RE: [ActiveDir] Accessing NT4 resource domain via sIDHistory
Thanks for all of your answers - BUT I know about sIDHistory and how it works. I am looking for how the authentication using sIDHistory works. Does there have to be a secure channel in place between the target AD domain and the not-trusted NT4 resource domain? I also know that as soon as the trust between the NT4 account domain and the NT4 resource domain breaks, accessing resources of the NT4 resource domain permissioned to accounts (SIDs) from the NT4 account domain using a migrated account of the target AD domain (so via sIDHistory) stops working (I guess you already had such an experience) - so there are dependencies on trusts. Please re-read my questions below... ;-)

Regards,
Bert

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, 12 May 2005 07:50
To: ActiveDir@mail.activedir.org
Subject: FW: [ActiveDir] Accessing NT4 resource domain via sIDHistory

AND - in addition to what Jorge and Deji said: Target Domain technically needs to be in Native mode to support sIDHistory.

-rtk

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Thursday, May 12, 2005 12:39 AM
To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'; 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Accessing NT4 resource domain via sIDHistory

In addition to what Deji said, you need the trust to populate sIDHistory and to migrate accounts from the source domain.

#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/12/2005 4:29 AM
Subject: RE: [ActiveDir] Accessing NT4 resource domain via sIDHistory

When you migrate a user with SIDHistory in place, the user (in the new domain) now effectively has 2 SIDs - one from the old domain and one from its new domain. OK. You have resources (say a fileshare) in the old domain and the resource was permissioned for users in the old domain. Say the user you migrated above is one of the users who has access to this resource. This means this user's SID is on that list of authorized users. OK.

You now migrate this resource from the old domain AND you retain the old permissions. Now, the user you migrated above tries to access the resource you have just migrated. When it requests the resource, he supplies his token which contains (remember?) 2 SIDs. The resource then compares the SIDs inside the token with what it has in its DACL and goes "Oh, I see that your SID XYZ is on my control list and here it says to grant access for that SID, so I'm all yours."

If you now re-ACL the resource to match the new domain (removing the old permission), this user will now NOT be able to access the resource unless you specifically grant it access. This is because the SID it was using before is now no longer on the list. When you grant this new access (using accounts from the new domain) and this user again tries to access the resource, the resource will go through the motions again and see that the user's new SID in the new domain is also now present in its DACL, so again, the user is able to access the resource using the new SID - even though his old SID is no longer on the list.

Users are Security Principals and Security Principals are all about SIDs rather than names or anything else; if you remember that, the above will make sense to you - I think.

As an aside, security groups are also security principals and have SIDs, so even if a user's SID is not directly on a resource DACL, a user can still access the resource by virtue of its membership in a security group whose SID is on the DACL.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Bert Skorupski
Sent: Wed 5/11/2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Accessing NT4 resource domain via sIDHistory

Hey guys,

Today I got really confused about trusts and sIDHistory. I always thought that you have to use a trust for accessing resources in an old NT4 resource domain. But today I found a Microsoft technote telling the following:

"In this way SIDHistory ensures that migrated users can continue to access resources located in a trusting (resource) domain, even though the user's new domain does not have a trust relationship with the resource domain."

Can be found here: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/9d688a18-15c7-4d4e-9d34-7a763baa50a1.mspx

Scenario:
NT4 Account Domain -- User migrated to target AD domain including sIDHistory. Trust relationships exist to the NT4 resource domain and to the target AD domain.
NT4 Resource Domain -- hosting resources (e.g. files, folders) permissioned to users of the NT4 account domain. Trust relationship to the NT4 account domain.
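The access check Deji walks through above, as an added example that is not part of the thread: a simplified model of how a Windows resource evaluates a token (primary SID, sIDHistory entries, group SIDs) against a DACL walked in ACE order, run through the three states he describes (old permission retained, re-ACLed without the new SID, re-ACLed with the new SID) plus the group-membership case, a deny ACE on the historical SID, and what happens when SID filtering on the trust strips the sIDHistory entries before they reach the resource domain. All SIDs, domain identifiers and access masks are constructed for illustration; the SID filtering function is a model of the trust-quarantine behaviour, not a real API.

```python
"""Added example (not from the thread): a simplified model of the Windows
access check. A token is evaluated against a DACL walked in order; all SIDs
and domain identifiers below are constructed for illustration."""

from dataclasses import dataclass, field

# Illustrative access rights (subset of a real access mask).
READ = 0x1
WRITE = 0x2
FULL = READ | WRITE

OLD_DOMAIN = "S-1-5-21-1111-2222-3333"   # constructed: NT4 account domain
NEW_DOMAIN = "S-1-5-21-4444-5555-6666"   # constructed: target AD domain


@dataclass
class Token:
    user_sid: str
    sid_history: list = field(default_factory=list)
    group_sids: list = field(default_factory=list)

    def sids(self):
        """Every SID the DACL is matched against: the primary SID, the
        sIDHistory entries and the group SIDs (group sIDHistory entries
        are modelled simply by listing them in group_sids)."""
        return {self.user_sid, *self.sid_history, *self.group_sids}


@dataclass
class Ace:
    sid: str
    mask: int
    allow: bool = True


def access_check(token, dacl, requested):
    """Walk the DACL in order (canonical ordering puts deny ACEs first).
    A matching deny ACE covering any still-ungranted requested right denies;
    matching allow ACEs accumulate rights until the request is satisfied.
    A DACL with no matching ACE grants nothing."""
    granted = 0
    token_sids = token.sids()
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                       # ACE is for someone else
        if ace.allow:
            granted |= ace.mask & requested
            if granted == requested:
                return True
        elif ace.mask & requested & ~granted:
            return False
    return granted == requested


def strip_for_trust(token, trusted_domain):
    """Model of SID filtering (quarantine) on a trust: the resource domain
    keeps only SIDs relative to the domain it trusts, so sIDHistory entries
    from the NT4 account domain are dropped. Well-known SIDs are ignored here."""
    keep = lambda s: s.startswith(trusted_domain + "-")
    return Token(token.user_sid,
                 [s for s in token.sid_history if keep(s)],
                 [s for s in token.group_sids if keep(s)])


# Constructed: a user migrated from the NT4 account domain with sIDHistory.
migrated_user = Token(
    user_sid=f"{NEW_DOMAIN}-1001",
    sid_history=[f"{OLD_DOMAIN}-1001"],
    group_sids=[f"{NEW_DOMAIN}-513"],      # Domain Users in the new domain
)


def scenario_old_acl():
    """Resource still carries the NT4 permission: matched via sIDHistory."""
    return access_check(migrated_user, [Ace(f"{OLD_DOMAIN}-1001", FULL)], READ)


def scenario_reacled_without_new_sid():
    """Re-ACLed to the new domain, but this user's new SID was not granted."""
    return access_check(migrated_user, [Ace(f"{NEW_DOMAIN}-2002", FULL)], READ)


def scenario_reacled_with_new_sid():
    """Re-ACLed and the new SID granted; the old SID is gone from the DACL."""
    return access_check(migrated_user, [Ace(f"{NEW_DOMAIN}-1001", FULL)], READ)


def scenario_group_membership():
    """Neither user SID is on the DACL, only a group SID from the token."""
    dacl = [Ace(f"{NEW_DOMAIN}-513", READ)]
    return (access_check(migrated_user, dacl, READ),
            access_check(migrated_user, dacl, WRITE))


def scenario_deny_on_old_sid():
    """A deny ACE on the historical SID still applies through sIDHistory."""
    dacl = [Ace(f"{OLD_DOMAIN}-1001", WRITE, allow=False),
            Ace(f"{NEW_DOMAIN}-1001", FULL)]
    return (access_check(migrated_user, dacl, READ),
            access_check(migrated_user, dacl, WRITE))


def scenario_sid_filtering():
    """Same old-domain ACE, before and after SID filtering on the trust."""
    dacl = [Ace(f"{OLD_DOMAIN}-1001", FULL)]
    filtered = strip_for_trust(migrated_user, NEW_DOMAIN)
    return (access_check(migrated_user, dacl, READ),
            access_check(filtered, dacl, READ))


if __name__ == "__main__":
    for fn in (scenario_old_acl, scenario_reacled_without_new_sid,
               scenario_reacled_with_new_sid, scenario_group_membership,
               scenario_deny_on_old_sid, scenario_sid_filtering):
        print(f"{fn.__name__}: {fn()}")
```

The last scenario is the caveat worth remembering when planning a migration of this kind: the NT4 resource server never evaluates a SID it did not receive, so if the trust it holds to the target AD domain filters SIDs, the historical SID is stripped before the check runs and the old permissions stop working even though the sIDHistory attribute is still populated.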
RE: [ActiveDir] Accessing NT4 resource domain via sIDHistory
My god... guess I got it in the end... ;-)

The sentence I mentioned in my earlier mail (the one out of the MS technote) was misleading me completely (I'd love to use being a non-native English speaker as an excuse ;-). I think the sentence only means that there has to be a trust relationship established between the NT4 resource domain and the target AD domain, but the target AD domain does not have to trust the NT4 resource domain. So a uni-directional trust, with the NT4 resource domain trusting the target AD domain, should work.

I am happy, as everything seems to be as I understood it before... I was simply misled by the wording. Or did I get it wrong again?

Cheers,
Bert