SID history stopped working.

Tim.Olsen

Hello all. I'm baffled.

3 weeks ago I moved several users and groups using ADMT v3 from w2k to
w2k3 R2. I included SID history on each.

All was well with the world until last night, when DCs in both the
source and target domains rebooted and now migrated users no longer
have access to resources in the source domain.

I've triple-checked; ADSIedit shows the accounts have the SIDhistory
attribute set.
I've triple-checked the NTFS rights; they still include the old
resource names.

I've even got a userid/workstation pair that was locked up, not logged
off, at 5pm yesterday that still works. Yet new authentication of that
same ID on the same workstation fails, e.g. if I do a "runas
/user:domain\sameuser cmd" and try to access the sameuser's
home directory I get access denied.

NTFS ACLs haven't changed.
SIDhistory attribute is there.

I'm stumped. Any ideas?
 
Tim.Olsen

Burning down the trust and re-establishing it seemed to resolve
the issue.
 
Dean Wells [MVP]

Sounds like SID filtering (a function that occurs when a ticket/token
traverses a trust), though I'm confused as to why it "turned itself on".
Query the trust configuration using "netdom trust".
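
A simplified model of the SID filtering behaviour suggested above, added here as an illustration and not part of the original thread: it shows how a migrated account can keep its sIDHistory value and an unchanged ACL and still be denied once the trusting domain filters SIDs. The domain SIDs, RIDs and function names are constructed for the example, and well-known SIDs are not modelled.

```python
# Added illustration: simplified model of SID filtering on an external trust.
# All SIDs below are constructed sample values, not taken from the thread.

SOURCE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # trusting (resource) domain
TARGET_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"  # trusted (account) domain


def domain_of(sid: str) -> str:
    """Return the domain part of an account SID (everything before the final RID)."""
    return sid.rsplit("-", 1)[0]


def build_authz_sids(account: dict) -> list:
    """SIDs the trusted domain places in the user's authorization data."""
    return [account["objectSid"], *account["groupSids"], *account["sIDHistory"]]


def cross_trust(sids: list, trusted_domain_sid: str, quarantined: bool) -> list:
    """Model the trusting side: with filtering on, keep only SIDs issued by the trusted domain."""
    if not quarantined:
        return list(sids)
    return [s for s in sids if domain_of(s) == trusted_domain_sid]


def access_allowed(token_sids: list, acl_allow_sids: set) -> bool:
    """Grant access if any SID in the token matches an allow entry on the resource."""
    return any(s in acl_allow_sids for s in token_sids)


# Constructed migrated account: new SID in the target domain, old SID kept in sIDHistory.
migrated_user = {
    "objectSid": TARGET_DOMAIN_SID + "-1105",
    "groupSids": [TARGET_DOMAIN_SID + "-513"],
    "sIDHistory": [SOURCE_DOMAIN_SID + "-1234"],
}
# Home directory ACL in the source domain still names the old account SID.
home_dir_acl = {SOURCE_DOMAIN_SID + "-1234"}


def demo() -> dict:
    """Evaluate the same account and ACL with filtering off and on."""
    sids = build_authz_sids(migrated_user)
    return {
        "filtering_off": access_allowed(cross_trust(sids, TARGET_DOMAIN_SID, False), home_dir_acl),
        "filtering_on": access_allowed(cross_trust(sids, TARGET_DOMAIN_SID, True), home_dir_acl),
    }


if __name__ == "__main__":
    print(demo())
```
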
 
Tim.Olsen

Yeah, that's what I figured too.
But can't explain why it turned off, either. My best guess, and it's
really a guess, is this:

The trust is between a w2k domain and a w2k3 R2 domain.
The trust was established before the w2k3 domain was upgraded to R2.
Although the w2k3 side machines were rebooted several times, the w2k
side had not rebooted since the R2 upgrade on the other side. When it
did, SID history stopped working.

When I redid the trust the problem left.
 
