AD accounts in a multi-forest domain. MIIS

Discussion in 'Active Directory' started by Graham, Kevin, Sep 21, 2005.

  1. I'm looking for info regarding Microsoft Identity Integration Server,
    synchronising AD accounts in a multi-forest domain.

    When a new user is created on domain 2 by synchronisation from domain 1, the SID
    of the user account on domain 1 is added to the SID history of the new user
    on domain 2. Thus any access the user on domain 1 has, the user on domain 2 has.

    Is that both ways? Meaning, is the SID of the user on domain 2 added to the SID
    history of the user on domain 1? Say I now want to give access to a resource
    (domain 2\server 1\share1) on domain 2 to this user; the access is given to
    the user account on domain 2.

    I am wondering what will happen if I need to migrate domain 2\server 1 to
    domain 1. Will domain 1\user 1 have access to the resource that domain
    2\user 1 had?

    Please excuse me if this sounds very long winded.

    TIA
    Kevin
     
    Graham, Kevin, Sep 21, 2005
    #1

  2. When a new user is created on domain 2 by synchronisation from domain 1, the
    Really?!? I was under the impression you couldn't write to sIDHistory using
    MIIS! If you indeed can, that is cool news!

    Assuming that your information is correct, and you are indeed able to
    synchronise SID History, then no, by default this will not happen unless you
    configure your provisioning rules to do so. If you are enabling writes both
    ways, consider adding the necessary attributes and you will be able to do
    this. If you are doing this one way, consider a new attribute flow rule to
    make this happen.

    If SID History is migrated, and you don't have SID filtering on then yes,
    this should be fine.
     
    Paul Williams [MVP], Sep 21, 2005
    #2
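The condition discussed in the thread, sketched as an added example that is not part of either post: a simplified model of which SIDs a resource sees for an account when sIDHistory is populated one way or both ways, with SID filtering off or on. The domain SIDs, RIDs, function names and the assumption that the share is reached across a trust where filtering applies are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed domain SID prefixes and RIDs, not taken from the thread.
DOMAIN1 = "S-1-5-21-1111111111-1111111111-1111111111"
DOMAIN2 = "S-1-5-21-2222222222-2222222222-2222222222"

@dataclass
class Account:
    domain_sid: str
    rid: int
    sid_history: list = field(default_factory=list)

    @property
    def sid(self):
        return f"{self.domain_sid}-{self.rid}"

def presented_sids(account, sid_filtering):
    """SIDs a resource across the trust sees for this account (simplified)."""
    sids = {account.sid, *account.sid_history}
    if sid_filtering:
        # Filtering drops SIDs that were not issued by the account's own domain.
        sids = {s for s in sids if s.rsplit("-", 1)[0] == account.domain_sid}
    return sids

def has_access(acl_sids, account, sid_filtering):
    """True if any SID presented for the account appears on the ACL."""
    return bool(set(acl_sids) & presented_sids(account, sid_filtering))

d2_user = Account(DOMAIN2, 1105)
share1_acl = [d2_user.sid]  # share1 grants access to domain 2\user 1 only

# One-way flow: the domain 1 account carries no history.
d1_one_way = Account(DOMAIN1, 1105)
# Two-way flow: the domain 1 account also carries the domain 2 SID.
d1_two_way = Account(DOMAIN1, 1105, [d2_user.sid])

def scenario_results():
    return {
        "one_way": has_access(share1_acl, d1_one_way, False),
        "two_way_unfiltered": has_access(share1_acl, d1_two_way, False),
        "two_way_filtered": has_access(share1_acl, d1_two_way, True),
    }

if __name__ == "__main__":
    for case, allowed in scenario_results().items():
        print(f"{case}: {'access' if allowed else 'denied'}")
```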