Re: SID Filtering and trust

From: Dean Wells [MVP] (dwells_at_mask.msetechnology.com)
Date: 02/09/05


Date: Wed, 9 Feb 2005 07:59:50 -0500

The trust will not break as part of the upgrade; SID filtering does not
break trusts, rather it controls their behavior. If all DCs are
upgraded and you recreate the trust, SID filtering is on by default. As
such, the users' sIDHistory will be stripped from the ticket by the
trusting domain's KDCs each time users attempt to access resources
across the trust. To prevent this loss of access, disable SID filtering
(I've requested more granular control of this feature more times than I
can remember but I've heard nothing that would indicate it'll be in SP1
or ...).

NOTE - Cross-forest trust requires each forest to be running at 2003
forest functional level (no downlevel DCs), the trust must be created
between the 2 forest root domains, name resolution must be set up in both
directions, and time must be in sync (not automatic between forests)
within the respective threshold of each domain's tolerance policy.

-- 
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e    t h e    m a s k    t o    s e n d    e m a i l

Jason wrote:
> Hi,
> I have a child W2K domain with 4 sites in native mode. Each site has
> 2 DCs + GC. Our domain maintains three external trust relationships with
> other NT4 domains (say NT4 domains A, B and C). Actually, our child
> domain is migrated from one of the NT4 domains (domain A) using
> ADMT. We still have about 40% of users having a SID History.
> Recently, one of our sites' local system admins insists on upgrading
> their DCs from W2K to W2K3 (for some funny business reason). My
> concern is, after they have upgraded their two DCs to W2K3 while we
> are still on W2K DC native mode (I suppose they could only maintain
> the same W2K native functional level), will our trust with the NT4
> domains be lost? I heard from a colleague that once the DCs are upgraded
> to W2K3, immediately, due to SID filtering, our domain will lose the
> trust relationship with these external NT4 domains as they are,
> relatively, regarded as an external forest. My questions are:
> 1) Is this true, that is, the trust relationship will be lost immediately
> (because of the default SID filtering)?
> 2) What if the trust is re-created again? Will my users with SID
> history still be able to access these NT4 domains based on sIDHistory
> the same as they do before?
> 3) What can be done to prevent this loss of trust (if true) from
> happening?
>
> Please help me answer these questions, highly appreciated!
>
> Jason 
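The mechanism Dean describes, modelled in code, as an added example that is not part of the original thread: the trusting (resource) domain keeps only those SIDs in the incoming authorization data whose domain part equals the trusted (account) domain's SID, so a migrated user's sIDHistory entries, which carry the old NT4 domain's prefix, are dropped, and a share still ACLed with the pre-migration SIDs becomes inaccessible. Turning quarantine off lets them through again. The domain SIDs, user, groups and ACL are constructed for the example; the handling of well-known (non-domain) SIDs is simplified to pass-through, which is an assumption and not the DC's full rule table.

```python
"""Model of SID filtering ("quarantine") on a trust, showing why a migrated
user's sIDHistory is stripped by the trusting domain and what happens when
quarantine is disabled. Added illustration, not code from the thread.

Assumptions: domain SIDs, users, groups and the ACL below are constructed;
well-known SIDs (anything not S-1-5-21-...) are passed through unchanged,
whereas a real DC applies a separate rule table to those.
"""
from __future__ import annotations
from dataclasses import dataclass, field

DOMAIN_SID_PREFIX = "S-1-5-21-"


def domain_part(sid: str) -> str | None:
    """Domain identifier of a domain SID (everything before the RID), or
    None for a non-domain SID such as S-1-5-11 (Authenticated Users)."""
    if not sid.startswith(DOMAIN_SID_PREFIX):
        return None
    parts = sid.split("-")  # S,1,5,21,A,B,C,RID -> 8 fields
    if len(parts) != 8 or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"malformed domain SID: {sid}")
    return "-".join(parts[:7])


@dataclass
class Token:
    """SIDs a user presents to a resource domain across the trust."""
    user_sid: str
    group_sids: list[str] = field(default_factory=list)
    sid_history: list[str] = field(default_factory=list)

    def all_sids(self) -> list[str]:
        return [self.user_sid, *self.group_sids, *self.sid_history]


def filter_sids(sids: list[str], trusted_domain_sid: str,
                quarantined: bool) -> tuple[list[str], list[str]]:
    """The trusting domain's SID filtering rule.

    Quarantine on: only SIDs whose domain part equals the trusted domain's
    SID survive; every other domain SID (sIDHistory from the old domain,
    SIDs of other domains) is removed. Quarantine off: everything passes.
    Returns (kept, dropped).
    """
    if not quarantined:
        return list(sids), []
    kept, dropped = [], []
    for sid in sids:
        dom = domain_part(sid)
        if dom is None or dom == trusted_domain_sid:
            kept.append(sid)  # well-known SID (assumption) or from the trusted domain
        else:
            dropped.append(sid)
    return kept, dropped


def can_access(acl_allow_sids: set[str], presented_sids: list[str]) -> bool:
    """Allow-only ACL check: any presented SID listed in the ACL grants access."""
    return any(sid in acl_allow_sids for sid in presented_sids)


# --- constructed scenario: accounts in the W2K child domain, resources in NT4 domain A
CHILD_W2K = "S-1-5-21-1111111111-2222222222-3333333333"  # trusted (account) domain
NT4_A = "S-1-5-21-4444444444-5555555555-6666666666"      # trusting (resource) domain

migrated_user = Token(
    user_sid=f"{CHILD_W2K}-1105",
    group_sids=[f"{CHILD_W2K}-513", "S-1-5-11"],     # Domain Users, Authenticated Users
    sid_history=[f"{NT4_A}-1105", f"{NT4_A}-1210"],  # old account and old group SID from domain A
)
# A share in domain A still ACLed with the pre-migration SIDs (constructed).
share_acl = {f"{NT4_A}-1105", f"{NT4_A}-1210"}


def access_with_quarantine(quarantined: bool) -> bool:
    """Does the migrated user reach the domain-A share under this trust setting?"""
    kept, _ = filter_sids(migrated_user.all_sids(), CHILD_W2K, quarantined)
    return can_access(share_acl, kept)


if __name__ == "__main__":
    for q in (True, False):
        kept, dropped = filter_sids(migrated_user.all_sids(), CHILD_W2K, q)
        print(f"quarantine={q}: kept={kept}\n  dropped={dropped}\n"
              f"  access to share={can_access(share_acl, kept)}")
```

The dropped list under quarantine is exactly the sIDHistory: the SIDs belong to domain A itself, but they did not arrive from the trusted domain, which is the property SID filtering exists to enforce (an account domain cannot inject SIDs that impersonate principals of the resource domain). That is also why disabling it, as the reply suggests, trades that protection for continued sIDHistory-based access.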

