RE: 2003 to 2003 Cross Forest migration



Hi,

Yes, you have to disable SID filtering and enable SID history by using:

Enable SID history by running:
netdom trust trusted_domain /domain:trusting_domain /enablesidhistory:yes

SID filtering is enabled automatically on any trust relationships created
by domain controllers running Windows 2000 Service Pack 4 or Windows Server
2003. Or, you can manually enable it by using the Netdom trust command line
utility with the /EnableSIDHistory:no command line switch. To disable SID
filtering (and thus enable SIDHistory), use the /EnableSIDHistory:yes
switch.

More information:

If even this level of SIDHistory accessibility is too much, you can impose
even stricter limits on your trust relationships by enabling the Quarantine
feature. (In this context, the Quarantine feature controls SID processing
over trust relationships and shouldn't be confused with the Network Access
Protection or Network Access Quarantine Control technologies that are used
to control local and remote access connections.) By enabling Quarantine for
a trust relationship, you are specifying that only SIDs from the exact
domain on the other side of the trust are to be honored. In effect, enabling
Quarantine on a trust relationship will break the transitivity of that
trust, so that only the specific domains on either side of the trust are
considered participants in the trust. Quarantine is disabled by default on
all trust relationships; you can manually enable it by using the Netdom
trust command line utility with the /quarantine:yes command line switch.
Use the /quarantine:no switch to disable Quarantine on a trust relationship
where it has already been enabled.

Hope this helps.




Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================
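The reply above describes two netdom switches that relax SID filtering on a trust so that ADMT can populate sIDHistory. Because relaxing that filtering widens what the trusting domain will accept, a defender wants to record the trust's state before the change, relax it only for the migration window, and verify it is restored afterwards. The PowerShell below is an added example and not code from the thread or from Microsoft; it assumes the ActiveDirectory module (Get-ADTrust, available with RSAT on Windows Server 2008 R2 and later, not on the 2003 systems in the thread) and netdom.exe are present, and the domain names are placeholders. The trustAttributes bit values are the ones documented in MS-ADTS; netdom's argument order (trusting domain first, trusted domain in /domain:) follows the netdom documentation.

```powershell
# Added example (not from the thread): audit and restore SID filtering state
# on a trust around an ADMT migration window. Assumes the ActiveDirectory
# module and netdom.exe; domain names below are placeholders.
#Requires -Modules ActiveDirectory

$TrustingDomain = 'trusting.example'   # placeholder: domain that holds the trust object
$TrustedDomain  = 'trusted.example'    # placeholder: domain on the other side of the trust

# trustAttributes flag bits (MS-ADTS section 6.1.6.7.9)
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4    # SID filter quarantine on an external trust
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8    # forest trust
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # forest trust with SID filtering relaxed

function Get-TrustSidFilteringState {
    param(
        [Parameter(Mandatory)][string]$Trust,    # name of the trusted domain
        [Parameter(Mandatory)][string]$Server    # DC in the trusting domain
    )
    $t    = Get-ADTrust -Identity $Trust -Server $Server
    $attr = [int]$t.TrustAttributes
    [pscustomobject]@{
        Trust           = $t.Name
        ForestTrust     = ($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0
        Quarantined     = ($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0
        TreatAsExternal = ($attr -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) -ne 0
        # Get-ADTrust also exposes these bits as booleans; kept for cross-checking
        SIDFilteringQuarantined = $t.SIDFilteringQuarantined
        SIDFilteringForestAware = $t.SIDFilteringForestAware
    }
}

# 1. Record the state before touching the trust (keep this with the change record).
$before = Get-TrustSidFilteringState -Trust $TrustedDomain -Server $TrustingDomain
$before | Format-List

# 2. Relax SID filtering only for the migration window.
#    /enablesidhistory applies to forest trusts, /quarantine to external trusts.
if ($before.ForestTrust) {
    netdom trust $TrustingDomain /domain:$TrustedDomain /enablesidhistory:yes
} else {
    netdom trust $TrustingDomain /domain:$TrustedDomain /quarantine:no
}

# ... run the ADMT migration here ...

# 3. Restore filtering as soon as the migration completes.
if ($before.ForestTrust) {
    netdom trust $TrustingDomain /domain:$TrustedDomain /enablesidhistory:no
} else {
    netdom trust $TrustingDomain /domain:$TrustedDomain /quarantine:yes
}

# 4. Confirm the trust is back to its recorded state.
$after = Get-TrustSidFilteringState -Trust $TrustedDomain -Server $TrustingDomain
if (($after.Quarantined -ne $before.Quarantined) -or
    ($after.TreatAsExternal -ne $before.TreatAsExternal)) {
    Write-Warning "Trust '$($after.Trust)' did not return to its original SID filtering state"
} else {
    Write-Output "Trust '$($after.Trust)' SID filtering restored to its original state"
}
```

Step 1 is the part worth keeping even if the rest is done by hand: a saved before/after snapshot of the trust attributes is what lets an auditor confirm the filtering was only relaxed for the migration and not left open.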



--------------------
From: Plazz <Plazz@xxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: 2003 to 2003 Cross Forest migration
Date: Tue, 13 Jun 2006 12:48:02 -0700
Newsgroups: microsoft.public.windows.server.migration

Using ADMT Version 3 tool. Have 2 way trust setup. Can move the user or
group account but can not update SID History. Tool is being run from Source DC
receiving "SIDHistory cannot be updated. The credentials entered must have Admin
privileges on the source domain" which it does. My question is I believe do
you have to enable/disable SID filtering on the Domain trust for SID history
to migrate?





