SIDHistory has been added to accounts during migration and SID filter quarantining is turned off (/quarantine:NO), but users still don't have access to resources, even though the SIDHistory of the user object and the group membership SIDHistory have been validated using ADSI Edit.
A forest trust was used in the current scenario instead of an external domain-to-domain trust. This type of trust was introduced in Windows Server 2003, and the /EnableSidHistory switch needs to be used in place of the /quarantine switch. Basically:
DOMAIN to DOMAIN trust: use /quarantine:YES/NO
FOREST to FOREST trust: use /EnableSidHistory:YES/NO
When troubleshooting, it is a good idea to use the Microsoft command-line utility Whoami.exe (part of the Windows 2000 Resource Kit). Executed with the /all switch, it lists all the SID values contained in the security token of the currently logged-in user. Running it in the context of the source and target environments shows whether a particular domain's SIDs are filtered.
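The same check can be scripted. The following PowerShell is an added example, not part of the original article: it reads the current token through .NET's WindowsIdentity instead of Whoami.exe and lists the SIDs that belong to the source domain. The function name and all SID values are constructed placeholders.

```powershell
# Added example (not from the original article). Reports which SIDs in an access
# token belong to a given domain, i.e. which SIDHistory entries survived the trust.
function Get-TokenSidsFromDomain {
    param(
        # SID of the source (migrated-from) domain.
        [Parameter(Mandatory = $true)][string]$DomainSid,
        # SIDs to inspect; defaults to the token of the current logon session.
        [string[]]$TokenSids
    )
    if (-not $TokenSids) {
        $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $TokenSids = @($identity.User.Value) +
                     @($identity.Groups | ForEach-Object { $_.Value })
    }
    # An account SID is the domain SID followed by exactly one RID, so anchor the
    # match on both ends instead of doing a plain prefix comparison.
    $pattern = '^' + [regex]::Escape($DomainSid.Trim()) + '-\d+$'
    @($TokenSids | Where-Object { $_ -match $pattern })
}

# Constructed sample data: placeholder domain SID and a token as whoami /all
# might list it after logon in the target environment.
$sourceDomainSid = 'S-1-5-21-1111111111-2222222222-333333333'
$sampleToken = @(
    'S-1-5-21-444444444-555555555-666666666-1105',     # target-domain user
    'S-1-5-21-444444444-555555555-666666666-513',      # target Domain Users
    'S-1-5-21-1111111111-2222222222-333333333-1620',   # SIDHistory: old user SID
    'S-1-5-21-1111111111-2222222222-3333333330-512',   # other domain, similar prefix
    'S-1-5-32-545'                                     # BUILTIN\Users
)

$found = @(Get-TokenSidsFromDomain -DomainSid $sourceDomainSid -TokenSids $sampleToken)
if ($found.Count -eq 0) {
    'No source-domain SIDs in token: SIDHistory is filtered or was not populated.'
} else {
    "Source-domain SIDs present in token ($($found.Count)):"
    $found
}
```

Omit -TokenSids to inspect the live token of the session the script runs in.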
Starting with Windows 2000 SP4, SID filter quarantining is set by default on all external domain trusts. Forest trusts also have SID filtering enabled by default. The Netdom command-line utility needs to be used to manage trusts. For Windows 2003 the syntax is:
NETDOM TRUST trusting_domain_name /Domain:trusted_domain_name /Quarantine:no /EnableSIDHistory:yes
/UserD:user /PasswordD:password /UserO:user /PasswordO:password
where:
trusting_domain_name: The name of the trusting domain.
/Domain: Specifies the name of the trusted domain or non-Windows realm.
/UserD: User account used to make the connection with the domain specified by the /Domain argument.
/PasswordD: Password of the user account specified by /UserD.
/UserO: User account for making the connection with the trusting domain.
/PasswordO: Password of the user account specified by /UserO.
For Windows 2000 use the following command:
NETDOM TRUST trusting_domain_name /Domain:trusted_domain_name /FilterSIDs:no
/UserD:user /PasswordD:password /UserO:user /PasswordO:password
An overview of Netdom can be found in the following Microsoft TechNet article:
https://msdn.microsoft.com/fr-fr/library/cc737599%28v=ws.10%29.aspx