
Strange displayed domain name behavior


kmcferrin

MIS
Jul 14, 2003
2,938
US
I am working on a domain migration for a customer and have run into an odd issue. Here's the background (names changed to protect the innocent):

Customer is a government agency and their existing namespace is "agency.co.countyname.state.us". As part of the migration they are changing their namespace to "agency.countyname.state.us". The old domain is Server 2003 functional levels and servers. The new domain is 2008 R2 servers but is currently at 2003 functional levels.

The county datacenter owns the "co.countyname.state.us" namespace and the old domain is a child domain in their forest. The new domain is in its own forest and is delegated from the "countyname.state.us" namespace.

Both domains have different NetBIOS names. One is "agency" and the other is "ncy".

A one-way nontransitive trust has been created from "agency" to "ncy". SID Filter Quarantine has been disabled to allow use of SID history during the migration period.

I can add users from the "ncy" domain to groups in the "agency" directory. This works as expected (prompted for "ncy" credentials to connect to the trusted domain, etc), and the icon for the user object in the group list is the correct, lighter-colored foreign security principal icon.

I wanted to add a user from the "ncy" domain to a file share in the "agency" domain to verify that it works properly. When I did so, the share rights worked correctly (everything looks good from the SID perspective) but the users listed in the permissions tab look funny.

For example, let's say I add "ncy\administrator" to the share. I am prompted for "ncy" credentials, and when the user has been added it is listed in the ACL list with the normal, non-FSP icon and the user account is listed as "agency\administrator". If I try to add "agency\administrator" it will also be added without a credentials prompt, but it will be listed as "administrator@agency.co.countyname.state.us" in the ACL list and also have the non-FSP icon.

From what I can tell, in the ACL list it is using the lowest-level portion of the domain's DNS namespace as the domain name rather than the NetBIOS domain. It appears to be a cosmetic issue rather than a functional issue, but since both domains have the same low-level namespace ("agency") it has the potential to be extremely confusing.

Oh...and I just went back into that ACL on the share to check something and now it is displayed correctly as "ncy\administrator". But I still have the screenshot where it showed it the other way. Clearly it needed something to happen before resolution occurred, but I have no idea what.

Has anyone else seen this before? Can I expect this to happen on every share/resource, or was it a one-time thing? Am I making any sense?

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCSE:Security 2003
MCITP:Server Administrator
MCITP:Enterprise Administrator
MCITP:Virtualization Administrator 2008 R2
Certified Quest vWorkspace Administrator
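
Because the names shown in the ACL list above were ambiguous between the two domains, one way to confirm which domain each entry really belongs to is to read the ACL by SID and group entries by domain SID. The script below is an added example, not part of the original post; it reads the NTFS ACL of a folder, and `$Path` and the keys of `$DomainLabels` are placeholders to replace with your own values.

```powershell
# Added example, not from the original post. Placeholders are assumptions.
$Path = 'D:\Shares\Example'    # hypothetical folder behind the share
# Map each domain SID to a label you trust; the keys below are placeholders.
$DomainLabels = @{
    '<DOMAIN-SID-OF-AGENCY>' = 'agency (old domain)'
    '<DOMAIN-SID-OF-NCY>'    = 'ncy (new domain)'
}

$sidType = [System.Security.Principal.SecurityIdentifier]
$ntType  = [System.Security.Principal.NTAccount]

# Request the explicit and inherited rules keyed by SID instead of by name.
$rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)

$report = foreach ($rule in $rules) {
    $sid = $rule.IdentityReference

    # AccountDomainSid is $null for well-known SIDs (BUILTIN, Everyone, ...).
    $domainSid = $sid.AccountDomainSid
    if ($domainSid -and $DomainLabels.ContainsKey($domainSid.Value)) {
        $domain = $DomainLabels[$domainSid.Value]
    } elseif ($domainSid) {
        $domain = "unlisted domain $($domainSid.Value)"
    } else {
        $domain = 'well-known or builtin'
    }

    # Name translation can fail across a trust; the SID is still authoritative.
    try   { $name = $sid.Translate($ntType).Value }
    catch { $name = '(could not be resolved)' }

    New-Object PSObject -Property @{
        Sid = $sid.Value; Domain = $domain; ResolvedName = $name
        Rights = $rule.FileSystemRights; Type = $rule.AccessControlType
        Inherited = $rule.IsInherited
    }
}

$report | Select-Object Domain, ResolvedName, Sid, Rights, Type, Inherited |
    Format-Table -AutoSize
```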