RE: SID History Not Working after ADMT 3 Migration
- From: v-xuwen@xxxxxxxxxxxxxxxxxxxx (Vincent Xu [MSFT])
- Date: Mon, 03 Jul 2006 02:49:42 GMT
Hi,
Let us consider the following questions:
Did you try to migrate the groups? If a user account is a member of a
group that is not migrated and the group has been given access to the
resource, the SID history of this user account couldn't help it to access the
resource after it has been migrated. We recommend that you migrate global
groups first and then user accounts.
Let's try to assign specific access to a user account to allow it to access
a resource. Then try to migrate this user account with SID history to see
if the problem still occurs.
Thanks.
Best regards,
Vincent Xu
Microsoft Online Partner Support
--------------------
From: "Greg H" <gphalpin@xxxxxxxxx>
Newsgroups: microsoft.public.windows.server.migration
Subject: SID History Not Working after ADMT 3 Migration
Date: 30 Jun 2006 14:23:26 -0700
Hello All,
I have read a lot of posts and found a lot of good information for the
migration we are doing but cannot find an answer to a SID history
problem we have.
I am using ADMT 3.0 to migrate users from a Windows 2000 domain to a
Windows 2003 domain in a separate forest. When I migrate the users,
the log shows that SID history was added to the user's new account in
the new domain. A log sample is below. I did not migrate groups
because we need to clean up our groups and are creating new groups in
the new domain. Even when I tried migrating groups, SID history did
not work.
I have also disabled SID filtering using the netdom trust tool but that
did not correct the problem. I have restarted the domain controllers
several times. Also, I'm not referring to built-in groups. I'm
referring to Domain Local and Global groups that we created to
permission data.
Using the security translation tool, the users still have their
profiles on their computers but they cannot access resources in the old
domain unless we add them to a Domain Local group in the old domain or
repermission the old resources.
I appreciate any help on this.
Thanks,
Greg
[Settings Section]
Task: User Migration (9)
ADMT Console
User: UDLA\mstreet
Computer: laitpndns02.UDLA.tsu.edu (LAITPNDNS02)
Domain: udla.tsu.edu (CLA)
OS: Microsoft Windows Server 2003 R2 5.2 (3790) Service Pack 1
Source Domain
Name: fsip.tsu.edu (FSIP)
DC: MAZDA.fsip.tsu.edu (MAZDA)
OS: Windows 2000 Server 5.0 (2195) Service Pack 4
OU:
Target Domain
Name: udla.tsu.edu (UDLA)
DC: laitpndns02.udla.tsu.edu (LAITPNDNS02)
OS: Windows Server 2003 5.2 (3790) Service Pack 1
OU: LDAP://udla.tsu.edu/OU=Staff,OU=Standard,OU=CLA User Accounts,DC=udla,DC=tsu,DC=edu
Intra-Forest: No
Password Option: Copy passwords, only for new objects = No
Password Export Server: MAZDA.fsip.tsu.edu
Migrate Security Identifiers: Yes
Update Rights: No
Translate Roaming Profiles: No
Fix group membership: Yes
Conflict Option: Ignore
Source Disable Option: Leave source account
Source Expiration: Do not expire source account
Target Disable Option: Set target same as source
Migrate groups: No
Migrate service accounts: Yes
[Object Migration Section]
2006-06-30 09:44:07 Starting Account Replicator.
2006-06-30 09:44:08 CN=data migrate - Created
2006-06-30 09:44:08 SID for FSIP\dmigrate added to the SID History of UDLA\dmigrate
2006-06-30 09:44:09 CN=data migrate - Password Copied.
2006-06-30 09:44:09 Operation completed.
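
Added example (not part of the original posts, and not ADMT or Microsoft code): a simplified Python model of the point made in the reply above, that SID history on the user alone does not satisfy an ACL granted to a source-domain group that was never migrated. The SIDs, the `Principal` class and the helper names are constructed for illustration, and real Windows token construction has more steps than this model.

```python
from dataclasses import dataclass, field

# Constructed domain SIDs for illustration only (not taken from the thread).
FSIP = "S-1-5-21-1111-1111-1111"   # source (old) domain
UDLA = "S-1-5-21-2222-2222-2222"   # target (new) domain

@dataclass
class Principal:
    sid: str
    sid_history: list = field(default_factory=list)
    member_of: list = field(default_factory=list)  # groups in the target domain

def build_token(user, sid_filtering=False, trusted_domain=UDLA):
    """Simplified model of the SIDs presented to a resource in the old domain."""
    sids = {user.sid, *user.sid_history}
    for group in user.member_of:
        sids |= {group.sid, *group.sid_history}
    if sid_filtering:
        # SID filtering on the trust drops SIDs not issued by the trusted domain.
        sids = {s for s in sids if s.startswith(trusted_domain + "-")}
    return sids

def has_access(token, acl_sids):
    """True if any SID in the token appears on the resource ACL."""
    return bool(token & set(acl_sids))

# Old-domain SIDs (constructed): the user and a global group used on an ACL.
OLD_USER = FSIP + "-1105"
OLD_GROUP = FSIP + "-2201"

def scenarios():
    # Case 1: user migrated with SID history, group not migrated.
    user_only = Principal(UDLA + "-5001", [OLD_USER])
    # Case 2: group migrated first with SID history, then the user joins it.
    new_group = Principal(UDLA + "-6001", [OLD_GROUP])
    with_group = Principal(UDLA + "-5001", [OLD_USER], [new_group])
    return {
        "group_acl_user_only": has_access(build_token(user_only), [OLD_GROUP]),
        "user_acl_user_only": has_access(build_token(user_only), [OLD_USER]),
        "group_acl_group_migrated": has_access(build_token(with_group), [OLD_GROUP]),
        "group_acl_filtered": has_access(
            build_token(with_group, sid_filtering=True), [OLD_GROUP]),
    }

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'access' if allowed else 'denied'}")
```

The `user_acl_user_only` case corresponds to the test suggested in the reply: grant access directly to the user account, then migrate that account with SID history.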