Re: SID Filtering and trust
From: Ryan Hanisco (rhanisco_at_flagshipis.com)
Date: 02/09/05
- Next message: Jason: "Re: Unable to unlock peer group members ' accounts"
- Previous message: Jason: "SID Filtering and trust"
- In reply to: Jason: "SID Filtering and trust"
- Next in thread: gordonah: "RE: SID Filtering and trust"
Date: Tue, 8 Feb 2005 21:25:42 -0600
Jason,
SIDHistory is an attribute in the User object and the SIDHistory attributes
will not be lost. I think the fear is that in the migration, SID filtering
will be enabled on the external trust. I have not heard of this happening
nor have I seen any documentation to this effect. Remember that the kind of
trust that is used there is the normal way of using ADMT to W2k3 -- so I
wouldn't expect that there would be a problem. Still, the trust could be
re-established.
Other things to remember:
1. Your local sys admin shouldn't be dictating something like installing
2003 as it affects the ENTIRE forest and has to be carefully planned and
implemented. While there are tons of good reasons to implement 2003, many
of these features aren't available until you have the domain or forest
functional level at 2003. Make sure that the business case is valid and
that the risk/impact to the whole organization is evaluated.
2. Make sure to install and use the 2003 version of NETDOM to maintain and
check your trusts. This will work on NT/2000 servers just as well as 2003
and does a much better job. This can be gotten from the MS site and does
not need the 2003 media.
3. Your forest and domains need to be absolutely healthy before upgrading
to 2003. You may well consider resolving the NT4 domains to 2000/2003 if
that is the plan. The last thing you need is the creeping strangeness of
supporting three network operating systems.
--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services

"Jason" <jasons@hotmail.com> wrote in message
news:ONlVO6kDFHA.1564@TK2MSFTNGP09.phx.gbl...
> Hi,
> I have a child W2K domain with 4 sites in native mode. Each site has 2 DC
> +GC. Our domain maintains three external trust relationships with other NT4
> domains (say NT4 domain A, B and C). Actually, our child domain was
> migrated from one of the NT4 domains (domain A) using ADMT. We still have
> about 40% of users having a SID History.
> Recently, one of our sites' local system admins insists on upgrading their
> DCs from W2K to W2K3 (for some funny business reason). My concern is, after
> they have upgraded their two DCs to W2K3 while we are still on W2K DC
> native mode (I suppose they could only maintain the same W2K native
> functional level), will our trust with the NT4 domains be lost? I heard
> from a colleague that once the DCs are upgraded to W2K3, immediately, due to
> SID filtering, our domain will lose the trust relationship with these
> external NT4 domains as they are, relatively, regarded as an external
> forest.
> My questions are:
> 1) Is this true, that is, the trust relationship will be lost immediately?
> (because of the default SID filtering?)
> 2) What if the trust is re-created? Will my users with SID history
> still be able to access these NT4 domains based on sidhistory the same as
> they did before?
> 3) What can be done to prevent this loss of trust (if true) from
> happening?
>
> Please help me to answer these questions, highly appreciated!
>
> Jason
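
What SID filtering would do to a migrated user's SIDHistory if it were enabled on one of these external trusts, as a simplified model added here (not part of the original thread, and not Windows' own code): the trusting domain drops every presented SID whose domain part is not the trusted domain's own SID. The domain roles and all SIDs are constructed sample values, and the function names are hypothetical.

```python
# Simplified model of SID filtering (quarantine) on an external trust.
# Added illustration; every SID below is a constructed sample value.

def domain_of(sid: str) -> str:
    """Return the domain part of a domain account SID (all but the final RID)."""
    parts = sid.split("-")
    # Domain account SIDs have the form S-1-5-21-<a>-<b>-<c>-<rid>.
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not a domain account SID: {sid}")
    return "-".join(parts[:-1])

def sids_honored(trusted_domain_sid, primary_sid, sid_history, filtering_enabled):
    """SIDs the trusting domain accepts for a user arriving over the trust."""
    presented = [primary_sid, *sid_history]
    if not filtering_enabled:
        return presented  # SIDHistory entries are honored as-is
    # With filtering on, only SIDs issued by the trusted domain survive.
    return [s for s in presented if domain_of(s) == trusted_domain_sid]

def has_access(acl_sids, honored):
    """True if any honored SID appears on the resource's ACL."""
    return bool(set(acl_sids) & set(honored))

# Constructed scenario: user migrated with ADMT from NT4 domain A to the child domain.
CHILD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # trusted domain
NT4_DOMAIN_A = "S-1-5-21-4444444444-5555555555-6666666666"  # migration source
USER_NEW_SID = CHILD_DOMAIN + "-1105"       # primary SID in the child domain
USER_OLD_SID = NT4_DOMAIN_A + "-1042"       # carried in the sIDHistory attribute
RESOURCE_ACL = [USER_OLD_SID]               # NT4 resource still ACL'd to the old SID

def scenario(filtering_enabled):
    honored = sids_honored(CHILD_DOMAIN, USER_NEW_SID, [USER_OLD_SID],
                           filtering_enabled)
    return honored, has_access(RESOURCE_ACL, honored)

if __name__ == "__main__":
    for state in (False, True):
        honored, ok = scenario(state)
        print(f"SID filtering={state}: honored={honored} access={ok}")
```

In this model the sIDHistory value is never deleted from the user object; it is only ignored at the trust boundary while filtering is on, so access returns if the ACL is re-permissioned to the new SID.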