People, Guido was kind enough to offer some suggestions detailed below, however, after trying everything, I still cannot disable this flag. Here are the particulars for anyone who might be able to offer some additional assistance: [1] The child domain has been created from the empty forest root. [2] The child domain has been moved to Windows Server 2003 functional level [3] Trusts have been set up between the empty forest root and the source domain. In addition trusts have been set up between the child domain and the source domain. They were created in AD by the W2K3 empty forest root DC and the Child domain DC and they were set both ways, Source domain trusts Forest Root domain and vice versa, Source domain trusts child domain and vice versa. Their relationships are listed as External and their transivity is listed as NO, both ways on both DCs. Both can be confirmed each way from both DCs. All the documentation I have read states to run this from the Source domain DC. I have tried to run Guido's syntax below and it fails. I tried it with the NETBIOS domain names, with the FQDNs, with the ":" between filterSIDS and NO, without it, capitalizing NO and lowercase. In short, everything. [4] There is a JSI website tip (No. 4432) which offers a different syntax, which I have also tried, both with NETBIOS names and FQDNs.
Everything fails. It's ALWAYS, "The parameter /filtersids is incorrect. The parameter was unexpected". I could use any suggestion at this point to defeat this as I'm now at a standstill. Thanks agian. Rocky __________________________________ -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Grillenmeier, Guido Sent: Saturday, September 04, 2004 4:14 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Sid Filtering will not disable > I have a new empty forest root (efr.something.com which is W2K3, brand new and > I have not set a functional level yet, it's what it would be natively upon creation). That would be Win2000 mixed mode at the domain level (which doesn't support SID-History anyways) and Win2000 mode at the forest level... but if I read correctly, you don't want to migrate into the existing root domain anyways Instead, you want to "migrate to a NOT YET created child domain (cd1.efr.something.com)" => you'll have to turn off SID-Filtering on the trust between THIS (not yet existing) child domain and your source domain, not the root (as you SID-Filtering is configured per trust). To do so, you'll first have to create the child domain, set this domain to the Win2003 domain functional level (if you don't expect/want any 2000 DCs in this domain), then create the trust and turn off SIDfiltering on this trust (not from the root). At last, I expect that the error "The parameter quarantine:No was unexpected." comes from the fact that you are using the 2003 syntax, but the source domain is still Windows 2000, wich uses a different syntax for disabling SID-Filtering: NETDOM.EXE Trust sourcedom /Domain:targetdom /FilterSIDs NO /Guido -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Saturday, September 04, 2004 9:58 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Sid Filtering will not disable People,, I cannot get sid filtering to disable in my migration action. I have a new empty forest root (efr.something.com which is W2K3, brand new and I have not set a functional level yet, it's what it would be natively upon creation). I have a source domain in a different forest that I want to get ready to migrate to a NOT YET created child domain (cd1.efr.something.com) The W2K3 Server notes from efr state that in the trusting domain (the one I want to migrate "source.com" which is W2K mixed mode ) I need to disable sid filtering with the command: Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /usero:DomainAdministratorAcct /passwordo:DomainAdminPwd so I type the following: Netdom trust source.com /domain:efr.something.com /quarantine:No /usero:Administrator /passwordo:source.comAdminPassword It returns "The parameter quarantine:No was unexpected. The parameter is incorrect: So I said, "Maybe it's because the child domain is not created yet and you can't migrate to an empty forest root." Then I said "No, how does it know it's an empty forest root. It does not know." So now I can't effect that command. Can anyone help me decipher my logic failure here? I really appreciate all the help(ers) on this list. It has been invaluable. And "For cripes sake joe", "Don't listen to Rick tell you to give just one line answers!" :-0 Just kidding. Love you "both". Thanks. ------------------------------------------------- Rocky Habeeb Microsoft Systems Administrator ------------------------------------------------- James W. Sewall Company Old Town, Maine ------------------------------------------------- 207.827.4456 habr @ jws.com www.jws.com ------------------------------------------------- List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
