I will briefly explain my situation. The company I work for currently
has 3 domains which are being consolidated into one Windows 2000
Domain. Let's call them DomainA, DomainB, DomainC and Newforest.
DomainB and DomainC have already been migrated using ADMT
without any problems.
The issue I'm having is with DomainA. I have run through the
interforest domain migration checklist multiple times and I have done
everything required. I have migrated the groups first and then the
user accounts, all group memberships are correctly migrated. ADMT
reports SID History to have been successfully migrated on the
accounts, but when I login as one of the users on Newforest, I cannot
access resources which are still on DomainA.
I used ADSIEdit to view the "sidhistory" attribute and get the
following value:
0x01 0x05 0x00 0x00 0x00 0x00 0x00 0x05 0x15 0x00
Strange thing is that ALL user accounts have this same value? Odd. I'm
running the ADMT process from Newforest\Administrator which has Admin
access on DomainA.
Here is the log for one account
ENITYGROUP=DomainA
GRIFFIN=NewForest
2004-12-06 10:57:35
2004-12-06 10:57:35 Active Directory Migration Tool, Starting...
2004-12-06 10:57:35 Starting Account Replicator.
2004-12-06 10:57:36 Account Migration ENITYGROUP GRIFFIN CopyUsers:Yes
CopyGlobalGroups:No CopyLocalGroups:No CopyComputers:No
2004-12-06 10:57:55 CN=Rhonda Hanson - Created
2004-12-06 10:58:19 SID for ENITYGROUP\rhondah added to the SID
History of GRIFFIN\rhondah
2004-12-06 10:58:32 - Set password for Rhonda Hanson.
2004-12-06 10:58:49 LDAP://instsyd1.griffin.local/CN=Rhonda
Hanson,OU=User accounts,OU=Claudegroup.com.au,OU=Companies,DC=griffin,DC=local
- added to group CN=CG COO
2004-12-06 10:58:49 LDAP://instsyd1.griffin.local/CN=Rhonda
Hanson,OU=User accounts,OU=Claudegroup.com.au,OU=Companies,DC=griffin,DC=local
- added to group CN=CG HR
2004-12-06 10:58:50 LDAP://instsyd1.griffin.local/CN=Rhonda
Hanson,OU=User accounts,OU=Claudegroup.com.au,OU=Companies,DC=griffin,DC=local
- added to group CN=CG Management
2004-12-06 10:58:50 LDAP://instsyd1.griffin.local/CN=Rhonda
Hanson,OU=User accounts,OU=Claudegroup.com.au,OU=Companies,DC=griffin,DC=local
- added to group CN=CG secretarial
2004-12-06 10:58:50 LDAP://instsyd1.griffin.local/CN=Rhonda
Hanson,OU=User accounts,OU=Claudegroup.com.au,OU=Companies,DC=griffin,DC=local
- added to group CN=CG sydney projects
2004-12-06 10:58:50 LDAP://instsyd1.griffin.local/CN=Rhonda
Hanson,OU=User accounts,OU=Claudegroup.com.au,OU=Companies,DC=griffin,DC=local
- added to group CN=CG Sydney
2004-12-06 10:58:51 Operation completed.
Any help would be fantastic.
Luke
The ADMT log shows the SIDhistory has been successfully added to the
accounts.
What is the error message when you access the old domain A shares? Have you
granted the group permission to the shares instead of the individual user?
As far as I know, this issue may occur if you grant a group, which contains the
user account, the permission to access the old resource. After you migrate the
user to the new domain, they are no longer part of the old group, so they
lose the permission to access the old resource.
Please check the share permission and NTFS permission of the old resource
and let me know if you granted the permission to the user directly.
If this is the issue, we need to re-ACL the resources.
Since OldDomain\User1 is a built-in group we cannot use ADMT to migrate it.
Fortunately, we are able to use the Security Translation Wizard with a SID
Mapping file to add the NewDomain\"Domain Users" group's SID to the
resources.
To do so:
1. Get the SIDs of both OldDomain\"Domain Users" and NewDomain\"Domain
Users". We can log on as OldDomain\User1 and run "whoami.exe /all". From the
returned output, we can find the SID of OldDomain\"Domain Users". Please use
the same method to get the SID of NewDomain\"Domain Users".
Note: whoami.exe is a utility from the Windows 2000 Resource Kit Tools. If you
do not have it, please let me know.
2. Create a SID mapping file (should be a txt file). We can name it
sidmapping.txt.
3. Edit the SID mapping file in Notepad and input the following content:
<SID of OldDomain\"Domain Users">, <SID of NewDomain\"Domain Users">
Note: Please put the correct SIDs in the above line.
4. Run ADMT, choose "Security Translation Wizard".
5. On the "Security Translation Options" page, choose "Other objects
specified in a file" and browse to select the sidmapping.txt file created
in Step 2.
6. Follow the wizard to translate resources on ServerA.
7. Please check if the NewDomain\User1 has access to <\\ServerA\Share>.
As for the roaming profile issue, I suggest you check if the issue occurs
on all the Windows 2000 computers with different user accounts. If so,
please send the Event Viewer logs of a Windows 2000 computer to me.
Step 1: Click Start, click Run, and then type "eventvwr" (without the
quotation marks), click OK.
Step 2: Right-click Application and select Save Log File As.
Step 3: Save it as Application.evt.
Step 4: Repeat steps 1 to 3 to save the Security and System event logs to
Security.evt and System.evt.
Step 5: Delete all the Application, Security and System logs in the Event
Viewer.
Step 6: Restart the computer. When the issue occurs, save the new
Application, Security and System log to three new files as well as the
error message when you access the old domain shares, send them to me at
v-r...@microsoft.com for research.
Any update, let us get in touch!
Best regards,
Rebecca Chen
MCSE2000 MCDBA CCNA
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
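Added example (not from the thread or from ADMT): building and sanity-checking the sidmapping.txt file from steps 1 to 3 above. Each line maps an old-domain SID to a new-domain SID; the checks catch the mistakes that make the Security Translation Wizard silently do nothing (a non-domain SID, both SIDs from the same domain, or Domain Users on only one side). The SIDs in the demo are constructed; the well-known RID 513 for Domain Users is a documented constant.

```python
import re

# A domain account SID: S-1-5-21-<three domain sub-authorities>-<RID>.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")
DOMAIN_USERS_RID = 513  # well-known RID of the "Domain Users" group in every domain

def domain_prefix(sid):
    """The S-1-5-21-a-b-c part that identifies the domain (everything but the RID)."""
    return sid.rsplit("-", 1)[0]

def rid(sid):
    """The relative identifier, i.e. the last sub-authority."""
    return int(sid.rsplit("-", 1)[1])

def check_pair(old_sid, new_sid):
    """Return None if (old_sid, new_sid) is a sane mapping line, else a reason string."""
    for label, sid in (("old", old_sid), ("new", new_sid)):
        if not DOMAIN_SID_RE.match(sid):
            return "%s SID %r is not a domain account SID" % (label, sid)
    if domain_prefix(old_sid) == domain_prefix(new_sid):
        return "both SIDs come from the same domain; nothing to translate"
    if (rid(old_sid) == DOMAIN_USERS_RID) != (rid(new_sid) == DOMAIN_USERS_RID):
        return "only one side is Domain Users (RID 513); re-check the whoami output"
    return None

def mapping_lines(pairs):
    """Build the text of sidmapping.txt: one '<old SID>, <new SID>' line per pair."""
    lines = []
    for old_sid, new_sid in pairs:
        problem = check_pair(old_sid, new_sid)
        if problem:
            raise ValueError(problem)
        lines.append("%s, %s" % (old_sid, new_sid))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed SIDs; real values come from "whoami /all" run in each domain.
    old = "S-1-5-21-1111-2222-3333-513"
    new = "S-1-5-21-4444-5555-6666-513"
    print(mapping_lines([(old, new)]), end="")
```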
--------------------
>From: Luke.F...@claudegroup.com.au (Luke)
>Newsgroups: microsoft.public.windows.server.migration
>Subject: ADMT - SID History Issues, Cannot access resources in old domain
>Date: 5 Dec 2004 16:02:59 -0800
>Organization: http://groups.google.com
[Luke Fogarty] \\server\resource is not accessible. You might not have
permission to use this network resource. Contact the administrator of this
server to find out if you have access permissions.
Access is denied.
As far as I know, this issue may occur if you grant a group, which contains the
user account, the permission to access the old resource. After you migrate the
user to the new domain, they are no longer part of the old group, so they lose
the permission to access the old resource.
Please check the share permission and NTFS permission of the old resource
and let me know if you granted the permission to the user directly.
[Luke Fogarty]
I created two new shares on domaina with the share permissions of
domaina\rhondah (full control) and NTFS permissions of domaina\rhondah (full
control) and the second with share and NTFS permissions for a group rhondah
is a member of.
I still get the same error message as above.
If this is the issue, we need to re-ACL the resources.
[Luke Fogarty]
It doesn't look like the issue, so I haven't re-ACLed any resources at this
stage.
Since OldDomain\User1 is a built-in group we cannot use ADMT to migrate it.
Fortunately, we are able to use the Security Translation Wizard with a SID
Mapping file to add the NewDomain\"Domain Users" group's SID to the
resources.
[Luke Fogarty]
I'm sure I could get access if I run the security translation wizard on the
servers, but as far as I know I shouldn't have to? SID history is supposed to
allow access to old resources. This is how I've used it in the past.
To do so:
1. Get the SIDs of both OldDomain\"Domain Users" and NewDomain\"Domain
Users". We can log on as OldDomain\User1 and run "whoami.exe /all". From the
returned output, we can find the SID of OldDomain\"Domain Users". Please use
the same method to get the SID of NewDomain\"Domain Users".
Note: whoami.exe is a utility from the Windows 2000 Resource Kit Tools. If you
do not have it, please let me know.
2. Create a SID mapping file (should be a txt file). We can name it
sidmapping.txt.
3. Edit the SID mapping file in Notepad and input the following content:
<SID of OldDomain\"Domain Users">, <SID of NewDomain\"Domain Users">
Note: Please put the correct SIDs in the above line.
4. Run ADMT, choose "Security Translation Wizard".
5. On the "Security Translation Options" page, choose "Other objects
specified in a file" and browse to select the sidmapping.txt file created in
Step 2.
6. Follow the wizard to translate resources on ServerA.
7. Please check if the NewDomain\User1 has access to <\\ServerA\Share>.
As for the roaming profile issue, I suggest you check if the issue occurs on
all the Windows 2000 computers with different user accounts. If so, please
send the Event Viewer logs of a Windows 2000 computer to me.
[Luke Fogarty] I'm not having any roaming profiles issues at this stage.
Exchange permissions are set up for the account "SELF" on each user/mailbox.
--------------------
>From: Luke Fogarty <LukeF...@discussions.microsoft.com>
>Subject: RE: ADMT - SID History Issues, Cannot access resources in old doma
>Date: Mon, 6 Dec 2004 16:29:02 -0800
>Newsgroups: microsoft.public.windows.server.migration
I would like to confirm two things:
1. Can you use the user account with SIDhistory kept to log on to the old
domain A? Using this step, we can know if the SIDhistory has been retained.
NOTE: You need to create a two-way trust between the old NT domain and the
Newforest domain.
2. As you have stated, "I created two new shares on domaina with the share
permissions of domaina\rhondah (full control) and NTFS permissions of
domaina\rhondah (full control) and the second with share and NTFS
permissions for a group rhondah is a member of.", it seems that rhondah is
a group. Please grant the individual user; for example, if the migrated user
is called Luck, grant Luck the NTFS and Share full control permission.
Can Luck log on to the Newforest and access the share? Also check that the
Luck user account still exists in Domain A.
Any update, let us get in touch!
Best regards,
Rebecca Chen
MCSE2000 MCDBA CCNA
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
--------------------
>Newsgroups: microsoft.public.windows.server.migration
>From: v-r...@online.microsoft.com (Rebecca Chen [MSFT])
>Organization: Microsoft
>Date: Tue, 07 Dec 2004 08:11:09 GMT
>Subject: RE: ADMT - SID History Issues, Cannot access resources in old doma