Re: sidHistory and DomainUsers




Who knew I'd end up regretting putting my email addy in those scripts,
c'est la vie! Could I ask that if you run any more of my scripts that
you remove my email address from the pasted output, it helps with
keeping the spam to a minimum ... thanks!

So let's get a few more details - one of the forests is running in
Windows 2000 mode, which could indicate the presence of Windows 2000 DCs;
is this the case?
How many users (roughly) exist in each domain in each of the two
forests?
How many users have been or will be migrated?
Are you trying to consolidate two domains or perhaps even the two
forests?

I doubt your problem is SID filtering, but let's qualify that; you've
migrated users from one domain in one forest to a domain in the other
forest -- is the example migrated user that's causing this problem
trying to access resources in the domain they were migrated from or in
the domain they now exist in?

We can also further determine the details of this aspect of your
configuration by using trustdump again from
ftp://falcon.msetechnology.com/scripts/trustdump.cmd.txt

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l


"Peter" <Peter@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4DF9A284-D9B6-4588-8870-99E885DF699F@xxxxxxxxxxxxxxxx
Hi Dean,
thanks for your input. I ran the FLL on the involved forests to give you
more details. Also you should know that the migration takes place between
SMT711.PAWORLD.NET and SMT811.qaworld.net. Between these two domains a
two-way trust exists. Without SID-Filtering enabled!
Any idea welcome.
Peter
PS: In this paper http://support.microsoft.com/kb/893191/en-us MS
explained something which looks like my problem. But SID-Filtering on the
trusts is disabled!


FLL V1.1 / Dean Wells (dwells@xxxxxxxxxxxxxxxxx) - March 2006

STATUS - Determining configuration for Forest: DC=qaworld,DC=net

- number of Domains: 3
- schema revision : 30

Forest: qaworld.net
- functional level: Windows 2000 [0]

Domain: qaworld.net
- functional level: Windows 2003 Native [2]
Domain: SMT811.qaworld.net
- functional level: Windows 2003 Native [2]
Domain: SMT812.qaworld.net
- functional level: Windows 2000 [0] / Mixed

Done.


FLL V1.1 / Dean Wells (dwells@xxxxxxxxxxxxxxxxx) - March 2006

STATUS - Determining configuration for Forest: DC=paworld,DC=net

- number of Domains: 3
- schema revision : 30

Forest: paworld.net
- functional level: Windows 2003 Native [2]

Domain: PAWORLD.NET
- functional level: Windows 2003 Native [2]
Domain: SMT711.PAWORLD.NET
- functional level: Windows 2003 Native [2]
Domain: SMT712.PAWORLD.NET
- functional level: Windows 2003 Native [2]
Done.



"Dean Wells (MVP)" wrote:

It's almost certainly (~ since I've not tested this) because the Domain
Users group is, by default, everyone's primary group and is therefore
handled very differently. In fact, users don't even exist as members
per se in their designated primary group (it's a one way relationship
maintained on the user alone within the primaryGroupID attribute and
targets the group by its RID.) My guess is that the code path used to
tack on the primary group's SID during token construction doesn't honor
its sIDHistory.

I've got some concerns about volunteering a solution before knowing what
functional levels are in play here (if you're uncertain, download
fll.cmd from ftp://falcon.msetechnology.com/scripts/fll.cmd.txt and run
it, paste back the results; it expects the forest root FQDN as the only
argument)?

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l


"Peter" <Peter@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F6E80412-E17F-4C10-9FD9-E4A94E76D9EB@xxxxxxxxxxxxxxxx
Hello Everybody,
Is someone able to explain to me the difference between using sidHistory
for a 'normal' group and the DomainUsers group? In my migration test
between two domains in different forests the sidHistory for accounts and
groups works perfectly. Only access which was granted for 'domain users'
doesn't work. The sidHistory attribute of the 'domain users' group in the
target domain is filled with the sid of the 'domain users' group of the
source domain.
Thanks
Peter
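Added illustration (not code from anyone in this thread) of the point made in Dean's earlier reply: the primary group is linked from the user by RID in primaryGroupID rather than by membership, so a token built from memberOf plus sIDHistory can differ depending on whether the primary group's own sIDHistory is applied. All SIDs, RIDs and group data below are constructed sample values; the two predictions can be compared against the group list of a real target-domain logon to see which behaviour the DCs show.

```python
import struct

# Constructed sample values (not from the thread): a user migrated from source
# domain S-1-5-21-1111-2222-3333 into target domain S-1-5-21-4444-5555-6666.
# Domain Users has the well-known RID 513 in both domains.
SRC_DOM = "S-1-5-21-1111-2222-3333"
DST_DOM = "S-1-5-21-4444-5555-6666"
# objectSid as LDAP returns it: revision, sub-authority count, 48-bit authority
# (big-endian), then 32-bit sub-authorities (little-endian); user RID 1105 here.
USER_SID_BIN = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 4444, 5555, 6666, 1105)
USER_SID_HISTORY = [SRC_DOM + "-1105"]
USER_PRIMARY_GROUP_ID = 513           # a RID only, stored on the user object
USER_MEMBER_OF = [DST_DOM + "-1200"]  # explicit memberships never list the primary group
# sIDHistory of the target-domain groups, keyed by each group's current SID
GROUP_SID_HISTORY = {
    DST_DOM + "-513": [SRC_DOM + "-513"],    # target Domain Users carries the source Domain Users SID
    DST_DOM + "-1200": [SRC_DOM + "-1200"],  # an ordinary migrated group
}

def sid_bytes_to_str(raw):
    """Decode a binary SID into S-1-5-... text form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def primary_group_sid(user_sid, primary_group_id):
    """The primary group is referenced by RID only: its SID is the user's domain SID + primaryGroupID."""
    return "%s-%d" % (user_sid.rsplit("-", 1)[0], primary_group_id)

def predict_token_sids(user_sid, user_history, primary_group_id, member_of, group_history, honor_primary_history):
    """Approximate the SIDs a logon token carries: the user SID and its sIDHistory, each explicit
    group with its sIDHistory, and the primary group, with its sIDHistory only if honor_primary_history."""
    sids = {user_sid, *user_history}
    for group in member_of:
        sids.add(group)
        sids.update(group_history.get(group, []))
    pg = primary_group_sid(user_sid, primary_group_id)
    sids.add(pg)
    if honor_primary_history:
        sids.update(group_history.get(pg, []))
    return sids

def sids_lost_if_primary_history_ignored():
    """SIDs present only when the primary group's sIDHistory is applied; with the sample data this is
    exactly the source Domain Users SID, i.e. the access that the thread reports as failing."""
    user = sid_bytes_to_str(USER_SID_BIN)
    args = (user, USER_SID_HISTORY, USER_PRIMARY_GROUP_ID, USER_MEMBER_OF, GROUP_SID_HISTORY)
    return predict_token_sids(*args, True) - predict_token_sids(*args, False)
```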
