Re: SID Filtering vs. SIDhistory
From: Rich Roller (rich_roller_at_*REMOVE-THIS*whitney.org)
Date: 01/29/04
- Previous message: Richard McCall [MSFT]: "Re: Removing the IPC Share Automatically"
- In reply to: Alex: "Re: SID Filtering vs. SIDhistory"
Date: Thu, 29 Jan 2004 13:17:42 -0500
Alex:
When we try to install WS3's Support Tools (netsetup.exe) it gives
an install error saying it will not install on NT (ironically it
will install on W98!). So unless there is some other trick we
can't seem to use WS3's version of netdom on NT.
And the netdom we got off the NT ResKit didn't have the /TRUST
switch that we had used to display status of SIDfiltering
(Quarantine) so that didn't seem promising.
Finally we looked for the Registry key you mentioned but
"QuarantinedDomains" was not visible at all on either the NT PDC
or the AD PDC.
Any more ideas?
Thanks.
Rich
"Alex" <ytsiow@yahoo.com> wrote in message
news:#SAZv2m5DHA.2392@TK2MSFTNGP11.phx.gbl...
> I will think that the w2k3 netdom should work for winnt. You can also check
> the following registry key.
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\]
>
> Name: QuarantinedDomains
> Type: REG_MULTI_SZ
> Value: Sequence of zero, or more, Netbios domain names
>
> Also check out this link.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;811961
>
> Good luck.
>
>
>
> "Rich Roller" <rich@*REMOVE-THIS*r2c.com> wrote in message
> news:%23abmKhh5DHA.2392@TK2MSFTNGP11.phx.gbl...
> > Thanks Alex.
> >
> > So, instead of running netdom on the AD-side (which shows
> > filtering on) I should run it on the NT-side (and expect to see
> > filtering off)?
> >
> > Any ideas if netdom works similarly on NT and whether I have to
> > find an old version of netdom (and where?) or if the netdom from
> > WS2003 is backward compatible?
> >
> > -Rich
> >
> > "Alex" <ytsiow@yahoo.com> wrote in message
> > news:uKtG0ha5DHA.2300@TK2MSFTNGP10.phx.gbl...
> > > I am quite sure that SID Filtering will not affect sidHistory in your case
> > > (backward access to resources in your NT domain). From what I understand,
> > > SID Filtering works on the Trusting domain (Resources) which is your NT
> > > domain in this case. Your NT domain should not have SID Filtering enabled by
> > > default and therefore it should work.
> > >
> > >
> > > "Rich Roller" <rich_roller@*REMOVE-THIS*whitney.org> wrote in message
> > > news:ux2BPAF5DHA.360@TK2MSFTNGP12.phx.gbl...
> > > > We're about to do an important ADMT migration from NT to AD
> > > > (WS2003), in which we chose to migrate SIDhistory which we relied
> > > > on for backward access to NT resources. All of our testing so far
> > > > was based on two-way trusts that were set up with SID Filtering,
> > > > which is the default for WS2003.
> > > >
> > > > Our testing was generally quite positive and SIDhistory, from all
> > > > we can tell, was working OK (except for built-in users & built-in
> > > > groups which we understood ADMT would not migrate/SIDhistory)
> > > >
> > > > What's really puzzling me about this is that in several places,
> > > > including the "new trust wizard", it says that if SID Filtering is
> > > > turned on then things like SIDhistory will not work properly.
> > > > We've confirmed (using netdom) that our trusts indeed have SID
> > > > Filtering enabled so what's the deal? How come it looks to us
> > > > like SIDhistory is working?
> > > >
> > > > We're about to do our *real, production* migration and we're
> > > > wondering if we should disable SID Filtering?
> > > >
> > > > TIA,
> > > >
> > > > Rich