Enable SID History / Disable SID Filtering
Friday, July 25, 2008
I've been getting a lot of experience with the Active Directory Migration Tools [ADMT] but it seems like I always have a problem with using SID history between domains. This is more of a reminder for myself how to get SID History to work.
What is SID History
SID History (the sIDHistory attribute) is an attribute of an Active Directory user or group object that stores the Security Identifiers (SIDs) the object had in a previous domain. It is most commonly used during a migration: you have an old domain, you move the account to a new domain, and because the old SIDs are still added to the user's access token, the user keeps access to everything in the old domain that was permissioned against the old SID. This saves the hassle of having to re-permission network shares, folders, applications, etc. For this to work across the trust, SID Filtering on the trust between the domains has to be relaxed: on an external trust SID Filtering must be disabled, and on a forest trust SID History must be enabled on the trust.
To enable SID History on a trust, issue this command:
What is SID Filtering
The nemesis of SID History is SID Filtering. It is a security measure that is on by default on new trusts, and it protects your new environment from an attacker who has broken into the old domain: the resource domain discards any SID in an incoming token that did not originate in the trusted domain, so an attacker who can write arbitrary SIDs into a token (or into sIDHistory) in the old domain cannot use them to become an administrator in the new one. You may think nobody is going to get into the old domain, but in just about every migration I have done, the original domain is left up and running and then everything in it gets a low priority; patches, access control management and event log review all become secondary because nobody is on it any more, and the old domain becomes a fairly large new attack vector. While it makes sense to leave the old environment up and running, it still needs the same care it has always needed.
So that is why SID Filtering is good, but unfortunately it completely blocks the use of SID History, which is very important during a migration. Disabling it should be treated as a temporary, migration-only change: re-enable SID Filtering as soon as the migration is finished and the sIDHistory values are no longer needed. The command below disables SID Filtering:
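The following is an added example and not the command from the original post. It relaxes SID Filtering on the trust the old (resource) domain has with the new (account) domain, which is the direction that matters for migrated sIDHistory values, and then reads the trust object back to confirm the change. The domain names `old.corp.example` and `new.corp.example`, the `Administrator` account, and the exact mapping of trustAttributes bits are assumptions for illustration; the bit values themselves are the TRUST_ATTRIBUTE_* constants from MS-ADTS. It is meant to be run as an administrator of the old domain on a machine with netdom available.

```powershell
# Added example (not from the original post).  Relax SID Filtering on the trust
# from the old/source domain (trusting, resource side) to the new/target domain
# (trusted, account side) so that sIDHistory values migrated with ADMT are honoured,
# then verify by decoding the trustAttributes of the trustedDomain object.
param(
    [string]$SourceDomain = 'old.corp.example',   # assumed name: old domain, where the resources live
    [string]$TargetDomain = 'new.corp.example',   # assumed name: new domain, where the accounts now live
    [switch]$ForestTrust                          # set this when the trust is a forest trust
)

# netdom acts on the trust as seen from the trusting domain, so the first argument
# is the source domain.  /passwordD:* prompts for the target-domain password.
if ($ForestTrust) {
    # Forest trust: SID Filtering stays on, but SID History is enabled on the trust.
    netdom trust $SourceDomain /domain:$TargetDomain /enablesidhistory:yes /userD:"$TargetDomain\Administrator" /passwordD:*
} else {
    # External trust: SID filter quarantining is switched off entirely.
    netdom trust $SourceDomain /domain:$TargetDomain /quarantine:no /userD:"$TargetDomain\Administrator" /passwordD:*
}
if ($LASTEXITCODE -ne 0) { throw "netdom failed with exit code $LASTEXITCODE" }

# Verification: trustAttributes bit values from MS-ADTS 6.1.6.7.9.
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x00000004   # SID Filtering (quarantine) on an external trust
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x00000008   # the trust is a forest trust
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x00000040   # forest trust filtered like an external one (SID History enabled)

# The trustedDomain object for the partner lives under CN=System in the source domain;
# a subtree search from the domain root finds it by trustPartner (the partner's DNS name).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$SourceDomain"
$searcher.Filter = "(&(objectClass=trustedDomain)(trustPartner=$TargetDomain))"
$null = $searcher.PropertiesToLoad.AddRange([string[]]@('trustPartner', 'trustAttributes', 'trustDirection'))
$trust = $searcher.FindOne()
if (-not $trust) { throw "No trust from $SourceDomain to $TargetDomain was found" }

$attrs = [int]$trust.Properties['trustattributes'][0]
[pscustomobject]@{
    TrustPartner     = [string]$trust.Properties['trustpartner'][0]
    TrustDirection   = [int]$trust.Properties['trustdirection'][0]    # 1 = inbound, 2 = outbound, 3 = bidirectional
    ForestTransitive = [bool]($attrs -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE)
    Quarantined      = [bool]($attrs -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)   # should be False after /quarantine:no
    TreatAsExternal  = [bool]($attrs -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL)    # should be True after /enablesidhistory:yes
    RawAttributes    = ('0x{0:X8}' -f $attrs)
}
```

Running `netdom trust` with `/quarantine` or `/enablesidhistory` and no value prints the current setting without changing it, which is a quick way to audit every trust before and after the migration. When the migration is done, the same commands with `/quarantine:yes` or `/enablesidhistory:no` put SID Filtering back, and the verification part of the script should then show `Quarantined` as True (external trust) or `TreatAsExternal` as False (forest trust).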
External Links
http://technet2.microsoft.com/windowsserver/en/library/52b395b4-0313-47d8-87d4-fb1dd4d5c4701033.mspx?mfr=true - TechNet article about disabling SID filtering
http://technet2.microsoft.com/windowsserver/en/library/31915de7-ff58-4f26-a8ec-450ffca759121033.mspx?mfr=true - TechNet article about external trusts
Labels: active directory, ADMT, migration, SID filtering, SID history