SIDHistory was added to accounts during migration and SID filter quarantining has been turned off (/Quarantine:NO), but users still do not have access to resources, even though the SIDHistory of the user objects and of their group memberships has been validated with ADSI Edit.
A forest trust was used in this scenario instead of an external domain-to-domain trust. This type of trust was introduced in Windows Server 2003, and the /EnableSIDHistory switch must be used in place of the /Quarantine switch.
Starting with Windows 2000 SP4, SID filter quarantining is enabled by default on all external domain trusts. Forest trusts also have SID filtering enabled by default. The Netdom command-line utility is used to manage trusts; for Windows Server 2003 the syntax is:
NETDOM TRUST trusting_domain_name /Domain:trusted_domain_name /Quarantine:no /EnableSIDHistory:yes
/UserD:user /PasswordD:password /UserO:user /PasswordO:password
where:
trusting_domain_name: is the name of the trusting domain.
/Domain: Specifies the name of the trusted domain or Non-Windows Realm.
/UserD: User account used to make the connection with the domain specified by the /Domain argument.
/PasswordD: Password of the user account specified by /UserD.
/UserO: User account used to make the connection with the trusting domain.
/PasswordO: Password of the user account specified by /UserO.
For Windows 2000 use the following command:
NETDOM TRUST trusting_domain_name /Domain:trusted_domain_name /FilterSIDs:no
/UserD:user /PasswordD:password /UserO:user /PasswordO:password
"You should not enable SID filter quarantining on forest trusts, that is, by using the netdom command with the /quarantine:yes option. However, if you have migrated users from one Windows Server 2003 forest to another and the migrated users need access to resources in the former domain, you can relax the default SID filtering that is applied to a forest trust by using the netdom command with the /enablesidhistory:yes option. Using that command on a forest trust reduces the level of SID filtering on the forest trust. So, ensure that you trust the administrators of the trusted domain, as well as their security practices."
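A pre-flight check, added here as an example and not taken from the original article, that decodes the trustAttributes value of a trustedDomain object so you can confirm which kind of trust you actually have and which netdom switch applies before running it. The bit values are the TRUST_ATTRIBUTE_* flags documented in MS-ADTS; the sample trust name and attribute value are constructed, and the optional Get-ADTrust line assumes the ActiveDirectory PowerShell module.

```powershell
# Decode trustAttributes and report whether SIDHistory from the trusted side
# will be honoured, plus which netdom switch (if any) is still missing.
function Get-TrustSidFilteringState {
    param(
        [Parameter(Mandatory)][string]$TrustedDomain,   # value used with /Domain:
        [Parameter(Mandatory)][int]$TrustAttributes     # trustedDomain.trustAttributes
    )

    $QUARANTINED_DOMAIN = 0x4    # set by /Quarantine:yes (Windows 2000: /FilterSIDs:yes)
    $FOREST_TRANSITIVE  = 0x8    # trust is a forest trust, not an external trust
    $TREAT_AS_EXTERNAL  = 0x40   # set by /EnableSIDHistory:yes on a forest trust

    $isForest    = ($TrustAttributes -band $FOREST_TRANSITIVE) -ne 0
    $quarantined = ($TrustAttributes -band $QUARANTINED_DOMAIN) -ne 0
    $relaxed     = ($TrustAttributes -band $TREAT_AS_EXTERNAL) -ne 0

    $fix = @()
    if ($quarantined) {
        # Quarantine blocks SIDHistory on both trust types; MS says not to use it on forest trusts.
        $fix += "NETDOM TRUST <trusting_domain> /Domain:$TrustedDomain /Quarantine:no"
    }
    if ($isForest -and -not $relaxed) {
        # Forest trusts filter SIDHistory by default; only /EnableSIDHistory:yes relaxes that.
        $fix += "NETDOM TRUST <trusting_domain> /Domain:$TrustedDomain /EnableSIDHistory:yes"
    }

    $honoured = -not $quarantined -and (-not $isForest -or $relaxed)

    [pscustomobject]@{
        TrustedDomain      = $TrustedDomain
        TrustType          = if ($isForest) { 'Forest' } else { 'External' }
        QuarantineSet      = $quarantined
        EnableSIDHistory   = $relaxed
        SIDHistoryHonoured = $honoured
        NetdomToRun        = if ($fix) { $fix -join '; ' } else { '(nothing to do)' }
    }
}

# Constructed sample: a forest trust (0x8) where /Quarantine:no was run but
# /EnableSIDHistory:yes never was -- the situation described in this article.
Get-TrustSidFilteringState -TrustedDomain 'source.example.com' -TrustAttributes 0x8

# Constructed sample: the same trust after /EnableSIDHistory:yes (0x8 + 0x40).
Get-TrustSidFilteringState -TrustedDomain 'source.example.com' -TrustAttributes 0x48

# Against a live domain (requires the ActiveDirectory module):
# Get-ADTrust -Filter * | ForEach-Object {
#     Get-TrustSidFilteringState -TrustedDomain $_.Name -TrustAttributes $_.TrustAttributes }
```

The first sample reports SIDHistoryHonoured = False with the /EnableSIDHistory:yes command still to run; the second reports True with nothing to do. Relaxing filtering means SIDs carried in SIDHistory by the trusted forest are accepted, which is why the Microsoft note above ties it to trusting that forest's administrators.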
Additional related Microsoft articles:
Security Considerations for Trusts (See the "Disabling SID Filtering" section): http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/1f33e9a1-c3c5-431c-a5cc-c3c2bd579ff1.mspx
Active Directory Operations Guide - Managing Trusts (See the "Procedure for Preventing Unauthorized Privilege Escalation" section): http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd05.mspx
Active Directory Operations Guide - Appendix B - Procedures Reference (See the "Configure SID Filtering" section): http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part2/adogdapb.mspx#E04D0AA