Migrated User has no access to Fileserver netdom trust

    Question

  • Hello experts,

    I've got a problem with a user migrated from domainA to domainB who should still have access to a file server in domainA.

    I know that first it's mandatory that the user got migrated with its SID from domainA to domainB, which I can see in the HistorySID field.

    Additionally I need to enable the SIDHistory via Netdom trust, but this will not work.

    When I try to enable it with the following commands, I still get the message that the SIDHistory is still disabled.

    NETDOM Trust domainA /Domain:DomainB /Quarantine:No

    NETDOM Trust domainA /Domain:DomainB /EnableSIDHistory:Yes

    I do this from an elevated command line with a user on domainA which is Domain Administrator.

    What am I doing wrong?

    Friday, April 13, 2018 7:31 AM

All replies

  • Hi Ben,

    Is it an external trust or a forest trust?

    If you have set up an external trust (e.g. not a forest trust), you have to disable 'SID filter quarantining'.

    If it is a forest trust, you need to enable SID History, not disable it.

    Please refer to the article for more details:

    https://blog.thesysadmins.co.uk/admt-series-3-sid-history.html

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    In addition, please also refer to the thread discussed before.

    https://social.technet.microsoft.com/Forums/en-US/b22b58d9-d3a5-47bc-9faf-7d39dee86c8e/post-migration-users-in-target-domain-unable-to-access-shares-located-in-source-domain-based-on-sid?forum=winserverfiles

    Best Regards,

    Mary


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, April 13, 2018 8:48 AM
    Moderator
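
Added example, not part of the thread: the distinction in the reply above (external trust: `/Quarantine`; forest trust: `/EnableSIDHistory`) is visible in the trust's `trustAttributes` bitmask, so decoding it shows which switch applies and whether SIDHistory SIDs currently pass the filter. The function name and sample values are constructed for illustration; the bit values are taken from the MS-ADTS definition of `trustAttributes`.

```powershell
# Decode the trustAttributes bitmask of a trustedDomain object and report
# the SID-filtering state plus the netdom switch that governs it.
$TrustBits = [ordered]@{
    NON_TRANSITIVE     = 0x01
    UPLEVEL_ONLY       = 0x02
    QUARANTINED_DOMAIN = 0x04   # SID filter quarantining is on
    FOREST_TRANSITIVE  = 0x08   # forest trust
    CROSS_ORGANIZATION = 0x10   # selective authentication
    WITHIN_FOREST      = 0x20   # trust inside one forest
    TREAT_AS_EXTERNAL  = 0x40   # SID history allowed across a forest trust
}

function Get-SidFilterState {   # hypothetical helper name
    param([Parameter(Mandatory)][int]$TrustAttributes)

    # Names of all bits that are set in the supplied value
    $set = @($TrustBits.Keys | Where-Object { $TrustAttributes -band $TrustBits[$_] })

    if ($set -contains 'WITHIN_FOREST') {
        $kind = 'IntraForest'; $netdomSwitch = 'n/a'; $passes = $true
    } elseif ($set -contains 'FOREST_TRANSITIVE') {
        $kind = 'Forest';      $netdomSwitch = '/EnableSIDHistory'
        $passes = $set -contains 'TREAT_AS_EXTERNAL'
    } else {
        $kind = 'External';    $netdomSwitch = '/Quarantine'
        $passes = -not ($set -contains 'QUARANTINED_DOMAIN')
    }

    [pscustomobject]@{
        TrustAttributes  = '0x{0:X}' -f $TrustAttributes
        Flags            = $set -join ', '
        TrustKind        = $kind
        SidHistoryPasses = $passes
        NetdomSwitch     = $netdomSwitch
    }
}

# Constructed sample values: external trust with quarantine on, external with
# quarantine off, forest trust by default, forest trust with SID history enabled.
0x4, 0x0, 0x8, 0x48 |
    ForEach-Object { Get-SidFilterState -TrustAttributes $_ } |
    Format-Table -AutoSize

# Against a live domain (assumes the RSAT ActiveDirectory module is installed):
# Get-ADTrust -Filter * | ForEach-Object { Get-SidFilterState $_.TrustAttributes }
```

Any trust reported with `SidHistoryPasses = True` accepts SIDs from outside the trusted domain, so it is worth listing those trusts during a review and confirming each one is still needed for a migration.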
  • Hello Mary,

    When I open the MMC with domain trusts, I see there that it's an external trust. The problem I get there is that I can use this as often as I want:

    NETDOM Trust domainA /Domain:DomainB /Quarantine:No

    But it's still quarantining.

    I also tried to

    NETDOM Trust domainA /Domain:DomainB /Verify

    and I get:

    Errors while doing a Group-Lookup on one of those domaincontrollers with the reason:

    Access Denied.

    Which credentials are needed to change the settings? I assume organization Admin should be enough?


    I saw the same behavior on the linked post above from SoumenG. I will update you in 1 week if the issue is solved with the solution he described.


    • Edited by BenTop Friday, April 13, 2018 12:17 PM
    Friday, April 13, 2018 11:14 AM
  • Hi BenTop,

    Based on my knowledge, access denied usually indicates that you didn't have appropriate rights to verify the domain trust. You should have a Domain Admin/Enterprise Admin right, or use Run as with an account which has the required access.

    Best Regards,

    Mary



    Monday, April 16, 2018 1:51 AM
    Moderator
  • Hi,

    Any updates?

    Best Regards,

    Mary



    Tuesday, April 17, 2018 7:53 AM
    Moderator

  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Mary



    Wednesday, April 18, 2018 8:15 AM
    Moderator
  • Hello Mary,

    I just finally changed the GPO to disable SID Translation and ran the Netdom Trust command for each domain on both DCs.

    It was not successful so far. Is there some kind of log which I can check for errors?

    Thursday, May 03, 2018 1:08 PM
  • Hi,

    Still the same error? Maybe you could also follow the KB to do some troubleshooting.

    https://support.microsoft.com/en-sg/help/322970/how-to-troubleshoot-inter-forest-sidhistory-migration-with-admtv2

    Best Regards,

    Mary



    Friday, May 04, 2018 1:45 AM
    Moderator
  • Yes, still the same error.

    I tried a few weeks ago to migrate users with ADMT and this did work. I have users and groups which have a SIDHistory entry, which is the SID from the old domain.

    But I still can't disable the quarantine function from both domains. The forest enable SID function also does not work.

    Friday, May 04, 2018 8:00 AM