How to Disabling SID Filter Quarantining & Allowing SID History
Domain A is old domain. Domain B is new Domain.
Step1: check sidhistory sid.
1. On a domain controller in Domain B, run ldp.exe, click the Connection menu, click Connect, type the domainB DC name and port 389, click OK to connect to the server.
2.Click the Connection menu again and click bind, input the user name, password and domainB domain name, click OK to bind to it.
3. Click the View menu, click Tree, select the corresponding domain partition in the dropdown menun and click OK.
4.After that, in the left pane, expand the domain and locate the corresponding migrated user, double click the user and check the user properties in the right pane. Please find the sidhistory attribute to find the migrated sid.
5.In domain A, install psgetsid from the link below:
Then run psgetsid.exe on a DomainA DC:
Note: replace the sid with the one that you get from sidhistory to verify the account.
6.Then check the resource’ security and share permissions to verify that the user who present the sid in sidhistory is listed.
Step 2: Run the following command on a Domain B DC which has netdom. (netdom.exe can be installed with Support Tools which you can install from supporttools folder on Windows installation CD.)
Disabling SID Filter Quarantining on External Trusts
Although it reduces the security of your forest (and is therefore not recommended), you can disable SID filter quarantining for an external trust by using the Netdom.exe tool. You should consider disabling SID filter quarantining only in the following situations:
- You have an equally high level of confidence in the administrators who have physical access to domain controllers in the trusted domain and the administrators with such access in the trusting domain.
- You have a strict requirement to assign universal groups to resources in the trusting domain, even when those groups were not created in the trusted domain.
- Users have been migrated to the trusted domain with their SID histories preserved, and you want to grant them access to resources in the trusting domain based on the SID history attribute.
Only domain administrators or enterprise administrators can modify SID filtering settings. To disable SID filter quarantining for the trusting domain, type a command using the following syntax at a command-prompt:
Netdom trust TrustingDomainName /domain: TrustedDomainName /quarantine:No /usero: domainadministratorAcct /passwordo: domainadminpwd
Note: For Windows 2008 /quarantine: N or Y
EX: netdom trust DomainA /D:DomainB /UD:DomainBAdministrator /PD:* /UO:DomainAAdministrator /PO:* /Quarantine:Nonote:please replace the domainA and domainb with the actual domain name. * option would mask the admin password and you would be prompted to enter DomainA admin password first & then DomainB admin password.
Allowing SID History to Traverse Forest Trusts
If users are migrated from one domain to another in different forests, you may want to allow the migrated users to access resources in their original forest using their migrated (SID history) credentials. The default SID filtering applied to forest trusts prevents user resource access requests from traversing the trusts with the credentials of the original domain. If you want to enable users to use the credentials that were migrated from their original domain, you can allow SID history to traverse forest trusts by using the Netdom command.
Only domain administrators or enterprise administrators can modify SID filtering settings. To allow SID history credentials to traverse a trust relationship between two forests, type a command using the following syntax at a command-prompt:
Netdom trustTrustingDomainName /domain: TrustedDomainName /enablesidhistory:Yes/usero: domainadministratorAcct /passwordo: domainadminpwd
Note: For Windows 2008 /enablesidhistory: N or Y
EX: netdom trust DomainA /D:DomainB /UD:DomainBAdministrator /PD:* /UO:DomainAAdministrator /PO:* /enablesidhistory:Yes
note:please replace the domainA and domainb with the actual domain name. * option would mask the admin password and you would be prompted to enter DomainA admin password first & then DomainB admin password.
- The same security considerations for removing SID filter quarantining from external trusts apply to allowing SID history to traverse forest trusts.
For the detailed information, you may refer to the session “Disabling SID Filter Quarantining on External Trusts” and “Allowing SID History to Traverse Forest Trusts” in the following article: