SID History and SID Filtering questions (netdom)

  #1  
Old 12-04-2006
Riccardo
 
SID History and SID Filtering questions (netdom)


Hi, there seems to be very little in-depth technical documentation on SID history
and SID filtering, and I need some help!

I am trying to get SIDHistory to work between 2 domains: a Windows 2000
domain and a Windows 2003 SP1 domain (we are moving from the Windows
2000 domain).

I have Domain Admin rights in both domains (and Enterprise Admin in the
2003 domain).

When I run the command (in either domain)
netdom trust win200domain /Domain:Win2003Domain /Quarantine

I get an Access Denied error.
I have tried the /userO and /userD options.

My questions are:
1) Exactly where am I getting access denied?
2) When you run the command with /Quarantine:YES, what attribute(s) are
changed, and where in AD?
3) What is the difference between the /Quarantine:NO and the
/EnableSidHistory:YES commands? Do I need to run both?
4) What is the latest version of netdom? (I am using 5.2.3790.0)

Oh, and if anyone from Microsoft is reading this, the following needs to
be updated to incorporate ADMT v3:

http://support.microsoft.com/default...b;en-us;835991

Regards
Riccardo Moretti

  #2  
Old 12-04-2006
Vincent Xu [MSFT]
 
RE: SID History and SID Filtering questions (netdom)

Hi,

Netdom syntax:

Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No

netdom trust trusted_domain /domain:trusting_domain /enablesidhistory:yes

Since you get "Access denied" when you run "Netdom trust TrustingDomainName
/domain:TrustedDomainName /quarantine:No":
1. Verify whether the group has been migrated.
2. Enable SID history by running: netdom trust trusted_domain
/domain:trusting_domain /enablesidhistory:yes

Let me know if you still have concerns.

Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================



--------------------
>>Date: Wed, 12 Apr 2006 08:02:23 +0200
>>From: Riccardo <dskjfhadskjgaskjdhgf@ajhsgdfkjsahgfksajh.sdjhfgsakjhdgfsadjhg.s>
>>User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
>>X-Accept-Language: en-us, en
>>MIME-Version: 1.0
>>Subject: SID History and SID Filtering questions (netdom)
>>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>Content-Transfer-Encoding: 7bit
>>Message-ID: <ep3qkafXGHA.4988@TK2MSFTNGP05.phx.gbl>
>>Newsgroups: microsoft.public.windows.server.migration
>>NNTP-Posting-Host: dsl-146-103-45.telkomadsl.co.za 165.146.103.45
>>Lines: 1
>>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
>>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.migration:23283
>>X-Tomcat-NG: microsoft.public.windows.server.migration
  #3  
Old 12-04-2006
Riccardo
 
Re: SID History and SID Filtering questions (netdom)


> 1, Verify whether the group has been migrated

Which group?
I also get access denied with 2.

What is the difference between /quarantine:No and /enablesidhistory:yes?
  #4  
Old 13-04-2006
Vincent Xu [MSFT]
 
Re: SID History and SID Filtering questions (netdom)

Hi,

SID filtering is enabled automatically on any trust relationships created
by domain controllers running Windows 2000 Service Pack 4 or Windows Server
2003. Or, you can manually enable it by using the Netdom trust command line
utility with the /EnableSIDHistory:no command line switch. To disable SID
filtering (and thus enable SIDHistory), use the /EnableSIDHistory:yes
switch.

If even this level of SIDHistory accessibility is too much, you can impose
even stricter limits on your trust relationships by enabling the Quarantine
feature. (In this context, the Quarantine feature controls SID processing
over trust relationships and shouldn't be confused with the Network Access
Protection or Network Access Quarantine Control technologies that are used
to control local and remote access connections.) By enabling Quarantine for
a trust relationship, you are specifying that only SIDs from the exact
domain on the other side of the trust are to be honored. In effect, enabling
Quarantine on a trust relationship will break the transitivity of that
trust, so that only the specific domains on either side of the trust are
considered participants in the trust. Quarantine is disabled by default on
all trust relationships; you can manually enable it by using the Netdom
trust command line utility with the /quarantine:yes command line switch.
Use the /quarantine:no switch to disable Quarantine on a trust relationship
where it has already been enabled.

I suspect that your problem is: you granted a group, which contains the user
account, permission to access the old resource. After you migrate the
user to the new domain, they are no longer part of the old group, so they
lose permission to access the old resource. Please feel free to correct
me.

If so, please check the share permissions and NTFS permissions of the old
resource and let me know if you granted the permission to the user directly.

If this is the issue, we need to re-ACL the resources.

Since OldDomain\User1 is a built-in group, we cannot use ADMT to migrate it.
Fortunately, we are able to use the Security Translation Wizard with a SID
mapping file to add the NewDomain\"Domain Users" group's SID to the
resources.

To do so:

1. Get the SIDs of both OldDomain\"Domain Users" and NewDomain\"Domain
Users". We can log on as OldDomain\User1 and run "whoami.exe /all". From the
returned content, we can find the SID of OldDomain\"Domain Users". Please use
this method to get the SID of NewDomain\"Domain Users".

Note: whoami.exe is a utility from the Windows 2000 Resource Kit Tools. If you
do not have it, please let me know.

2. Create a SID mapping file (should be a .txt file). We can name it
sidmapping.txt.

3. Edit the SID mapping file in Notepad and input the following content:

<SID of OldDomain\"Domain Users">, <SID of NewDomain\"Domain Users">

Note: Please put the correct SIDs in the above line.

4. Run ADMT and choose "Security Translation Wizard".

5. On the "Security Translation Options" page, choose "Other objects
specified in a file" and browse to select the sidmapping.txt file created
in Step 2.

6. Follow the wizard to translate resources on ServerA.

7. Please check if NewDomain\User1 has access to <\\ServerA\Share>.

Let me know if you have any concerns or questions.

Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
PLEASE NOTE: The partner managed newsgroups are provided to assist with
break/fix issues and simple how-to questions.

We also love to hear your product feedback!
Let us know what you think by posting
from the web interface: Partner Feedback
from your newsreader: microsoft.private.directaccess.partnerfeedback.
We look forward to hearing from you!
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================
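
Steps 1 to 3 of the SID mapping procedure above (find the SID of each "Domain Users" group, then write one "old SID, new SID" pair per line) can be scripted. The PowerShell below is an added example, not code from this thread, from Vincent, or from ADMT: it resolves each account pair to its SID through .NET's NTAccount.Translate instead of reading whoami /all output, checks that both sides of a pair carry the same well-known RID, and writes the mapping file in the format the thread describes. OLD and NEW are placeholder NetBIOS domain names, and the script assumes the machine it runs on can resolve accounts in both domains.

```powershell
# Added example, not code from the thread or from ADMT: build the SID mapping
# file described in steps 1-3 from account names instead of whoami output.
# Assumptions: the machine can resolve accounts in both domains, and OLD / NEW
# are placeholder NetBIOS names for the source and target domains.

$pairs = @(
    @{ Old = 'OLD\Domain Users'; New = 'NEW\Domain Users' }
    # further built-in groups that ADMT will not migrate can be added here, e.g.
    # @{ Old = 'OLD\Domain Admins'; New = 'NEW\Domain Admins' }
)
$outFile = Join-Path $env:TEMP 'sidmapping.txt'

function Resolve-AccountSid {
    param([Parameter(Mandatory)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    # Translate asks a DC of the account's domain; an unknown account throws
    # IdentityNotMappedException instead of silently returning nothing
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$lines = foreach ($p in $pairs) {
    $oldSid = Resolve-AccountSid $p.Old
    $newSid = Resolve-AccountSid $p.New
    # Both sides of a pair should carry the same well-known RID (513 for
    # Domain Users); a mismatch usually means a mistyped group name
    if (($oldSid -split '-')[-1] -ne ($newSid -split '-')[-1]) {
        Write-Warning "$($p.Old) ($oldSid) and $($p.New) ($newSid) have different RIDs"
    }
    if ($oldSid -eq $newSid) { throw "Refusing to map $oldSid to itself" }
    # Mapping file format used in step 3: one 'source SID, target SID' per line
    "$oldSid, $newSid"
}

# ADMT reads the file as plain text, so write it without a Unicode BOM
Set-Content -Path $outFile -Value $lines -Encoding ASCII
Write-Host "Wrote $(@($lines).Count) mapping line(s) to $outFile"
Get-Content $outFile
```

The RID check is the practical safeguard here: a mapping file silently re-ACLs every resource the wizard touches, so confirming that the old and new SIDs really are the same built-in group before running the Security Translation Wizard is cheaper than undoing a wrong translation on ServerA afterwards.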



  #5  
Old 17-04-2006
Riccardo
 
Re: SID History and SID Filtering questions (netdom)

Thanks for the information; you are correct in what you are saying, and
it is our migration strategy. We have 2 outbound domains: one has the
quarantine disabled and the other (where SID history is not working) has
it enabled.
I ran nltest /domain_trusts and the domain that does not work has attr
(0x4), which means the Quarantine is set to YES.

The other domain that works had its quarantine disabled about a year ago,
before SP1 of Windows 2003.
I don't understand why I get an access denied (I am starting to suspect
group policy, perhaps LSA or something).

I went to our lab environment and we had the same issue. I disabled the
group policies, rebooted the lab DCs and tried the command, netdom ...
Success!!!! Then I disabled the quarantine again, re-enabled the GPOs,
rebooted the DCs and ran the netdom again (so far no change), but now in
the lab I get "unknown user or bad password" when running the netdom
command. (These steps I cannot perform in production.)

I then exported the GPOs, loaded a few VMs, imported the GPOs, and the
netdom command works always.

I then tried (in the lab) loading ADSIedit.msc, looking at the trust
object, and tried to change the trustAttribute manually; however, this
seems to be some sort of protected object and cannot be changed.

I am stumped!

Oh, and by the way, the TechNet doc on how to create a SID mapping file
only applies to ADMT v2 and not ADMT v3; it should be updated. I have now
written a small app to export the Domain SID + User RID from the domain
you are attempting to migrate so that you can use a SID mapping file.
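
Riccardo reads the quarantine state from the attr value that nltest /domain_trusts prints (0x4 on the trust that does not work). The PowerShell below is an added example, not part of this thread, that reads the same information straight from the trustAttributes attribute of each trustedDomain object under CN=System, which is the attribute netdom /quarantine toggles and the one he was looking at in ADSIedit. It decodes the documented flag bits alongside the quarantine bit so a trust audit shows at a glance which trusts have SID filtering enforced. It assumes a domain-joined machine with LDAP read access to the domain and PowerShell 3.0 or later; the flag names follow the MS-ADTS trustAttributes definition.

```powershell
# Added example, not code from the thread: enumerate trustedDomain objects in
# the local domain and decode trustAttributes, so the 0x4 (quarantined) bit
# seen in 'nltest /domain_trusts' can be checked directly in AD.
# Assumes a domain-joined machine with LDAP read access and PowerShell 3.0+.

# Bit values from the MS-ADTS trustAttributes definition
$TrustAttributeFlags = [ordered]@{
    0x0001 = 'NON_TRANSITIVE'
    0x0002 = 'UPLEVEL_ONLY'
    0x0004 = 'QUARANTINED_DOMAIN'   # SID filtering enforced (netdom /quarantine:yes)
    0x0008 = 'FOREST_TRANSITIVE'
    0x0010 = 'CROSS_ORGANIZATION'
    0x0020 = 'WITHIN_FOREST'
    0x0040 = 'TREAT_AS_EXTERNAL'
    0x0080 = 'USES_RC4_ENCRYPTION'
}

function ConvertFrom-TrustAttributes {
    param([Parameter(Mandatory)][int]$Value)
    $names = foreach ($bit in $TrustAttributeFlags.Keys) {
        if ($Value -band $bit) { $TrustAttributeFlags[$bit] }
    }
    if (-not $names) { $names = @('(none)') }
    [pscustomobject]@{
        Raw        = ('0x{0:x}' -f $Value)
        Flags      = ($names -join ', ')
        Quarantine = [bool]($Value -band 0x4)
    }
}

function Get-TrustSidFilteringState {
    # Trust objects live in the System container of the domain naming context
    $root   = [ADSI]'LDAP://RootDSE'
    $system = [ADSI]("LDAP://CN=System," + $root.defaultNamingContext)
    $search = New-Object System.DirectoryServices.DirectorySearcher($system)
    $search.Filter = '(objectClass=trustedDomain)'
    [void]$search.PropertiesToLoad.AddRange([string[]]@('name', 'trustDirection', 'trustAttributes'))
    foreach ($r in $search.FindAll()) {
        $decoded = ConvertFrom-TrustAttributes ([int]$r.Properties['trustattributes'][0])
        [pscustomobject]@{
            Trust                  = $r.Properties['name'][0]
            Direction              = $r.Properties['trustdirection'][0]   # 1=inbound 2=outbound 3=bidirectional
            Attributes             = $decoded.Raw
            Flags                  = $decoded.Flags
            SidFilteringQuarantine = $decoded.Quarantine
        }
    }
}

Get-TrustSidFilteringState | Format-Table -AutoSize
```

Reading the attribute with an ordinary domain account is enough to audit the setting; changing it still has to go through netdom, which is why the ADSIedit attempt in the lab failed. Running this before and after a netdom trust ... /quarantine command shows exactly which object and which bit the command touched, which answers the question from the first post about what changes where in AD.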


Vincent Xu [MSFT] wrote:
> Hi,
>
> SID filtering is enabled automatically on any trust relationships created
> by domain controllers running Windows 2000 Service Pack 4 or Windows Server
> 2003. Or, you can manually enable it by using the Netdom trust command line
> utility with the /EnableSIDHistory:no command line switch. To disable SID
> filtering (and thus enable SIDHistory), use the /EnableSIDHistory:yes
> switch.
>
> If even this level of SIDHistory accessibility is too much, you can impose
> even stricter limits on your trust relationships by enabling the Quarantine
> feature. (In this context, the Quarantine feature controls SID processing
> over trust relationships and shouldn't be confused with the Network Access
> Protection or Network Access Quarantine Control technologies that are used
> to control local and remote access connections.) By enabling Quarantine for
> a trust relationship, you are specifying that only SIDs from the exact
> domain on the other side of the trust are to be honored.In effect, enabling
> Quarantine on a trust relationship will break the transitivity of that
> trust, so that only the specific domains on either side of the trust are
> considered participants in the trust. Quarantine is disabled by default on
> all trust relationships; you can manually enable it by using the Netdom
> trust command line utility with the /quarantine:yes command line switch.
> Use the /quarantine:no switch to disable Quarantine on a trust relationship
> where it has already been enabled.
>
> I suspect that your problem is: you grant a group, which has the user
> account, the permission to access the old resource. After you migrate the
> user to the new domain, they are not part of the old group so that they
> lost the permission to access the old resource. Please feel free to correct
> me.
>
> If so, please check the share permission and NTFS permission of the old
> resource and let me know if you grant the permission to the user directly.
>
> If this is the issue, we need to re-ACL the resources.
>
> Since OldDomain\User1 is a built-in group we cannot use ADMT to migrate it.
> Fortunately, we are able to use Security Translation Wizard with a SID
> Mapping file to add the NewDomain\"Domain Users" group''s SID to the
> resources.
>
> To do so:
>
> 1. Get the SIDs of both OldDomain\"Domain Users" and NewDomain\"Domain
> Users". We can logon as OldDomain\User1, run "whoami.exe /all". From the
> return content, we can find the SID of OldDomain\"Domain Users". Please use
> this method to get the SID of NewDomain\"Domain Users".
>
> Note: whoami.exe is an utility from Windows 2000 Resource Kit Tools. If you
> do not have it, please let me know.
>
> 2. Create a SID mapping file (should be a txt file). We can name it
> sidmapping.txt.
>
> 3. Edit the SID mapping file in Notepad and input the following content:
>
> <SID of OldDomain\"Domain Users">, <SID of NewDomain\"Domain Users">
>
> Note: Please put the correct SIDs in the above line.
>
> 4. Run ADMT, choose "Security Translation Wizard".
>
> 5. On the "Security Translation Options" page, choose "Other objects
> specified in a file" and browse to select the sidmapping.txt file created
> in Step 2.
>
> 6. Follow the wizard to translate resources on ServerA.
>
> 7. Please check if the NewDomain\User1 has access to <\\ServerA\Share>.
>
> Let me know if you have any concerns or questions.
>
> Best regards,
>
> Vincent Xu
> Microsoft Online Partner Support
>
> ======================================================
> PLEASE NOTE: The partner managed newsgroups are provided to assist with
> break/fix issues and simple how to questions.
>
> We also love to hear your product feedback!
> Let us know what you think by posting
> from the web interface: Partner Feedback
> from your newsreader: microsoft.private.directaccess.partnerfeedback.
> We look forward to hearing from you!
> ======================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others
> may learn and benefit from this issue.
> ======================================================
> This posting is provided "AS IS" with no warranties,and confers no rights.
> ======================================================
>
>
>
> --------------------
>
>>>Message-ID: <443D4313.5020605@ajhsgdfkjsahgfksajh.sdjhfgsakjhdgfsadjhg.s>
>>>Date: Wed, 12 Apr 2006 20:12:35 +0200
>>>From: Riccardo

>
> <dskjfhadskjgaskjdhgf@ajhsgdfkjsahgfksajh.sdjhfgsakjhdgfsadjhg.s>
>
>>>User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
>>>X-Accept-Language: en-us, en
>>>MIME-Version: 1.0
>>>To: "Vincent Xu [MSFT]" <v-xuwen@online.microsoft.com>
>>>Subject: Re: SID History and SID Filtering questions (netdom)
>>>References: <ep3qkafXGHA.4988@TK2MSFTNGP05.phx.gbl>

>
> <F$s72RhXGHA.5252@TK2MSFTNGXA01.phx.gbl>
>
>>>In-Reply-To: <F$s72RhXGHA.5252@TK2MSFTNGXA01.phx.gbl>
>>>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>>Content-Transfer-Encoding: 7bit
>>>Newsgroups: microsoft.public.windows.server.migration
>>>NNTP-Posting-Host: dsl-146-103-45.telkomadsl.co.za 165.146.103.45
>>>Lines: 1
>>>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
>>>Xref: TK2MSFTNGXA01.phx.gbl

>
> microsoft.public.windows.server.migration:23291
>
>>>X-Tomcat-NG: microsoft.public.windows.server.migration
>>>
>>>
>>>Which Group ? > 1,Verify whether the group has been migrated
>>>I also get access denied with 2
>>>
>>>what is the difference between /quarantine:No and /enablesidhistory:yes?
>>>Vincent Xu [MSFT] wrote:
>>>
>>>>Hi,
>>>>
>>>>Netdom Syntax:
>>>>
>>>>Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No
>>>>
>>>>netdom trust trusted_domain /domain:trusting_domain

>
> /enablesidhistory:yes
>
>>>>since you get "Access denied" when you run "Netdom trust

>
> TrustingDomainName
>
>>>>/domain:TrustedDomainName /quarantine:No",
>>>>1,Verify whether the group has been migrated
>>>>2, Enable SID history by running : netdom trust trusted_domain
>>>>/domain:trusting_domain /enablesidhistory:yes
>>>>
>>>>
>>>>Let me know if you still have concern.
>>>>
>>>>
>>>>Best regards,
>>>>
>>>>Vincent Xu
>>>>Microsoft Online Partner Support
>>>>
>>>>======================================================
>>>>Get Secure! - www.microsoft.com/security
>>>>======================================================
>>>>When responding to posts, please "Reply to Group" via your newsreader

>
> so
>
>>>>that others
>>>>may learn and benefit from this issue.
>>>>======================================================
>>>>This posting is provided "AS IS" with no warranties,and confers no

>
> rights.
>
>>>>======================================================
>>>>
>>>>
>>>>
>>>>--------------------
>>>>
>>>>
>>>>>>Date: Wed, 12 Apr 2006 08:02:23 +0200
>>>>>>From: Riccardo
>>>>
>>>><dskjfhadskjgaskjdhgf@ajhsgdfkjsahgfksajh.sdjhfgsakjhdgfsadjhg.s>
>>>>
>>>>>>User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
>>>>>>X-Accept-Language: en-us, en
>>>>>>MIME-Version: 1.0
>>>>>>Subject: SID History and SID Filtering questions (netdom)
>>>>>>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>>>>>Content-Transfer-Encoding: 7bit
>>>>>>Message-ID: <ep3qkafXGHA.4988@TK2MSFTNGP05.phx.gbl>
>>>>>>Newsgroups: microsoft.public.windows.server.migration
>>>>>>NNTP-Posting-Host: dsl-146-103-45.telkomadsl.co.za 165.146.103.45
>>>>>>Lines: 1
>>>>>>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
>>>>>>Xref: TK2MSFTNGXA01.phx.gbl
>>>>
>>>>microsoft.public.windows.server.migration:23283
>>>>
>>>>
>>>>>>X-Tomcat-NG: microsoft.public.windows.server.migration
>>>>>>
>>>>>>
>>>>>>Hi, there seems to be very little in-depth technical docs on sid

>
> history
>
>>>>>>and sid filtering and I need some help!
>>>>>>
>>>>>>I am trying to get sidhistory to work between 2 domains a windows 2000
>>>>>>domain and a windows 2003sp1 domain, (we are moving from the windows
>>>>>>2000 domain)
>>>>>>
>>>>>>I have domain admin rights in both domains (and Enterprise admin in

>
> the
>
>>>>>>2003 domain)
>>>>>>
>>>>>>when I run the command ( in either domain)
>>>>>>netdom trust win200domain /Domain:Win2003Domain /Quarantine
>>>>>>
>>>>>>I get an Access Denied error.
>>>>>>I have tried the /userO and /userD options
>>>>>>
>>>>>>My questions are
>>>>>>1) Exactly where am I getting access denied?
>>>>>>2) when you run the command with a /Quarantine:YES what attribute/s

>
> are
>
>>>>>>changed where in AD?
>>>>>>
>>>>>>and what is the difference between the /Quarantine:NO and the
>>>>>>/EnableSidHistory:YES commands?
>>>>>>Do I need to run both?
>>>>>>What is the latest version of netdom? (I am using 5.2.3790.0)
>>>>>>
>>>>>>Oh and if anyone from Microsoft is reading this the following needs to
>>>>>>be updated to incorporate ADMT v3
>>>>>>
>>>>>>http://support.microsoft.com/default...b;en-us;835991
>>>>>>
>>>>>>Regards
>>>>>>Riccardo Moretti
>>>>>>
>>>>
>>>>

>

Reply With Quote
  #6  
Old 17-04-2006
Riccardo
 
Posts: n/a
Re: SID History and SID Filtering questions (netdom)

Thanks for the information, you are correct in what you are saying and
it is our migration strategy, We have 2 outbound domains one has the
quarantine disabled and the other (where SID history is not working) has
it enabled.
I ran nltest /domain_trusts and the domain that does not work has attr
(0x4) which means the Quarantine is set to YES.

The Other domain that works had its quarantine disabled about a year ago
and before SP1 of Windows 2003,
I dont undersand why I get an access denied (I am starting to suspect
group policy perhaps LSA or something)

I went to out lab environment and we had the same issue, I disabled the
group policies rebooted the lab DC's and tried the command, netdom ...
Success!!!! then I disabled the quarantine again re-enabled the GPO's
rebooted the DCs and ran the netdom again (so far no change) but now in
the lab I get unknown user or bad password when running the netdom
command. (These steps I cannot perform in production.)

I then Exported the GPO's loaded a few VM's imported the GPO's and the
netdom command works always.

I then tried (in the lab) loading ADSIedit.msc looking at the trust
object and tried to change the trustArrribute manually however this
seems to be some sort of protected object and cannot be changed.

I am stumped!

Oh and by the way the Technet doc on how to create a SID mapping file
only applies to ADMT v2 and Not ADMTv3 it should be updated, I have now
written a small app to export the Domain SID + User RID from the domain
you are attempting to migrate so that you can use a SID mapping file.


Vincent Xu [MSFT] wrote:
> Hi,
>
> SID filtering is enabled automatically on any trust relationships created
> by domain controllers running Windows 2000 Service Pack 4 or Windows Server
> 2003. Or, you can manually enable it by using the Netdom trust command line
> utility with the /EnableSIDHistory:no command line switch. To disable SID
> filtering (and thus enable SIDHistory), use the /EnableSIDHistory:yes
> switch.
>
> If even this level of SIDHistory accessibility is too much, you can impose
> even stricter limits on your trust relationships by enabling the Quarantine
> feature. (In this context, the Quarantine feature controls SID processing
> over trust relationships and shouldn't be confused with the Network Access
> Protection or Network Access Quarantine Control technologies that are used
> to control local and remote access connections.) By enabling Quarantine for
> a trust relationship, you are specifying that only SIDs from the exact
> domain on the other side of the trust are to be honored.In effect, enabling
> Quarantine on a trust relationship will break the transitivity of that
> trust, so that only the specific domains on either side of the trust are
> considered participants in the trust. Quarantine is disabled by default on
> all trust relationships; you can manually enable it by using the Netdom
> trust command line utility with the /quarantine:yes command line switch.
> Use the /quarantine:no switch to disable Quarantine on a trust relationship
> where it has already been enabled.
>
> I suspect that your problem is: you grant a group, which has the user
> account, the permission to access the old resource. After you migrate the
> user to the new domain, they are not part of the old group so that they
> lost the permission to access the old resource. Please feel free to correct
> me.
>
> If so, please check the share permission and NTFS permission of the old
> resource and let me know if you grant the permission to the user directly.
>
> If this is the issue, we need to re-ACL the resources.
>
> Since OldDomain\User1 is a built-in group we cannot use ADMT to migrate it.
> Fortunately, we are able to use Security Translation Wizard with a SID
> Mapping file to add the NewDomain\"Domain Users" group''s SID to the
> resources.
>
> To do so:
>
> 1. Get the SIDs of both OldDomain\"Domain Users" and NewDomain\"Domain
> Users". We can logon as OldDomain\User1, run "whoami.exe /all". From the
> return content, we can find the SID of OldDomain\"Domain Users". Please use
> this method to get the SID of NewDomain\"Domain Users".
>
> Note: whoami.exe is an utility from Windows 2000 Resource Kit Tools. If you
> do not have it, please let me know.
>
> 2. Create a SID mapping file (should be a txt file). We can name it
> sidmapping.txt.
>
> 3. Edit the SID mapping file in Notepad and input the following content:
>
> <SID of OldDomain\"Domain Users">, <SID of NewDomain\"Domain Users">
>
> Note: Please put the correct SIDs in the above line.
>
> 4. Run ADMT, choose "Security Translation Wizard".
>
> 5. On the "Security Translation Options" page, choose "Other objects
> specified in a file" and browse to select the sidmapping.txt file created
> in Step 2.
>
> 6. Follow the wizard to translate resources on ServerA.
>
> 7. Please check if the NewDomain\User1 has access to <\\ServerA\Share>.
>
> Let me know if you have any concerns or questions.
>
> Best regards,
>
> Vincent Xu
> Microsoft Online Partner Support
>
> ======================================================
> PLEASE NOTE: The partner managed newsgroups are provided to assist with
> break/fix issues and simple how to questions.
>
> We also love to hear your product feedback!
> Let us know what you think by posting
> from the web interface: Partner Feedback
> from your newsreader: microsoft.private.directaccess.partnerfeedback.
> We look forward to hearing from you!
> ======================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others
> may learn and benefit from this issue.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
> ======================================================
>
>
>
> --------------------
>
>>>Message-ID: <443D4313.5020605@ajhsgdfkjsahgfksajh.sdjhfgsakjhdgfsadjhg.s>
>>>Date: Wed, 12 Apr 2006 20:12:35 +0200
>>>From: Riccardo <dskjfhadskjgaskjdhgf@ajhsgdfkjsahgfksajh.sdjhfgsakjhdgfsadjhg.s>
>>>User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
>>>X-Accept-Language: en-us, en
>>>MIME-Version: 1.0
>>>To: "Vincent Xu [MSFT]" <v-xuwen@online.microsoft.com>
>>>Subject: Re: SID History and SID Filtering questions (netdom)
>>>References: <ep3qkafXGHA.4988@TK2MSFTNGP05.phx.gbl> <F$s72RhXGHA.5252@TK2MSFTNGXA01.phx.gbl>
>>>In-Reply-To: <F$s72RhXGHA.5252@TK2MSFTNGXA01.phx.gbl>
>>>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>>Content-Transfer-Encoding: 7bit
>>>Newsgroups: microsoft.public.windows.server.migration
>>>NNTP-Posting-Host: dsl-146-103-45.telkomadsl.co.za 165.146.103.45
>>>Lines: 1
>>>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
>>>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.migration:23291
>>>X-Tomcat-NG: microsoft.public.windows.server.migration
>>>
>>>
>>>Which Group ? > 1,Verify whether the group has been migrated
>>>I also get access denied with 2
>>>
>>>what is the difference between /quarantine:No and /enablesidhistory:yes?
>>>Vincent Xu [MSFT] wrote:
>>>
>>>>Hi,
>>>>
>>>>Netdom Syntax:
>>>>
>>>>Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No
>>>>
>>>>netdom trust trusted_domain /domain:trusting_domain /enablesidhistory:yes
>>>>since you get "Access denied" when you run "Netdom trust TrustingDomainName
>>>>/domain:TrustedDomainName /quarantine:No",
>>>>1,Verify whether the group has been migrated
>>>>2, Enable SID history by running : netdom trust trusted_domain
>>>>/domain:trusting_domain /enablesidhistory:yes
>>>>
>>>>
>>>>Let me know if you still have concern.
>>>>
>>>>
>>>>Best regards,
>>>>
>>>>Vincent Xu
>>>>Microsoft Online Partner Support
>>>>
>>>>======================================================
>>>>Get Secure! - www.microsoft.com/security
>>>>======================================================
>>>>When responding to posts, please "Reply to Group" via your newsreader so
>>>>that others may learn and benefit from this issue.
>>>>======================================================
>>>>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>>>>======================================================
>>>>
>>>>
>>>>
>>>>--------------------
>>>>
>>>>
>>>>>>Date: Wed, 12 Apr 2006 08:02:23 +0200
>>>>>>From: Riccardo <dskjfhadskjgaskjdhgf@ajhsgdfkjsahgfksajh.sdjhfgsakjhdgfsadjhg.s>
>>>>
>>>>>>User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
>>>>>>X-Accept-Language: en-us, en
>>>>>>MIME-Version: 1.0
>>>>>>Subject: SID History and SID Filtering questions (netdom)
>>>>>>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>>>>>Content-Transfer-Encoding: 7bit
>>>>>>Message-ID: <ep3qkafXGHA.4988@TK2MSFTNGP05.phx.gbl>
>>>>>>Newsgroups: microsoft.public.windows.server.migration
>>>>>>NNTP-Posting-Host: dsl-146-103-45.telkomadsl.co.za 165.146.103.45
>>>>>>Lines: 1
>>>>>>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
>>>>>>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.migration:23283
>>>>
>>>>
>>>>>>X-Tomcat-NG: microsoft.public.windows.server.migration
>>>>>>
>>>>>>
>>>>>>Hi, there seems to be very little in-depth technical docs on sid history
>>>>>>and sid filtering and I need some help!
>>>>>>
>>>>>>I am trying to get sidhistory to work between 2 domains a windows 2000
>>>>>>domain and a windows 2003sp1 domain, (we are moving from the windows
>>>>>>2000 domain)
>>>>>>
>>>>>>I have domain admin rights in both domains (and Enterprise admin in the
>>>>>>2003 domain)
>>>>>>
>>>>>>when I run the command ( in either domain)
>>>>>>netdom trust win200domain /Domain:Win2003Domain /Quarantine
>>>>>>
>>>>>>I get an Access Denied error.
>>>>>>I have tried the /userO and /userD options
>>>>>>
>>>>>>My questions are
>>>>>>1) Exactly where am I getting access denied?
>>>>>>2) when you run the command with a /Quarantine:YES what attribute/s are
>>>>>>changed where in AD?
>>>>>>
>>>>>>and what is the difference between the /Quarantine:NO and the
>>>>>>/EnableSidHistory:YES commands?
>>>>>>Do I need to run both?
>>>>>>What is the latest version of netdom? (I am using 5.2.3790.0)
>>>>>>
>>>>>>Oh and if anyone from Microsoft is reading this the following needs to
>>>>>>be updated to incorporate ADMT v3
>>>>>>
>>>>>>http://support.microsoft.com/default...b;en-us;835991
>>>>>>
>>>>>>Regards
>>>>>>Riccardo Moretti
>>>>>>
Reply With Quote
  #7  
Old 17-04-2006
Riccardo
 
Posts: n/a
Re: SID History and SID Filtering questions (netdom)

Thanks for the information, you are correct in what you are saying and
it is our migration strategy. We have 2 outbound domains: one has the
quarantine disabled and the other (where SID history is not working) has
it enabled.
I ran nltest /domain_trusts and the domain that does not work has attr
(0x4) which means the Quarantine is set to YES.

The other domain that works had its quarantine disabled about a year ago
and before SP1 of Windows 2003.
I don't understand why I get an access denied (I am starting to suspect
group policy, perhaps LSA or something).

I went to our lab environment and we had the same issue. I disabled the
group policies, rebooted the lab DCs and tried the command, netdom ...
Success!!!! Then I disabled the quarantine again, re-enabled the GPOs,
rebooted the DCs and ran the netdom again (so far no change), but now in
the lab I get unknown user or bad password when running the netdom
command. (These steps I cannot perform in production.)

I then exported the GPOs, loaded a few VMs, imported the GPOs and the
netdom command works always.

I then tried (in the lab) loading ADSIedit.msc, looking at the trust
object, and tried to change the trustAttributes manually; however this
seems to be some sort of protected object and cannot be changed.

I am stumped!

Oh and by the way the TechNet doc on how to create a SID mapping file
only applies to ADMT v2 and not ADMT v3; it should be updated. I have now
written a small app to export the Domain SID + User RID from the domain
you are attempting to migrate so that you can use a SID mapping file.


Vincent Xu [MSFT] wrote:
> Hi,
>
> SID filtering is enabled automatically on any trust relationships created
> by domain controllers running Windows 2000 Service Pack 4 or Windows Server
> 2003. Or, you can manually enable it by using the Netdom trust command line
> utility with the /EnableSIDHistory:no command line switch. To disable SID
> filtering (and thus enable SIDHistory), use the /EnableSIDHistory:yes
> switch.
>
> If even this level of SIDHistory accessibility is too much, you can impose
> even stricter limits on your trust relationships by enabling the Quarantine
> feature. (In this context, the Quarantine feature controls SID processing
> over trust relationships and shouldn't be confused with the Network Access
> Protection or Network Access Quarantine Control technologies that are used
> to control local and remote access connections.) By enabling Quarantine for
> a trust relationship, you are specifying that only SIDs from the exact
> domain on the other side of the trust are to be honored. In effect, enabling
> Quarantine on a trust relationship will break the transitivity of that
> trust, so that only the specific domains on either side of the trust are
> considered participants in the trust. Quarantine is disabled by default on
> all trust relationships; you can manually enable it by using the Netdom
> trust command line utility with the /quarantine:yes command line switch.
> Use the /quarantine:no switch to disable Quarantine on a trust relationship
> where it has already been enabled.
>
> I suspect that your problem is: you grant a group, which has the user
> account, the permission to access the old resource. After you migrate the
> user to the new domain, they are not part of the old group so that they
> lost the permission to access the old resource. Please feel free to correct
> me.
>
> If so, please check the share permission and NTFS permission of the old
> resource and let me know if you grant the permission to the user directly.
>
> If this is the issue, we need to re-ACL the resources.
>
> Since OldDomain\User1 is a built-in group we cannot use ADMT to migrate it.
> Fortunately, we are able to use Security Translation Wizard with a SID
> Mapping file to add the NewDomain\"Domain Users" group's SID to the
> resources.
>
> To do so:
>
> 1. Get the SIDs of both OldDomain\"Domain Users" and NewDomain\"Domain
> Users". We can logon as OldDomain\User1, run "whoami.exe /all". From the
> return content, we can find the SID of OldDomain\"Domain Users". Please use
> this method to get the SID of NewDomain\"Domain Users".
>
> Note: whoami.exe is a utility from Windows 2000 Resource Kit Tools. If you
> do not have it, please let me know.
>
> 2. Create a SID mapping file (should be a txt file). We can name it
> sidmapping.txt.
>
> 3. Edit the SID mapping file in Notepad and input the following content:
>
> <SID of OldDomain\"Domain Users">, <SID of NewDomain\"Domain Users">
>
> Note: Please put the correct SIDs in the above line.
>
> 4. Run ADMT, choose "Security Translation Wizard".
>
> 5. On the "Security Translation Options" page, choose "Other objects
> specified in a file" and browse to select the sidmapping.txt file created
> in Step 2.
>
> 6. Follow the wizard to translate resources on ServerA.
>
> 7. Please check if the NewDomain\User1 has access to <\\ServerA\Share>.
>
> Let me know if you have any concerns or questions.
>
> Best regards,
>
> Vincent Xu
> Microsoft Online Partner Support
>
> ======================================================
> PLEASE NOTE: The partner managed newsgroups are provided to assist with
> break/fix issues and simple how to questions.
>
> We also love to hear your product feedback!
> Let us know what you think by posting
> from the web interface: Partner Feedback
> from your newsreader: microsoft.private.directaccess.partnerfeedback.
> We look forward to hearing from you!
> ======================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others
> may learn and benefit from this issue.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
> ======================================================
>
>
>
> --------------------
>
>>>Message-ID: <443D4313.5020605@ajhsgdfkjsahgfksajh.sdjhfgsakjhdgfsadjhg.s>
>>>Date: Wed, 12 Apr 2006 20:12:35 +0200
>>>From: Riccardo <dskjfhadskjgaskjdhgf@ajhsgdfkjsahgfksajh.sdjhfgsakjhdgfsadjhg.s>
>>>User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
>>>X-Accept-Language: en-us, en
>>>MIME-Version: 1.0
>>>To: "Vincent Xu [MSFT]" <v-xuwen@online.microsoft.com>
>>>Subject: Re: SID History and SID Filtering questions (netdom)
>>>References: <ep3qkafXGHA.4988@TK2MSFTNGP05.phx.gbl> <F$s72RhXGHA.5252@TK2MSFTNGXA01.phx.gbl>
>>>In-Reply-To: <F$s72RhXGHA.5252@TK2MSFTNGXA01.phx.gbl>
>>>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>>Content-Transfer-Encoding: 7bit
>>>Newsgroups: microsoft.public.windows.server.migration
>>>NNTP-Posting-Host: dsl-146-103-45.telkomadsl.co.za 165.146.103.45
>>>Lines: 1
>>>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
>>>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.migration:23291
>
>>>X-Tomcat-NG: microsoft.public.windows.server.migration
>>>
>>>
>>>Which Group ? > 1,Verify whether the group has been migrated
>>>I also get access denied with 2
>>>
>>>what is the difference between /quarantine:No and /enablesidhistory:yes?
>>>Vincent Xu [MSFT] wrote:
>>>
>>>>Hi,
>>>>
>>>>Netdom Syntax:
>>>>
>>>>Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No
>>>>
>>>>netdom trust trusted_domain /domain:trusting_domain /enablesidhistory:yes
>>>>since you get "Access denied" when you run "Netdom trust TrustingDomainName
>>>>/domain:TrustedDomainName /quarantine:No",
>>>>1,Verify whether the group has been migrated
>>>>2, Enable SID history by running : netdom trust trusted_domain
>>>>/domain:trusting_domain /enablesidhistory:yes
>>>>
>>>>
>>>>Let me know if you still have concern.
>>>>
>>>>
>>>>Best regards,
>>>>
>>>>Vincent Xu
>>>>Microsoft Online Partner Support
>>>>
>>>>======================================================
>>>>Get Secure! - www.microsoft.com/security
>>>>======================================================
>>>>When responding to posts, please "Reply to Group" via your newsreader so
>>>>that others may learn and benefit from this issue.
>>>>======================================================
>>>>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>>>>======================================================
>>>>
>>>>
>>>>
>>>>--------------------
>>>>
>>>>
>>>>>>Date: Wed, 12 Apr 2006 08:02:23 +0200
>>>>>>From: Riccardo <dskjfhadskjgaskjdhgf@ajhsgdfkjsahgfksajh.sdjhfgsakjhdgfsadjhg.s>
>>>>
>>>>>>User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
>>>>>>X-Accept-Language: en-us, en
>>>>>>MIME-Version: 1.0
>>>>>>Subject: SID History and SID Filtering questions (netdom)
>>>>>>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>>>>>Content-Transfer-Encoding: 7bit
>>>>>>Message-ID: <ep3qkafXGHA.4988@TK2MSFTNGP05.phx.gbl>
>>>>>>Newsgroups: microsoft.public.windows.server.migration
>>>>>>NNTP-Posting-Host: dsl-146-103-45.telkomadsl.co.za 165.146.103.45
>>>>>>Lines: 1
>>>>>>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
>>>>>>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.migration:23283
>>>>
>>>>
>>>>>>X-Tomcat-NG: microsoft.public.windows.server.migration
>>>>>>
>>>>>>
>>>>>>Hi, there seems to be very little in-depth technical docs on sid history
>>>>>>and sid filtering and I need some help!
>>>>>>
>>>>>>I am trying to get sidhistory to work between 2 domains a windows 2000
>>>>>>domain and a windows 2003sp1 domain, (we are moving from the windows
>>>>>>2000 domain)
>>>>>>
>>>>>>I have domain admin rights in both domains (and Enterprise admin in the
>>>>>>2003 domain)
>>>>>>
>>>>>>when I run the command ( in either domain)
>>>>>>netdom trust win200domain /Domain:Win2003Domain /Quarantine
>>>>>>
>>>>>>I get an Access Denied error.
>>>>>>I have tried the /userO and /userD options
>>>>>>
>>>>>>My questions are
>>>>>>1) Exactly where am I getting access denied?
>>>>>>2) when you run the command with a /Quarantine:YES what attribute/s are
>>>>>>changed where in AD?
>>>>>>
>>>>>>and what is the difference between the /Quarantine:NO and the
>>>>>>/EnableSidHistory:YES commands?
>>>>>>Do I need to run both?
>>>>>>What is the latest version of netdom? (I am using 5.2.3790.0)
>>>>>>
>>>>>>Oh and if anyone from Microsoft is reading this the following needs to
>>>>>>be updated to incorporate ADMT v3
>>>>>>
>>>>>>http://support.microsoft.com/default...b;en-us;835991
>>>>>>
>>>>>>Regards
>>>>>>Riccardo Moretti
>>>>>>
Reply With Quote
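The attr value Riccardo reads from nltest /domain_trusts (0x4) is the QUARANTINED_DOMAIN bit of the trust object's trustAttributes attribute, which is what netdom trust /quarantine:yes sets and /quarantine:no clears; SID history over a forest trust is governed by a different bit (TREAT_AS_EXTERNAL, 0x40), which is the one /enablesidhistory is for. The script below is an added example for this thread, not code posted by any participant and not Riccardo's app: it decodes a trustAttributes value into flag names (names as Microsoft documents them for trustAttributes in MS-ADTS), pulls a group SID out of whoami /all output as in Vincent's step 1, and writes the "<source SID>, <target SID>" lines of an ADMT SID mapping file from a domain SID plus RID, as Riccardo describes doing. The two domain SIDs, the whoami output and the RID pairs are constructed sample data, not values from the thread.

```python
"""Decode trustAttributes and build an ADMT SID mapping file.

Added example for this thread (not code posted by any participant).
Flag names follow Microsoft's trustAttributes documentation (MS-ADTS);
all SIDs and the whoami output below are constructed sample data.
"""
import re

# trustAttributes bits on the trustedDomain object. nltest /domain_trusts
# prints the same integer as "Attr: 0x..".
TRUST_ATTRIBUTES = {
    0x01: "NON_TRANSITIVE",
    0x02: "UPLEVEL_ONLY",
    0x04: "QUARANTINED_DOMAIN",   # SID filtering quarantine (netdom /quarantine:yes)
    0x08: "FOREST_TRANSITIVE",
    0x10: "CROSS_ORGANIZATION",
    0x20: "WITHIN_FOREST",
    0x40: "TREAT_AS_EXTERNAL",    # SID history over a forest trust
    0x80: "USES_RC4_ENCRYPTION",
}
TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04

# Domain-style SID: S-1-5-21-<three sub-authorities>[-RID]
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(?:-(\d+))?$")

# Constructed sample data (not real domains).
OLD_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"
WHOAMI_SAMPLE = """\
Group Name              Type             SID                                           Attributes
======================= ================ ============================================= ==========
Everyone                Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
OLDDOMAIN\\Domain Users  Group            S-1-5-21-1111111111-2222222222-3333333333-513 Mandatory group, Enabled by default, Enabled group
"""


def decode_trust_attributes(value):
    """Return the flag names set in a trustAttributes value, lowest bit first."""
    names = [name for bit, name in sorted(TRUST_ATTRIBUTES.items()) if value & bit]
    unknown = value & ~sum(TRUST_ATTRIBUTES)
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names


def sid_filtering_quarantined(value):
    """True when the trust carries the quarantine bit nltest shows as attr 0x4."""
    return bool(value & TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)


def split_sid(sid):
    """Split an account SID into (domain SID, RID); a bare domain SID gives RID None."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain-style SID: %r" % sid)
    if m.group(1) is None:
        return sid, None
    return sid[: sid.rfind("-")], int(m.group(1))


def sid_from_whoami(output, account):
    """Pick the SID of one account out of 'whoami /all' group output."""
    for line in output.splitlines():
        if line.lower().startswith(account.lower()):
            m = re.search(r"S-1-5-21-\d+-\d+-\d+-\d+", line)
            if m:
                return m.group(0)
    raise LookupError("account %r not found in whoami output" % account)


def build_sid_mapping(old_domain_sid, new_domain_sid, rid_pairs):
    """Return SID mapping file text, one '<source SID>, <target SID>' line per pair.

    rid_pairs holds (source RID, target RID). Well-known RIDs such as 513
    (Domain Users) are the same in both domains; a migrated user gets a new
    RID in the target domain, so its pair differs.
    """
    for dom in (old_domain_sid, new_domain_sid):
        if split_sid(dom)[1] is not None:
            raise ValueError("expected a domain SID, got an account SID: %r" % dom)
    return "".join(
        "%s-%d, %s-%d\n" % (old_domain_sid, old_rid, new_domain_sid, new_rid)
        for old_rid, new_rid in rid_pairs
    )


if __name__ == "__main__":
    print("attr 0x4 ->", decode_trust_attributes(0x4))
    old_users = sid_from_whoami(WHOAMI_SAMPLE, "OLDDOMAIN\\Domain Users")
    domain, rid = split_sid(old_users)
    print("Domain Users:", domain, "RID", rid)
    # (513, 513) maps Domain Users; (1105, 1183) stands for a migrated user whose RID changed.
    print(build_sid_mapping(OLD_DOMAIN_SID, NEW_DOMAIN_SID, [(513, 513), (1105, 1183)]), end="")
```

Redirect the last print to sidmapping.txt to get the file ADMT's Security Translation Wizard expects; on a live domain the domain SID is the account SID of any domain object with its RID removed, which is exactly what split_sid returns.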
  #9  
Old 17-04-2006
Riccardo
 
Posts: n/a
Re: SID History and SID Filtering questions (netdom)

Thanks for the information, you are correct in what you are saying and
it is our migration strategy. We have 2 outbound domains: one has the
quarantine disabled and the other (where SID history is not working) has
it enabled.
I ran nltest /domain_trusts and the domain that does not work has attr
(0x4) which means the Quarantine is set to YES.

The other domain that works had its quarantine disabled about a year ago
and before SP1 of Windows 2003.
I don't understand why I get an access denied (I am starting to suspect
group policy, perhaps LSA or something).

I went to our lab environment and we had the same issue. I disabled the
group policies, rebooted the lab DCs and tried the command, netdom ...
Success!!!! Then I disabled the quarantine again, re-enabled the GPOs,
rebooted the DCs and ran the netdom again (so far no change), but now in
the lab I get unknown user or bad password when running the netdom
command. (These steps I cannot perform in production.)

I then exported the GPOs, loaded a few VMs, imported the GPOs and the
netdom command works always.

I then tried (in the lab) loading ADSIedit.msc, looking at the trust
object, and tried to change the trustAttributes manually; however this
seems to be some sort of protected object and cannot be changed.

I am stumped!

Oh and by the way the TechNet doc on how to create a SID mapping file
only applies to ADMT v2 and not ADMT v3; it should be updated. I have now
written a small app to export the Domain SID + User RID from the domain
you are attempting to migrate so that you can use a SID mapping file.


Vincent Xu [MSFT] wrote:
> Hi,
>
> SID filtering is enabled automatically on any trust relationships created
> by domain controllers running Windows 2000 Service Pack 4 or Windows Server
> 2003. Or, you can manually enable it by using the Netdom trust command line
> utility with the /EnableSIDHistory:no command line switch. To disable SID
> filtering (and thus enable SIDHistory), use the /EnableSIDHistory:yes
> switch.
>
> If even this level of SIDHistory accessibility is too much, you can impose
> even stricter limits on your trust relationships by enabling the Quarantine
> feature. (In this context, the Quarantine feature controls SID processing
> over trust relationships and shouldn't be confused with the Network Access
> Protection or Network Access Quarantine Control technologies that are used
> to control local and remote access connections.) By enabling Quarantine for
> a trust relationship, you are specifying that only SIDs from the exact
> domain on the other side of the trust are to be honored. In effect, enabling
> Quarantine on a trust relationship will break the transitivity of that
> trust, so that only the specific domains on either side of the trust are
> considered participants in the trust. Quarantine is disabled by default on
> all trust relationships; you can manually enable it by using the Netdom
> trust command line utility with the /quarantine:yes command line switch.
> Use the /quarantine:no switch to disable Quarantine on a trust relationship
> where it has already been enabled.
>
> I suspect that your problem is: you grant a group, which has the user
> account, the permission to access the old resource. After you migrate the
> user to the new domain, they are not part of the old group so that they
> lost the permission to access the old resource. Please feel free to correct
> me.
>
> If so, please check the share permission and NTFS permission of the old
> resource and let me know if you grant the permission to the user directly.
>
> If this is the issue, we need to re-ACL the resources.
>
> Since OldDomain\User1 is a built-in group we cannot use ADMT to migrate it.
> Fortunately, we are able to use Security Translation Wizard with a SID
> Mapping file to add the NewDomain\"Domain Users" group's SID to the
> resources.
>
> To do so:
>
> 1. Get the SIDs of both OldDomain\"Domain Users" and NewDomain\"Domain
> Users". We can logon as OldDomain\User1, run "whoami.exe /all". From the
> return content, we can find the SID of OldDomain\"Domain Users". Please use
> this method to get the SID of NewDomain\"Domain Users".
>
> Note: whoami.exe is a utility from Windows 2000 Resource Kit Tools. If you
> do not have it, please let me know.
>
> 2. Create a SID mapping file (should be a txt file). We can name it
> sidmapping.txt.
>
> 3. Edit the SID mapping file in Notepad and input the following content:
>
> <SID of OldDomain\"Domain Users">, <SID of NewDomain\"Domain Users">
>
> Note: Please put the correct SIDs in the above line.
>
> 4. Run ADMT, choose "Security Translation Wizard".
>
> 5. On the "Security Translation Options" page, choose "Other objects
> specified in a file" and browse to select the sidmapping.txt file created
> in Step 2.
>
> 6. Follow the wizard to translate resources on ServerA.
>
> 7. Please check if the NewDomain\User1 has access to <\\ServerA\Share>.
>
> Let me know if you have any concerns or questions.
>
> Best regards,
>
> Vincent Xu
> Microsoft Online Partner Support
>
> ======================================================
> PLEASE NOTE: The partner managed newsgroups are provided to assist with
> break/fix issues and simple how to questions.
>
> We also love to hear your product feedback!
> Let us know what you think by posting
> from the web interface: Partner Feedback
> from your newsreader: microsoft.private.directaccess.partnerfeedback.
> We look forward to hearing from you!
> ======================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others
> may learn and benefit from this issue.
> ======================================================
> This posting is provided "AS IS" with no warranties,and confers no rights.
> ======================================================
>
>
>
> --------------------
> On Wed, 12 Apr 2006, Riccardo wrote:
>>>Which Group ? > 1,Verify whether the group has been migrated
>>>I also get access denied with 2
>>>
>>>what is the difference between /quarantine:No and /enablesidhistory:yes?
>>>Vincent Xu [MSFT] wrote:
>>>
>>>>Hi,
>>>>
>>>>Netdom Syntax:
>>>>
>>>>Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No
>>>>
>>>>netdom trust trusted_domain /domain:trusting_domain /enablesidhistory:yes
>>>>
>>>>since you get "Access denied" when you run "Netdom trust TrustingDomainName
>>>>/domain:TrustedDomainName /quarantine:No",
>>>>1,Verify whether the group has been migrated
>>>>2, Enable SID history by running : netdom trust trusted_domain
>>>>/domain:trusting_domain /enablesidhistory:yes
>>>>
>>>>
>>>>Let me know if you still have concern.
>>>>
>>>>
>>>>Best regards,
>>>>
>>>>Vincent Xu
>>>>Microsoft Online Partner Support
>>>>
>>>>======================================================
>>>>Get Secure! - www.microsoft.com/security
>>>>======================================================
>>>>
>>>>--------------------
>>>>On Wed, 12 Apr 2006, Riccardo wrote:
>>>>>>Hi, there seems to be very little in-depth technical docs on sid history
>>>>>>and sid filtering and I need some help!
>>>>>>
>>>>>>I am trying to get sidhistory to work between 2 domains a windows 2000
>>>>>>domain and a windows 2003sp1 domain, (we are moving from the windows
>>>>>>2000 domain)
>>>>>>
>>>>>>I have domain admin rights in both domains (and Enterprise admin in the
>>>>>>2003 domain)
>>>>>>
>>>>>>when I run the command ( in either domain)
>>>>>>netdom trust win200domain /Domain:Win2003Domain /Quarantine
>>>>>>
>>>>>>I get an Access Denied error.
>>>>>>I have tried the /userO and /userD options
>>>>>>
>>>>>>My questions are
>>>>>>1) Exactly where am I getting access denied?
>>>>>>2) when you run the command with a /Quarantine:YES what attribute/s are
>>>>>>changed where in AD?
>>>>>>
>>>>>>and what is the difference between the /Quarantine:NO and the
>>>>>>/EnableSidHistory:YES commands?
>>>>>>Do I need to run both?
>>>>>>What is the latest version of netdom? (I am using 5.2.3790.0)
>>>>>>
>>>>>>Oh and if anyone from Microsoft is reading this the following needs to
>>>>>>be updated to incorporate ADMT v3
>>>>>>
>>>>>>http://support.microsoft.com/default...b;en-us;835991
>>>>>>
>>>>>>Regards
>>>>>>Riccardo Moretti
  #10  
Old 17-04-2006
Vincent Xu [MSFT]
 
Posts: n/a
Re: SID History and SID Filtering questions (netdom)

Hi Riccardo,

Regarding generating the SID mapping file, there are some differences between
ADMT v2 and v3:

1. Database connection string.
2. Database structure.

Connection string:

ADMT v2: objConnection.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=C:\Program Files\Active Directory Migration Tool\Protar.mdb"

ADMT v3: objConnection.Open "Provider=SQLOLEDB;Data Source=(the box running
ADMT);Initial Catalog=ADMT;Integrated Security=SSPI"

Database structure:

Technote article 835991 details a VBScript that pulls data from ADMT's
MigratedObjects table and writes the SID mapping file. However, ADMT v3
moved the SourceDomainSID, SourceRID, TargetDomain, and TargetSamName
values out of the MigratedObjects table.

I think you have to write a SQL query to process the SourceObjectId and
TargetObjectId values in the MigratedObjects table, pulling the related
values from the Objects and Domain tables into a new SidMap table that I
created in the ADMT database, and then modify the vbscript to generate the
SID mapping file using the new SidMap table.

Best regards,

Vincent Xu
Microsoft Online Partner Support


--------------------
On Mon, 17 Apr 2006, Riccardo wrote:
>>Thanks for the information, you are correct in what you are saying and
>>it is our migration strategy. We have 2 outbound domains: one has the
>>quarantine disabled and the other (where SID history is not working) has
>>it enabled.
>>I ran nltest /domain_trusts and the domain that does not work has attr
>>(0x4) which means the Quarantine is set to YES.
>>
>>The other domain that works had its quarantine disabled about a year ago
>>and before SP1 of Windows 2003.
>>I don't understand why I get an access denied (I am starting to suspect
>>group policy, perhaps LSA or something).
>>
>>I went to our lab environment and we had the same issue. I disabled the
>>group policies, rebooted the lab DCs and tried the command, netdom ...
>>Success!!!! Then I disabled the quarantine again, re-enabled the GPOs,
>>rebooted the DCs and ran the netdom again (so far no change), but now in
>>the lab I get unknown user or bad password when running the netdom
>>command. (These steps I cannot perform in production.)
>>
>>I then exported the GPOs, loaded a few VMs, imported the GPOs and the
>>netdom command works always.
>>
>>I then tried (in the lab) loading ADSIedit.msc, looking at the trust
>>object and tried to change the trustAttributes manually, however this
>>seems to be some sort of protected object and cannot be changed.
>>
>>I am stumped!
>>
>>Oh and by the way the Technet doc on how to create a SID mapping file
>>only applies to ADMT v2 and not ADMT v3; it should be updated. I have now
>>written a small app to export the Domain SID + User RID from the domain
>>you are attempting to migrate so that you can use a SID mapping file.
>>
>>
>>Vincent Xu [MSFT] wrote:
>>> Hi,
>>>
>>> SID filtering is enabled automatically on any trust relationships created
>>> by domain controllers running Windows 2000 Service Pack 4 or Windows Server
>>> 2003. Or, you can manually enable it by using the Netdom trust command line
>>> utility with the /EnableSIDHistory:no command line switch. To disable SID
>>> filtering (and thus enable SIDHistory), use the /EnableSIDHistory:yes
>>> switch.
>>>
>>> If even this level of SIDHistory accessibility is too much, you can impose
>>> even stricter limits on your trust relationships by enabling the Quarantine
>>> feature. (In this context, the Quarantine feature controls SID processing
>>> over trust relationships and shouldn't be confused with the Network Access
>>> Protection or Network Access Quarantine Control technologies that are used
>>> to control local and remote access connections.) By enabling Quarantine for
>>> a trust relationship, you are specifying that only SIDs from the exact
>>> domain on the other side of the trust are to be honored. In effect, enabling
>>> Quarantine on a trust relationship will break the transitivity of that
>>> trust, so that only the specific domains on either side of the trust are
>>> considered participants in the trust. Quarantine is disabled by default on
>>> all trust relationships; you can manually enable it by using the Netdom
>>> trust command line utility with the /quarantine:yes command line switch.
>>> Use the /quarantine:no switch to disable Quarantine on a trust relationship
>>> where it has already been enabled.
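The ADMT v3 join Vincent describes in the post above (MigratedObjects joined to Objects and Domain, materialised as a SidMap table) and the "OldSID, NewSID" file format from the earlier Security Translation Wizard steps, as an added example in Python rather than the KB's VBScript. This is not ADMT's own code: the column names assumed for the Objects and Domain tables (ObjectId, DomainId, Rid, DomainSid) are guesses for illustration and must be checked against the real ADMT database, and the in-memory SQLite stand-in is constructed so the block runs offline. It also generalises the manual "Domain Users" line from the thread: built-in groups ADMT will not migrate are mapped by well-known RID directly.

```python
"""ADMT SID mapping file from ADMT-v3-style tables (added example, not ADMT code).

The column names on Objects/Domain below are ASSUMPTIONS for illustration;
confirm the real schema against your ADMT database before using the query.
"""
import sqlite3
from typing import Iterable, List, Sequence, Tuple

DOMAIN_SID_PREFIX = "S-1-5-21-"   # every AD domain SID starts with this
DOMAIN_USERS_RID = 513            # well-known RID of "Domain Users"


def build_sid(domain_sid: str, rid: int) -> str:
    """Object SID = domain SID + '-' + RID, e.g. S-1-5-21-a-b-c-1105."""
    if not domain_sid.startswith(DOMAIN_SID_PREFIX):
        raise ValueError(f"not a domain SID: {domain_sid}")
    return f"{domain_sid}-{int(rid)}"


def sid_map_rows(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """(old SID, new SID) for every migrated object.

    ADMT v3 keeps only SourceObjectId/TargetObjectId in MigratedObjects, so the
    domain SID and RID have to be pulled in from Objects and Domain (assumed
    columns). This is the hand-written query the post refers to; the SidMap
    table mentioned there is just this result materialised.
    """
    sql = """
        SELECT sd.DomainSid, so.Rid, td.DomainSid, tgt.Rid
        FROM MigratedObjects AS m
        JOIN Objects AS so  ON so.ObjectId  = m.SourceObjectId
        JOIN Objects AS tgt ON tgt.ObjectId = m.TargetObjectId
        JOIN Domain  AS sd  ON sd.DomainId  = so.DomainId
        JOIN Domain  AS td  ON td.DomainId  = tgt.DomainId
        ORDER BY so.Rid
    """
    return [(build_sid(s_dom, s_rid), build_sid(t_dom, t_rid))
            for s_dom, s_rid, t_dom, t_rid in conn.execute(sql)]


def well_known_rows(old_domain_sid: str, new_domain_sid: str,
                    rids: Sequence[int] = (DOMAIN_USERS_RID,)) -> List[Tuple[str, str]]:
    """Built-in groups are not migrated by ADMT, so map them by RID directly
    (the manual 'Domain Users' line from the thread, generalised to any RIDs)."""
    return [(build_sid(old_domain_sid, r), build_sid(new_domain_sid, r)) for r in rids]


def render_sid_mapping(rows: Iterable[Tuple[str, str]]) -> str:
    """One 'OldSID, NewSID' line per pair: the format the Security Translation
    Wizard reads under 'Other objects specified in a file'."""
    return "".join(f"{old}, {new}\n" for old, new in rows)


def write_sid_mapping_file(rows: Iterable[Tuple[str, str]], path: str) -> int:
    """Write the file with CRLF line endings for the Windows-side tool; returns the line count."""
    text = render_sid_mapping(rows)
    with open(path, "w", encoding="ascii", newline="\r\n") as f:
        f.write(text)
    return text.count("\n")


def demo_connection() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the ADMT v3 database (assumed schema, made-up SIDs)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Domain          (DomainId INTEGER PRIMARY KEY, DomainSid TEXT);
        CREATE TABLE Objects         (ObjectId INTEGER PRIMARY KEY, DomainId INTEGER,
                                      Rid INTEGER, SamName TEXT);
        CREATE TABLE MigratedObjects (SourceObjectId INTEGER, TargetObjectId INTEGER);
        INSERT INTO Domain VALUES (1, 'S-1-5-21-1111111111-2222222222-3333333333'); -- OldDomain
        INSERT INTO Domain VALUES (2, 'S-1-5-21-4444444444-5555555555-6666666666'); -- NewDomain
        INSERT INTO Objects VALUES (10, 1, 1105, 'user1'), (11, 1, 1106, 'user2');
        INSERT INTO Objects VALUES (20, 2, 1304, 'user1'), (21, 2, 1305, 'user2');
        INSERT INTO MigratedObjects VALUES (10, 20), (11, 21);
    """)
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    old_sid = conn.execute("SELECT DomainSid FROM Domain WHERE DomainId = 1").fetchone()[0]
    new_sid = conn.execute("SELECT DomainSid FROM Domain WHERE DomainId = 2").fetchone()[0]
    rows = sid_map_rows(conn) + well_known_rows(old_sid, new_sid)
    print(render_sid_mapping(rows), end="")
```

Against a real ADMT v3 database the only parts that change are the connection (pyodbc or the VBScript ADO call from the post instead of sqlite3) and the assumed column names; the join shape and the output format stay the same. Keep the generated file on the ADMT box only: it pairs every source SID with a target SID, which is exactly the data a rogue admin would need to craft a sidHistory of their own.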
  #11  
Old 08-05-2006
Riccardo
 
Posts: n/a
Re: SID History and SID Filtering questions (netdom)

Yeeee Haaaaaa, I got it to work!

I ran a net use \\servername\ipc$ to the domain controllers in each
domain, then the command worked!!!!



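The "attr (0x4)" that nltest /domain_trusts reported for the non-working domain earlier in the thread, and the effect Vincent described of a quarantined trust honouring only SIDs from the domain on the other side, as an added example that is not part of any post here. It decodes the trustAttributes bits from a constructed nltest listing (the domain names, SIDs and output text are made up) and applies the domain-part filter a quarantined trust imposes on an inbound token, which shows both why SIDHistory stops working under /quarantine:yes and what the filter protects against: a sidHistory entry forged to carry the trusting domain's own Domain Admins RID (512). The filter is a simplified model; real domain controllers also apply the well-known-SID rules from MS-PAC.

```python
"""Decode nltest /domain_trusts 'Attr:' flags and model SID filtering on a
quarantined trust (added example, not from the thread). The nltest listing
below is constructed; the domain SIDs are made up."""
import re
from typing import Dict, Iterable, List

# trustAttributes bits as documented in MS-ADTS. 0x4 is the quarantine bit that
# 'netdom trust ... /quarantine:yes' sets and nltest prints as ( Attr: 0x4 ).
TRUST_ATTRIBUTE_FLAGS: Dict[int, str] = {
    0x0001: "NON_TRANSITIVE",
    0x0002: "UPLEVEL_ONLY",
    0x0004: "QUARANTINED_DOMAIN",          # SID filtering quarantine
    0x0008: "FOREST_TRANSITIVE",
    0x0010: "CROSS_ORGANIZATION",
    0x0020: "WITHIN_FOREST",
    0x0040: "TREAT_AS_EXTERNAL",
    0x0080: "USES_RC4_ENCRYPTION",
    0x0200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
}
QUARANTINED = 0x0004


def decode_trust_attributes(value: int) -> List[str]:
    """Names of the bits set in a trustAttributes value; unknown bits stay visible."""
    names = [name for bit, name in TRUST_ATTRIBUTE_FLAGS.items() if value & bit]
    unknown = value & ~sum(TRUST_ATTRIBUTE_FLAGS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


_TRUST_LINE = re.compile(r"^\s*\d+:\s+(?P<netbios>\S+)\s+(?P<dns>\S+)")
_ATTR = re.compile(r"Attr:\s*0x(?P<hex>[0-9A-Fa-f]+)")


def parse_nltest(output: str) -> Dict[str, int]:
    """{dns name: trustAttributes} from 'nltest /domain_trusts' text; no Attr means 0."""
    trusts: Dict[str, int] = {}
    for line in output.splitlines():
        m = _TRUST_LINE.match(line)
        if not m:
            continue
        a = _ATTR.search(line)
        trusts[m.group("dns")] = int(a.group("hex"), 16) if a else 0
    return trusts


def domain_of(sid: str) -> str:
    """Domain part of an object SID: S-1-5-21-a-b-c-1105 -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]


def filter_inbound_sids(token_sids: Iterable[str], trusted_domain_sid: str, attr: int) -> List[str]:
    """How the trusting domain's DC treats a token arriving over the trust.

    Quarantined (0x4): only SIDs whose domain part is the trusted domain survive,
    so sidHistory entries from any other domain are dropped (what broke access in
    the thread) and so is any forged SID naming the trusting domain's privileged
    groups. Not quarantined: the SIDs are honoured as sent.
    Simplified model: real DCs also apply the well-known-SID rules from MS-PAC.
    """
    sids = list(token_sids)
    if attr & QUARANTINED:
        return [s for s in sids if domain_of(s) == trusted_domain_sid]
    return sids


# Constructed sample of what nltest /domain_trusts might print in OldDomain.
NLTEST_SAMPLE = """\
List of domain trusts:
    0: NEW new.example.com (NT 5) (Direct Outbound) (Direct Inbound) ( Attr: 0x4 )
    1: LEGACY legacy.example.com (NT 5) (Direct Outbound) (Direct Inbound)
    2: OLD old.example.com (NT 5) (Forest Tree Root) (Primary Domain) (Native)
The command completed successfully
"""

if __name__ == "__main__":
    OLD = "S-1-5-21-1111111111-2222222222-3333333333"   # made-up OldDomain SID
    NEW = "S-1-5-21-4444444444-5555555555-6666666666"   # made-up NewDomain SID
    trusts = parse_nltest(NLTEST_SAMPLE)
    for dns, attr in trusts.items():
        print(f"{dns}: 0x{attr:x} {decode_trust_attributes(attr)}")
    # NewDomain\user1 after migration: own SIDs, sidHistory from OldDomain, and
    # one forged entry claiming OldDomain\Domain Admins (RID 512).
    token = [NEW + "-1304", NEW + "-513", OLD + "-1105", OLD + "-513", OLD + "-512"]
    print("quarantined   :", filter_inbound_sids(token, NEW, trusts["new.example.com"]))
    print("/quarantine:no:", filter_inbound_sids(token, NEW, 0))
```

The second print is the trade-off the thread is negotiating: with the quarantine bit cleared the migrated user's old SIDs work again, but so would the forged RID-512 entry, which is why the bit should go back on (or the trust be retired) as soon as the re-ACL or migration is finished.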