Stuart, thanks for this excellent response.

Congratulations it would seem to the developers of NT for their forward
thinking.

Frustrating as it is I think I am going to have to accept the return of the
SIDhistory data as something that happens with a native mode DC - suffice to
say a modded response to the SAM logon request from the NT4 client as
compared to the NT4 BDC or dare I say a W2k DC in mixed mode ?

While I "have the ear" of someone with very good information, could I broach
a further issue with you - it is something the newsgroups et al have not
been unable to resolve to date.

Not sure if I should detail in this post which will mislead ??

Let us know

GT


----- Original Message -----
From: "Stuart Kwan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 04, 2002 4:53 PM
Subject: RE: [ActiveDir] OT: Migration tools and AD


The NTLM protocol and security subsystem in Windows NT 4.0 allow for
additional SIDs other than the user's SID and their Global Group SIDs to
appear in a user's authorization data (... data which is used when
building the "token" on the machine to which you are authenticating).
SIDs from a user's SID History appear in this "additional" section in
the protocol.

Versions of Windows NT prior to 4.0 do NOT have this capability.
Windows NT 3.51 machines, for example, cannot grok SID History.

By the way, if I could go back in time (still working on the time
machine; stay tuned) I would change the name of Native mode to something
more precise, like "No more Windows NT 4.0 BDC mode."  It's just that; a
mode in which the system knows it can safely enable functionality that
downlevel DCs will not understand (like SID History, group nesting, and
universal groups).

- Stuart

[This posting is provided "AS IS" with no warranties, and confers no
rights.]
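
A simplified model of the token construction Stuart describes, added here as an illustration and not taken from the thread or from Windows code. The function names, the dictionary layout, the `understands_extra_sids` switch and every SID value are constructed for the example.

```python
import struct

def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' as a binary SID: revision, count, authority, sub-authorities."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary SID, rejecting buffers whose length disagrees with the count byte."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def build_token_sids(auth_data: dict, understands_extra_sids: bool = True) -> set:
    """User SID plus group SIDs, plus the "additional" SIDs if the machine can use them."""
    domain = auth_data["domain_sid"]
    sids = {f"{domain}-{auth_data['user_rid']}"}
    sids |= {f"{domain}-{rid}" for rid in auth_data["group_rids"]}
    if understands_extra_sids:  # False models a pre-NT 4.0 machine, e.g. NT 3.51
        sids |= {sid_from_bytes(raw) for raw in auth_data["extra_sids"]}
    return sids

def access_allowed(token_sids: set, acl: list) -> bool:
    """Grant access if any SID in the token appears in the resource's allow list."""
    return any(sid in token_sids for sid in acl)

# Constructed sample data: a user migrated from OLD_DOMAIN to NEW_DOMAIN.
OLD_DOMAIN = "S-1-5-21-1000000001-1000000002-1000000003"
NEW_DOMAIN = "S-1-5-21-2000000001-2000000002-2000000003"
OLD_USER_SID = OLD_DOMAIN + "-1042"

AUTH_DATA = {
    "domain_sid": NEW_DOMAIN,
    "user_rid": 1105,
    "group_rids": [513],
    "extra_sids": [sid_to_bytes(OLD_USER_SID)],  # SID History travels here
}
FILE_ACL = [OLD_USER_SID]  # resource still permissioned to the pre-migration account

if __name__ == "__main__":
    print("NT 4.0 style :", access_allowed(build_token_sids(AUTH_DATA), FILE_ACL))
    print("NT 3.51 style:", access_allowed(build_token_sids(AUTH_DATA, False), FILE_ACL))
```
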


-----Original Message-----
From: Graham Turner [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 04, 2002 1:47 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT: Migration tools and AD

Dave, thanks for the sanity check !

That was my understanding.

Would be VERY interested in knowing how this works - as we know and Roger
has alluded to this - NT4 is not "directory aware" and can't get this
attribute of the user account from a query of the directory ??

I would guess one of the undocumented features of a "native mode" domain

as a slight aside this has always been one of the greatest mysteries of AD
to me - how such a significant change (ie no rollback) has so little
documentation - we know things like no replication to BDCs, universal
groups and the like but there MUST be more to it than that ??!!

GT
----- Original Message -----
From: "Thornley, Dave H" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 04, 2002 9:07 AM
Subject: RE: [ActiveDir] OT: Migration tools and AD


> As I understand it SIDHistory entries are added to the access token in
> the same way that group membership SIDs are, client version isn't an
> issue.
>
> dave
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
> Sent: 03 December 2002 12:54
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OT: Migration tools and AD
>
>
> I don't follow your question - NT4 has no concept of SID history in
> the access tokens, unless I presume the ADClient has been installed.
> NT4 tokens don't handle multiple user SIDs.
>
> Roger
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
>
>
> > -----Original Message-----
> > From: Graham Turner [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, December 03, 2002 7:43 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] OT: Migration tools and AD
> >
> >
> > but interestingly enough the NT 4 workstation is obviously
> > SIDHISTORY aware in its construction of the access token ???
> >
> > any takers yet on how DMW actually works ?? - I guess it must
> > undergo an exercise of duplication of all of the references of the
> > source user domain with an identical reference to the target
> > domain ???
> >
> >
> > ----- Original Message -----
> > From: "Roger Seielstad" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, December 03, 2002 12:40 PM
> > Subject: RE: [ActiveDir] OT: Migration tools and AD
> >
> >
> > > While you're technically correct, native mode still makes a
> > > difference.
> > >
> > > Downlevel (i.e. NT4) domain controllers don't understand SID
> > > history - one account, one SID. Therefore, it is more correct to
> > > say that while the migration tool doesn't care, the SID history
> > > functionality won't work correctly without being in native mode.
> > >
> > > Roger
> > > ------------------------------------------------------
> > > Roger D. Seielstad - MCSE
> > > Sr. Systems Administrator
> > > Inovis - Formerly Harbinger and Extricity
> > > Atlanta, GA
> > >
> > >
> > > > -----Original Message-----
> > > > From: Weston Rogers [mailto:[EMAIL PROTECTED]]
> > > > Sent: Tuesday, November 26, 2002 4:58 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] OT: Migration tools and AD
> > > >
> > > >
> > > > Not true, although I don't know what the requirements of the
> > > > Quest software are, I know DMW doesn't care about modes.
> > > >
> > > > --
> > > > Weston Rogers
> > > > [EMAIL PROTECTED]
> > > > 800.849.5147 x255
> > > >
> > > > -----Original Message-----
> > > > From: Graham Turner [mailto:[EMAIL PROTECTED]]
> > > > Sent: Tuesday, November 26, 2002 4:50 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: [ActiveDir] OT: Migration tools and AD
> > > >
> > > >
> > > > is the target domain in native mode ??
> > > >
> > > > understood to be mandatory for the sidhistory attribute
> > > >
> > > > GT
> > > > ----- Original Message -----
> > > > From: Pelle, Joe
> > > > To: [EMAIL PROTECTED]
> > > > Sent: Tuesday, November 26, 2002 9:15 PM
> > > > Subject: [ActiveDir] OT: Migration tools and AD
> > > >
> > > >
> > > > Hello there!
> > > > I'd like to know if anyone has had any experience using Quest
> > > > migration tools?  If so, I am having some specific issues
> > > > migrating SIDHistory:  I am unable to move the SID history from
> > > > my NT domain to my new AD structure.  I am successful migrating
> > > > the user(s) but unable to get the SID to come with them!
> > > > Quest suggests that I have SP2 installed for 128bit encryption
> > > > when migrating SIDHistory from client to server.  I have SP3
> > > > already...
> > > > Any suggestions?! Thanks!
> > > > Joe Pelle
> > > > Systems Administrator
> > > > Information Technology
> > > > Valassis / Targeted Print & Media Solutions
> > > > 35955 Schoolcraft Rd.   Livonia, MI  48150
> > > > Tel 734.632.3753      Fax 734.632.6240
> > > > [EMAIL PROTECTED]
> > > > http://www.valassis.com/
> > > > This message may have included proprietary or protected
> > information.
> > > > This message and the information contained herein are not to be
> > > > further communicated without my express written consent.
> > > > List info   : http://www.activedir.org/mail_list.htm
> > > > List FAQ    : http://www.activedir.org/list_faq.htm
> > > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> > > >