Re: ADMT SID History Question ?
From: Burnsie (stuartdavidburns_at_hotmail.com)
Date: 02/09/05
- Next message: Burnsie: "Re: ADMT SID History Question ?"
- Previous message: WooYing: "Re: Replication between BDC and W2K3 AD"
- In reply to: Frances [MSFT]: "RE: ADMT SID History Question ?"
- Next in thread: Burnsie: "Re: ADMT SID History Question ?"
- Messages sorted by: [ date ] [ thread ]
Date: 9 Feb 2005 00:49:00 -0800
Thanks Frances,
I understand how SID history works, i.e. the new user gets a copy of the
old SID.
What I would like to understand is how the server that holds the
resource knows to display the new migrated account.
Example :
In the domain example above I have an account in NT4Domain\(testusr) and
the corresponding migrated account in Active Directory
(2k3Domain\testusr).
On a member server of the 2k3domain I assign permission to
NT4Domain\testusr; as soon as I apply this and re-open the security
properties dialogue, the displayed user automatically switches to
2k3domain\testusr.
How does the server know to display the migrated user? How does this
process work? Does the member server first check with its DC to see
if anyone in the 2k3domain has that SID and, if it can't find it, does it
then check trusted domains to see if that SID exists?
Sorry to be a pain, but I like to fully understand these things before
I start migrating 6000-odd users!
Thanks again for your help.
v-franhe@microsoft.com (Frances [MSFT]) wrote in message news:<3xLOpwZDFHA.3048@cpmsftngxa10.phx.gbl>...
> Hello,
>
> Good to hear from you.
>
> According to your message, yes, you don't have to run the Security
> Translation Wizard after you have migrated accounts including SIDHistory.
>
> Exchange Directory Migration Wizard only lists some simple attributes to
> migrate. If you want to upgrade or migrate your Exchange, we recommend you
> use Exchange built-in Migration method instead. If you are interested, more
> information can be accessed in the microsoft.public.exchange.setup
> newsgroup since they are the experts in Exchange.
>
> Regarding your questions, let me explain in detail.
>
> How SIDs work
> ================
>
> When a resource has an ACE (SID) in a DACL, it doesn't need to find out who
> owns the SID. When a user needs the resource, he will access it. Then the
> resource will compare the user's SID with its DACL. If the SID matches the
> ACE in its DACL, the user can access it. Otherwise, the user will get
> "Access Denied".
>
> SIDhistory is used to help the users continue to access resources in
> migration scenario.
>
> To clarify, let us name the source domain D1, the user in D1 is D1\U1, and
> the target domain D2. The resource is Resource1. Its location is not very
> important. We grant D1\U1 the permission to access Resource1.
>
> D1\U1 can access Resource1. When D1\U1 is migrated to D2, he is now D2\U1.
> If he is migrated without SIDhistory, then Resource1 cannot find the SID of
> D2\U1, he can no longer access Resource1. Otherwise, with SIDhistory, D2\U1
> has a SIDhistory attribute containing D1\U1. When he accesses Resource1,
> Resource1 finds his SID as D1\U1, so he can still access it.
>
>
> Security translation:
> ================
>
> Security translation is a function of ADMT 2.0 that updates access control
> lists (ACLs) when migrating objects across domains.
>
> Security translation can be performed automatically for objects migrated by
> ADMT. Some of the security translation tasks are included in user/group
> migration (with SIDhistory), and in computer migration wizard (in the page
> of "security translation options").
>
> So Security Translation Wizard is mainly used to translate security of
> objects and principals not migrated by ADMT (for example, built-in and
> well-known principals) or to perform a custom translation mapping.
>
>
> Please refer to the following article for more information.
>
> How to Migrate Your Microsoft Windows NT 4.0 Directory Services to
> Microsoft Active Directory: Demo 3-Security Translation Wizard
> http://www.microsoft.com/seminar/shared/asp/view.asp?url=/Seminar/en/20031218TNT1-99d3/manifest.xml&rate=0
>
>
> Regarding your scenario, migrating SIDhistory is ok. You need to run
> Security Translation Wizard only when you grant the permission to the
> built-in group in the resource. As for Exchange part, refer to Exchange
> newsgroup for more information.
>
>
> Hope this helps. If you have any further questions, don't hesitate to get
> in touch!
>
> Best regards,
>
> Frances He
>
>
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
>
> =====================================================
>
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
>
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
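The following is an added example illustrating the mechanism discussed in this thread; it is not code from Microsoft, ADMT, or either poster. It models the access check Frances describes (the resource compares every SID in the caller's token, sIDHistory entries included, against its DACL) and a simplified version of the name resolution Burnsie observed (a DC that matches an old SID against sIDHistory returns the migrated account's name). All SIDs, domain names and the DACL contents are constructed, and the evaluation order is a simplified model of Windows DACL processing rather than a reimplementation of it. It also carries the check one step further than the thread does: a deny ACE written against the old SID still applies to the migrated account, because the old SID travels in the token too.

```python
"""Model of SIDHistory in an access check and in SID-to-name resolution.

Added example for this newsgroup thread, not code from Microsoft or ADMT.
SIDs, domain names and ACEs below are constructed; the access check is a
simplified model of Windows DACL evaluation (ACEs walked in order, a deny
that matches any token SID for a still-ungranted right stops the check).
"""
from dataclasses import dataclass, field

# Constructed domain SIDs for the source (NT4) and target (2k3) domains.
D1_SID = "S-1-5-21-1111-2222-3333"   # NT4Domain
D2_SID = "S-1-5-21-4444-5555-6666"   # 2k3Domain
D1_U1 = f"{D1_SID}-1001"            # NT4Domain\testusr, original SID
D2_U1 = f"{D2_SID}-2001"            # 2k3Domain\testusr, new SID after migration

READ = 0x1
WRITE = 0x2


@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class Token:
    """Authorization data built at logon: primary SID, group SIDs, sIDHistory."""
    user_sid: str
    group_sids: list = field(default_factory=list)
    sid_history: list = field(default_factory=list)

    def all_sids(self) -> set:
        return {self.user_sid, *self.group_sids, *self.sid_history}


def access_check(token: Token, dacl: list, requested: int) -> bool:
    """Walk the DACL in order. A matching deny ACE covering a right not yet
    granted refuses access; allow ACEs accumulate until all rights are granted."""
    sids = token.all_sids()
    granted = 0
    for ace in dacl:
        if ace.sid not in sids:
            continue                      # ACE is for some other principal
        remaining = requested & ~granted
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            granted |= ace.mask
            if granted & requested == requested:
                return True
    return granted & requested == requested


@dataclass
class DirectoryAccount:
    name: str
    object_sid: str
    sid_history: list = field(default_factory=list)


def lookup_sid(directory: list, sid: str):
    """Model of SID-to-name resolution: the DC matches the SID against objectSid
    and against sIDHistory, so an ACE holding the old SID displays the new name."""
    for acct in directory:
        if sid == acct.object_sid or sid in acct.sid_history:
            return acct.name
    return None


# Resource1 was ACL'd for NT4Domain\testusr before the migration (constructed).
RESOURCE1_DACL = [Ace("allow", D1_U1, READ | WRITE)]

# Constructed 2k3Domain directory: testusr migrated with SIDHistory.
D2_DIRECTORY = [DirectoryAccount("2k3Domain\\testusr", D2_U1, sid_history=[D1_U1])]


def migrated_without_history() -> bool:
    """D2\\U1 with no sIDHistory: Resource1's DACL has no SID matching the token."""
    return access_check(Token(D2_U1), RESOURCE1_DACL, READ)


def migrated_with_history() -> bool:
    """D2\\U1 carrying D1\\U1 in sIDHistory: the old ACE still matches."""
    return access_check(Token(D2_U1, sid_history=[D1_U1]), RESOURCE1_DACL, READ)


def displayed_name_for_resource1_ace():
    """What the security dialog shows for the ACE that was granted to NT4Domain\\testusr."""
    return lookup_sid(D2_DIRECTORY, RESOURCE1_DACL[0].sid)


def old_sid_deny_still_applies(requested: int) -> bool:
    """A deny ACE on the old SID is honoured for the migrated user as well."""
    dacl = [Ace("deny", D1_U1, WRITE), Ace("allow", D2_U1, READ | WRITE)]
    return access_check(Token(D2_U1, sid_history=[D1_U1]), dacl, requested)


if __name__ == "__main__":
    print("no sIDHistory, READ:", migrated_without_history())
    print("with sIDHistory, READ:", migrated_with_history())
    print("ACE displays as:", displayed_name_for_resource1_ace())
    print("old-SID deny, WRITE:", old_sid_deny_still_applies(WRITE))
    print("old-SID deny, READ:", old_sid_deny_still_applies(READ))
```

The model separates the two things the thread conflates: the resource server never has to know who owns a SID to enforce the ACE (it only compares SIDs in the token), while the name shown in the dialog comes from a separate lookup that the member server's DC answers by searching its accounts' objectSid and sIDHistory values.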