
translate security with ADMT (after 2 migrations)


vtfglc

Technical User
Sep 30, 2003
19
CH
Here is my problem:

Company C has bought a new company (company A). In order to integrate this
new company into their AD, they have migrated all
users/groups/workstations and servers to a temp AD (B). Everything has
been migrated with SIDHistory successfully. Member servers have just been
moved to domain B WITHOUT RE-ACLING. As we have SIDHistory, everything is
working fine.
Then the trust between A and B has been removed and a new trust has
been created between B and C. We can migrate users/groups and workstations
without any problem with ADMT.
The problem occurs when we want to translate security on member servers. As no
re-ACLing has been done, all ACEs are set with SIDs from domain A. When I run
ADMT to translate security (source=B, target=C), all ACEs (from domain A) are
skipped and therefore nothing is done on my files/folders.
Does anybody have a solution for this problem?
For sure it is possible to script, but I want to be able to do this
re-ACLing in a decent time....
Thanks in advance.
 
You will need to reestablish the trust, then run security translation against the member servers to translate domain A\group or user to domain B\group or user (this requires that you migrated the users and groups using ADMT, and have not uninstalled ADMT). Then you will have to migrate users and groups, and servers/systems, from B to C using ADMT again, then repeat the security translation from domain B\user or group to domain C\user or group. Other than that, your other option is, you MAY be able to use a SID mapping file, but it will require that you know all the SIDs.

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+
Manager - Global AD Operations
ACS, Inc.
 
Thanks for your answer.
I have solved my problem by generating a SID mapping file. I used a script to browse all users/groups which have SIDHistory and retrieve all SIDs (from domain A and B) which are in the SIDHistory array.
 
There ya go. Glad to hear you got it worked out :)

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+
Manager - Global AD Operations
ACS, Inc.
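
The approach described in the thread, as an added example that is not part of the original posts and is not the poster's script: it turns every SID found in an account's sIDHistory into a mapping line pointing at that account's current SID. Assumptions: the mapping file takes one `sourceSID,targetSID` pair per line (check this against the ADMT documentation for your version), the function name `ConvertTo-SidMapLine` and the output file name are hypothetical, and the sample accounts and SIDs are constructed.

```powershell
# Added example (not from the thread): build SID mapping lines from sIDHistory.
# Assumed file format: one "sourceSID,targetSID" pair per line.
function ConvertTo-SidMapLine {
    param(
        # Any object exposing objectSid and sIDHistory, e.g. Get-ADObject output.
        [Parameter(Mandatory, ValueFromPipeline)] $Account
    )
    begin { $seen = @{} }   # old SID -> target SID already emitted
    process {
        $target = [string]$Account.objectSid
        foreach ($entry in $Account.sIDHistory) {
            $old = [string]$entry
            if ($seen.ContainsKey($old)) {
                # The same historical SID on two different accounts is ambiguous:
                # translating it would hand one account's access to the other.
                if ($seen[$old] -ne $target) {
                    Write-Warning "Skipping $old for $($Account.Name): already mapped to $($seen[$old])"
                }
                continue
            }
            $seen[$old] = $target
            "$old,$target"
        }
    }
}

# Constructed sample data: two accounts carrying SIDs from two earlier domains,
# and a third account that wrongly shares a historical SID with the first.
$sample = @(
    [pscustomobject]@{ Name = 'jdoe'; objectSid = 'S-1-5-21-3000-3000-3000-1105'
        sIDHistory = @('S-1-5-21-1000-1000-1000-1204', 'S-1-5-21-2000-2000-2000-1311') }
    [pscustomobject]@{ Name = 'FileAdmins'; objectSid = 'S-1-5-21-3000-3000-3000-1120'
        sIDHistory = @('S-1-5-21-1000-1000-1000-1250', 'S-1-5-21-2000-2000-2000-1340') }
    [pscustomobject]@{ Name = 'jdoe-dup'; objectSid = 'S-1-5-21-3000-3000-3000-1190'
        sIDHistory = @('S-1-5-21-1000-1000-1000-1204') }
)

$lines = $sample | ConvertTo-SidMapLine
$lines | Set-Content -Path .\sidmap.txt
$lines   # four mapping lines; the duplicate on 'jdoe-dup' only raises a warning

# Against a live directory (requires the ActiveDirectory module):
#   Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties objectSid, sIDHistory |
#       ConvertTo-SidMapLine | Set-Content -Path .\sidmap.txt
```

Review the generated file before feeding it to a security translation run, since every line causes ACEs for the old SID to be rewritten for the target account.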
 