SIDHistory Behavior in Intra-forest AD Migration

Hello IT Folks,

As we know, the SID/SIDHistory of Domain Local groups doesn't cross the trust boundary outside of the forest. But within the forest (intra-forest), if Domain Local groups were migrated from Domain A to Domain B along with SIDHistory, does the SID/SIDHistory of a migrated Domain Local group cross outside of the Domain B boundary?

Please answer and explain specific to the scenario.

  • Did you know that every time you mention me, I get two e-mails? One for posting and one for the mention. I am already alerted to every single post in this forum. You need to have some patience, as there is no SLA for replies to a thread. If you are in need of immediate support, please open a support case. However, the topic of this thread is not directly product related. 

    I actually like fielding questions here. It is, however, not in my job description. I field these in my spare time, after my primary tasks are complete. I will get to your thread when I have time. I am actually still working, 15 hours and counting. These explanations can take some time. 

    I have actually already answered your question in another thread.

    Domain Local Groups cannot be used to secure or grant access to resources in a trusting domain. This is a core functional administrative principle for Active Directory management. So if you migrate the source domain local group's SID to the target domain local group's SIDHistory, it adds no value. You have effectively given the office "keys" in one building to someone locked in another building. Now if the office is moved to the other building, those keys would work. 


  • Thank you for your reply. I will keep your suggestions in mind from now on.

    So I just want to confirm: the SID and SIDHistory of migrated target Domain Local groups also don't cross outside of the target domain boundary within the same forest. Right?

  • Yes, Jeff has specifically stated that in his answer to yours.

  • So intra-forest there is an issue with SID history. If there are two SIDs that are the same in the forest, that creates a management issue. When the ACLs are enumerated and resolved, if two objects are returned, the resolution stops. So you never want to have duplicate SIDs within the forest.
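The two checks the replies above imply, as an added example that is not part of the thread and not anyone's posted code: enumerate every object in the forest that carries a SIDHistory, flag Domain Local groups (whose SIDs, current or historical, are only evaluated inside their own domain, so the history buys nothing elsewhere), and flag any SIDHistory value that still resolves to a live object somewhere in the forest, which is the duplicate-SID situation the last reply warns about. It assumes the RSAT ActiveDirectory module, an account with read access to every domain in the forest, and a forest small enough that all objectSid values fit in memory.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory module and
# read access to every domain in the forest.
Import-Module ActiveDirectory

$domains = (Get-ADForest).Domains

# Build a forest-wide lookup of live objectSid -> "domain\name".
# Assumption: the forest is small enough to hold every SID in memory;
# in a large forest, scope the LDAP filter to users/groups/computers.
$liveSids = @{}
foreach ($d in $domains) {
    Get-ADObject -Server $d -LDAPFilter '(objectSid=*)' -Properties objectSid |
        ForEach-Object { $liveSids[$_.objectSid.Value] = "$d\$($_.Name)" }
}

# Walk every object with a sidHistory and evaluate each historical SID.
$findings = foreach ($d in $domains) {
    Get-ADObject -Server $d -LDAPFilter '(sidHistory=*)' -Properties sidHistory, groupType |
        ForEach-Object {
            $obj = $_
            # groupType bit 0x4 = Domain Local scope. Such a group's SIDs are
            # only honored inside its own domain, so SIDHistory on it adds no
            # value for resources in any other domain.
            $isDomainLocal = ($obj.ObjectClass -eq 'group') -and
                             (($obj.groupType -band 0x4) -ne 0)
            foreach ($sid in $obj.sidHistory) {
                [pscustomobject]@{
                    Domain       = $d
                    Object       = $obj.Name
                    Class        = $obj.ObjectClass
                    DomainLocal  = $isDomainLocal
                    HistorySid   = $sid.Value
                    # Non-empty means the same SID is still live elsewhere in
                    # the forest: the duplicate-SID condition to clean up.
                    StillLiveAs  = $liveSids[$sid.Value]
                }
            }
        }
}

# Report only the problem cases.
$findings |
    Where-Object { $_.StillLiveAs -or $_.DomainLocal } |
    Sort-Object Domain, Object |
    Format-Table Domain, Object, Class, DomainLocal, HistorySid, StillLiveAs -AutoSize
```

Run it from a workstation joined to any domain in the forest; `-Server` accepts a domain DNS name, so the cmdlets locate a DC in each domain for you. Rows with a DomainLocal value of True are candidates for simply clearing the SIDHistory, since it can never be evaluated outside the group's own domain; rows with a non-empty StillLiveAs need one of the two objects retired before the ACL resolution problem described above can be ruled out.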