What happens with SIDs in Migration?

Günther Rühmann

Hello,

I am looking for background information about what happens with SIDs at
intraforest migration of users and computers.

I migrated some users and computers from a sub.top.com domain to the parent
domain top.com. It worked fine but I wonder about how it has worked.
For example: a computer that has not been migrated has a share where the
migrated users had share and NTFS permissions. When I look at these shares
/ files / folders, the migrated users are listed correctly with their new
account user.top.com. What happened?
As I know, users' and groups' SIDs are stored in the share's / folder's / file's
ACL. When looking at the permission list, the SIDs have to be resolved to
account names. Does it work because the SIDs did not change with migration, or
did the migration tool change all the ACLs on each resource computer by
overwriting the old SID with the new one? Or is there something about SID
history??

Can anyone help me?
 
Matjaz Ladava [MVP]

The trick is in SID history. Moving a user to another domain within the forest
will change its SID, but put its old SID in sidHistory. That is why the user can
still access its resources in the original domain. If you moved the user to
another forest, then in Windows Server 2003 SID history would be cleared due
to security. This was not the case with Windows 2000 domains (prior to SP4).

--

Regards

Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
 
Günther Rühmann

Thanks for your answer.
This explains the way a user can access his "old" resources on servers.

But from the view of a resource server: in a file's ACL there are still the
"old" SIDs. When opening the security tab in the file's properties, this
should be a problem because the system looks for the old SID on the old DC (in
sub.top.com). But it gets the correct account information in top.com? How
does the server look for account information for a specific SID? I think it
looks for a DC and queries the ADS for the SID - and I mean the "old" SID
should not be found because it is removed. Can you explain it?
 
Matjaz Ladava [MVP]

If the computer is not migrated, then the SIDs on its share remain the same.
In ADMT I think you have some ability to specify whether permissions are
changed during the migration process.

--

Regards

Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
 
Günther Rühmann

Sorry, I think I did not describe my problem very clearly.

First: the migration works - but I do not know why :)
UserA with SID-A1 has been migrated from sub.top.com to top.com. Let's say
his new SID is SID-A2.
UserA had permissions for a share on a server.
I believe the ACL on this share has not been modified with migration?? If
so, SID-A1 is still in the ACL of the share.
When I look at the share's properties, UserA is correctly displayed and
refers to UserA.top.com. How is this possible?
The server has to look up the account for SID-A1.
I think the query is sent to its DC - it is in sub.top.com.
That DC does not know SID-A1.
Somehow a DC from top.com is queried. Does that DC search automatically in
SID history?
Is SID-A1 at any time replaced with SID-A2 in the share's ACL?

Regards
Guenther
 
Matjaz Ladava [MVP]

Have you used the Security Translation wizard in ADMT? It is used to do what you
described...

--

Regards

Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
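An added check for the situation discussed in this thread (example script, not from the posters or from ADMT): it lists each ACE on a path with the SID as it is actually stored in the ACL, the account the server's own lookup resolves it to today, and whether that resolution works only because the SID sits in some object's sidHistory. Entries flagged "sidHistory only" are the ones that would stop resolving once SID history is cleaned up, unless Security Translation has rewritten them. It assumes the RSAT ActiveDirectory module is installed and that $Path and $Server (a DC or domain name of the target domain, top.com in the thread) are supplied by the caller.

```powershell
# Added example (not from the thread). Reports which ACEs on $Path still hold a
# pre-migration SID and therefore depend on sidHistory to resolve.
param(
    [Parameter(Mandatory)] [string] $Path,    # file or folder to inspect
    [Parameter(Mandatory)] [string] $Server   # DC/domain holding the migrated accounts
)
Import-Module ActiveDirectory

$acl = Get-Acl -LiteralPath $Path
# Request the rules keyed by SecurityIdentifier so we see the raw SIDs stored in
# the ACL instead of the names the system has already translated for display.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

foreach ($rule in $rules) {
    $sid = $rule.IdentityReference.Value

    # What the server's name lookup (LSA -> DC) returns for this stored SID today
    try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '<unresolved>' }

    # Match the stored SID against objectSid or sidHistory of any AD object.
    # Assumption: string-form SIDs are accepted in the LDAP filter for both attributes.
    $obj = Get-ADObject -Server $Server -Properties objectSid, sidHistory `
              -LDAPFilter "(|(objectSid=$sid)(sidHistory=$sid))" `
              -ErrorAction SilentlyContinue | Select-Object -First 1

    if (-not $obj) {
        $via = 'not an AD object (well-known or local SID)'
    } elseif ($obj.objectSid.Value -eq $sid) {
        $via = 'current objectSid'
    } else {
        # The ACE names the old SID; it resolves only through sidHistory.
        $via = 'sidHistory only'
    }

    [pscustomobject]@{
        Path       = $Path
        StoredSid  = $sid
        ResolvesTo = $name
        MatchedVia = $via
        Rights     = $rule.FileSystemRights
        Inherited  = $rule.IsInherited
    }
}
```

Run it against a share on a non-migrated server before and after the ADMT Security Translation wizard: beforehand the migrated users show "sidHistory only" with their old SID, afterwards the stored SID should be the new objectSid.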