RE: ADMT - SID History Issues, Cannot access resources in old domain
From: Rebecca Chen [MSFT] (v-rebc_at_online.microsoft.com)
Date: 12/06/04
- Next message: Carsyn Gu [MSFT]: "RE: System Copy Windows Server 2003"
- Previous message: Rebecca Chen [MSFT]: "RE: NT4 to 2003 : Can we keep NT4 and exchange 5.5 for a while ?"
- In reply to: Luke: "ADMT - SID History Issues, Cannot access resources in old domain"
- Next in thread: Luke Fogarty: "RE: ADMT - SID History Issues, Cannot access resources in old doma"
- Reply: Luke Fogarty: "RE: ADMT - SID History Issues, Cannot access resources in old doma"
- Reply: Luke Fogarty: "RE: ADMT - SID History Issues, Cannot access resources in old doma"
- Reply: Luke Fogarty: "RE: ADMT - SID History Issues, Cannot access resources in old doma"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 06 Dec 2004 09:31:29 GMT
Hi Luke,
The ADMT log shows the SIDhistory has been successfully added to the
accounts.
What is the error message when you access the old domain A shares? Have you
granted the group permission to the shares instead of the individual user?
As far as I know, this issue may occur if you grant a group which contains the
user account the permission to access the old resource. After you migrate the
user to the new domain, they are no longer part of the old group, so they lose
the permission to access the old resource.
Please check the share permissions and NTFS permissions of the old resource
and let me know if you granted the permission to the user directly.
If this is the issue, we need to re-ACL the resources.
Since OldDomain\User1 is a built-in group, we cannot use ADMT to migrate it.
Fortunately, we are able to use the Security Translation Wizard with a SID
Mapping file to add the NewDomain\"Domain Users" group's SID to the
resources.
To do so:
1. Get the SIDs of both OldDomain\"Domain Users" and NewDomain\"Domain
Users". We can log on as OldDomain\User1 and run "whoami.exe /all". In the
returned output, we can find the SID of OldDomain\"Domain Users". Please use
the same method to get the SID of NewDomain\"Domain Users".
Note: whoami.exe is a utility from the Windows 2000 Resource Kit Tools. If you
do not have it, please let me know.
2. Create a SID mapping file (should be a txt file). We can name it
sidmapping.txt.
3. Edit the SID mapping file in Notepad and input the following content:
<SID of OldDomain\"Domain Users">, <SID of NewDomain\"Domain Users">
Note: Please put the correct SIDs in the above line.
4. Run ADMT, choose "Security Translation Wizard".
5. On the "Security Translation Options" page, choose "Other objects
specified in a file" and browse to select the sidmapping.txt file created
in Step 2.
6. Follow the wizard to translate resources on ServerA.
7. Please check if the NewDomain\User1 has access to <\\ServerA\Share>.
As for the roaming profile issue, I suggest you check if the issue occurs
on all the Windows 2000 computers with different user accounts. If so,
please send the Event Viewer logs of a Windows 2000 computer to me.
Step 1: Click Start, click Run, and then type "eventvwr" (without the
quotation marks), and click OK.
Step 2: Right-click Application and select Save Log File As.
Step 3: Save it as Application.evt.
Step 4: Repeat steps 1 to 3 to save the Security and System event logs to
Security.evt and System.evt.
Step 5: Delete all the Application, Security and System logs in the Event
Viewer.
Step 6: Restart the computer. When the issue occurs, save the new
Application, Security and System logs to three new files and send them,
together with the error message you get when you access the old domain
shares, to me at v-rebc@microsoft.com for research.
If there is any update, let's get in touch!
Best regards,
Rebecca Chen
MCSE2000 MCDBA CCNA
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>From: Luke.Fogarty@claudegroup.com.au (Luke)
>Newsgroups: microsoft.public.windows.server.migration
>Subject: ADMT - SID History Issues, Cannot access resources in old domain
>Date: 5 Dec 2004 16:02:59 -0800
>Organization: http://groups.google.com
>Lines: 62
>Message-ID: <90b59465.0412051602.41d705bf@posting.google.com>
>NNTP-Posting-Host: 61.88.56.180
>Content-Type: text/plain; charset=ISO-8859-1
>Content-Transfer-Encoding: 8bit
>X-Trace: posting.google.com 1102291379 4639 127.0.0.1 (6 Dec 2004 00:02:59
GMT)
>X-Complaints-To: groups-abuse@google.com
>NNTP-Posting-Date: Mon, 6 Dec 2004 00:02:59 +0000 (UTC)
>Path:
cpmsftngxa10.phx.gbl!TK2MSFTFEED02.phx.gbl!TK2MSFTNGP08.phx.gbl!news-out.cwi
x.com!newsfeed.cwix.com!border1.nntp.dca.giganews.com!nntp.giganews.com!news
glorb.com!postnews.google.com!not-for-mail
>Xref: cpmsftngxa10.phx.gbl microsoft.public.windows.server.migration:15768
>X-Tomcat-NG: microsoft.public.windows.server.migration
>
>Hi there
>
>I will briefly explain my situation. The company I work for currently
>has 3 domains which are being consolidated into one Windows 2000
>Domain. Lets call them DomainA, DomainB, DomainC and Newforest.
>DomainB and DomainC have already been migrated using ADMT
>without any problems.
>
>The issue I'm having is with DomainA. I have run through the
>interforest domain migration checklist multiple times and I have done
>everything required. I have migrated the groups first and then the
>user accounts, all group memberships are correctly migrated. ADMT
>reports SID History to have been successfully migrated on the
>accounts, but when I login as one of the users on Newforest, I cannot
>access resources which are still on DomainA.
>
>I used ADSIEdit to view the "sidhistory" attribute and get the
>following value -
>
>0x01 0x05 0x00 0x00 0x00 0x00 0x00 0x05 0x15 0x00
>
>Strange thing is that ALL user accounts have this same value? Odd. I'm
>running the ADMT process from Newforest\Administrator which has Admin
>access on DomainA.
>
>Here is the log for one account
>
>ENITYGROUP=DomainA
>GRIFFIN=NewForest
>
>2004-12-06 10:57:35
>2004-12-06 10:57:35 Active Directory Migration Tool, Starting...
>2004-12-06 10:57:35 Starting Account Replicator.
>2004-12-06 10:57:36 Account Migration ENITYGROUP GRIFFIN CopyUsers:Yes
>CopyGlobalGroups:No CopyLocalGroups:No CopyComputers:No
>2004-12-06 10:57:55 CN=Rhonda Hanson - Created
>2004-12-06 10:58:19 SID for ENITYGROUP\rhondah added to the SID
>History of GRIFFIN\rhondah
>2004-12-06 10:58:32 - Set password for Rhonda Hanson.
>2004-12-06 10:58:49 LDAP://instsyd1.griffin.local/CN=Rhonda Hanson,OU=User accounts,OU=Claudegroup.com.au,OU=Companies,DC=griffin,DC=local - added to group CN=CG COO
>2004-12-06 10:58:49 LDAP://instsyd1.griffin.local/CN=Rhonda Hanson,OU=User accounts,OU=Claudegroup.com.au,OU=Companies,DC=griffin,DC=local - added to group CN=CG HR
>2004-12-06 10:58:50 LDAP://instsyd1.griffin.local/CN=Rhonda Hanson,OU=User accounts,OU=Claudegroup.com.au,OU=Companies,DC=griffin,DC=local - added to group CN=CG Management
>2004-12-06 10:58:50 LDAP://instsyd1.griffin.local/CN=Rhonda Hanson,OU=User accounts,OU=Claudegroup.com.au,OU=Companies,DC=griffin,DC=local - added to group CN=CG secretarial
>2004-12-06 10:58:50 LDAP://instsyd1.griffin.local/CN=Rhonda Hanson,OU=User accounts,OU=Claudegroup.com.au,OU=Companies,DC=griffin,DC=local - added to group CN=CG sydney projects
>2004-12-06 10:58:50 LDAP://instsyd1.griffin.local/CN=Rhonda Hanson,OU=User accounts,OU=Claudegroup.com.au,OU=Companies,DC=griffin,DC=local - added to group CN=CG Sydney
>2004-12-06 10:58:51 Operation completed.
>
>Any help would be fantastic.
>
>Luke
>
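Added example (PowerShell; not part of the original thread, and ADMT v2 itself predates PowerShell, so this is a modern way to do the checks the reply describes, not Microsoft's own tooling). The value Luke saw in ADSIEdit, 01 05 00 00 00 00 00 05 15 00, is only the start of a binary SID: revision 1, five sub-authorities, identifier authority 5, and the first two bytes of the little-endian first sub-authority 0x00000015 = 21. That is the S-1-5-21- prefix shared by every domain user SID, so a display that shows only those bytes looks identical for every account. The script decodes such a blob, resolves the two "Domain Users" SIDs that step 1 asks for, writes the "old SID, new SID" line of step 3, and checks whether a resource's NTFS DACL carries the old or new SID and what a migrated user's sidHistory actually holds. OLDDOMAIN, NEWDOMAIN, the user DN, \\ServerA\Share and the output path are assumed placeholders; the code relies only on the .NET NTAccount/SecurityIdentifier classes, Get-Acl and the [ADSI] accessor.

```powershell
# Added example for the ADMT SID-history thread; not code from the original post.
# Assumes a domain-joined Windows host that can resolve both domains. All names
# below (OLDDOMAIN, NEWDOMAIN, the DN, \\ServerA\Share, C:\admt) are placeholders.

# Decode a raw binary SID (the octet string ADSIEdit shows for sidHistory).
# Layout: [revision][sub-authority count][6-byte big-endian authority]
#         then <count> little-endian 32-bit sub-authorities.
function ConvertFrom-BinarySid {
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 8) { throw "A SID needs at least 8 bytes" }
    $count = [int]$Bytes[1]
    $authority = [int64]0
    for ($i = 2; $i -lt 8; $i++) { $authority = ($authority -shl 8) -bor [int64]$Bytes[$i] }
    $sid = "S-$($Bytes[0])-$authority"
    $present = [math]::Floor(($Bytes.Length - 8) / 4)       # complete sub-authorities
    for ($i = 0; $i -lt [math]::Min($count, $present); $i++) {
        $sid += "-" + [BitConverter]::ToUInt32($Bytes, 8 + 4 * $i)
    }
    if ($present -lt $count) {
        $note = "truncated: $count sub-authorities declared, $present complete"
        $leftover = $Bytes.Length - 8 - 4 * $present
        if ($leftover -gt 0) {
            $tail = ($Bytes[($Bytes.Length - $leftover)..($Bytes.Length - 1)] |
                     ForEach-Object { '{0:x2}' -f $_ }) -join ' '
            $note += ", partial next sub-authority bytes: $tail"
        }
        $sid += " [$note]"
    }
    return $sid
}

# Step 1 of the reply: the SID of DOMAIN\Domain Users, without logging on as a user.
function Get-DomainUsersSid {
    param([string]$Domain)
    $acct = New-Object System.Security.Principal.NTAccount($Domain, 'Domain Users')
    return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Step 3 of the reply: one "<source SID>, <target SID>" line, plain ASCII text.
function Write-SidMappingFile {
    param([string]$OldSid, [string]$NewSid, [string]$Path)
    foreach ($s in @($OldSid, $NewSid)) {
        # Domain Users is S-1-5-21-<domain>-513; refuse anything that is not a domain SID.
        if ($s -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { throw "Not a domain SID: $s" }
    }
    Set-Content -Path $Path -Value "$OldSid, $NewSid" -Encoding ASCII
}

# Step 7 of the reply, as an ACL check rather than a trial logon: does the NTFS DACL
# of the resource reference the old SID, the new SID, or both? (Share-level
# permissions are a separate ACL and are not covered by Get-Acl on the path.)
function Test-ResourceAcl {
    param([string]$Path, [string]$OldSid, [string]$NewSid)
    $acl = Get-Acl -Path $Path
    $result = [ordered]@{ OldSidPresent = $false; NewSidPresent = $false }
    foreach ($ace in $acl.Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable name: skip, it is neither SID we care about
        if ($sid -eq $OldSid) { $result.OldSidPresent = $true }
        if ($sid -eq $NewSid) { $result.NewSidPresent = $true }
    }
    return $result
}

# What the log claims: the old user SID should appear, in full, in sidHistory.
function Get-SidHistory {
    param([string]$DistinguishedName)
    $user = [ADSI]"LDAP://$DistinguishedName"
    foreach ($raw in $user.Properties['sidHistory']) {
        (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
    }
}

# Usage. The first line uses the bytes quoted in the post (constructed here as an array).
$seen = [byte[]](0x01,0x05,0x00,0x00,0x00,0x00,0x00,0x05,0x15,0x00)
ConvertFrom-BinarySid $seen      # S-1-5 [truncated ... partial next sub-authority bytes: 15 00]
$old = Get-DomainUsersSid 'OLDDOMAIN'
$new = Get-DomainUsersSid 'NEWDOMAIN'
Write-SidMappingFile -OldSid $old -NewSid $new -Path 'C:\admt\sidmapping.txt'
Test-ResourceAcl -Path '\\ServerA\Share' -OldSid $old -NewSid $new
Get-SidHistory 'CN=User1,CN=Users,DC=newdomain,DC=local'
```

If Test-ResourceAcl reports only OldSidPresent after the Security Translation Wizard has run, the wizard did not re-ACL that path; if Get-SidHistory returns nothing even though the ADMT log says the SID was added, the migration target should be re-checked before touching the resource ACLs at all.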