certainly awkward - I've never heard of anything like it and I've done quite a few migrations and in-place upgrades. I first read the mail and thought, gee - someone really doesn't know what they're talking about. Then I saw it was from you, Sakari, and thought - oh no, you wouldn't joke around with this.

> It seems that the groups are gone from the DCs but are still
> cached in the member servers. But it's funny that this caching
> still applies after several weeks.

There is no such thing as a group-membership cache on member servers, so I highly doubt you're dealing with any issue that will go away or fix itself in time. More likely there's a name cache (not sure), which could explain why the groups display in the ACL editor (can you check how the name is displayed - i.e. with or without the domain name?).

> The old members of the groups can access the resources
> (even though they don't show in the Member Of tab)

The first thing to do is obviously to validate how the users are granted access to those resources - they could very easily have access to the resource via membership in some other group which is totally unrelated to these missing groups (as mentioned by joe and Jorge, check the user's token and compare to the permissions on the resource). Naturally server-local groups wouldn't show up in the memberOf tab on a user in AD - but this is no different than it was with WinNT.

How about bringing that old BDC back online and checking what memberships it displays for the users and if the groups really are global groups.

If at last all of this stuff is true after all, your friends must have really witnessed a highly unlikely domain-upgrade failure. At least it's good that they know the memberships of the groups and could recreate them. Also you know the old SID of the missing group, which is also good. Do they also know where these global groups were used at all? If they are sure that it's "only" those 50 member servers mentioned, then re-creating the groups and re-ACLing the member servers would be my preferred approach over trying to get those old SIDs into the SIDHistory of another group. You can easily re-ACL the servers with just a list of the SIDs for those missing/re-created groups.

If they're unsure about the usage of the groups, then getting their SID into the SIDHistory of new groups could be a valid approach. To make this work in your situation, you don't have to first perform an in-place upgrade from the roll-back BDC - you could migrate the groups straight away to a new interim forest and then migrate them from the interim to the production forest. Their RIDs wouldn't have been reused, since RIDs only count upward (and an old RID will never be reused by AD).

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Friday, 9 September 2005 17:45
To: [email protected]
Subject: RE: [ActiveDir] Create a group with a specified SID

Hi Jorge and Dean,

Answers and more description:

- I don't have personal access to the network in question, but I trust the guys over there to give me quite correct information. Of course, it's never the same as seeing yourself.
- The NTDS dump I mentioned is by using the operational dumpDatabase attribute of RootDSE.
- The missing groups are not visible with any of the following:
  - The previously mentioned NTDS dump
  - NET LOCALGROUP or NET GROUP
  - NT User Manager
  - ADSI Edit
  - ADUC search feature
- The Member Of tab of a user in ADUC does not list the missing groups.
- The old members of the groups can access the resources (even though they don't show in the Member Of tab).
- In ACL Editor, the missing groups show as names, not SIDs.
- You can create a new group in NT User Manager with the same SAM name as the missing one. After that, it also shows in ADUC. And after that, the missing group shows as a SID in ACL Editor, and not by name anymore.
- The forest has a root and three child domains, and this problem appears in one of the child domains.
- The problem domain has 3 DCs.
- The missing groups are global groups.
- I have to ask them to check the WHOAMI/SECTOK thing.

It seems that the groups are gone from the DCs but are still cached in the member servers. But it's funny that this caching still applies after several weeks. But still the question remains how the missing groups get into the users' access tokens.

Because they cannot add users to the missing groups, they could create a new group for each missing group, with the suffix NEW, for example. And add all the correct users to these new groups (the member information is available). But those new groups would need to be added to all the resources in all the 50 member servers.

They could also try the following:
- perform the in-place upgrade again from the roll-back BDC to a new empty forest/domain
- migrate (with ADMT) the groups in question to another empty forest/domain
- then migrate (with ADMT) the groups in question to the current production domain (if ADMT allows this, and if the RIDs of the incoming missing groups are not already reused in the production domain)

Yours,
Sakari

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
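Guido's preferred route, re-ACLing the member servers from a list of the old and re-created group SIDs, as an added PowerShell example that is not part of this thread or of any tool the posters mention. The SID values, the share root and the choice to replace each explicit ACE for an orphaned SID with an identical ACE for the new group are assumptions; inherited ACEs are left to their parent.

```powershell
# Added example (not from the thread): re-point explicit ACEs on a member server's
# folder tree from the missing (old) group SIDs to the re-created groups.
# Placeholder SIDs: take the old ones from the ACLs / old BDC, the new ones from AD.
$SidMap = @{
    'S-1-5-21-100-200-300-1105' = 'S-1-5-21-100-200-300-2301'   # OLD-SID = NEW-SID (placeholders)
    'S-1-5-21-100-200-300-1106' = 'S-1-5-21-100-200-300-2302'
}
$Root   = 'D:\Shares'   # assumed share root on the member server
$DryRun = $true         # report only; set to $false to write the ACLs

$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    $acl     = Get-Acl -LiteralPath $item.FullName
    $changed = $false
    # Only explicit ACEs: inherited ones are rewritten when their parent is processed.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        try {
            $oldSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            # A name that no longer resolves to a SID: report it and leave the ACE alone.
            Write-Warning ("{0}: cannot resolve '{1}'" -f $item.FullName, $ace.IdentityReference.Value)
            continue
        }
        if (-not $SidMap.ContainsKey($oldSid)) { continue }

        $newSid  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $SidMap[$oldSid]
        $ruleArg = @($newSid, $ace.FileSystemRights, $ace.InheritanceFlags, $ace.PropagationFlags, $ace.AccessControlType)
        $newAce  = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArg
        $acl.AddAccessRule($newAce)          # same rights, inheritance and type, new group
        $acl.RemoveAccessRuleSpecific($ace)  # drop the ACE that points at the orphaned SID
        $changed = $true
        '{0}: {1} -> {2} [{3} {4}]' -f $item.FullName, $oldSid, $newSid.Value, $ace.AccessControlType, $ace.FileSystemRights
    }
    if ($changed -and -not $DryRun) {
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}
```

Run it with $DryRun left at $true first and keep the printed list as the change record; it also doubles as the inventory of where the missing groups were actually used on that server, which Guido asks about.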
