Re: Infrastructure Master FSMO role, Global Catalogs and Forest Trusts




Now I'm confused.

Name = SID
Type = Foreign Security Principal
Description = Blank
Readable name = local domain name \ user name, but this SID doesn't
match the SID of the users who have been migrated from the previous domain
that had the trust. The user name is a legitimate user name though. I
thought these helped tie the SID history together and, once the trust was
broken (the old NT domain doesn't even exist anymore), these could be purged,
but I have let them sit until I fully determined there was no tie to
anything.

--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:eu15nIEoGHA.4352@xxxxxxxxxxxxxxxxxxxxxxx
If there are no connections to domains outside of the forest, then yes,
you shouldn't need the FSPs that represent security principals outside of
the forest. Note that if you have used any of the "builtin" principals
they may be represented as well. The best way I have found to determine if
an FSP is valid or not is to look in DSA.MSC and look at the column called
Readable Name. If it resolves to the name of something real like
domain\username, check into it. Otherwise if it is just a SID, delete it.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



Paul Bergson wrote:
Joe,
I have a site where there used to be a trust. There are FSPs and I want to
delete them but am not 100% positive they can be deleted. This is now a
2003 forest and domain functional level AD with a single domain.

I can't see why I can't delete them, but I can't find any reference where
it specifically states I can. Since they are FSPs and I have NO
external trusts of any kind... I can delete these, right?
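The triage Joe describes (look at each FSP's readable name; resolvable names get investigated, bare SIDs get deleted) can be scripted. The script below is an added example and is not code from either poster or from the thread. It assumes the ActiveDirectory RSAT module, a domain-admin session on a domain-joined machine, and, as in the thread, a single-domain forest with no external or forest trusts. Beyond Joe's two buckets it adds two checks a practitioner would want: non-account SIDs (the "builtin" principals Joe mentions, such as S-1-5-11 Authenticated Users) are kept, and each FSP's SID is compared against every sIDHistory value in the domain, because LSA resolves a SID held in an account's sIDHistory to that account's current name, which is one way an FSP can show a readable name of "localdomain\user" while its SID differs from that user's objectSid. The objectSid and sIDHistory values are assumed to come back typed as SecurityIdentifier, as the AD module returns them. Nothing is deleted unless -Delete is given, and deletion honours -WhatIf.

```powershell
<#
Added example, not from the original thread. Assumptions: ActiveDirectory
RSAT module present; run as a domain admin; single-domain forest with no
trusts. Reports only, unless -Delete is supplied (supports -WhatIf).
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Delete
)

Import-Module ActiveDirectory

$domain  = Get-ADDomain
$fspBase = "CN=ForeignSecurityPrincipals,$($domain.DistinguishedName)"

# Index every sIDHistory value in the domain. An FSP whose SID appears here
# is the old-domain identity of a migrated account and is still in use.
$sidHistoryOwner = @{}
Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory `
             -SearchBase $domain.DistinguishedName |
    ForEach-Object {
        $dn = $_.DistinguishedName
        foreach ($h in $_.sIDHistory) { $sidHistoryOwner[$h.Value] = $dn }
    }

function Get-FspVerdict {
    param(
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [string[]]$MemberOf
    )

    # Well-known SIDs (S-1-5-11 Authenticated Users, S-1-5-4 Interactive, ...)
    # are not account SIDs; they are stored as FSPs when added to domain local
    # groups and must be kept.
    if (-not $Sid.IsAccountSid()) {
        return [pscustomobject]@{ Verdict = 'Keep'; Reason = 'well-known / builtin SID' }
    }
    # SID is still carried in a migrated account's sIDHistory.
    if ($sidHistoryOwner.ContainsKey($Sid.Value)) {
        return [pscustomobject]@{ Verdict = 'Investigate'
                                  Reason  = "sIDHistory of $($sidHistoryOwner[$Sid.Value])" }
    }
    # Joe's check: does the SID still resolve to a readable name?
    try {
        $name = $Sid.Translate([System.Security.Principal.NTAccount]).Value
        return [pscustomobject]@{ Verdict = 'Investigate'; Reason = "resolves to $name" }
    } catch {
        $reason = if ($MemberOf) { "unresolvable; member of $($MemberOf.Count) group(s)" }
                  else           { 'unresolvable; no group memberships' }
        return [pscustomobject]@{ Verdict = 'Orphaned'; Reason = $reason }
    }
}

$fsps = Get-ADObject -SearchBase $fspBase `
                     -LDAPFilter '(objectClass=foreignSecurityPrincipal)' `
                     -Properties objectSid, memberOf

$report = foreach ($fsp in $fsps) {
    $v = Get-FspVerdict -Sid $fsp.objectSid -MemberOf $fsp.memberOf
    [pscustomobject]@{
        SID     = $fsp.objectSid.Value
        Verdict = $v.Verdict
        Reason  = $v.Reason
        DN      = $fsp.DistinguishedName
    }
}

$report | Sort-Object Verdict | Format-Table -AutoSize

if ($Delete) {
    # Only the Orphaned class is removed; group memberships go with the object.
    foreach ($r in ($report | Where-Object Verdict -eq 'Orphaned')) {
        if ($PSCmdlet.ShouldProcess($r.DN, 'Remove orphaned FSP')) {
            Remove-ADObject -Identity $r.DN -Confirm:$false
        }
    }
}
```

Run it once with no switches to get the report, then with -Delete -WhatIf to see what would go, and only then with -Delete. The script cannot see ACL entries on files or other objects that reference an FSP's SID, so an "Orphaned" verdict means the SID no longer resolves and is not in any sIDHistory, not that it is absent from every ACL; an ldifde export of the ForeignSecurityPrincipals container before the real run gives a way back.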





