After migration unable to access the File Server

Discussion in 'Server Migration' started by SBSM, Aug 1, 2004.

  1. SBSM

    SBSM Guest

    Background:
    We have set up a new W2K3 domain and used ADMT to migrate the users and groups with their SIDs from the existing Windows 2000 domain. The new domain is a clean installation. A two-way trust has been established between the W2K and W2K3 domains.

    Now the issue is that all the file servers and the mail servers (Exchange 5.5) are still in the Windows 2000 domain. As a pilot run we have joined 5 desktop users to the new domain. We have used the computer migration wizard to migrate the computers from the Windows 2000 domain to Windows 2003.
    1. After joining the desktop to the new domain, we are able to log in to the new W2K3 AD with the same username and password. But when we try to access the file server, which is in the W2K domain, we get an access denied error. File permissions are fine. The event log on the file server shows:

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Privilege Use
    Event ID: 578
    Date: 7/30/2004
    Time: 4:13:13 PM
    User: STARHUBSG\SABAPATHIC
    Computer: SGSCVFS1
    Description:
    Privileged object operation:
    Object Server: Eventlog
    Object Handle: 0
    Process ID: 288
    Primary User Name: SGSCVFS1$
    Primary Domain: SCV_DOMAIN
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: SABAPATHIC
    Client Domain: STARHUBSG
    Client Logon ID: (0x0,0xA6AD067A)
    Privileges: SeBackupPrivilege

    2. Similarly, when we launch Outlook we get "Access to the Exchange folder denied".

    Help me please!

    Thank You.
    SBSM
     
    SBSM, Aug 1, 2004
    #1

  2. Michael Bell

    Michael Bell Guest

    Did you verify that the SID history attribute actually migrated
    successfully? I have run into issues where the SID history did NOT migrate
    correctly on the first pass.
    You can verify the presence of the SID history attribute by using ADSIEdit.
     
    Michael Bell, Aug 1, 2004
    #2
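    The check suggested in this reply, as an added example that is not part of the thread and not Microsoft's own tooling: it lists the sIDHistory attribute of every user and group in the new domain, flags accounts that have none (those will be denied on the old domain's ACLs), and also flags any history entry whose SID does not belong to the old domain, since a foreign SID is what SID filtering (MS02-001, cited below) exists to block. The ActiveDirectory PowerShell module and the two domain names are assumptions.

```powershell
# Added example (not from the thread): audit the sIDHistory attribute on the accounts
# ADMT migrated into the new domain. Assumptions: the ActiveDirectory PowerShell module
# is available, and the two domain names are placeholders for the real Windows 2000
# source domain and Windows Server 2003 target domain.
Import-Module ActiveDirectory

$sourceDomain = 'w2k.example.local'    # placeholder: old Windows 2000 domain
$targetDomain = 'w2k3.example.local'   # placeholder: new Windows Server 2003 domain

# Every sIDHistory value written by ADMT should carry the source domain's SID prefix;
# a value from any other domain is the kind of foreign SID that SID filtering blocks,
# so it must be explained before filtering is relaxed on the trust.
$sourceSid = (Get-ADDomain -Identity $sourceDomain).DomainSID.Value

function ConvertTo-SidString {
    param($Value)
    # sIDHistory may surface as a SecurityIdentifier or as raw bytes depending on the cmdlet.
    if ($Value -is [byte[]]) {
        return (New-Object System.Security.Principal.SecurityIdentifier($Value, 0)).Value
    }
    return ([System.Security.Principal.SecurityIdentifier]$Value).Value
}

# Real user accounts (not computers, which are also objectClass=user) plus groups.
$accounts = Get-ADObject -Server $targetDomain `
    -LDAPFilter '(|(&(objectCategory=person)(objectClass=user))(objectClass=group))' `
    -Properties sAMAccountName, sIDHistory

$report = foreach ($acct in $accounts) {
    $history = @($acct.sIDHistory | ForEach-Object { ConvertTo-SidString $_ })
    $foreign = @($history | Where-Object { $_ -notlike "$sourceSid-*" })
    if ($history.Count -eq 0) {
        $status = 'NO SIDHISTORY'       # expected for built-in accounts, a problem for migrated ones
    } elseif ($foreign.Count -gt 0) {
        $status = 'UNEXPECTED DOMAIN'   # investigate before SID filtering is relaxed
    } else {
        $status = 'OK'
    }
    [pscustomobject]@{
        Account      = $acct.sAMAccountName
        Class        = $acct.ObjectClass
        HistoryCount = $history.Count
        Status       = $status
        History      = ($history -join ' ')
    }
}

$report | Sort-Object Status, Account | Format-Table -AutoSize
```

    Run it from a workstation that can query both domains; a migrated user whose NTFS access still fails while it shows OK here points at the trust rather than at the account.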

  3. Hi SBSM,

    I have replied to your previous post.

    Please use the following NETDOM command to disable SID Filtering between
    the two domains (in this example, the RESDOM domain is filtering the ACCDOM
    domain):

    netdom trust RESDOM /D:ACCDOM /UD:ACCDOM\Administrator /PD:adminpwd /UO:RESDOM\Administrator /PO:"" /filtersids:no

    Reference:

    MS02-001: Forged SID could result in elevated privileges in Windows 2000
    http://support.microsoft.com/?id=289243

    You can try the command on the DC in the Windows 2000 domain. What is the
    result?

    Regards,
    Bob Qin
    Product Support Services
    Microsoft Corporation

    Get Secure! - www.microsoft.com/security

    ====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Bob Qin [MSFT], Aug 2, 2004
    #3
  4. SBSM

    SBSM Guest

    Hi Bob,
    I have executed the NETDOM command on both the resource and account domains and verified the current status of SID history support. (SID history is enabled on both domains.)

    Still I am unable to access the file server, which is in the Windows 2000 domain (old domain). In the NTFS file permissions, I have a customized user group, and the username is also part of that group. This customized group has also been migrated to and is available in the new Windows 2003 AD domain.

    Please advise.

    Regards,
    SBSM
     
    SBSM, Aug 4, 2004
    #4
  5. SBSM

    SBSM Guest

    Hi Bob,
    Is there any difference between

    netdom trust RESDOM /D:ACCDOM /UD:ACCDOM\Administrator /PD:adminpwd /UO:RESDOM\Administrator /PO:adminpwd /filtersids:no

    netdom trust RESDOM /D:ACCDOM /UD:ACCDOM\Administrator /PD:adminpwd /UO:RESDOM\Administrator /PO:adminpwd /EnableSIDHistory:YES

    because I ran the /EnableSIDHistory option, not the /filtersids option.

    Thanks,
    SBSM
     
    SBSM, Aug 4, 2004
    #5
  6. Hi SBSM,

    If you use the Netdom tool in the Windows Server 2003 Support Tools, you need to
    use the /Quarantine switch. The main difference is that the /Quarantine
    switch is used to disable or enable SID filtering between domains, whereas
    the /EnableSIDHistory switch is used to disable or enable SID filtering
    between two Windows 2003 forests. Unlike Windows 2000, Windows 2003 allows
    transitive trusts between forests, which means that all domains in each
    forest trust each other.

    In addition, you need to run the command on the source domain, since you are trying
    to access resources in the source domain from the target domain.

    Wish it helps.

    Regards,
    Bob Qin
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security

     
    Bob Qin [MSFT], Aug 4, 2004
    #6
  7. Hi SBSM,

    You can first try to disable SID filtering by running the "netdom trust
    <2000 domain FQDN> /domain:<2003 domain FQDN> /usero:administrator
    /passwordo:<admin password or *> /quarantine:no" command on a Windows 2003 DC.

    If the problem still persists, please run the command on the Windows 2000
    DC again.

    Regards,
    Bob Qin
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security

     
    Bob Qin [MSFT], Aug 5, 2004
    #7
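    The command given in this reply, wrapped in an added check script that is not part of the thread and not Microsoft's own tooling: it reads the trustAttributes bit that /quarantine toggles on the old domain's trusted-domain object before and after the change, so the state is recorded and can be restored later. It assumes an administrative workstation that can reach both domains over LDAP and has netdom available; the domain names are placeholders.

```powershell
# Added example (not from the thread): read the SID-filtering state of the trust that
# netdom /quarantine changes, so the change is recorded and can be put back afterwards.
# Assumptions: run from an administrative workstation that can reach both domains over
# LDAP and has netdom on its path; the domain names are placeholders.
$oldDomain = 'w2k.example.local'    # placeholder: Windows 2000 domain that holds the file servers
$newDomain = 'w2k3.example.local'   # placeholder: Windows Server 2003 domain the users now log on to

function Get-TrustQuarantineState {
    param([string]$TrustingDomain, [string]$TrustedDomain)
    # The trusted-domain object that describes how $TrustingDomain treats $TrustedDomain
    # lives under CN=System in $TrustingDomain's own naming context.
    $rootDse = [ADSI]"LDAP://$TrustingDomain/RootDSE"
    $tdo     = [ADSI]"LDAP://$TrustingDomain/CN=$TrustedDomain,CN=System,$($rootDse.defaultNamingContext)"
    $attrs   = [int]$tdo.trustAttributes
    [pscustomobject]@{
        TrustingDomain   = $TrustingDomain
        TrustedDomain    = $TrustedDomain
        TrustAttributes  = ('0x{0:X}' -f $attrs)
        Quarantined      = [bool]($attrs -band 0x4)    # TRUST_ATTRIBUTE_QUARANTINED_DOMAIN: SID filtering on
        ForestTransitive = [bool]($attrs -band 0x8)    # TRUST_ATTRIBUTE_FOREST_TRANSITIVE
    }
}

'Before:'
Get-TrustQuarantineState -TrustingDomain $oldDomain -TrustedDomain $newDomain

# With no value after /quarantine, netdom only reports the current setting.
netdom trust $oldDomain /domain:$newDomain /quarantine

# The command from this reply: the old (resource) domain stops filtering SIDs presented
# by the new domain, so the sIDHistory entries on migrated accounts are honoured.
# This is the exposure MS02-001 (cited earlier in the thread) describes, so keep it to
# the migration window and restore it with /quarantine:yes once the file servers have moved.
netdom trust $oldDomain /domain:$newDomain /usero:administrator /passwordo:* /quarantine:no

'After:'
Get-TrustQuarantineState -TrustingDomain $oldDomain -TrustedDomain $newDomain
```

    The trusting domain goes first and the trusted domain after /domain:, matching the order in the reply; the Before/After objects are what to keep with the change record.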
  8. SBSM

    SBSM Guest

    Hi Bob,
    Thank You. It is working now. After running the NETDOM command with
    /quarantine:NO option, it started working. Thanks a ton. :)

    Regards,
    SBSM
     
    SBSM, Aug 6, 2004
    #8
  9. My Pleasure!

    Regards,
    Bob Qin
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security

     
    Bob Qin [MSFT], Aug 6, 2004
    #9