Trust and SID History are two different entities. You cannot compare
the two. A trust can be established between two domains at any time, and
then you can assign permissions to resources. SID History is a "history
of SIDs". It is very useful when you are performing a migration.
What will happen when you migrate a user without SID History? After
the migration, the user will be in Active Directory. All the
resources are still in the NT domain, and the resource permissions are
configured to use the "NT4.0\Username" account. Your new user name is
in Active Directory (AD\username). There is no "link" between
"NT4.0\username" and "AD\Username". You are normally denied access
when you try to access the resources in the NT4.0 domain even if you have
a trust between the NT and AD domains. I always explain (in simple
language) that SID History is an "invisible link" between your old
account and the migrated new account. If you migrate a user using
SID History, after the user migration you can access all the
resources in the NT domain without doing any extra steps because of SID
History ("the link"). What will happen when you shut down the NT 4.0
domain or remove the SID History? "The link" will be down, so you
cannot access the resources. How do I fix it? You can fix this issue
by re-ACLing the resources.
What is Re-ACL? Your NT resource permissions are configured with
"NT4.0\Username". The Re-ACL process will replace (depending on the
option you choose) the resource permissions with "AD\Username". In
order to access the resources in NT you need to have a trust in place.
Now you can safely remove the SID History, migrate all the
resource servers to Active Directory and shut down the NT domain.
HTH
Santhosh
Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX
On 5/11/05, Bert Skorupski <[EMAIL PROTECTED]> wrote:
> Hey guys,
>
> Today I got really confused about trusts and sIDHistory. I always
> thought that you have to use a trust for accessing resources in an "old"
> NT4 resource domain. But today I found a Microsoft technote telling the
> following:
>
> "In this way SIDHistory ensures that migrated users can continue to
> access resources located in a trusting (resource) domain, even though
> the user's new domain does not have a trust relationship with the
> resource domain."
>
> Can be found here:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/9d688a18-15c7-4d4e-9d34-7a763baa50a1.mspx
>
> Scenario:
>
> NT4 Account Domain --> User migrated to target AD domain including
> sIDHistory, Trust relationship exists to NT4 resource domain and to
> target AD domain
>
> NT4 Resource Domain --> hosting resources (e.g. files & folders)
> permissioned to users of NT4 account domain, Trust relationship to NT4
> account domain only
>
> Target AD domain --> hosting the "new" migrated user accounts, Trust
> relationship to NT4 account domain
>
> --> Is it really possible to access resources still hosted within the
> NT4 resource domain (not being re-ACLed yet - so still referencing the
> NT4 account domain accounts in all ACLs) by simply connecting to the
> file server in that case?
>
> --> What's going to happen if the NT4 account domain was switched off
> while the resources were still hosted within the NT4 resource domain?
> Could the "migrated" AD users still access the resources?
>
> --> What's going to happen if you'd re-ACL all the permissions within
> the NT4 resource domain by replacing the "old" SIDs with the "new" AD
> SIDs? (Again - still not having a trust relationship between NT4
> resource domain and AD target domain)?
>
> --> What's going to happen if you'd move the resource hosting member
> server from the NT4 resource domain to the target AD domain but without
> having the ACLs re-ACLed yet? What's going to happen if additionally the
> trust relationship to the NT4 account domain gets deleted (or the whole
> domain gets switched off)?
>
> I'd greatly appreciate any hints here to get me back on the safe track!
> ;-)
>
> Best regards,
> Bert
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
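The re-ACL step Santhosh describes (replace the "NT4.0\Username" ACEs with "AD\Username" ACEs while the sIDHistory "link" is still in place), written out as an added PowerShell example. This is not code from the thread or from any Microsoft tool; it assumes the ActiveDirectory module is installed, that the migrated accounts still carry the old NT4 SID in sIDHistory (that is the only place the old-to-new mapping is recorded), and that the OU path, share path and run-as-admin context are placeholders you would substitute.

```powershell
# Added example, not from the original thread. Re-ACLs a file tree so that
# explicit ACEs granting the OLD (NT4) SID of a migrated user are replaced by
# ACEs for the NEW (AD) SID, using the account's sIDHistory as the mapping.
# Assumptions: ActiveDirectory module available, sIDHistory still populated,
# and the OU / share paths below are placeholders.
Import-Module ActiveDirectory

$SearchBase = 'OU=Migrated,DC=ad,DC=example,DC=com'   # placeholder OU
$Root       = '\\fileserver\share\data'                # placeholder share
$DryRun     = $true                                    # report only; set $false to apply

function ConvertTo-SidString {
    param($Value)
    # sIDHistory may surface as SecurityIdentifier objects or as raw byte arrays
    if ($Value -is [byte[]]) {
        return (New-Object System.Security.Principal.SecurityIdentifier($Value, 0)).Value
    }
    return ([System.Security.Principal.SecurityIdentifier]$Value).Value
}

# 1. Make the "invisible link" explicit: old SID (from sIDHistory) -> new objectSid.
$SidMap = @{}
Get-ADUser -SearchBase $SearchBase -Filter * -Properties sIDHistory |
    Where-Object { $_.sIDHistory.Count -gt 0 } |
    ForEach-Object {
        $newSid = $_.SID.Value
        foreach ($old in $_.sIDHistory) { $SidMap[(ConvertTo-SidString $old)] = $newSid }
    }
Write-Host ("Mapped {0} old SID(s) to migrated accounts" -f $SidMap.Count)

# 2. Walk the tree and rewrite explicit (non-inherited) ACEs that name an old SID.
$Items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
foreach ($item in $Items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    $changed = $false
    foreach ($ace in @($acl.Access)) {
        if ($ace.IsInherited) { continue }   # inherited ACEs get fixed at their source folder
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }                  # unresolvable name that is not a SID: leave it alone
        if (-not $SidMap.ContainsKey($sid)) { continue }

        $newId  = New-Object System.Security.Principal.SecurityIdentifier($SidMap[$sid])
        $newAce = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $newId, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.AddAccessRule($newAce)
        # "Replace" mode: drop the old-SID ACE. Comment out the next line for an
        # "Add" mode that keeps both ACEs until the old domain is retired.
        $acl.RemoveAccessRuleSpecific($ace)
        $changed = $true
    }
    if ($changed) {
        if ($DryRun) { Write-Host "Would re-ACL: $($item.FullName)" }
        else { Set-Acl -LiteralPath $item.FullName -AclObject $acl; Write-Host "Re-ACLed: $($item.FullName)" }
    }
}
```

Run it first with `$DryRun = $true` to see which objects still reference old SIDs; once the output is empty after a real run, nothing on the share depends on sIDHistory any more, which is the point at which the thread says the SID History can be removed and the NT domain shut down. Because the old SID is read from sIDHistory, the script must run before that attribute is cleared; after that the mapping is gone and ACEs for the old SID can only be found by matching the old domain's SID prefix by hand.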