2025-04-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
I have previously published on domain object migration using ADMT. The links are as follows:
https://blog.51cto.com/hubuxcg/1554925
https://blog.51cto.com/hubuxcg/1554927
Recently, while migrating a domain with ADMT again, I ran into a problem: because of SID filtering, migrated users could not access the file server in the source domain. The environment was as follows: source domain contoso.old (Windows Server 2008 R2), new domain contoso.local (Windows Server 2008 R2).
Let's first introduce SID History. During an AD migration or restructuring, SID History is used to preserve the user's access to resources in the source domain while the migration is in progress. When an object is migrated to a new domain it receives a new SID. Because Windows assigns permissions to objects by SID, a migrated object would lose access to its original resources once it has a new SID. So when migrating a domain, the SID of the source domain object is carried over to the new domain and stored as the sIDHistory attribute of the new domain object.
SID in the source domain (screenshot):
SIDHistory in the new domain after migration (screenshot):
Resources in both the source domain and the new domain resolve their access control lists (ACLs) to SIDs, then compare the ACL entries against the SIDs in the access token when deciding whether to grant or deny access. If either the primary SID or a SID History entry matches, access is granted or denied according to the permissions specified in the ACL; in other words, the migrated object keeps the permissions it originally had in the source domain!
However, beginning with Windows 2000 SP4, SID filtering is applied by default once a forest trust is established between the two directories, for security reasons. As a result, the SID History entries in the new domain are not carried across to the old domain: when the token crosses the trust, the SIDs that belong to the old domain are stripped from it, so the ACL cannot be matched against the SID History record and the user does not obtain valid permissions.
As shown below:
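The following is an added example, not code from the original article, that models the access check just described: a file share in the source domain whose ACL still names the pre-migration SID, a migrated user whose token carries the new SID plus a SIDHistory entry, and the trusting domain's SID filtering, which with quarantine enabled discards any SID whose domain portion is not the trusted domain's own. The domain SIDs, RIDs and the share ACL are constructed sample values, and the filtering rule is a simplification of the real trust logic. SID filtering exists precisely so that a trusted domain cannot present SIDs it does not own, so relaxing it for a migration widens the trust boundary; the model shows why the migration needs it off and why it should go back to /quarantine:Yes once the source resources are decommissioned.

```python
"""
Model of how SID filtering (trust quarantine) interacts with SIDHistory.

Constructed example, not code from the original article. Domain SIDs, RIDs and
the file-share ACL below are made-up sample values.
"""
from dataclasses import dataclass, field

# Constructed domain SIDs (the S-1-5-21-... prefix identifies the domain).
OLD_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # contoso.old  (source)
NEW_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"   # contoso.local (target)


def domain_of(sid: str) -> str:
    """Return the domain portion of an account SID (everything but the trailing RID)."""
    return sid.rsplit("-", 1)[0]


@dataclass
class Token:
    """Simplified access token: primary SID plus SIDHistory entries copied by ADMT."""
    user_sid: str
    sid_history: list[str] = field(default_factory=list)

    def sids(self) -> list[str]:
        return [self.user_sid, *self.sid_history]


def apply_sid_filtering(token_sids, trusted_domain_sid: str, quarantine: bool) -> list[str]:
    """
    Model of what the trusting domain does to an inbound token.
    With quarantine on (netdom /quarantine:Yes), every SID whose domain portion
    is not the trusted domain's own SID is removed before authorization runs.
    With quarantine off (netdom /quarantine:No), the token passes through unchanged.
    """
    if not quarantine:
        return list(token_sids)
    return [s for s in token_sids if domain_of(s) == trusted_domain_sid]


def access_allowed(acl: dict, token_sids, requested: str) -> bool:
    """ACL = {sid: {permissions}}; grant if any SID in the token carries the permission."""
    return any(requested in acl.get(s, set()) for s in token_sids)


# Migrated user: new SID in contoso.local, old SID retained as SIDHistory (constructed RIDs).
OLD_USER_SID = f"{OLD_DOMAIN_SID}-1105"
NEW_USER_SID = f"{NEW_DOMAIN_SID}-1602"
migrated_user = Token(NEW_USER_SID, sid_history=[OLD_USER_SID])

# File share in the source domain; its ACL still names only the pre-migration SID.
SOURCE_SHARE_ACL = {OLD_USER_SID: {"read", "write"}}


def check_access(quarantine: bool, requested: str = "read") -> bool:
    """Run the migrated user's token through the trust and evaluate the source share ACL."""
    effective = apply_sid_filtering(migrated_user.sids(), NEW_DOMAIN_SID, quarantine)
    return access_allowed(SOURCE_SHARE_ACL, effective, requested)


if __name__ == "__main__":
    # SIDHistory is stripped by the trust -> the source ACL no longer matches.
    print("SID filtering enabled :", check_access(quarantine=True))   # False
    # SIDHistory survives -> the original source-domain permissions apply.
    print("SID filtering disabled:", check_access(quarantine=False))  # True
```

Run the file directly to see both cases; the only input that differs between them is the quarantine flag, which is what `netdom trust ... /quarantine:No` changes on the trust.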
To resolve this problem, first confirm whether SID filtering is disabled between the two trusted domains. The reference command is:
netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /usero:domainadministratorAcct /passwordo:domainadminpwd
If the logged-in user has Domain Admins or Enterprise Admins privileges, the username and password options can be omitted.
First, use the command to check the current status:
netdom trust contoso.local /domain:contoso.old /quarantine
As you can see from the figure above, SID filtering is enabled, so it needs to be disabled, with the following command:
netdom trust contoso.local /domain:contoso.old /quarantine:no
After running it, check the status again: it now reports that SID filtering is disabled and that all SIDs will be honored.
After this change, you also need to enable SID conversion in the domain controller policy of the source domain. The GPO configuration is as follows:
Once the above configuration is complete, objects migrated with ADMT will continue to have access to all their resources in the source domain until the migration is finished!