
Thread: SID History and SID Filtering questions (netdom)

  1. #1
    Riccardo Guest

    SID History and SID Filtering questions (netdom)


    Hi, there seems to be very little in-depth technical documentation on SID history
    and SID filtering and I need some help!

    I am trying to get SID history to work between 2 domains, a Windows 2000
    domain and a Windows 2003 SP1 domain (we are moving from the Windows
    2000 domain).

    I have domain admin rights in both domains (and Enterprise Admin in the
    2003 domain).

    When I run the command (in either domain)
    netdom trust win200domain /Domain:Win2003Domain /Quarantine

    I get an Access Denied error.
    I have tried the /userO and /userD options.

    My questions are:
    1) Exactly where am I getting access denied?
    2) When you run the command with /Quarantine:YES, what attribute/s are
    changed, and where in AD?

    And what is the difference between the /Quarantine:NO and the
    /EnableSidHistory:YES commands?
    Do I need to run both?
    What is the latest version of netdom? (I am using 5.2.3790.0)

    Oh, and if anyone from Microsoft is reading this, the following needs to
    be updated to incorporate ADMT v3:

    http://support.microsoft.com/default...b;en-us;835991

    Regards
    Riccardo Moretti

  2. #2
    Vincent Xu [MSFT] Guest

    RE: SID History and SID Filtering questions (netdom)

    Hi,

    Netdom syntax:

    Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No

    netdom trust trusted_domain /domain:trusting_domain /enablesidhistory:yes

    Since you get "Access denied" when you run "Netdom trust TrustingDomainName
    /domain:TrustedDomainName /quarantine:No":
    1. Verify whether the group has been migrated.
    2. Enable SID history by running: netdom trust trusted_domain
    /domain:trusting_domain /enablesidhistory:yes


    Let me know if you still have concerns.


    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    ======================================================
    Get Secure! - www.microsoft.com/security
    ======================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others
    may learn and benefit from this issue.
    ======================================================
    This posting is provided "AS IS" with no warranties,and confers no rights.
    ======================================================





  3. #3
    Riccardo Guest

    Re: SID History and SID Filtering questions (netdom)


    > 1. Verify whether the group has been migrated
    Which group?

    I also get access denied with 2.

    What is the difference between /quarantine:No and /enablesidhistory:yes?


  4. #4
    Vincent Xu [MSFT] Guest

    Re: SID History and SID Filtering questions (netdom)

    Hi,

    SID filtering is enabled automatically on any trust relationships created
    by domain controllers running Windows 2000 Service Pack 4 or Windows Server
    2003. Or, you can manually enable it by using the Netdom trust command line
    utility with the /EnableSIDHistory:no command line switch. To disable SID
    filtering (and thus enable SIDHistory), use the /EnableSIDHistory:yes
    switch.

    If even this level of SIDHistory accessibility is too much, you can impose
    even stricter limits on your trust relationships by enabling the Quarantine
    feature. (In this context, the Quarantine feature controls SID processing
    over trust relationships and shouldn't be confused with the Network Access
    Protection or Network Access Quarantine Control technologies that are used
    to control local and remote access connections.) By enabling Quarantine for
    a trust relationship, you are specifying that only SIDs from the exact
    domain on the other side of the trust are to be honored. In effect, enabling
    Quarantine on a trust relationship will break the transitivity of that
    trust, so that only the specific domains on either side of the trust are
    considered participants in the trust. Quarantine is disabled by default on
    all trust relationships; you can manually enable it by using the Netdom
    trust command line utility with the /quarantine:yes command line switch.
    Use the /quarantine:no switch to disable Quarantine on a trust relationship
    where it has already been enabled.

    I suspect that your problem is: you granted a group, which contains the user
    account, the permission to access the old resource. After you migrate the
    user to the new domain, they are no longer part of the old group, so they
    have lost the permission to access the old resource. Please feel free to
    correct me.

    If so, please check the share permission and NTFS permission of the old
    resource and let me know if you grant the permission to the user directly.

    If this is the issue, we need to re-ACL the resources.

    Since OldDomain\User1 is a built-in group we cannot use ADMT to migrate it.
    Fortunately, we are able to use the Security Translation Wizard with a SID
    Mapping file to add the NewDomain\"Domain Users" group's SID to the
    resources.

    To do so:

    1. Get the SIDs of both OldDomain\"Domain Users" and NewDomain\"Domain
    Users". We can log on as OldDomain\User1 and run "whoami.exe /all". From the
    returned content, we can find the SID of OldDomain\"Domain Users". Please use
    the same method to get the SID of NewDomain\"Domain Users".

    Note: whoami.exe is a utility from the Windows 2000 Resource Kit Tools. If you
    do not have it, please let me know.

    2. Create a SID mapping file (should be a txt file). We can name it
    sidmapping.txt.

    3. Edit the SID mapping file in Notepad and input the following content:

    <SID of OldDomain\"Domain Users">, <SID of NewDomain\"Domain Users">

    Note: Please put the correct SIDs in the above line.

    4. Run ADMT, choose "Security Translation Wizard".

    5. On the "Security Translation Options" page, choose "Other objects
    specified in a file" and browse to select the sidmapping.txt file created
    in Step 2.

    6. Follow the wizard to translate resources on ServerA.

    7. Please check if the NewDomain\User1 has access to <\\ServerA\Share>.

    Let me know if you have any concerns or questions.

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support




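The mapping file that steps 1 to 3 above describe can be generated and sanity-checked rather than typed by hand. The Python below is an added example, not code from the thread or from ADMT: it pulls the Domain Users SID out of whoami /all output, pairs accounts from a per-account "domain SID + RID" export by name (the kind of export Riccardo describes in his next reply), and refuses any line whose SID does not belong to the domain it is claimed from. Every domain SID, account name and the whoami text are constructed placeholders.

```python
"""Build an ADMT Security Translation SID mapping file ('<old SID>, <new SID>' per line).

Added example; OLD_WHOAMI, OLD_EXPORT and NEW_EXPORT are constructed sample data.
"""
import re

# A domain account SID is the domain SID (S-1-5-21-x-y-z) followed by the RID.
DOMAIN_ACCOUNT_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
DOMAIN_USERS_RID = 513  # well-known RID of "Domain Users" in every domain

# Group table line of "whoami /all": "<DOMAIN>\<Group>   <Type>   <SID>   <Attributes>"
WHOAMI_GROUP_LINE_RE = re.compile(
    r"^(?P<name>[^\\\s]+\\.+?)\s{2,}.*?(?P<sid>S-1-\d+(?:-\d+)+)")


def split_sid(sid):
    """Return (domain SID, RID) for a domain account SID; reject anything else."""
    m = DOMAIN_ACCOUNT_SID_RE.match(sid.strip())
    if not m:
        raise ValueError("not a domain account SID: %r" % sid)
    return m.group(1), int(m.group(2))


def group_sids_from_whoami(text):
    """Map 'DOMAIN\\Group' -> SID from the group table printed by whoami /all."""
    found = {}
    for line in text.splitlines():
        m = WHOAMI_GROUP_LINE_RE.match(line)
        if m:
            found[m.group("name")] = m.group("sid")
    return found


def mapping_lines(old_export, new_export, old_domain_sid, new_domain_sid):
    """Pair accounts by name and emit '<old SID>, <new SID>' lines.

    Returns (lines, skipped). A pair is skipped when the name is missing on the
    new side or a SID is not from the domain it is claimed from, so a stray SID
    cannot end up being translated onto the wrong principal.
    """
    lines, skipped = [], []
    for name, old_sid in old_export.items():
        new_sid = new_export.get(name)
        if new_sid is None:
            skipped.append((name, "not present in new-domain export"))
            continue
        old_dom, _ = split_sid(old_sid)
        new_dom, _ = split_sid(new_sid)
        if old_dom != old_domain_sid or new_dom != new_domain_sid:
            skipped.append((name, "SID belongs to the wrong domain"))
            continue
        lines.append("%s, %s" % (old_sid, new_sid))
    return lines, skipped


# --- constructed sample data (placeholder domain SIDs, not real values) ---
OLD_DOMAIN_SID = "S-1-5-21-1000000001-1000000002-1000000003"
NEW_DOMAIN_SID = "S-1-5-21-2000000001-2000000002-2000000003"

OLD_WHOAMI = """\
GROUP INFORMATION
-----------------
Group Name            Type             SID                                            Attributes
===================== ================ ============================================== ==========
Everyone              Well-known group S-1-1-0                                        Mandatory group
BUILTIN\\Users         Alias            S-1-5-32-545                                   Mandatory group
OLDDOM\\Domain Users   Group            S-1-5-21-1000000001-1000000002-1000000003-513  Mandatory group
"""

# Per-account exports (account name -> SID), as a domain SID + RID export tool would produce.
OLD_EXPORT = {
    "Domain Users": OLD_DOMAIN_SID + "-513",
    "jsmith": OLD_DOMAIN_SID + "-1105",
    "legacyapp": OLD_DOMAIN_SID + "-1106",   # never migrated, must not be mapped
}
NEW_EXPORT = {
    "Domain Users": NEW_DOMAIN_SID + "-513",
    "jsmith": NEW_DOMAIN_SID + "-1203",      # migrated account got a new RID
}


def build_sample_mapping():
    """Run the sample through both paths; return (mapping file text, skipped pairs)."""
    old_du = group_sids_from_whoami(OLD_WHOAMI)["OLDDOM\\Domain Users"]
    if split_sid(old_du) != (OLD_DOMAIN_SID, DOMAIN_USERS_RID):
        raise ValueError("whoami did not yield the old domain's Domain Users SID")
    lines, skipped = mapping_lines(OLD_EXPORT, NEW_EXPORT, OLD_DOMAIN_SID, NEW_DOMAIN_SID)
    return "\n".join(lines) + "\n", skipped


if __name__ == "__main__":
    text, skipped = build_sample_mapping()
    print(text)  # paste into sidmapping.txt for the Security Translation Wizard
    for name, why in skipped:
        print("skipped %s: %s" % (name, why))
```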



  5. #5
    Riccardo Guest

    Re: SID History and SID Filtering questions (netdom)

    Thanks for the information, you are correct in what you are saying and
    it is our migration strategy. We have 2 outbound domains: one has the
    quarantine disabled and the other (where SID history is not working) has
    it enabled.
    I ran nltest /domain_trusts and the domain that does not work has attr
    (0x4), which means the Quarantine is set to YES.

    The other domain that works had its quarantine disabled about a year ago
    and before SP1 of Windows 2003.
    I don't understand why I get an access denied (I am starting to suspect
    group policy, perhaps LSA or something).

    I went to our lab environment and we had the same issue. I disabled the
    group policies, rebooted the lab DCs and tried the command, netdom ...
    Success!!!! Then I disabled the quarantine again, re-enabled the GPOs,
    rebooted the DCs and ran the netdom again (so far no change), but now in
    the lab I get unknown user or bad password when running the netdom
    command. (These steps I cannot perform in production.)

    I then exported the GPOs, loaded a few VMs, imported the GPOs and the
    netdom command works always.

    I then tried (in the lab) loading ADSIedit.msc, looking at the trust
    object, and tried to change the trustAttributes manually; however, this
    seems to be some sort of protected object and cannot be changed.

    I am stumped!

    Oh, and by the way, the TechNet doc on how to create a SID mapping file
    only applies to ADMT v2 and not ADMT v3; it should be updated. I have now
    written a small app to export the Domain SID + User RID from the domain
    you are attempting to migrate so that you can use a SID mapping file.



  6. #6
    Riccardo Guest

    Re: SID History and SID Filtering questions (netdom)

    Thanks for the information, you are correct in what you are saying and
    it is our migration strategy, We have 2 outbound domains one has the
    quarantine disabled and the other (where SID history is not working) has
    it enabled.
    I ran nltest /domain_trusts and the domain that does not work has attr
    (0x4) which means the Quarantine is set to YES.

    The Other domain that works had its quarantine disabled about a year ago
    and before SP1 of Windows 2003,
    I dont undersand why I get an access denied (I am starting to suspect
    group policy perhaps LSA or something)

    I went to out lab environment and we had the same issue, I disabled the
    group policies rebooted the lab DC's and tried the command, netdom ...
    Success!!!! then I disabled the quarantine again re-enabled the GPO's
    rebooted the DCs and ran the netdom again (so far no change) but now in
    the lab I get unknown user or bad password when running the netdom
    command. (These steps I cannot perform in production.)

    I then Exported the GPO's loaded a few VM's imported the GPO's and the
    netdom command works always.

    I then tried (in the lab) loading ADSIedit.msc looking at the trust
    object and tried to change the trustArrribute manually however this
    seems to be some sort of protected object and cannot be changed.

    I am stumped!

    Oh and by the way the Technet doc on how to create a SID mapping file
    only applies to ADMT v2 and Not ADMTv3 it should be updated, I have now
    written a small app to export the Domain SID + User RID from the domain
    you are attempting to migrate so that you can use a SID mapping file.


    Vincent Xu [MSFT] wrote:
    > Hi,
    >
    > SID filtering is enabled automatically on any trust relationships created
    > by domain controllers running Windows 2000 Service Pack 4 or Windows Server
    > 2003. Or, you can manually enable it by using the Netdom trust command line
    > utility with the /EnableSIDHistory:no command line switch. To disable SID
    > filtering (and thus enable SIDHistory), use the /EnableSIDHistory:yes
    > switch.
    >
    > If even this level of SIDHistory accessibility is too much, you can impose
    > even stricter limits on your trust relationships by enabling the Quarantine
    > feature. (In this context, the Quarantine feature controls SID processing
    > over trust relationships and shouldn't be confused with the Network Access
    > Protection or Network Access Quarantine Control technologies that are used
    > to control local and remote access connections.) By enabling Quarantine for
    > a trust relationship, you are specifying that only SIDs from the exact
    > domain on the other side of the trust are to be honored. In effect, enabling
    > Quarantine on a trust relationship will break the transitivity of that
    > trust, so that only the specific domains on either side of the trust are
    > considered participants in the trust. Quarantine is disabled by default on
    > all trust relationships; you can manually enable it by using the Netdom
    > trust command line utility with the /quarantine:yes command line switch.
    > Use the /quarantine:no switch to disable Quarantine on a trust relationship
    > where it has already been enabled.
    >
    > I suspect that your problem is: you grant a group, which has the user
    > account, the permission to access the old resource. After you migrate the
    > user to the new domain, they are not part of the old group so that they
    > lost the permission to access the old resource. Please feel free to correct
    > me.
    >
    > If so, please check the share permission and NTFS permission of the old
    > resource and let me know if you grant the permission to the user directly.
    >
    > If this is the issue, we need to re-ACL the resources.
    >
    > Since OldDomain\User1 is a built-in group we cannot use ADMT to migrate it.
    > Fortunately, we are able to use Security Translation Wizard with a SID
    > Mapping file to add the NewDomain\"Domain Users" group's SID to the
    > resources.
    >
    > To do so:
    >
    > 1. Get the SIDs of both OldDomain\"Domain Users" and NewDomain\"Domain
    > Users". We can logon as OldDomain\User1, run "whoami.exe /all". From the
    > return content, we can find the SID of OldDomain\"Domain Users". Please use
    > this method to get the SID of NewDomain\"Domain Users".
    >
    > Note: whoami.exe is a utility from Windows 2000 Resource Kit Tools. If you
    > do not have it, please let me know.
    >
    > 2. Create a SID mapping file (should be a txt file). We can name it
    > sidmapping.txt.
    >
    > 3. Edit the SID mapping file in Notepad and input the following content:
    >
    > <SID of OldDomain\"Domain Users">, <SID of NewDomain\"Domain Users">
    >
    > Note: Please put the correct SIDs in the above line.
    >
    > 4. Run ADMT, choose "Security Translation Wizard".
    >
    > 5. On the "Security Translation Options" page, choose "Other objects
    > specified in a file" and browse to select the sidmapping.txt file created
    > in Step 2.
    >
    > 6. Follow the wizard to translate resources on ServerA.
    >
    > 7. Please check if the NewDomain\User1 has access to <\\ServerA\Share>.
    >
    > Let me know if you have any concerns or questions.
    >
    > Best regards,
    >
    > Vincent Xu
    > Microsoft Online Partner Support
    >
    > ======================================================
    > PLEASE NOTE: The partner managed newsgroups are provided to assist with
    > break/fix issues and simple how to questions.
    >
    > We also love to hear your product feedback!
    > Let us know what you think by posting
    > from the web interface: Partner Feedback
    > from your newsreader: microsoft.private.directaccess.partnerfeedback.
    > We look forward to hearing from you!
    > ======================================================
    > When responding to posts, please "Reply to Group" via your newsreader so
    > that others
    > may learn and benefit from this issue.
    > ======================================================
    > This posting is provided "AS IS" with no warranties, and confers no rights.
    > ======================================================
    >
    >
    >

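An added example, not code from the thread or from Riccardo's tool: it decodes the Attr value that nltest /domain_trusts prints (the 0x4 in the post is TRUST_ATTRIBUTE_QUARANTINED_DOMAIN, the trustAttributes bit that netdom trust /quarantine:yes sets) and emits SID mapping lines in the "<old SID>, <new SID>" form the quoted steps describe. The nltest output, domain SIDs and RID pairs are constructed; the flag names are the documented trustAttributes values.

```python
import re

# trustAttributes bit values (MS-ADTS TRUST_ATTRIBUTE_*); nltest shows the
# same value as "Attr: 0x..". 0x4 is what netdom trust /quarantine:yes sets.
TRUST_ATTRIBUTES = {
    0x01: "NON_TRANSITIVE",
    0x02: "UPLEVEL_ONLY",
    0x04: "QUARANTINED_DOMAIN",
    0x08: "FOREST_TRANSITIVE",
    0x10: "CROSS_ORGANIZATION",
    0x20: "WITHIN_FOREST",
    0x40: "TREAT_AS_EXTERNAL",
}
QUARANTINED = 0x04


def decode_trust_attributes(value):
    """Return the flag names set in a trustAttributes value, lowest bit first;
    bits this table does not know are reported rather than silently dropped."""
    names = [name for bit, name in sorted(TRUST_ATTRIBUTES.items()) if value & bit]
    unknown = value & ~sum(TRUST_ATTRIBUTES)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


# Constructed sample of `nltest /domain_trusts` output (not a capture from the
# thread); only the trust with Attr 0x4 is quarantined.
SAMPLE_NLTEST = """\
List of domain trusts:
    0: OLD2000 old2000.example.invalid (NT 5) (Direct Outbound) (Direct Inbound) ( Attr: 0x4 )
    1: LEGACY legacy.example.invalid (NT 5) (Direct Outbound) (Direct Inbound) ( Attr: 0x0 )
    2: NEW2003 new2003.example.invalid (NT 5) (Forest Tree Root) (Primary Domain) (Native)
The command completed successfully
"""

TRUST_LINE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(\S+)")
ATTR_FIELD = re.compile(r"\(\s*Attr:\s*0x([0-9a-fA-F]+)\s*\)")


def parse_nltest(output):
    """Parse nltest /domain_trusts output into one dict per trust line."""
    trusts = []
    for line in output.splitlines():
        m = TRUST_LINE.match(line)
        if not m:
            continue  # header / trailer lines carry no trust
        a = ATTR_FIELD.search(line)
        attr = int(a.group(1), 16) if a else 0
        trusts.append({
            "netbios": m.group(2),
            "dns": m.group(3),
            "attr": attr,
            "flags": decode_trust_attributes(attr),
            "quarantined": bool(attr & QUARANTINED),
        })
    return trusts


def quarantined_trusts(output):
    """NetBIOS names of trusts with quarantine on, i.e. trusts over which
    sIDHistory entries from the other domain are filtered out."""
    return [t["netbios"] for t in parse_nltest(output) if t["quarantined"]]


# ---- ADMT SID mapping file -------------------------------------------------
DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")


def build_sid_mapping(old_domain_sid, new_domain_sid, rid_pairs):
    """Lines for the '<old SID>, <new SID>' file the Security Translation
    Wizard reads. rid_pairs maps an old-domain RID to the RID of the matching
    principal in the new domain: well-known groups such as Domain Users (513)
    keep the same RID on both sides, migrated users get whatever RID the new
    domain assigned them."""
    for sid in (old_domain_sid, new_domain_sid):
        if not DOMAIN_SID.match(sid):
            raise ValueError(f"not a domain SID: {sid}")
    return [f"{old_domain_sid}-{old}, {new_domain_sid}-{new}"
            for old, new in rid_pairs]


if __name__ == "__main__":
    for t in parse_nltest(SAMPLE_NLTEST):
        print(f"{t['netbios']:<8} attr=0x{t['attr']:x} {t['flags']}")
    # Constructed domain SIDs, not values from the thread.
    old = "S-1-5-21-1111111111-2222222222-3333333333"
    new = "S-1-5-21-4444444444-5555555555-6666666666"
    print("\n".join(build_sid_mapping(old, new, [(513, 513), (1105, 1712)])))
```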

  9. #9
    Riccardo Guest

    Re: SID History and SID Filtering questions (netdom)

    Thanks for the information, you are correct in what you are saying and
    it is our migration strategy. We have 2 outbound domains: one has the
    quarantine disabled and the other (where SID history is not working) has
    it enabled.
    I ran nltest /domain_trusts and the domain that does not work has attr
    (0x4), which means the Quarantine is set to YES.

    The other domain that works had its quarantine disabled about a year ago
    and before SP1 of Windows 2003.
    I don't understand why I get an access denied (I am starting to suspect
    group policy, perhaps LSA or something).

    I went to our lab environment and we had the same issue. I disabled the
    group policies, rebooted the lab DCs and tried the command, netdom ...
    Success!!!! Then I disabled the quarantine again, re-enabled the GPOs,
    rebooted the DCs and ran the netdom again (so far no change), but now in
    the lab I get unknown user or bad password when running the netdom
    command. (These steps I cannot perform in production.)

    I then exported the GPOs, loaded a few VMs, imported the GPOs and the
    netdom command works always.

    I then tried (in the lab) loading ADSIedit.msc, looking at the trust
    object, and tried to change the trustAttributes manually; however this
    seems to be some sort of protected object and cannot be changed.

    I am stumped!

    Oh and by the way, the Technet doc on how to create a SID mapping file
    only applies to ADMT v2 and not ADMT v3; it should be updated. I have now
    written a small app to export the Domain SID + User RID from the domain
    you are attempting to migrate so that you can use a SID mapping file.


    Vincent Xu [MSFT] wrote:
    > Hi,
    >
    > SID filtering is enabled automatically on any trust relationships created
    > by domain controllers running Windows 2000 Service Pack 4 or Windows Server
    > 2003. Or, you can manually enable it by using the Netdom trust command line
    > utility with the /EnableSIDHistory:no command line switch. To disable SID
    > filtering (and thus enable SIDHistory), use the /EnableSIDHistory:yes
    > switch.
    >
    > If even this level of SIDHistory accessibility is too much, you can impose
    > even stricter limits on your trust relationships by enabling the Quarantine
    > feature. (In this context, the Quarantine feature controls SID processing
    > over trust relationships and shouldn't be confused with the Network Access
    > Protection or Network Access Quarantine Control technologies that are used
    > to control local and remote access connections.) By enabling Quarantine for
    > a trust relationship, you are specifying that only SIDs from the exact
    > domain on the other side of the trust are to be honored. In effect, enabling
    > Quarantine on a trust relationship will break the transitivity of that
    > trust, so that only the specific domains on either side of the trust are
    > considered participants in the trust. Quarantine is disabled by default on
    > all trust relationships; you can manually enable it by using the Netdom
    > trust command line utility with the /quarantine:yes command line switch.
    > Use the /quarantine:no switch to disable Quarantine on a trust relationship
    > where it has already been enabled.
    >
    > I suspect that your problem is: you grant a group, which has the user
    > account, the permission to access the old resource. After you migrate the
    > user to the new domain, they are not part of the old group so that they
    > lost the permission to access the old resource. Please feel free to correct
    > me.
    >
    > If so, please check the share permission and NTFS permission of the old
    > resource and let me know if you grant the permission to the user directly.
    >
    > If this is the issue, we need to re-ACL the resources.
    >
    > Since OldDomain\User1 is a built-in group we cannot use ADMT to migrate it.
    > Fortunately, we are able to use Security Translation Wizard with a SID
    > Mapping file to add the NewDomain\"Domain Users" group's SID to the
    > resources.
    >
    > To do so:
    >
    > 1. Get the SIDs of both OldDomain\"Domain Users" and NewDomain\"Domain
    > Users". We can log on as OldDomain\User1, run "whoami.exe /all". From the
    > return content, we can find the SID of OldDomain\"Domain Users". Please use
    > this method to get the SID of NewDomain\"Domain Users".
    >
    > Note: whoami.exe is a utility from Windows 2000 Resource Kit Tools. If you
    > do not have it, please let me know.
    >
    > 2. Create a SID mapping file (should be a txt file). We can name it
    > sidmapping.txt.
    >
    > 3. Edit the SID mapping file in Notepad and input the following content:
    >
    > <SID of OldDomain\"Domain Users">, <SID of NewDomain\"Domain Users">
    >
    > Note: Please put the correct SIDs in the above line.
    >
    > 4. Run ADMT, choose "Security Translation Wizard".
    >
    > 5. On the "Security Translation Options" page, choose "Other objects
    > specified in a file" and browse to select the sidmapping.txt file created
    > in Step 2.
    >
    > 6. Follow the wizard to translate resources on ServerA.
    >
    > 7. Please check if the NewDomain\User1 has access to <\\ServerA\Share>.
    >
    > Let me know if you have any concerns or questions.
    >
    > Best regards,
    >
    > Vincent Xu
    > Microsoft Online Partner Support
    >
    > ======================================================
    > PLEASE NOTE: The partner managed newsgroups are provided to assist with
    > break/fix issues and simple how to questions.
    >
    > We also love to hear your product feedback!
    > Let us know what you think by posting
    > from the web interface: Partner Feedback
    > from your newsreader: microsoft.private.directaccess.partnerfeedback.
    > We look forward to hearing from you!
    > ======================================================
    > When responding to posts, please "Reply to Group" via your newsreader so
    > that others
    > may learn and benefit from this issue.
    > ======================================================
    > This posting is provided "AS IS" with no warranties,and confers no rights.
    > ======================================================
    >>>Which Group ? > 1,Verify whether the group has been migrated
    >>>I also get access denied with 2
    >>>
    >>>what is the difference between /quarantine:No and /enablesidhistory:yes?



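Riccardo's check above (nltest /domain_trusts showing attr 0x4 on the trust that does not work) can be automated and made to answer his earlier question of what is changed where in AD. The following is an added example, not code from the thread: it parses the trust list in the format nltest /domain_trusts prints, decodes the value using the documented TRUST_ATTRIBUTE_* bits of the trustAttributes attribute on the trustedDomain object (the object under CN=System that ADSIedit shows), and reports which trusts have the quarantine bit, the one netdom trust ... /quarantine:yes sets, switched on. The sample output is constructed to match nltest's line format and the domain names are invented.

```python
"""Decode trustAttributes flags from `nltest /domain_trusts` output.

Added example, not code from the thread.  Flag values are the documented
TRUST_ATTRIBUTE_* bits of the trustAttributes attribute on a trustedDomain
object (CN=System container).  SAMPLE_NLTEST_OUTPUT is constructed to match
nltest's line format; the domain names are invented.
"""
import re

# Documented trustAttributes bits (MS-ADTS, trustAttributes).
TRUST_ATTRIBUTE_FLAGS = {
    0x01: "NON_TRANSITIVE",
    0x02: "UPLEVEL_ONLY",
    0x04: "QUARANTINED_DOMAIN",   # SID filtering; set by netdom trust ... /quarantine:yes
    0x08: "FOREST_TRANSITIVE",
    0x10: "CROSS_ORGANIZATION",
    0x20: "WITHIN_FOREST",
    0x40: "TREAT_AS_EXTERNAL",
    0x80: "USES_RC4_ENCRYPTION",
}
QUARANTINED_DOMAIN = 0x04
KNOWN_BITS = sum(TRUST_ATTRIBUTE_FLAGS)

# One trust per line, e.g.
#   0: OLDCORP oldcorp.example.local (NT 5) (Direct Outbound) (Direct Inbound) ( Attr: 0x4 )
TRUST_LINE = re.compile(r"^\s*(\d+):\s+(?P<netbios>\S+)\s+(?P<dns>\S+)\s*(?P<rest>.*)$")
ATTR_FIELD = re.compile(r"Attr:\s*0x([0-9A-Fa-f]+)")


def decode_trust_attributes(value):
    """Names of the flags set in a trustAttributes value, lowest bit first.
    Bits outside the documented set are reported rather than dropped."""
    names = [name for bit, name in sorted(TRUST_ATTRIBUTE_FLAGS.items()) if value & bit]
    unknown = value & ~KNOWN_BITS
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names


def parse_nltest_domain_trusts(text):
    """Parse the trust list printed by `nltest /domain_trusts`.
    Trusts printed without an 'Attr:' field get attributes = 0."""
    trusts = []
    for line in text.splitlines():
        m = TRUST_LINE.match(line)
        if not m:
            continue                      # header / trailer lines
        attr = ATTR_FIELD.search(m.group("rest"))
        value = int(attr.group(1), 16) if attr else 0
        trusts.append({
            "netbios": m.group("netbios"),
            "dns": m.group("dns"),
            "attributes": value,
            "flags": decode_trust_attributes(value),
            "sid_filtering": bool(value & QUARANTINED_DOMAIN),
        })
    return trusts


def quarantined_trusts(trusts):
    """DNS names of trusts over which sidHistory SIDs are filtered out, i.e.
    the ones where resource access that relies on sidHistory will fail."""
    return [t["dns"] for t in trusts if t["sid_filtering"]]


# Constructed sample in nltest's format (not real output).
SAMPLE_NLTEST_OUTPUT = """\
List of domain trusts:
    0: OLDCORP oldcorp.example.local (NT 5) (Direct Outbound) (Direct Inbound) ( Attr: 0x4 )
    1: LEGACY legacy.example.local (NT 5) (Direct Outbound) (Direct Inbound)
    2: NEWCORP newcorp.example.local (NT 5) (Forest Tree Root) (Primary Domain) (Native)
The command completed successfully
"""

if __name__ == "__main__":
    trusts = parse_nltest_domain_trusts(SAMPLE_NLTEST_OUTPUT)
    for t in trusts:
        print("%-24s attr=0x%X %s" % (t["dns"], t["attributes"], ", ".join(t["flags"]) or "-"))
    print("SID filtering on:", quarantined_trusts(trusts))
```

The quarantine bit is the protection that stops a sidHistory SID from being honoured across the trust, so the practical control is to clear it only for the migration window and run this check afterwards to confirm it is set again on every outbound trust. netdom's /EnableSIDHistory switch is the corresponding control for forest trusts; the decoder above only maps the 0x4 bit to the /quarantine switch, because that is the only mapping the thread confirms.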
  10. #10
    Vincent Xu [MSFT] Guest

    Re: SID History and SID Filtering questions (netdom)

    Hi Riccardo,

    Regarding generating the SID mapping file, there are some differences between
    ADMT V2 and V3:

    1. Database connection string.
    2. Database structure.

    Connection string:

    ADMT V2: objConnection.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data
    Source=C:\Program Files\Active Directory Migration Tool\Protar.mdb"

    ADMT V3: objConnection.Open "Provider=SQLOLEDB;Server=(the box running
    admt);Initial Catalog=ADMT;Integrated Security=SSPI"

    Database structure:

    Technote article 835991 details a VBScript that pulls data from ADMT's
    MigratedObjects table and writes the SID mapping file. However, ADMT v3
    moved the SourceDomainSID, SourceRID, TargetDomain, and TargetSamName
    values out of the MigratedObjects table.

    I think you would have to write a SQL query that processes the SourceObjectId
    and TargetObjectId values in the MigratedObjects table, pulling the related
    values from the Objects and Domain tables into a new SidMap table created
    in the ADMT database, and then modify the VBScript to generate the SID
    mapping file using the new SidMap table.

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    ======================================================
    Get Secure! - www.microsoft.com/security
    ======================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others
    may learn and benefit from this issue.
    ======================================================
    This posting is provided "AS IS" with no warranties,and confers no rights.
    ======================================================





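Vincent's steps 1 to 3 (a text file with one "<old SID>, <new SID>" line per principal), Riccardo's export of Domain SID + User RID from the source domain, and the MigratedObjects/Objects/Domain join described in this reply all come down to the same transformation. The following is an added example, not code from the thread or from ADMT: it validates SIDs, composes an account SID from a domain SID and a RID, renders mapping lines in the format the Security Translation Wizard reads, and runs the join against an in-memory SQLite stand-in for the ADMT v3 database. The three-table schema is an assumed simplification (the thread gives only the column names SourceObjectId and TargetObjectId and the table names), and every SID and account name is a constructed sample value.

```python
"""Build an ADMT SID mapping file ("<source SID>, <target SID>" per line).

Added example, not code from the thread or from ADMT.  The Domain / Objects /
MigratedObjects tables below are an ASSUMED simplification of the ADMT v3
database built only from what the reply states (MigratedObjects holds
SourceObjectId/TargetObjectId; domain SIDs, RIDs and SAM names are in the
Objects and Domain tables).  All SIDs and names are constructed samples.
"""
import re
import sqlite3

# Domain account SID: S-1-5-21-<3 sub-authorities>-<RID>
ACCOUNT_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}$")


def is_account_sid(sid):
    return ACCOUNT_SID_RE.match(sid) is not None


def split_sid(sid):
    """'S-1-5-21-a-b-c-RID' -> (domain SID, RID).  Rejects well-known SIDs and
    bare domain SIDs so a bad line cannot reach the mapping file."""
    m = ACCOUNT_SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain account SID: %r" % sid)
    rid = m.group(1)
    return sid[: -len(rid) - 1], int(rid)


def join_sid(domain_sid, rid):
    """Inverse of split_sid: turn an exported 'Domain SID + User RID' pair
    from the source domain back into a full account SID."""
    if not DOMAIN_SID_RE.match(domain_sid) or int(rid) < 0:
        raise ValueError("bad domain SID or RID: %r / %r" % (domain_sid, rid))
    return "%s-%d" % (domain_sid, int(rid))


def mapping_lines(pairs):
    """Render (old SID, new SID) pairs in the format the Security Translation
    Wizard reads: '<old>, <new>'.  Both sides are validated because a typo
    here re-ACLs resources to the wrong principal."""
    lines = []
    for old, new in pairs:
        split_sid(old)
        split_sid(new)
        lines.append("%s, %s" % (old, new))
    return lines


ASSUMED_SCHEMA = """
CREATE TABLE Domain (DomainId INTEGER PRIMARY KEY, DomainSid TEXT, DomainName TEXT);
CREATE TABLE Objects (ObjectId INTEGER PRIMARY KEY, DomainId INTEGER, RID INTEGER, SamName TEXT);
CREATE TABLE MigratedObjects (SourceObjectId INTEGER, TargetObjectId INTEGER);
"""

# The join the reply describes: resolve both object ids through Objects and
# Domain to recover the source/target domain SID and RID.
MAPPING_QUERY = """
SELECT sd.DomainSid, so.RID, td.DomainSid, tobj.RID
FROM MigratedObjects mo
JOIN Objects so   ON so.ObjectId = mo.SourceObjectId
JOIN Domain  sd   ON sd.DomainId = so.DomainId
JOIN Objects tobj ON tobj.ObjectId = mo.TargetObjectId
JOIN Domain  td   ON td.DomainId = tobj.DomainId
ORDER BY tobj.SamName
"""


def mapping_from_admt_v3(conn):
    """Mapping lines for every migrated object recorded in the database."""
    rows = conn.execute(MAPPING_QUERY).fetchall()
    return mapping_lines([(join_sid(s_dom, s_rid), join_sid(t_dom, t_rid))
                          for s_dom, s_rid, t_dom, t_rid in rows])


def sample_database():
    """In-memory stand-in for the ADMT v3 database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(ASSUMED_SCHEMA)
    conn.executemany("INSERT INTO Domain VALUES (?, ?, ?)", [
        (1, "S-1-5-21-1111111111-2222222222-3333333333", "OLDDOMAIN"),
        (2, "S-1-5-21-4444444444-5555555555-6666666666", "NEWDOMAIN"),
    ])
    conn.executemany("INSERT INTO Objects VALUES (?, ?, ?, ?)", [
        (10, 1, 1105, "user1"), (11, 1, 1106, "user2"),
        (20, 2, 1201, "user1"), (21, 2, 1202, "user2"),
    ])
    # Only accounts ADMT migrated appear here; built-in groups such as
    # Domain Users (RID 513) do not, which is why they are added by hand.
    conn.executemany("INSERT INTO MigratedObjects VALUES (?, ?)", [(10, 20), (11, 21)])
    return conn


def build_mapping_file(conn, manual_pairs):
    """Full file content: migrated objects from the database plus the pairs
    supplied by hand (step 3 of the quoted procedure)."""
    return "\n".join(mapping_from_admt_v3(conn) + mapping_lines(manual_pairs)) + "\n"


if __name__ == "__main__":
    old_dom = "S-1-5-21-1111111111-2222222222-3333333333"
    new_dom = "S-1-5-21-4444444444-5555555555-6666666666"
    content = build_mapping_file(sample_database(),
                                 [(join_sid(old_dom, 513), join_sid(new_dom, 513))])
    with open("sidmapping.txt", "w") as f:   # file name used in the quoted steps
        f.write(content)
    print(content, end="")
```

Against the real ADMT v3 database the query's table and column names would have to be adjusted to the actual schema, but the shape of the work is the same: every line that reaches sidmapping.txt should be two validated account SIDs, since the Security Translation Wizard will write whatever is in that file into the ACLs of the target resources.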

  11. #11
    Riccardo Guest

    Re: SID History and SID Filtering questions (netdom)

    Yeeee Haaaaaa I got it to work

    I ran a net use \\servername\ipc$ to the domain controllers in each
    domain, then the command worked!!!!



    Riccardo wrote:

    > Thanks for the information, you are correct in what you are saying and
    > it is our migration strategy, We have 2 outbound domains one has the
    > quarantine disabled and the other (where SID history is not working) has
    > it enabled.
    > I ran nltest /domain_trusts and the domain that does not work has attr
    > (0x4) which means the Quarantine is set to YES.
    >
    > The Other domain that works had its quarantine disabled about a year ago
    > and before SP1 of Windows 2003,
    > I dont undersand why I get an access denied (I am starting to suspect
    > group policy perhaps LSA or something)
    >
    > I went to out lab environment and we had the same issue, I disabled the
    > group policies rebooted the lab DC's and tried the command, netdom ...
    > Success!!!! then I disabled the quarantine again re-enabled the GPO's
    > rebooted the DCs and ran the netdom again (so far no change) but now in
    > the lab I get unknown user or bad password when running the netdom
    > command. (These steps I cannot perform in production.)
    >
    > I then Exported the GPO's loaded a few VM's imported the GPO's and the
    > netdom command works always.
    >
    > I then tried (in the lab) loading ADSIedit.msc looking at the trust
    > object and tried to change the trustArrribute manually however this
    > seems to be some sort of protected object and cannot be changed.
    >
    > I am stumped!
    >
    > Oh and by the way the Technet doc on how to create a SID mapping file
    > only applies to ADMT v2 and Not ADMTv3 it should be updated, I have now
    > written a small app to export the Domain SID + User RID from the domain
    > you are attempting to migrate so that you can use a SID mapping file.
    >
    >
    > Vincent Xu [MSFT] wrote:
    >
    >> Hi,
    >>
    >> SID filtering is enabled automatically on any trust relationships
    >> created by domain controllers running Windows 2000 Service Pack 4 or
    >> Windows Server 2003. Or, you can manually enable it by using the
    >> Netdom trust command line utility with the /EnableSIDHistory:no
    >> command line switch. To disable SID filtering (and thus enable
    >> SIDHistory), use the /EnableSIDHistory:yes switch.
    >>
    >> If even this level of SIDHistory accessibility is too much, you can
    >> impose even stricter limits on your trust relationships by enabling
    >> the Quarantine feature. (In this context, the Quarantine feature
    >> controls SID processing over trust relationships and shouldn't be
    >> confused with the Network Access Protection or Network Access
    >> Quarantine Control technologies that are used to control local and
    >> remote access connections.) By enabling Quarantine for a trust
    >> relationship, you are specifying that only SIDs from the exact domain
    >> on the other side of the trust are to be honored.In effect, enabling
    >> Quarantine on a trust relationship will break the transitivity of that
    >> trust, so that only the specific domains on either side of the trust
    >> are considered participants in the trust. Quarantine is disabled by
    >> default on all trust relationships; you can manually enable it by
    >> using the Netdom trust command line utility with the /quarantine:yes
    >> command line switch. Use the /quarantine:no switch to disable
    >> Quarantine on a trust relationship where it has already been enabled.
    >> I suspect that your problem is: you grant a group, which has the user
    >> account, the permission to access the old resource. After you migrate
    >> the user to the new domain, they are not part of the old group so that
    >> they lost the permission to access the old resource. Please feel free
    >> to correct me.
    >>
    >> If so, please check the share permission and NTFS permission of the
    >> old resource and let me know if you grant the permission to the user
    >> directly.
    >>
    >> If this is the issue, we need to re-ACL the resources.
    >>
    >> Since OldDomain\User1 is a built-in group we cannot use ADMT to
    >> migrate it. Fortunately, we are able to use Security Translation
    >> Wizard with a SID Mapping file to add the NewDomain\"Domain Users"
    >> group's SID to the resources.
    >>
    >> To do so:
    >>
    >> 1. Get the SIDs of both OldDomain\"Domain Users" and NewDomain\"Domain
    >> Users". We can logon as OldDomain\User1, run "whoami.exe /all". From
    >> the return content, we can find the SID of OldDomain\"Domain Users".
    >> Please use this method to get the SID of NewDomain\"Domain Users".
    >>
    >> Note: whoami.exe is a utility from Windows 2000 Resource Kit Tools.
    >> If you do not have it, please let me know.
    >>
    >> 2. Create a SID mapping file (should be a txt file). We can name it
    >> sidmapping.txt.
    >>
    >> 3. Edit the SID mapping file in Notepad and input the following content:
    >>
    >> <SID of OldDomain\"Domain Users">, <SID of NewDomain\"Domain Users">
    >>
    >> Note: Please put the correct SIDs in the above line.
    >>
    >> 4. Run ADMT, choose "Security Translation Wizard".
    >>
    >> 5. On the "Security Translation Options" page, choose "Other objects
    >> specified in a file" and browse to select the sidmapping.txt file
    >> created in Step 2.
    >>
    >> 6. Follow the wizard to translate resources on ServerA.
    >>
    >> 7. Please check if the NewDomain\User1 has access to <\\ServerA\Share>.
    >>
    >> Let me know if you have any concerns or questions.
    >>
    >> Best regards,
    >>
    >> Vincent Xu
    >> Microsoft Online Partner Support
    >>
    >> ======================================================
    >> PLEASE NOTE: The partner managed newsgroups are provided to assist
    >> with break/fix issues and simple how to questions.
    >> We also love to hear your product feedback! Let us know what you
    >> think by posting from the web interface: Partner Feedback from
    >> your newsreader: microsoft.private.directaccess.partnerfeedback. We
    >> look forward to hearing from you!
    >> ====================================================== When responding
    >> to posts, please "Reply to Group" via your newsreader so that others
    >> may learn and benefit from this issue.
    >> ======================================================
    >> This posting is provided "AS IS" with no warranties, and confers no
    >> rights. ======================================================
    >>
    >>
    >>
    >> --------------------
    >>
    >>>> Message-ID: <443D4313.5020605@ajhsgdfkjsahgfksajh.sdjhfgsakjhdgfsadjhg.s>
    >>>> Date: Wed, 12 Apr 2006 20:12:35 +0200
    >>>> From: Riccardo <dskjfhadskjgaskjdhgf@ajhsgdfkjsahgfksajh.sdjhfgsakjhdgfsadjhg.s>
    >>>> User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
    >>>> X-Accept-Language: en-us, en
    >>>> MIME-Version: 1.0
    >>>> To: "Vincent Xu [MSFT]" <v-xuwen@online.microsoft.com>
    >>>> Subject: Re: SID History and SID Filtering questions (netdom)
    >>>> References: <ep3qkafXGHA.4988@TK2MSFTNGP05.phx.gbl> <F$s72RhXGHA.5252@TK2MSFTNGXA01.phx.gbl>
    >>>> In-Reply-To: <F$s72RhXGHA.5252@TK2MSFTNGXA01.phx.gbl>
    >>>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
    >>>> Content-Transfer-Encoding: 7bit
    >>>> Newsgroups: microsoft.public.windows.server.migration
    >>>> NNTP-Posting-Host: dsl-146-103-45.telkomadsl.co.za 165.146.103.45
    >>>> Lines: 1
    >>>> Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
    >>>> Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.migration:23291
    >>>> X-Tomcat-NG: microsoft.public.windows.server.migration
    >>>>
    >>>>
    >>>> Which Group ? > 1,Verify whether the group has been migrated
    >>>> I also get access denied with 2
    >>>>
    >>>> what is the difference between /quarantine:No and
    >>>> /enablesidhistory:yes?
    >>>> Vincent Xu [MSFT] wrote:
    >>>>
    >>>>> Hi,
    >>>>>
    >>>>> Netdom Syntax:
    >>>>>
    >>>>> Netdom trust TrustingDomainName /domain:TrustedDomainName
    >>>>> /quarantine:No
    >>>>>
    >>>>> netdom trust trusted_domain /domain:trusting_domain /enablesidhistory:yes
    >>>>>
    >>>>> since you get "Access denied" when you run "Netdom trust TrustingDomainName
    >>>>> /domain:TrustedDomainName /quarantine:No",
    >>>>> 1, Verify whether the group has been migrated
    >>>>> 2, Enable SID history by running : netdom trust trusted_domain
    >>>>> /domain:trusting_domain /enablesidhistory:yes
    >>>>>
    >>>>>
    >>>>> Let me know if you still have concern.
    >>>>>
    >>>>>
    >>>>> Best regards,
    >>>>>
    >>>>> Vincent Xu
    >>>>> Microsoft Online Partner Support
    >>>>>
    >>>>> ======================================================
    >>>>> Get Secure! - www.microsoft.com/security
    >>>>> ====================================================== When
    >>>>> responding to posts, please "Reply to Group" via your newsreader so
    >>>>> that others may learn and benefit from this issue.
    >>>>> ======================================================
    >>>>> This posting is provided "AS IS" with no warranties, and confers no
    >>>>> rights.
    >>>>> ======================================================
    >>>>>
    >>>>>
    >>>>>
    >>>>> --------------------
    >>>>>
    >>>>>
    >>>>>>> Date: Wed, 12 Apr 2006 08:02:23 +0200
    >>>>>>> From: Riccardo <dskjfhadskjgaskjdhgf@ajhsgdfkjsahgfksajh.sdjhfgsakjhdgfsadjhg.s>
    >>>>>>> User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
    >>>>>>> X-Accept-Language: en-us, en
    >>>>>>> MIME-Version: 1.0
    >>>>>>> Subject: SID History and SID Filtering questions (netdom)
    >>>>>>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
    >>>>>>> Content-Transfer-Encoding: 7bit
    >>>>>>> Message-ID: <ep3qkafXGHA.4988@TK2MSFTNGP05.phx.gbl>
    >>>>>>> Newsgroups: microsoft.public.windows.server.migration
    >>>>>>> NNTP-Posting-Host: dsl-146-103-45.telkomadsl.co.za 165.146.103.45
    >>>>>>> Lines: 1
    >>>>>>> Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
    >>>>>>> Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.migration:23283
    >>>>>>> X-Tomcat-NG: microsoft.public.windows.server.migration
    >>>>>>>
    >>>>>>>
    >>>>>>> Hi, there seems to be very little in-depth technical docs on sid history
    >>>>>>> and sid filtering and I need some help!
    >>>>>>>
    >>>>>>> I am trying to get sidhistory to work between 2 domains a windows
    >>>>>>> 2000 domain and a windows 2003sp1 domain, (we are moving from the
    >>>>>>> windows 2000 domain)
    >>>>>>>
    >>>>>>> I have domain admin rights in both domains (and Enterprise admin in the
    >>>>>>> 2003 domain)
    >>>>>>>
    >>>>>>> when I run the command ( in either domain)
    >>>>>>> netdom trust win200domain /Domain:Win2003Domain /Quarantine
    >>>>>>>
    >>>>>>> I get an Access Denied error.
    >>>>>>> I have tried the /userO and /userD options
    >>>>>>>
    >>>>>>> My questions are
    >>>>>>> 1) Exactly where am I getting access denied?
    >>>>>>> 2) when you run the command with a /Quarantine:YES what attribute/s are
    >>>>>>> changed where in AD?
    >>>>>>>
    >>>>>>> and what is the difference between the /Quarantine:NO and the
    >>>>>>> /EnableSidHistory:YES commands?
    >>>>>>> Do I need to run both?
    >>>>>>> What is the latest version of netdom? (I am using 5.2.3790.0)
    >>>>>>>
    >>>>>>> Oh and if anyone from Microsoft is reading this the following
    >>>>>>> needs to be updated to incorporate ADMT v3
    >>>>>>>
    >>>>>>> http://support.microsoft.com/default...b;en-us;835991
    >>>>>>>
    >>>>>>> Regards
    >>>>>>> Riccardo Moretti
    >>>>>>>
    >>>>>
    >>>>>

    >>

    >


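Added example, not code from any poster in this thread: a small Python script that ties together the two things the quoted replies describe, namely what SID filtering on a quarantined trust does to a migrated user's token (the primary SID survives, the sIDHistory entry pointing at the old domain is dropped, so access to the old resource is lost until it is re-ACLed) and how the SID mapping file line from steps 1 to 3 is built from `whoami /all` output. The domain SIDs and the `whoami /all` text below are constructed for the example; the filtering model is a simplification covering domain-account SIDs only, and the functions are assumptions of this example rather than any Microsoft API.

```python
"""Added example for the SID History / SID Filtering thread (not the
posters' code). Sample SIDs and whoami output are constructed."""
import re
from typing import List, Tuple

DOMAIN_USERS_RID = 513  # well-known RID of the "Domain Users" group

# Domain account SIDs have the shape S-1-5-21-<d1>-<d2>-<d3>-<RID>
ACCOUNT_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

# Constructed domain SIDs for the example (not real domains).
OLD_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"

# Constructed excerpt of "whoami /all" output, one per domain (step 1 in the thread).
OLD_WHOAMI = """\
GROUP INFORMATION
-----------------
Group Name            Type              SID                                              Attributes
Everyone              Well-known group  S-1-1-0                                          Mandatory group
OLDDOM\\Domain Users   Group             S-1-5-21-1111111111-2222222222-3333333333-513    Mandatory group
"""
NEW_WHOAMI = """\
GROUP INFORMATION
-----------------
Group Name            Type              SID                                              Attributes
Everyone              Well-known group  S-1-1-0                                          Mandatory group
NEWDOM\\Domain Users   Group             S-1-5-21-4444444444-5555555555-6666666666-513    Mandatory group
"""


def parse_sid(sid: str) -> Tuple[str, int]:
    """Split a domain account SID into (domain SID, RID); reject anything else."""
    if not ACCOUNT_SID_RE.match(sid):
        raise ValueError(f"not a domain account SID: {sid!r}")
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def apply_sid_filtering(token_sids: List[str], trusted_domain_sid: str) -> List[str]:
    """Simplified model of SID filtering on a quarantined trust: the trusting
    domain honours only SIDs whose domain part is the trusted domain's own
    SID. sIDHistory entries that point at the old domain are exactly what
    gets dropped, which is why a migrated user loses access to the old
    resource until the trust is un-quarantined or the resource is re-ACLed.
    Well-known SIDs (S-1-1-0 etc.) are out of scope for this model."""
    kept = []
    for sid in token_sids:
        domain, _rid = parse_sid(sid)
        if domain == trusted_domain_sid:
            kept.append(sid)
    return kept


def whoami_group_sid(whoami_output: str, group_name: str) -> str:
    """Pull one group's SID out of "whoami /all" text (step 1 in the thread)."""
    for line in whoami_output.splitlines():
        if group_name.lower() in line.lower():
            match = re.search(r"S-1-5-21-\d+-\d+-\d+-\d+", line)
            if match:
                return match.group(0)
    raise LookupError(f"{group_name!r} not found in whoami output")


def build_domain_users_mapping_line(old_sid: str, new_sid: str) -> str:
    """Return the 'old, new' line for sidmapping.txt (step 3), after checking
    that both SIDs really are Domain Users (RID 513) of two different domains."""
    old_domain, old_rid = parse_sid(old_sid)
    new_domain, new_rid = parse_sid(new_sid)
    if old_domain == new_domain:
        raise ValueError("both SIDs belong to the same domain")
    if old_rid != DOMAIN_USERS_RID or new_rid != DOMAIN_USERS_RID:
        raise ValueError(f"expected RID {DOMAIN_USERS_RID} on both sides, got {old_rid} and {new_rid}")
    return f"{old_sid}, {new_sid}"


def demo() -> Tuple[str, List[str]]:
    """Build the mapping line, then show what a migrated user's token looks
    like after SID filtering on the OldDomain -> NewDomain trust."""
    old_users = whoami_group_sid(OLD_WHOAMI, "Domain Users")
    new_users = whoami_group_sid(NEW_WHOAMI, "Domain Users")
    mapping_line = build_domain_users_mapping_line(old_users, new_users)
    # Migrated user: new primary SID (constructed RID 1105) plus the old
    # Domain Users SID carried in sIDHistory.
    token = [NEW_DOMAIN_SID + "-1105", old_users]
    survived = apply_sid_filtering(token, NEW_DOMAIN_SID)
    return mapping_line, survived


if __name__ == "__main__":
    line, kept = demo()
    print("sidmapping.txt line:", line)
    print("SIDs honoured by the old domain after filtering:", kept)
```

The `demo` output makes the thread's diagnosis concrete: the sIDHistory SID is the only thing in the token that the old domain's ACLs recognise, and it is the one entry SID filtering removes, so either the trust setting or the resource ACL has to change.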