NT4 doesn't know about this, so nothing to configure here. It's turned off
by default in 2000 (so you don't have to turn it off, if you didn't turn it
on...). So there's only 2003 where you may want to turn it off...

Also, to further understand your problem: am I correct in assuming that
you've migrated all groups and users to 2003 and that the resources are
still in the 2000 forest/domain? Often people forget that you need to
migrate the Groups with SID-history as well... It's best to compare one on
one which SIDs a user and his/her groups have in 2000 (incl. SIDhistory) to
those in 2003, before analysing this further...

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Pelle, Joe
Sent: Monday, 12 January 2004 23:52
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SidHistory migration

Thanks, Guido!

I’ve turned SID filtering off and have had no luck. Is there something I
need to do on the Windows 2000 or NT side?!

Joe Pelle
Infrastructure Architect
Information Technology
Valassis / IT
Tel 734.591.7324
Fax 734.632.6151

This message may have included proprietary or protected information. This
message and the information contained herein are not to be further
communicated without my express written consent.

From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]]

2003 has SID-Filtering turned on by default for any external trusts to and
from domain - i.e. access with SID-History should work fine as long as the
resources you're accessing are on servers that are members of the 2003
forest. You can turn off SID-Filtering - this should resolve your problem.
However, as this feature generally decreases the attack surface for your
2003 forest in trusted environments, you really only want to consider this
as an interim solution.

/Guido

From: Pelle, Joe [mailto:[EMAIL PROTECTED]]

We were going to do the in-place but we have no choice but to do it this
way. Any suggestions?

Joe

From: Mulnick, Al [mailto:[EMAIL PROTECTED]]

Even if you did make it work, I would be uncomfortable with the complexity
involved of permissions. 'Course I'm in a regulated industry, but still...

Any reason why you don't upgrade your domain in place? Why the new domain
again?

Why can't you get rid of the old domain and get rid of the sIDHistory from
that migration? In other words, why not complete the migration prior to
migrating again?

Al

From: Pelle, Joe [mailto:[EMAIL PROTECTED]]

Hello, All! Happy New Year!

I'm hoping you can help me figure this one out! We've migrated from NT to
2000 with SIDHistory and have been running successfully for quite some time
now. We now want to move to 2003 with SIDHistory - which will give our user
accounts 3 SIDs (NT, 2000, 2003). We've tested this in the lab and with the
migration software we are using we are getting a successful SID migration;
however, when logging in as a migrated user in 2003 I don't have the same
access I had in 2000 (or NT). It appears that SIDHistory is NOT working. We
have a two way trust between our two forests as well as trusts going back to
NT. I've disabled SID filtering on the 2003 trust.

Any help in this matter would be greatly appreciated! Thanks!

Joe
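
The side-by-side SID comparison suggested in the latest reply, as an added example that is not part of the original thread: it decodes binary `objectSid`/`sIDHistory` values as LDAP returns them and lists, per user or group, the old-domain SIDs the migrated counterpart does not carry. The domain SIDs, RIDs, account names and the dictionary layout are constructed assumptions.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary SID, as LDAP returns objectSid and sIDHistory, to S-1-... text."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])   # 32-bit each, little-endian
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_to_str; used here only to build the constructed sample data."""
    _, rev, auth, *subs = sid.split("-")
    subs = [int(s) for s in subs]
    return (bytes([int(rev), len(subs)]) + int(auth).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def principal(object_sid, history=()):
    """Hypothetical record layout: one exported user or group."""
    return {"objectSid": sid_to_bytes(object_sid),
            "sIDHistory": [sid_to_bytes(h) for h in history]}

def missing_after_migration(old, new):
    """For each old principal, list the SIDs (objectSid + sIDHistory) that its
    migrated counterpart does not carry in sIDHistory. Matching is by name."""
    report = {}
    for name, p in old.items():
        wanted = {sid_to_str(p["objectSid"])} | {sid_to_str(h) for h in p["sIDHistory"]}
        carried = {sid_to_str(h) for h in new.get(name, {}).get("sIDHistory", [])}
        if wanted - carried:
            report[name] = sorted(wanted - carried)
    return report

# Constructed domain SIDs and RIDs, not taken from the thread.
NT, W2K, W2K3 = "S-1-5-21-1111-2222-3333", "S-1-5-21-4444-5555-6666", "S-1-5-21-7777-8888-9999"
OLD = {  # user and groups as they exist in the 2000 domain
    "jdoe":    principal(W2K + "-2105", [NT + "-1105"]),
    "Finance": principal(W2K + "-2200", [NT + "-1200"]),
    "Sales":   principal(W2K + "-2300"),
}
NEW = {  # the same names after migration to 2003
    "jdoe":    principal(W2K3 + "-3105", [W2K + "-2105", NT + "-1105"]),
    "Finance": principal(W2K3 + "-3200"),   # group migrated without SID history
}                                           # "Sales" was never migrated

if __name__ == "__main__":
    for name, sids in missing_after_migration(OLD, NEW).items():
        print(name, "is missing", ", ".join(sids))
```

Any SID listed for a group is one that resource ACLs in the old domains may still reference but that the migrated user's token will not contain.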
RE: [ActiveDir] SidHistory migration
GRILLENMEIER,GUIDO (HP-Germany,ex1) Tue, 13 Jan 2004 08:56:09 -0800
