External Trust and Sid Filtering...

Discussion in 'Active Directory' started by TKE402, Jul 12, 2007.

  1. TKE402

    TKE402 Guest


    I would like to create an external trust with another domain (Windows 2000).
    I did a search online and found a Technet article that I don't quite
    understand. In the article it says:

    Impact of SID filtering
    SID filtering on external trusts can affect your existing Active Directory
    infrastructure in the following two areas:

    • SID history data that contains SIDs from any domain other than the trusted
    domain will be removed from authentication requests made from the trusted
    domain. This will result in access being denied to resources that have the
    user's old SID.

    My worry is that my current domain (Windows2003) was created by migrating
    user accounts from an NT 4.0 domain and using SID History. That domain is
    long gone now and the trust used for migration has been deleted. My
    understanding of this paragraph is that if I create another external trust
    and have SID filtering turned on, then any user with SID History will not be
    able to access resources on the trusting domain? Am I reading that right?


    TKE402, Jul 12, 2007
    1. Advertisements

  2. TKE402

    Steve B Guest


    The answers depends on how you will permission resources in the other domain
    (i.e. trusting domain).

    1) If you are going to use new groups from the trusted domain (e.g. a global
    group) that were created new in the trusted domain then SIDHistory Filtering
    is irrelevant since there will be no SID History for these groups.

    2) If your using groups that were migrated across - did you run any sort of
    Security Translation for the objects you migrated (this can be done by ADMT).

    a) If so, SID History is irrelevant and SID Filtering will have no effect.

    b) However, if you are still dependant on SID History (e.g. you did no
    security translation) then you will need to disable SID Filtering on the
    trust you are about

    3) If you are adding the user accounts from the trusted domain to groups in
    the trusting domain then SID Filtering is irrelevant.

    Steve B, Jul 13, 2007
    1. Advertisements

  3. TKE402

    TKE402 Guest

    Thanks for the reply. Well, I'm planning on making this a two way trust in
    that I would like to create new groups in both domains that will access
    resources in both domains (hope that makes sense). Is there a way to
    determine that either of the domains is dependant on SID history? I inherited
    this network so I'm not sure what was done previously.


    TKE402, Jul 13, 2007
  4. TKE402

    Steve B Guest

    If your creating new groups you will be fine. There will be no SIDHistory
    and SIDFiltering will have no effect.
    Steve B, Jul 13, 2007
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.