Migrating SIDhistory

Hi,
We are planning to do inter-forest users and group migration? In that
regards, i have questions.

1. Suppose a user has a full permission to access a folder. Now, i migrate
the user from domainA in a forest to domainB in another forest. Later I break
the trust between the domains. If go to the security tab of that folder, will
the user name still be resolving?

2. Is SID history a long term solution? If not any best practice/methods to
go for migration?

Thanks,

Imran

Hello Imran,

In response to your Qs:

A1 - Assuming that the file server is migrated to the target domain and you
have run security translation on the file server, the access control entries
will now reflect Target Domain\User - Full Control instead of Source
Domain\User - Full Control. Now if you remove the trust between source and
target domain, the access controll entry will show Target Domain\User - Full
Control.

A2 - Security Translation is the solution, which will modify the ACLs to
refelct the ew target SID's in the place of old SID.

SID History is certainly not a long term solution. Its only a flexibity
given for large migrations, where co-existence can happen during the period
of migration.

You wouldn't need SID History once all your accounts and resources are
successfully migrated to the target domain. You can confirm this by taking
the source DCs offline for a period of time post the migration. You can then
Fix all the issues ONLY then completely de-commision the source domain.

Trust that the above answers your queries....

venkat

"ppt_puppet" wrote:

> Hi,
> We are planning to do inter-forest users and group migration? In that
> regards, i have questions.
>
> 1. Suppose a user has a full permission to access a folder. Now, i migrate
> the user from domainA in a forest to domainB in another forest. Later I break
> the trust between the domains. If go to the security tab of that folder, will
> the user name still be resolving?
>
> 2. Is SID history a long term solution? If not any best practice/methods to
> go for migration?
>
> Thanks,
>
> Imran

Hi Venkat,

Thank you very much for your response.
Can you please tell me how do i proceed with "Security Translation" step of
the migration?

Thanks,
Imran

"Viswanath" wrote:

> Hello Imran,
>
> In response to your Qs:
>
> A1 - Assuming that the file server is migrated to the target domain and you
> have run security translation on the file server, the access control entries
> will now reflect Target Domain\User - Full Control instead of Source
> Domain\User - Full Control. Now if you remove the trust between source and
> target domain, the access controll entry will show Target Domain\User - Full
> Control.
>
> A2 - Security Translation is the solution, which will modify the ACLs to
> refelct the ew target SID's in the place of old SID.
>
> SID History is certainly not a long term solution. Its only a flexibity
> given for large migrations, where co-existence can happen during the period
> of migration.
>
> You wouldn't need SID History once all your accounts and resources are
> successfully migrated to the target domain. You can confirm this by taking
> the source DCs offline for a period of time post the migration. You can then
> Fix all the issues ONLY then completely de-commision the source domain.
>
> Trust that the above answers your queries....
>
> venkat
>
> "ppt_puppet" wrote:
>
> > Hi,
> > We are planning to do inter-forest users and group migration? In that
> > regards, i have questions.
> >
> > 1. Suppose a user has a full permission to access a folder. Now, i migrate
> > the user from domainA in a forest to domainB in another forest. Later I break
> > the trust between the domains. If go to the security tab of that folder, will
> > the user name still be resolving?
> >
> > 2. Is SID history a long term solution? If not any best practice/methods to
> > go for migration?
> >
> > Thanks,
> >
> > Imran

The ADMT V3 Migration Guide has these steps documented neatly. You can
download the user guide from the below link;

http://www.microsoft.com/downloads/d...displaylang=en

Regards
Venkat

"ppt_puppet" <> wrote in message
news:BCA0EC28-8681-44E1-9334-...
> Hi Venkat,
>
> Thank you very much for your response.
> Can you please tell me how do i proceed with "Security Translation" step
> of
> the migration?
>
> Thanks,
> Imran
>
> "Viswanath" wrote:
>
>> Hello Imran,
>>
>> In response to your Qs:
>>
>> A1 - Assuming that the file server is migrated to the target domain and
>> you
>> have run security translation on the file server, the access control
>> entries
>> will now reflect Target Domain\User - Full Control instead of Source
>> Domain\User - Full Control. Now if you remove the trust between source
>> and
>> target domain, the access controll entry will show Target Domain\User -
>> Full
>> Control.
>>
>> A2 - Security Translation is the solution, which will modify the ACLs to
>> refelct the ew target SID's in the place of old SID.
>>
>> SID History is certainly not a long term solution. Its only a flexibity
>> given for large migrations, where co-existence can happen during the
>> period
>> of migration.
>>
>> You wouldn't need SID History once all your accounts and resources are
>> successfully migrated to the target domain. You can confirm this by
>> taking
>> the source DCs offline for a period of time post the migration. You can
>> then
>> Fix all the issues ONLY then completely de-commision the source domain.
>>
>> Trust that the above answers your queries....
>>
>> venkat
>>
>> "ppt_puppet" wrote:
>>
>> > Hi,
>> > We are planning to do inter-forest users and group migration? In that
>> > regards, i have questions.
>> >
>> > 1. Suppose a user has a full permission to access a folder. Now, i
>> > migrate
>> > the user from domainA in a forest to domainB in another forest. Later I
>> > break
>> > the trust between the domains. If go to the security tab of that
>> > folder, will
>> > the user name still be resolving?
>> >
>> > 2. Is SID history a long term solution? If not any best
>> > practice/methods to
>> > go for migration?
>> >
>> > Thanks,
>> >
>> > Imran