| Author |
Message |
Richard Hall
Guest
|
Posted:
Mon Jan 24, 2005 9:48 pm Post subject:
Migrating W2k3 to new W2k3 Domain |
|
|
Hi,
I currently have a single Windows 2003 forest that I am
requiring to move into a new AD. I am using ADMT tool to
migrate the users/groups and computers from domainA onto
DomainB but still access resources on domainA. I have
transferred the users, groups and computers but am unable
to access resources on domainA. I have checked SIDHistory
attributes using ldp and the ADMT logs state SIDHistory
Added.
This is really confusing me and I need some help in telling
me where I could be going wrong. |
|
|
 |
Frances [MSFT]
Guest
|
Posted:
Tue Jan 25, 2005 12:49 pm Post subject:
RE: Migrating W2k3 to new W2k3 Domain |
|
|
Hello Richard,
Thanks for your post.
From your message, I understand that the issue is the users in domainB
cannot access the resources in domainA although the SIDHistory is enabled
in the migration process.
I have to obtain more detailed information for your problem. Do you perform
an inter-forest migration involving two forests or an intra-forest
migration involving one forest?
If you have performed the inter-forest migration, it is possible that the
domainB users cannot access the resources in domainA due to the SID
filtering set by default. You can use netdom to configure SID filtering.
Refer to the following article to use the netdom trust command:
NetDom Syntax
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/NetDom_syntax.asp
If this is not the case, please double-check the SIDHistory attribute.
Also, please follow the steps below to isolate the problem.
To clarify, let us name domainA\u1 and domainB\u1 for a migrated user u1 |
|
|
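Added example, not part of any post in this thread: a small Python model of the SID filtering effect described in the reply above, showing why a migrated DomB account loses its sIDHistory-based access to a DomA resource while the trust is quarantined. The domain SIDs, RIDs and helper names are constructed for illustration, and the ACL check is simplified to "a matching deny wins".

```python
from dataclasses import dataclass, field

# Constructed domain SIDs and RIDs for illustration; none come from the thread.
DOMA = "S-1-5-21-1000000001-1000000002-1000000003"
DOMB = "S-1-5-21-2000000001-2000000002-2000000003"

@dataclass
class Principal:
    sid: str
    sid_history: list = field(default_factory=list)

def domain_of(sid):
    """Domain portion of an account SID (everything before the final RID)."""
    return sid.rsplit("-", 1)[0]

def token_sids(user, groups, trusted_domain, quarantine):
    """SIDs a server in the trusting domain accepts for a user of trusted_domain."""
    sids = set()
    for p in [user, *groups]:
        sids.add(p.sid)
        sids.update(p.sid_history)
    if quarantine:
        # SID filtering: keep only SIDs issued by the trusted domain itself,
        # which drops every sIDHistory entry that points back at DomA.
        sids = {s for s in sids if domain_of(s) == trusted_domain}
    return sids

def access_allowed(sids, acl):
    """acl is a list of (kind, sid); canonical ordering assumed, so a matching deny wins."""
    if any(kind == "deny" and sid in sids for kind, sid in acl):
        return False
    return any(kind == "allow" and sid in sids for kind, sid in acl)

# DomB\u1 and DomB\GroupA after migration: new SIDs plus the old DomA SIDs in sIDHistory.
u1 = Principal(DOMB + "-1105", [DOMA + "-1105"])
group_a = Principal(DOMB + "-1201", [DOMA + "-1201"])
folder_acl = [("allow", DOMA + "-1201")]  # folder in DomA secured with DomA\GroupA only

def check(quarantine, acl=folder_acl):
    """Can DomB\\u1 (member of DomB\\GroupA) open the DomA folder?"""
    return access_allowed(token_sids(u1, [group_a], DOMB, quarantine), acl)

if __name__ == "__main__":
    print("SID filtering on   :", check(True))
    print("SID filtering off  :", check(False))
    print("DomB\\GroupA on ACL :", check(True, folder_acl + [("allow", DOMB + "-1201")]))
    print("deny on old u1 SID :", check(False, [("deny", DOMA + "-1105")] + folder_acl))
```

The third case matches the later observation in the thread that access works once DomB groups are added to the DomA resource, since those SIDs pass the filter.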
 |
Richard Hall
Guest
|
Posted:
Tue Jan 25, 2005 2:34 pm Post subject:
RE: Migrating W2k3 to new W2k3 Domain |
|
|
Thanks for the reply, I have checked the SID History
attribute using the ldp command and the domainb\u1 has the
sid history of domaina\u1 added. I have also re-checked
that sid filtering is turned off on both servers. I have
run the security translation wizard on a specified txt
file that contains old sid and new sid but this still does
not seem to solve my problem.
Any ideas???
|
|
|
|
 |
Frances [MSFT]
Guest
|
Posted:
Wed Jan 26, 2005 3:58 pm Post subject:
RE: Migrating W2k3 to new W2k3 Domain |
|
|
Hello Richard,
According to your message, I believe the problem is not related to Security
Translation and SIDHistory if you manually add the permissions of DomB\u1,
and the user still cannot access the resources.
Please perform the following steps to isolate the problem.
To clarify, let us name the computer with resource ComA. ComA is in DomA.
Also name the computer which you log on to using DomB\u1 ComB, in DomB.
Process to test
===========
1. Ping to make sure the network is ok.
Ping ComA from ComB. If it is ok, please ping ComB from ComA.
The specific steps are as follows.
1.1 In the run box, type in "cmd".
1.2 Type "ping servername" to ping the computer. You can either use IP
address or computer name.
2. Use UNC, such as \\192.168.0.1\resource in Run box to access the resource
in ComA
Note: 192.168.0.1 is ComA's IP address.
3. If you have met errors, please send the screen shot to
v-franhe@microsoft.com for research.
If you have such error as "Access Denied", it is probably related to the
user you used for test. Please create a test user and perform the following
test.
3.1 Create the test user in DomA. Let us say DomA\test.
3.2 Migrate the user using ADMT with SIDHistory.
Now we have DomB\test.
3.3 Manually add the permissions to the resource.
3.4 Check again that DomB\test can access the resource.
Is it ok now? If this is the case, it seems that the DomA\u1 has joined
many groups, and access to the resource may be denied in one of those
groups. Please have a check.
If the problem persists, don't hesitate to get in touch. I am looking
forward to your reply!
Best regards,
Frances He
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights. |
|
|
 |
Richard Hall
Guest
|
Posted:
Wed Jan 26, 2005 11:37 pm Post subject:
RE: Migrating W2k3 to new W2k3 Domain |
|
|
Hello,
I have done everything you suggest and I can get replies
from doma. I can also get access to the resources on doma
if I add domb groups to doma resources, but I am unable to
access resources on doma when doma groups are securing
doma resources only,
i.e. a folder on doma has doma\groupa added to it and groupa
is migrated to domb.
Hope this helps.
|
|
|
|
 |
Frances [MSFT]
Guest
|
Posted:
Thu Jan 27, 2005 3:47 pm Post subject:
RE: Migrating W2k3 to new W2k3 Domain |
|
|
Hello Richard,
According to your message, I assume that you grant a group, which has the
user account, the permission to access the old resource. Is it correct? If
this is the case, the users may not access the old resource, because after
you migrate the users to the new domain, they are not part of the old group,
so they lose the permission to access the old resource.
To isolate the problem, please perform the following steps.
1. Grant DomA\GroupA\UserA to the specified folder.
NOTE: UserA has been migrated to DomB with SIDHistory.
2. Use UserA to log on to DomB to access the shares which are located on DomA.
2.1 If it works, we can tell that this issue is related to the DomA\GroupA.
Please check the property of GroupA to see whether it is a built-in group
or a well-known group, since those groups should not be migrated via ADMT.
If this is the case, I suggest that you use a SID mapping file to re-ACL the
resources. Please refer to the following article for more information.
How to use a SID mapping file with the ADMT tool to perform a resource
domain migration to Windows Server 2003
http://support.microsoft.com/?kbid=835991
2.2 If it does not work, it seems that the user migration is not completed
successfully.
I suggest that you remigrate the groups and users, and check again. Please
migrate the groups and users separately (do not migrate the associated
members when migrating groups).
During the group migration, please use the following configurations
[Group Options]
Copy group members * Not Checked
Fix membership of group * Checked
During the user migration, please use the following configurations:
[User Options]
Migrate associated user groups * Not Checked
Fix users' group memberships * Checked
If the groups have previously been migrated, choosing the above options
will update the group memberships during the user migration.
If the problem persists, please give me the detailed steps you have taken
in the migration and the exact error message you get. Also send a screen
shot of the error to v-franhe@microsoft.com for research. The screen shot
of error message is very important and can help us to find out some clues.
In addition, the Recommended Migration Order is listed below for your
reference:
1. Trust migration (UI Only)
2. Service account migration
3. Domain Global Group
4. Domain Local Group
5. User migration
6. Computer migration
7. Security translation
8. Report
If you have any further questions don't hesitate to get in touch!
Best regards,
Frances He
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights. |
|
|
 |
Richard Hall
Guest
|
Posted:
Fri Jan 28, 2005 5:53 pm Post subject:
RE: Migrating W2k3 to new W2k3 Domain |
|
|
Hello Frances,
Thank you for your response, but through trying the steps
again and creating another resource I have resolved the
issue with no access on data shares. But could you point
me in the right direction on how I could migrate user
rights from domaina to domainb for access to domaina
Exchange Server 2003 mailboxes? The reason for this is
that the migration process is going to be staggered by
department rather than one all at once. Can this be
done?
Cheers
| Quote: | -----Original Message-----
Hello Richard,
According to your logs, I believe the migration is
successful.
I think now we need to check the following things to make
sure what is the
main cause.
1. Run the following command on domainB DC.
netdom trust <domainA FQDN> /domain:<domainB FQDN> /usero:administrator /passwordo:<admin password or *> /quarantine
Please send me the result of the command.
2. Run the following command on domainA DC.
netdom trust <domainB FQDN> /domain:<domainA FQDN> /usero:administrator /passwordo:<admin password or *> /quarantine
Please send me the result of the command.
3. Logon as the DomainB\UserA and run the mytoken.exe
tool. Please paste
the result in post.
The tool is attached for your convenience.
4. Run subinacl /noverbose /file C:\Data > c:\ntfs.txt
Please send me the generated txt file c:\ntfs.txt.
In addition, please send the screen shot of the error
message to
v-franhe@microsoft.com for research. It may take some
time to resolve the
problem, your patience is appreciated.
If there is any update, please get in touch!
Best regards,
Frances He
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and
confers no rights. |
|
|
|
 |
Frances [MSFT]
Guest
|
Posted:
Mon Jan 31, 2005 6:47 am Post subject:
RE: Migrating W2k3 to new W2k3 Domain |
|
|
Hello Richard,
Good to hear that the domainB users can access the resource in domainA.
As for the mailboxes, it is an exchange-related issue and would be better
addressed in the Exchange newsgroup. Please open up a new thread in the
microsoft.public.exchange.setup newsgroup since they are the experts in
Exchange and will provide the most accurate information on this issue.
Thanks for your understanding.
Best regards,
Frances He
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights. |
|