would be too easy if just creating a user
would give you access to the data other users with the same name have.
The same applies to groups.

What you need to do is to use ADMTv3 (Active Directory Migration Tool)
and migrate groups, users, memberships from the OLD domain to the NEW
domain including SIDhistory. This way the users in the NEW domain have
access to the OLD data.
After that you need to MIGRATE the data and reacl (also with ADMT)
where the OLD SIDs in the ACLs are replaced with the NEW SIDs. After
that you can clean up SIDhistory.

For more info on ADMT and migration see:
http://www.microsoft.com/downloads/details.aspx?FamilyID=6F86937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en
http://www.microsoft.com/downloads/details.aspx?familyid=E92CF6A0-76F0-4E25-8DE0-19544062A6E6&displaylang=en
http://whitepapers.silicon.com/0,39024759,60088469p-39000357q,00.htm

Also search for migration ebooks/white papers at Quest, NetIQ

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Multiple-DOMAINS-SINGLE-SIGN-ftopict442706.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1496063
.
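The reasoning in the reply above, as an added example that is not part of the original post: a simplified Python model of why a same-named account in the new domain is denied, why sIDHistory restores access, and why the ACLs must be translated before sIDHistory is cleaned up. The domain SIDs, RIDs, account names and all function names are constructed for illustration, and the check is allow-only (real Windows access checks also evaluate deny entries and access masks).

```python
from dataclasses import dataclass, field

# Constructed placeholder domain SIDs, not values from the original post.
OLD_DOMAIN = "S-1-5-21-1000-1000-1000"
NEW_DOMAIN = "S-1-5-21-2000-2000-2000"

@dataclass
class Account:
    name: str
    sid: str
    sid_history: list = field(default_factory=list)

def token_sids(acct):
    """SIDs carried in the logon token: the account's own SID plus its sIDHistory."""
    return {acct.sid, *acct.sid_history}

def has_access(acct, acl):
    """Simplified allow-only check: the ACL is a list of SIDs; names are never compared."""
    return bool(token_sids(acct) & set(acl))

def migrate(old, new_rid):
    """Model of a migration that issues a new SID and keeps the old one in sIDHistory."""
    return Account(old.name, f"{NEW_DOMAIN}-{new_rid}", [old.sid])

def reacl(acl, sid_map):
    """Security translation: swap each mapped old SID for its new SID."""
    return [sid_map.get(sid, sid) for sid in acl]

def stale_aces(acl):
    """Entries still naming old-domain SIDs; should be empty before sIDHistory cleanup."""
    return [sid for sid in acl if sid.startswith(OLD_DOMAIN + "-")]

def scenario():
    old_user = Account("jsmith", f"{OLD_DOMAIN}-1105")
    acl = [old_user.sid]                                 # ACL on the old file server
    recreated = Account("jsmith", f"{NEW_DOMAIN}-1601")  # same name, created by hand
    migrated = migrate(old_user, 1601)                   # new SID + sIDHistory
    new_acl = reacl(acl, {old_user.sid: migrated.sid})   # re-ACL step
    cleaned = Account("jsmith", migrated.sid)            # sIDHistory removed
    return {
        "recreated_on_old_acl": has_access(recreated, acl),
        "migrated_on_old_acl": has_access(migrated, acl),
        "stale_after_reacl": stale_aces(new_acl),
        "cleaned_on_new_acl": has_access(cleaned, new_acl),
        "cleaned_on_old_acl": has_access(cleaned, acl),
    }

if __name__ == "__main__":
    print(scenario())
```

The last entry shows the ordering constraint: an account whose sIDHistory was removed before the ACLs were translated loses access to any data still ACLed with old SIDs.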


