Re: SID Filtering vs. SIDhistory

From: Eric Fleischman [MSFT] (efleis_at_online.microsoft.com)
Date: 01/27/04 

Date: Mon, 26 Jan 2004 21:19:59 -0600

Hmm.....well it seems to me there are two questions:
1) Should we use sid filtering on the trust? The short answer is, if this is
a very short-lived trust used only for the sake of migration, I would keep
it off. Will it matter? No not really. But let's take one more potential
point of failure off during the migration.
SIDFiltering won't really affect the migration itself, only stuff during an
interop phase in which SID History is being used across the trust.
2) Why does it seem that sid filtering isn't working? My bet is that there
is a subtle setting on your tdo (Eric speak for Trusted Domain Object, IE
the object in AD that represents the trust on the w2k03 side) that is not
formed properly. If you want to dig in to this side, I can show you how to
ldif dump the tdo so we can all take a peak.

Let me know what you think and we'll proceed from there. :-)

~Eric 

-- 
Eric Fleischman [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Rich Roller" <rich_roller@*REMOVE-THIS*whitney.org> wrote in message
news:%23ZQI0rG5DHA.2348@TK2MSFTNGP10.phx.gbl...
> > A somewhat more pointed question: is this a domain trust or a
> forest trust?
> > And what is the OS on both sides of the trust?
>
> Two-way trust between WS2003 AD Domain & NT4 Domain.  Does that
> answer your Q?
>
>

Relevant Pages

  • Re: sidHistory and DomainUsers
    ... It looks like a SID filtering issue but SID filtering is off. ... TRUST: 'smt711.paworld.net' trusts 'PAWORLD.NET' ... migrated users from one domain in one forest to a domain in the other ... Also you should know that the migration take place ...
    (microsoft.public.windows.server.active_directory)
  • Re: SID Filtering and trust
    ... SIDHistory is an attribute in the User object and the SIDHistory attributes ... I think the fear is that in the migration, SID filtering ... trust that is used there is the normal way of using ADMT to W2k3 -- so I ... > Recently,one of our sites's local system admin insist to upgrade their DC ...
    (microsoft.public.win2000.active_directory)
  • Re: SID Filtering and trust
    ... SIDHistory is an attribute in the User object and the SIDHistory attributes ... I think the fear is that in the migration, SID filtering ... trust that is used there is the normal way of using ADMT to W2k3 -- so I ... > Recently,one of our sites's local system admin insist to upgrade their DC ...
    (microsoft.public.windows.server.active_directory)
  • Re: SID Filtering and trust
    ... SIDHistory is an attribute in the User object and the SIDHistory attributes ... I think the fear is that in the migration, SID filtering ... trust that is used there is the normal way of using ADMT to W2k3 -- so I ... > Recently,one of our sites's local system admin insist to upgrade their DC ...
    (microsoft.public.win2000.security)
  • Re: sidHistory and DomainUsers
    ... It looks like a SID filtering issue but SID filtering is off. ... Trust type: Intra-forest ... So let's get a few more details - one of the forests is running in ... Also you should know that the migration take place ...
    (microsoft.public.windows.server.active_directory)