Re: Infrastructure Master FSMO role, Global Catalogs and Forest Trusts
- From: "Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx>
- Date: Wed, 5 Jul 2006 15:24:36 -0500
Joe,
I ran ADMT for the migration, including the security translation wizard, on my
resource machines (I did it to all workstations and servers) when the
migration was going on, so I don't believe there are any old SIDs in the
ACLs. I went back and looked to double-check and I found none, but I might
just not be understanding the process.
I'm unclear about what you are referring to when you stated "I would look
through the groups for that FSP and when you find it, change to the user's
real object in the forest, then remove the FSP". I thought this was done
automagically via ADMT, so I went through the group membership of groups and
all CNs pointed directly to the newly created users in their OU.
I know there is a lot of smoke and mirrors that went on during the migration,
but I was hoping I only had to go back and clear the sidHistory attribute of
the migrated objects (which I have held off doing so far) and do the cleanup
of the FSP objects, but this is not my strong suit.
So the question is: how can I find any lingering objects? Because I don't think I
can have any. If not, can I delete the FSP objects and clear the sidHistory?
--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:uRGJtBFoGHA.4248@xxxxxxxxxxxxxxxxxxxxxxx
Ah you have migrated the user principals into the domain. This simply
means you have SID History set for them and that is how the APIs are
resolving the SIDs.
Yeah in that case, if the readable name is in the same forest, I would
look through the groups for that FSP and when you find it, change to the
user's real object in the forest, then remove the FSP.
Then start cleaning up ACLs that reference the old SIDs (ACLs don't need
the DNs, just the SIDs) and once that is done, clear the SID Histories.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Paul Bergson wrote:
I don't get it. I ran your sid to name and they resolve.
???
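The first step Joe describes (find each FSP in group memberships and identify the user's real object before removing the FSP), sketched as an added read-only example that is not part of the original thread. The function name `Get-FspCleanupPlan`, the SIDs and the DNs are hypothetical; the commented `Get-ADObject` / `Get-ADUser` calls assume the ActiveDirectory PowerShell module.

```powershell
# Added example: read-only; it only reports and changes nothing in the directory.
# Against a live forest (ActiveDirectory RSAT module) replace the constructed data with:
#   $fsps  = Get-ADObject -LDAPFilter '(objectClass=foreignSecurityPrincipal)' -Properties memberOf
#   $users = Get-ADUser   -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory
function Get-FspCleanupPlan {
    param([object[]]$Fsps, [object[]]$Users)

    # Map each old SID held in sIDHistory to the migrated account that carries it.
    $bySid = @{}
    foreach ($u in $Users) {
        foreach ($sid in $u.sIDHistory) { $bySid[[string]$sid] = $u.DistinguishedName }
    }

    foreach ($f in $Fsps) {
        $sid    = [string]$f.Name                      # an FSP is named after the SID it stands for
        $groups = @($f.memberOf | Where-Object { $_ }) # drop null/empty membership
        $real   = $bySid[$sid]
        if (-not $real) {
            $action = 'No sIDHistory match in this forest: investigate before removing'
        } elseif ($groups.Count -gt 0) {
            $action = 'Add the real object to these groups, then remove the FSP'
        } else {
            $action = 'FSP is in no groups: candidate for removal'
        }
        [pscustomobject]@{
            FspSid = $sid; RealObject = $real; Groups = ($groups -join ' | '); Action = $action
        }
    }
}

# Constructed sample data (hypothetical SIDs and DNs) so the function runs without a domain.
$old = 'S-1-5-21-1111111111-2222222222-3333333333'
$fsps = @(
    [pscustomobject]@{ Name = "$old-1105"; memberOf = @('CN=Finance,OU=Groups,DC=new,DC=example') }
    [pscustomobject]@{ Name = "$old-1106"; memberOf = @() }
    [pscustomobject]@{ Name = "$old-1190"; memberOf = @('CN=HR,OU=Groups,DC=new,DC=example') }
)
$users = @(
    [pscustomobject]@{ DistinguishedName = 'CN=Alice,OU=Staff,DC=new,DC=example'; sIDHistory = @("$old-1105") }
    [pscustomobject]@{ DistinguishedName = 'CN=Bob,OU=Staff,DC=new,DC=example';   sIDHistory = @("$old-1106") }
)
Get-FspCleanupPlan -Fsps $fsps -Users $users | Format-List
```

The report covers group membership only; ACLs that still reference the old SIDs are a separate pass and are not inspected here.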