SID filter between a W2k and a W2k Domain

Discussion in 'Server Migration' started by Thorsten, Sep 22, 2008.

  1. Thorsten

    Thorsten Guest

    Hello,


    We are planning to do inter-forest users and group migration. Now we have a
    trust between the W2k and the W2k8 Domain. The SID Filter on the W2k Domain
    is enabled, and if we use the command "Netdom TRUST <TrustingDomain>
    /domain:<TrustedDomain> /FilterSIDs:No /userD:<domainadminAcct>
    /passwordD:<domainadminpwd>", we get an "Access Denied". The users on both
    Domains are Domain/Enterprise Admins. How can we disable the SID filter
    between a W2k and a W2k8 inter-forest trust?

    Thanks.

    Thorsten
     
    Thorsten, Sep 22, 2008
    #1

  2. Hello Thorsten,

    What output comes with this command:

    Netdom TRUST trustingdomain /domain:TRUSTEDDOMAIN /quarantine:no /usero:useraccount /passwordo:password

    Best regards

    Meinolf Weber
     
    Meinolf Weber, Sep 22, 2008
    #2

  3. Thorsten

    Thorsten Guest

    Hello Meinolf,
    I got an "Access denied".

    If I insert a wrong password I get the message "password wrong". The user
    has Domain/Enterprise Admin rights. The DNS settings are correct; I can do
    an nslookup for the destination domain on the source domain.

    Best regards

    Thorsten
     
    Thorsten, Sep 22, 2008
    #3
  4. Meinolf Weber, Sep 22, 2008
    #4
  5. Thorsten

    Thorsten Guest

    Hello Meinolf,

    I found this article this morning, too.

    I have done all the points from Akila except point 5. I had only a one
    way trust from the W2k to the W2k8 Domain. Now I have changed the
    configuration and I have a bidirectional trust between the domains. In
    point 6 of the posting I should disable the SID Filter, but this does not
    work in my environment.

    I found a posting that it could be the netdom version on the W2k DC, but the
    netdom version from the W2k8 does not work on the W2k DC.

    Kind regards

    Thorsten
     
    Thorsten, Sep 22, 2008
    #5
  6. Meinolf Weber, Sep 22, 2008
    #6
  7. Thorsten

    Thorsten Guest

    I got an error message that a procedure is wrong in the kernel32.dll. I could
    not/should not replace the dll, or not? ;-)
     
    Thorsten, Sep 22, 2008
    #7
  8. Hello Thorsten,

    For Windows 2000 use this example (the RESDOM domain is filtering the ACCDOM
    domain):

    Check out this one to disable SID filtering:
    netdom trust RESDOM /D:ACCDOM /UD:ACCDOM\Administrator /PD:adminpwd /UO:RESDOM\Administrator /PO:adminpwd /filtersids:no


    Best regards

    Meinolf Weber
     
    Meinolf Weber, Sep 22, 2008
    #8
  9. Thorsten

    Thorsten Guest

    Hello Meinolf,

    sorry, I used this parameter "FilterSIDs:no", because this netdom version
    did not understand the other parameter. But what should I say: I got the
    message "Access denied".
     
    Thorsten, Sep 22, 2008
    #9
  10. Meinolf Weber, Sep 22, 2008
    #10
  11. Thorsten

    Thorsten Guest

    Hello Meinolf,

    I created a W2k Test Domain this morning and I set up a trust between the W2k
    and the W2k3 domain. Now I have a W2k domain with two trusts, one with a
    W2k3 and one with a W2k8 domain. Both trusts are unidirectional trusts from the
    W2k domain outside.

    Now I used the command "netdom trust <trusting domain> /domain:<trusted
    domain> /FilterSIDs:no" for the W2k3 domain and the command executed
    successfully. Then I tested it with the W2k8 domain; the result of the
    command was "Access denied".

    I think something is different on the W2k8 DC. The firewall on the W2k8 DC is
    disabled for the domain profile.

    What could I test to solve the problem?

    kind regards

    Thorsten
     
    Thorsten, Sep 23, 2008
    #11
  12. Hello Thorsten,

    Just to make sure that it isn't the firewall, disable it completely for a
    test.

    Best regards

    Meinolf Weber


     
    Meinolf Weber, Sep 23, 2008
    #12
  13. Thorsten

    Thorsten Guest

    Hello Meinolf,

    I disabled the firewall for all profiles and I added Inbound/Outbound Rules
    between the W2k and W2k8 DC for all ports. I am still getting the "Access denied".
    I do not know what I should do. Does somebody have a trust between a W2k
    and W2k8 domain without a SID filter? It is hard for me to believe this.

    Best regards

    Thorsten
     
    Thorsten, Sep 23, 2008
    #13
  14. Thorsten

    Thorsten Guest

    Hello Meinolf,

    this was my last test: I installed a W2k3 Server in the domain of the W2k8
    server. I made the server a DC, then I shut down the W2k8 server. After
    this I executed the netdom command and the filter was successfully disabled.
    If I move the FSMO roles to the W2k3 server and the W2k8 server is on, the
    command does not function properly. Only when the W2k8 DC is off can the SID
    filter on the trust be disabled. The firewall on the W2k8 is
    definitely off.

    Kind Regards

    Thorsten
     
    Thorsten, Sep 23, 2008
    #14