SID Filtering and trust

[Jason]

Hi,
I have a child W2K domain with 4 sites in native mode. Each sites has 2 DC
+GC. Our doamin maintains three external trust relationship with other NT4
domains ( say NT4domain A, B and C ). Actually , our child domain is
migrated from one of the NT4 domain ( domain A ) using ADMT. We still have
about 40% of users having a SID History.
Recently ,one of our sites's local system admin insist to upgrade their DC s
from W2K to W2K3 ( for some funny business reason). My concern is, after
they have upgrade their two DCs to W2k3 while we are still on W2K DC native
mode ( I suppose they could only maintain the same W2k native functional
level ) , will our trust with the NT4 domains be lost ? I heard from a
colleague that once the DCs upgraded to W2K3, immediately, due to SID
filtering , our domain will lost the trust relationship with these external
NT4 domains as they are , relatively , regarded as External forest.
My questions are:
1) It this true , that is , the trust relation will lost immediately ? (
because of the default SID filtering ? )
2)What if the trust is re-create again ? Will my users with SID history
still be able to access these NT4 Domains based on sidhistory the same as
they are before?
3) What can be done to prevent this lost of trust ( if true ) from happening
?

Please help me to answer these questions, highly appreciated !

Jason

 

[Ryan Hanisco]

Jason,

SIDHistory is an attribute in the User object and the SIDHistory attributes
will not be lost. I think the fear is that in the migration, SID filtering
will be enabled on the external trust. I have not heard of this happening
nor have I seen any documentation to this effect. Remember that the kind of
trust that is used there is the normal way of using ADMT to W2k3 -- so I
wouldn't expect that there would be a problem. Still, the trust could be
re-established.

Other things to remember.
1. Your local sys admin shouldn't be dictating something like installing
2003 as it effects the ENTIRE forest and has to be carefully planned and
implemented. While there are tons of good reasons to implement 2003, many
of these features aren't available until you have the domain or forest
functional level at 2003. Make sure that the business case is valid and
that the risk/ impact to the whole organization is evaluated.

2. Make sure to install and use the 2003 version of NETDOM to maintain and
check your trusts. This will work on NT/ 2000 servers just as well at 2003
and does a much better job. This can be gotten from the MS site and does
not need the 2003 media.

3. Your forest and domains need to be absolutely healthy before upgrading
to 2003. You may well consider resolving the NT4 domains to 2000/2003 if
that is the plan. The last thing you need is the creeping strangeness of
supporting three network operating systems

 

[Guest]

Hi Jason

further to Ryan's answer, SIDfiltering is on by default (can be turn off
though) for a cross-forest trust. A cross-forest trust is new to Windows 2003
and can only be implemented between two forests which have been upgraded to
Windows 2003 functional level.
I don't think this is the case in your scenario, and in any case I don't
think the type of trust would automatically be upgraded if the domains at
either end were changed to meet the criteria.

Gordon

 

[Andrew]

Hi,

So, do you have to have windows2k3 in order for forests to trust each other?
Can this not be done with Win2k. Please let me know If ive read this wrong.

 

[Dean Wells [MVP]]

The trust will not break as part of the upgrade, SID filtering does not
break trusts, rather it controls their behavior. If all DCs are
upgraded and you recreate the trust, SID filtering is on by default. As
such, the users' sIDHistory will be stripped from the ticket by the
trusting domain's KDCs each time users attempt to access resources
across the trust. To prevent this loss of access, disable SID filtering
(I've requested more granular control of this feature more times than I
can remember but I've heard nothing that would indicate it'll be in SP1
or ...).

NOTE - Cross-forest trust requires each forest to be running at 2003
forest functional level (no downlevel DCs), the trust must be created
between the 2 forest root domains, name resolution must be setup in both
directions and time must be in sync. (not automatic between forests)
within the respective threshold of each domains' tolerance policy.

 

[Guest]

Andrew

yes and no. For a cross-forest both forests have to be at Windows 2003
functionality. This setup a trust relationship between all domains in each
forest.

However, if either of the forests are not at W2K3 level, you can still set
up trusts between domains in each forest, it just needs to be done on 1
domain to 1 domain basis, rather than performed just once for the forest.
This can be a lot of trusts depending on the domain structure within the
forests.
Hope this clarifies my previous answer.

Gordon

 

[Andrew]

Gordon, cheers for that it does indeed clarify things for me.

Thanks, Andrew