I thought you indicated the users were on NT4?
 
If so, I might have a tool I haven't publicly published that can populate SID Histories but will require a trust. I will have to dig around, it was something I started playing with and then dropped it because something else came up.
 
  joe
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of packman
Sent: Friday, May 06, 2005 1:27 PM
To: [email protected]
Subject: Re: [ActiveDir] SID History Filtering

The problem is, we have no intention of migrating the users, as we used MSDSS to pull the users into the new AD structure from Novell...sorry I failed to mention that previously.

-Art

On 5/6/05, Santhosh Sivarajan <[EMAIL PROTECTED]> wrote:
After the migration of a user (using ADMT or any third party migration
tool), you can still access the resources in NT 4.0 using SID History
(not SID Filtering!).  You have to Re-ACL (Security Translation) the
resources using the migrated account before removing the SID History.
Then you can move all resource servers to new AD Domain.

Regarding the SID Filtering, in Windows 2000 SP4 and Windows 2003, SID
Filtering is enabled by default.  It is a best practice to enable SID
Filtering for security reasons.  But during the migration,
especially if you are using SID History, you have to disable SID
Filtering.  But make sure to enable it after the complete migration.

HTH
Santhosh

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX


On 5/6/05, Medeiros, Jose <[EMAIL PROTECTED]> wrote:
> I have bad news for you, do not put yourself in such a situation. You
> should always do such a migration off hours. My suggestion to you is to use
> Microsoft's Active Directory Migration Tool 2.0
> http://www.microsoft.com/downloads/details.aspx?FamilyID=788975b1-5849-4707-9817-8c9773c25c6c&DisplayLang=en
>
> NetIQ and Quest also have a tool with enhanced features.
>
> Regards,
>
> Jose Medeiros
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto: [EMAIL PROTECTED]]On Behalf Of
> packman
> Sent: Friday, May 06, 2005 7:05 AM
> To: [email protected]
> Subject: [ActiveDir] SID History Filtering
>
> I'm working at a client with what I think is a unique set of circumstances.
> Instead of upgrading their existing NT 4.0 Domain to AD, they instead,
> created a new AD structure and left the NT 4.0 Domain in production.  Almost
> all of the users are still logging into the 4.0 domain (4d) still, due to
> the fact that their resources are still in that domain.  My role in all this
> is getting the servers in 4d moved to AD without causing disruption to those
> users.  All of the 4d ID's were pulled into the AD structure.  Someone
> mentioned to me that we could use SID History filtering, and in one fell
> swoop, move all the 4d servers over to AD, less the DC's and everything
> should still work with the users logging in to 4d.  Is this the case?
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
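
Added example, not part of the original thread or any poster's code: a toy Python model of the sequence Santhosh describes (SID History gives access, SID Filtering on the trust strips it, Re-ACL must happen before SID History is removed). The SIDs, the account layout and the "add" style of security translation are constructed assumptions.

```python
# Toy model (constructed SIDs) of SID History and SID filtering across a trust.
OLD_DOM = "S-1-5-21-1111-1111-1111"  # constructed: old NT 4.0 domain SID
NEW_DOM = "S-1-5-21-2222-2222-2222"  # constructed: new AD domain SID

def domain_of(sid):
    """Domain part of an account SID: everything before the final RID."""
    return sid.rsplit("-", 1)[0]

def accepted_sids(account, sid_filtering):
    """SIDs the resource (trusting) domain honours for a logon from NEW_DOM."""
    sids = {account["sid"], *account["sid_history"]}
    if sid_filtering:
        # Filtering discards any SID not issued by the trusted domain itself,
        # which includes SID History values carried over from OLD_DOM.
        sids = {s for s in sids if domain_of(s) == NEW_DOM}
    return sids

def can_access(acl, account, sid_filtering):
    """Access is granted if any accepted SID appears on the resource ACL."""
    return bool(acl & accepted_sids(account, sid_filtering))

def re_acl(acl, account):
    """Security translation in 'add' mode (assumption): grant the new SID
    wherever one of the account's SID History values is already granted."""
    if acl & set(account["sid_history"]):
        return acl | {account["sid"]}
    return set(acl)

def walkthrough():
    user = {"sid": NEW_DOM + "-1105", "sid_history": [OLD_DOM + "-1042"]}
    share_acl = {OLD_DOM + "-1042"}          # resource still ACL'd with old SID
    cleaned = {**user, "sid_history": []}    # same user after SID History removal
    translated = re_acl(share_acl, user)
    return {
        "history_filter_off": can_access(share_acl, user, False),
        "history_filter_on": can_access(share_acl, user, True),
        "cleaned_without_re_acl": can_access(share_acl, cleaned, False),
        "cleaned_after_re_acl_filter_on": can_access(translated, cleaned, True),
    }

if __name__ == "__main__":
    for step, allowed in walkthrough().items():
        print(f"{step:32} -> {'access' if allowed else 'DENIED'}")
```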
