SID Filtering and trust

Discussion in 'Active Directory' started by Jason, Feb 9, 2005.

  1. Jason (Guest)

    I have a child W2K domain with 4 sites in native mode. Each site has 2 DCs
    + GC. Our domain maintains three external trust relationships with other NT4
    domains (say NT4 domain A, B and C). Actually, our child domain was
    migrated from one of the NT4 domains (domain A) using ADMT. We still have
    about 40% of users having a SID history.
    Recently, one of our sites' local system admins insisted on upgrading their DCs
    from W2K to W2K3 (for some funny business reason). My concern is, after
    they have upgraded their two DCs to W2K3 while we are still on W2K DC native
    mode (I suppose they could only maintain the same W2K native functional
    level), will our trust with the NT4 domains be lost? I heard from a
    colleague that once the DCs are upgraded to W2K3, immediately, due to SID
    filtering, our domain will lose the trust relationship with these external
    NT4 domains as they are, relatively, regarded as an external forest.
    My questions are:
    1) Is this true, that is, will the trust relation be lost immediately
    (because of the default SID filtering)?
    2) What if the trust is re-created? Will my users with SID history
    still be able to access these NT4 domains based on sIDHistory the same as
    they did before?
    3) What can be done to prevent this loss of trust (if true) from happening?

    Please help me to answer these questions, highly appreciated!

    Jason, Feb 9, 2005

  2. Ryan Hanisco (Guest)


    SIDHistory is an attribute in the User object and the SIDHistory attributes
    will not be lost. I think the fear is that in the migration, SID filtering
    will be enabled on the external trust. I have not heard of this happening
    nor have I seen any documentation to this effect. Remember that the kind of
    trust that is used there is the normal way of using ADMT to W2k3 -- so I
    wouldn't expect that there would be a problem. Still, the trust could be

    Other things to remember.
    1. Your local sys admin shouldn't be dictating something like installing
    2003 as it affects the ENTIRE forest and has to be carefully planned and
    implemented. While there are tons of good reasons to implement 2003, many
    of these features aren't available until you have the domain or forest
    functional level at 2003. Make sure that the business case is valid and
    that the risk/impact to the whole organization is evaluated.

    2. Make sure to install and use the 2003 version of NETDOM to maintain and
    check your trusts. This will work on NT/2000 servers just as well as 2003
    and does a much better job. This can be obtained from the MS site and does
    not need the 2003 media.

    3. Your forest and domains need to be absolutely healthy before upgrading
    to 2003. You may well consider resolving the NT4 domains to 2000/2003 if
    that is the plan. The last thing you need is the creeping strangeness of
    supporting three network operating systems.
    Ryan Hanisco, Feb 9, 2005

  3. gordonah (Guest)

    Hi Jason

    Further to Ryan's answer, SID filtering is on by default (it can be turned off,
    though) for a cross-forest trust. A cross-forest trust is new to Windows 2003
    and can only be implemented between two forests which have been upgraded to
    Windows 2003 functional level.
    I don't think this is the case in your scenario, and in any case I don't
    think the type of trust would automatically be upgraded if the domains at
    either end were changed to meet the criteria.

    gordonah, Feb 9, 2005
  4. Andrew (Guest)


    So, do you have to have Windows 2k3 in order for forests to trust each other?
    Can this not be done with Win2k? Please let me know if I've read this wrong.
    Andrew, Feb 9, 2005
  5. Dean Wells [MVP]

    The trust will not break as part of the upgrade; SID filtering does not
    break trusts, rather it controls their behavior. If all DCs are
    upgraded and you recreate the trust, SID filtering is on by default. As
    such, the users' sIDHistory will be stripped from the ticket by the
    trusting domain's KDCs each time users attempt to access resources
    across the trust. To prevent this loss of access, disable SID filtering
    (I've requested more granular control of this feature more times than I
    can remember, but I've heard nothing that would indicate it'll be in SP1
    or ...).

    NOTE - Cross-forest trust requires each forest to be running at 2003
    forest functional level (no downlevel DCs), the trust must be created
    between the 2 forest root domains, name resolution must be set up in both
    directions and time must be in sync (not automatic between forests)
    within the respective threshold of each domain's tolerance policy.
    Dean Wells [MVP], Feb 9, 2005
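The effect Dean describes, modelled as an added example (not code from the thread or from Windows): with SID filtering on, the trusting side keeps only SIDs the trusted domain is authoritative for, so the old NT4 domain-A SIDs carried in sIDHistory are dropped and any resource still ACLed to those old SIDs becomes unreachable. All SIDs, users and the share ACL are constructed placeholders, and the audit function lists the accounts that would lose access, which is the planning data Jason's question 3 needs.

```python
"""Model of SID filtering (trust quarantine) across an external trust.

Added example, not code from the thread. All SIDs are constructed
placeholders. Windows' real filter also special-cases well-known and
built-in SIDs; this model covers only domain-relative account SIDs,
which is what sIDHistory holds.
"""

# Constructed (hypothetical) domain SIDs.
W2K_CHILD = "S-1-5-21-1000-2000-3000"   # migrated W2K child domain (trusted side)
NT4_A = "S-1-5-21-111-222-333"          # NT4 domain A, the ADMT source (trusting side)

def domain_of(sid: str) -> str:
    """Domain portion of an account SID: everything before the final RID."""
    return sid.rsplit("-", 1)[0]

def quarantine(sids, trusted_domain):
    """SID filtering: keep only SIDs the trusted domain itself is authoritative for."""
    return [s for s in sids if domain_of(s) == trusted_domain]

def presented_sids(user, trusted_domain, filtering_on):
    """SIDs the trusting side sees for a user: objectSid plus sIDHistory,
    minus whatever quarantine strips when SID filtering is enabled."""
    sids = [user["objectSid"]] + list(user.get("sIDHistory", []))
    return quarantine(sids, trusted_domain) if filtering_on else sids

def has_access(user, acl_sids, trusted_domain, filtering_on):
    """True if any SID surviving the filter is granted on the resource ACL."""
    return any(s in acl_sids for s in presented_sids(user, trusted_domain, filtering_on))

def users_relying_on_sidhistory(users, acl_sids, trusted_domain):
    """Audit: accounts that reach the resource only through sIDHistory, i.e.
    the ones that lose access the moment SID filtering is switched on."""
    return [u["name"] for u in users
            if has_access(u, acl_sids, trusted_domain, False)
            and not has_access(u, acl_sids, trusted_domain, True)]

# Constructed sample data: two ADMT-migrated users and one native W2K user.
USERS = [
    {"name": "alice", "objectSid": f"{W2K_CHILD}-1105", "sIDHistory": [f"{NT4_A}-1105"]},
    {"name": "bob",   "objectSid": f"{W2K_CHILD}-1106", "sIDHistory": [f"{NT4_A}-1106"]},
    {"name": "carol", "objectSid": f"{W2K_CHILD}-1200"},
]
# Share on an NT4 domain A server: its ACL still names alice's old SID,
# but was re-ACLed with bob's new W2K SID.
SHARE_ACL = {f"{NT4_A}-1105", f"{W2K_CHILD}-1106"}

if __name__ == "__main__":
    print(users_relying_on_sidhistory(USERS, SHARE_ACL, W2K_CHILD))  # ['alice']
```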
  6. gordonah (Guest)


    Yes and no. For a cross-forest trust, both forests have to be at Windows 2003
    functionality. This sets up a trust relationship between all domains in each

    However, if either of the forests is not at W2K3 level, you can still set
    up trusts between domains in each forest, it just needs to be done on a
    1-domain-to-1-domain basis, rather than performed just once for the forest.
    This can be a lot of trusts depending on the domain structure within the
    Hope this clarifies my previous answer.

    gordonah, Feb 9, 2005
  7. Andrew (Guest)

    Gordon, cheers for that it does indeed clarify things for me.

    Thanks, Andrew
    Andrew, Feb 9, 2005