All,
I've been following the Sybex book, Mastering Windows 2003, to test
an inter-forest migration from external.dev to development.dev using the
ADMT. I have not received any errors during the migration and everything
appears to be set up correctly; however, I do not think the SID History is
functioning properly.
I have a 200 domain named External.dev and a 2003 domain named
development.dev. I have a group on External.dev called "Accounting" and a
member of that group named "Pete". I have a member server in external.dev,
N060MSADDEV4, with a share named "Accounting". The Everyone group has been
removed from the ACL and the External\Accounting group has been given full
control.
I migrate Accounting from external.dev to development.dev with the
box checked to migrate SID histories and I receive no errors. The new
Accounting group in development.dev should have a SID matching the one on
the Accounting group in external.dev and since that group has access to
N060MSADDEV4\Accounting, any new member of Development\Accounting should be
able to access N060MSADDEV4\Accounting. I create a user named "Tom" in
development.dev and place him in the new Accounting group and attempt to
connect to the share and access is denied. If I then migrate N060MSADDEV4
to development.dev and add the equivalent security references for the
target object and leave the source references intact, I can then access the
share with Tom, but according to the book I should not have to do that. Am
I not doing something correctly in this test?