After the migration of a user (using ADMT or any third-party migration tool), you can still access the resources in NT 4.0 using SID History (not SID Filtering!). You have to Re-ACL (Security Translation) the resources using the migrated account before removing the SID History. Then you can move all resource servers to the new AD domain.

Regarding SID Filtering, in Windows 2000 SP4 and Windows 2003, SID Filtering is enabled by default. It is a best practice to enable SID Filtering for security reasons. But during the migration, especially if you are using SID History, you have to disable SID Filtering. But make sure to enable it after the migration is complete.

HTH
Santhosh

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX

On 5/6/05, Medeiros, Jose <[EMAIL PROTECTED]> wrote:
> I have bad news for you, do not put yourself in such a situation. You
> should always do such a migration off hours. My suggestion to you is to use
> Microsoft's Active Directory Migration Tool 2.0
> http://www.microsoft.com/downloads/details.aspx?FamilyID=788975b1-5849-4707-9817-8c9773c25c6c&DisplayLang=en
>
> NetIQ and Quest also have a tool with enhanced features.
>
> Regards,
>
> Jose Medeiros
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> packman
> Sent: Friday, May 06, 2005 7:05 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] SID History Filtering
>
> I'm working at a client with what I think is a unique set of circumstances.
> Instead of upgrading their existing NT 4.0 Domain to AD, they instead
> created a new AD structure and left the NT 4.0 Domain in production. Almost
> all of the users are still logging into the 4.0 domain (4d), due to
> the fact that their resources are still in that domain. My role in all this
> is getting the servers in 4d moved to AD without causing disruption to those
> users. All of the 4d IDs were pulled into the AD structure. Someone
> mentioned to me that we could use SID History filtering, and in one fell
> swoop, move all the 4d servers over to AD, less the DCs, and everything
> should still work with the users logging in to 4d. Is this the case?
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
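
Added example, not part of the original thread: a read-only PowerShell check for the end state the reply describes (SID History removed after Re-ACL, SID Filtering back on). It assumes a current domain controller with the ActiveDirectory (RSAT) module, which postdates this thread; the function name Get-MigrationCleanupStatus is hypothetical.

```powershell
# Added example: post-migration audit. Requires the ActiveDirectory module (RSAT)
# and read access to the new AD domain. Read-only; it changes nothing.
Import-Module ActiveDirectory

function Get-MigrationCleanupStatus {
    # External trusts (such as the one to the old NT 4.0 domain) on which
    # SID filtering (quarantine) is still switched off.
    $unfilteredTrusts = Get-ADTrust -Filter * |
        Where-Object {
            -not $_.IntraForest -and
            -not $_.ForestTransitive -and
            -not $_.SIDFilteringQuarantined
        } |
        Select-Object Name, Direction, SIDFilteringQuarantined

    # Migrated users, groups and computers that still carry SID History.
    $sidHistoryHolders = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
        Select-Object Name, ObjectClass,
            @{ Name = 'SidHistoryCount'; Expression = { @($_.sIDHistory).Count } }

    [pscustomobject]@{
        UnfilteredExternalTrusts = @($unfilteredTrusts)
        ObjectsWithSidHistory    = @($sidHistoryHolders)
        # Both lists empty: Re-ACL cleanup is done and filtering is back on.
        CleanupComplete          = (-not $unfilteredTrusts) -and (-not $sidHistoryHolders)
    }
}

$status = Get-MigrationCleanupStatus
$status.UnfilteredExternalTrusts | Format-Table -AutoSize
$status.ObjectsWithSidHistory    | Format-Table -AutoSize
"Migration cleanup complete: $($status.CleanupComplete)"
```

Any object listed with SID History still depends on old-domain SIDs for access, so its resources have not been fully Re-ACLed; clear those first, then re-enable filtering on each listed trust.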
