Re: Trust Fails and Restored, now ACL has to be reassign



Hi WooYing,

Use the ADSIEdit tool to verify that the SIDHistory attribute is still there on all your accounts in the target domain. These don't go away unless you remove them, but if you have other admins on your network with that capability, you'll want to verify this.

If the SIDHistory is still there, then I would want to look at the trust to make sure that SID Filtering is turned off and that the Trust is fully functional.

Just like you did when you did ADMT, use the NETDOM tool to verify the trust and to turn SID Filtering off.

This should fix your problem.

Best Wishes,

Ryan Hanisco

"WooYing" <WooYing@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:A760D94D-80AE-40E1-B395-306DDE0373A3@xxxxxxxxxxxxx:

Recently we had our trust fail and we got it going again, even though the
trust validates fine I am not convinced it is 100%.  Here's what I mean: in the
beginning we had a domain running AD (ABC.com) and then we had a NT domain
(123).  Well I used ADMT to migrate users from the 123 domain over to ABC.com
While I migrated the users of course I kept the SID the same.  For some
reason now any users that are on ABC.com who had previously (same SID as 123)
cannot access any server that are still sitting on the 123 domain.  Whenever
I check out the share folder rights on the server, all I would see is user
123/username as having access.  Now I have to manually enter in the same
username abc/username and the user shows up twice.  Should it just be a
matter of if the SID is the same it wouldn't matter what the username or what
domain they're from.  Also we upgrade 123 domain from NT4 to Windows 2003 AD.
Any help is appreciated.  Thanks
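
A simplified model of the two checks in the reply above (SIDHistory still present on the migrated account, SID filtering state on the trust), as an added example that is not part of the original thread. All SIDs, account names and the ACL are constructed sample data; the commands in the comments show where live values would come from.

```powershell
# Added example, not from the thread. Live inputs would come from, for instance:
#   Get-ADUser -Filter * -Properties SIDHistory     (accounts in the target domain ABC.com)
#   netdom trust 123 /domain:ABC.com /verify        (is the trust functional?)
#   netdom trust 123 /domain:ABC.com /quarantine    (shows the current SID filtering state)
#   netdom trust 123 /domain:ABC.com /quarantine:No (turns SID filtering off, as the reply advises)

$SourceDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'  # old 123 domain (constructed)
$TargetDomainSid = 'S-1-5-21-4444444444-5555555555-6666666666'  # ABC.com (constructed)

# Constructed accounts: alice kept her old SID in SIDHistory, bob lost his.
$Accounts = @(
    [pscustomobject]@{ Name = 'ABC\alice'; Sid = "$TargetDomainSid-1105"; SidHistory = @("$SourceDomainSid-1010") }
    [pscustomobject]@{ Name = 'ABC\bob';   Sid = "$TargetDomainSid-1106"; SidHistory = @() }
)

# Constructed share ACL on a server in 123: it still lists only the old 123\username SIDs.
$ShareAcl = @("$SourceDomainSid-1010", "$SourceDomainSid-1011")

function Get-EffectiveSids {
    param($Account, [string]$TrustedDomainSid, [bool]$SidFiltering)
    $sids = @($Account.Sid) + @($Account.SidHistory)
    if ($SidFiltering) {
        # Simplified quarantine rule: drop every SID not issued by the trusted domain itself.
        $sids = @($sids | Where-Object { $_.StartsWith("$TrustedDomainSid-") })
    }
    return ,$sids
}

function Test-ShareAccess {
    param($Account, [string[]]$Acl, [string]$TrustedDomainSid, [bool]$SidFiltering)
    $sids = Get-EffectiveSids $Account $TrustedDomainSid $SidFiltering
    return [bool]($sids | Where-Object { $Acl -contains $_ })
}

# Report each account with SID filtering on and off.
foreach ($a in $Accounts) {
    foreach ($filtering in $true, $false) {
        [pscustomobject]@{
            Account       = $a.Name
            HasSidHistory = ($a.SidHistory.Count -gt 0)
            SidFiltering  = $filtering
            ShareAccess   = Test-ShareAccess $a $ShareAcl $TargetDomainSid $filtering
        }
    }
}
```

Only the account that still has SIDHistory, evaluated with SID filtering off, matches the old ACL entry; either condition failing alone reproduces the symptom described in the question.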
