Domain A is the old domain. Domain B is the new domain.
Step 1: Check the SID stored in sIDHistory.
1. On a domain controller in Domain B, run ldp.exe, click the Connection menu, click Connect, type the Domain B DC name and port 389, and click OK to connect to the server.
2. Click the Connection menu again and click Bind, enter the user name, password and Domain B domain name, and click OK to bind.
3. Click the View menu, click Tree, select the corresponding domain partition in the drop-down menu and click OK.
4. In the left pane, expand the domain and locate the migrated user, double-click the user and check the user properties in the right pane. Look for the sIDHistory attribute to find the migrated SID.
5. In Domain A, install PsGetSid from the link below: <http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx> Then run psgetsid.exe on a Domain A DC: psgetsid <SID> Note: replace <SID> with the value you got from sIDHistory to verify which account it belongs to.
6. Then check the resource's security and share permissions to verify that the user who holds the SID in sIDHistory is listed.
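The same check, done for every migrated account at once, as an added PowerShell example that is not part of the original post: it enumerates all Domain B accounts that carry a sIDHistory value and resolves each historical SID back to its Domain A account, which is what the ldp.exe plus psgetsid steps above do by hand for one user. The LDAP search base is an assumed placeholder for the Domain B naming context; the function is my own, not a Microsoft tool.

```powershell
# Added example, not part of the original post: list every account in Domain B with a
# sIDHistory value and resolve each historical SID to its Domain A account (the
# equivalent of "psgetsid <SID>"). Run on a Domain B machine that can read the directory;
# SID resolution needs a working trust to Domain A.

function Get-MigratedSidHistory {
    param(
        # Assumption: replace with the distinguished name of the Domain B naming context
        [string]$SearchBase = "LDAP://DC=domainB,DC=local"
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$SearchBase
    # Only user objects that actually carry a historical SID (for example, migrated with ADMT)
    $searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(sIDHistory=*))"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "objectSid", "sIDHistory"))

    foreach ($result in $searcher.FindAll()) {
        $props      = $result.Properties   # property names come back in lower case
        $currentSid = New-Object System.Security.Principal.SecurityIdentifier($props["objectsid"][0], 0)

        # sIDHistory is multi-valued: one binary SID per previous identity
        foreach ($raw in $props["sidhistory"]) {
            $oldSid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)

            # Resolve the historical SID to DOMAINA\account. Failure usually means the
            # Domain A object no longer exists or the trust to Domain A is not reachable.
            try {
                $oldAccount = $oldSid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $oldAccount = "<unresolved>"
            }

            # Domain part of the historical SID (null for well-known SIDs)
            $historyDomain = if ($oldSid.AccountDomainSid) { $oldSid.AccountDomainSid.Value } else { $null }

            [PSCustomObject]@{
                SamAccountName = [string]$props["samaccountname"][0]
                CurrentSid     = $currentSid.Value
                HistorySid     = $oldSid.Value
                HistoryDomain  = $historyDomain
                HistoryAccount = $oldAccount
            }
        }
    }
}

# Usage: review the list before changing any trust settings. Every HistoryDomain value
# should be Domain A's domain SID; a historical SID from any other domain, or one that
# resolves to a privileged group, was not produced by this migration and needs a closer look.
Get-MigratedSidHistory | Format-Table -AutoSize
```

Keep the output: once SID filtering is relaxed in Step 2, this list is the set of accounts whose old SIDs will be honoured across the trust, so it is the baseline to compare against later.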
Step 2: Run the following command on a Domain B DC that has netdom installed. (netdom.exe is part of the Support Tools, which you can install from the support\tools folder on the Windows installation CD.)
Although it reduces the security of your forest (and is therefore not recommended), you can disable SID filter quarantining for an external trust by using the Netdom.exe tool. You should consider disabling SID filter quarantining only in the following situations:
Only domain administrators or enterprise administrators can modify SID filtering settings. To disable SID filter quarantining for the trusting domain, type a command using the following syntax at a command prompt:
Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /usero:domainadministratorAcct /passwordo:domainadminpwd
Note: For Windows 2008, /quarantine: N or Y
Example:
netdom trust DomainA /D:DomainB /UD:DomainB\Administrator /PD:* /UO:DomainA\Administrator /PO:* /Quarantine:No
Note: replace DomainA and DomainB with the actual domain names. The * option masks the admin password; you will be prompted to enter the Domain A admin password first and then the Domain B admin password.
If users are migrated from one domain to another in different forests, you may want to allow the migrated users to access resources in their original forest using their migrated (SID history) credentials. The default SID filtering applied to forest trusts prevents user resource access requests from traversing the trusts with the credentials of the original domain. If you want to enable users to use the credentials that were migrated from their original domain, you can allow SID history to traverse forest trusts by using the Netdom command.
Only domain administrators or enterprise administrators can modify SID filtering settings. To allow SID history credentials to traverse a trust relationship between two forests, type a command using the following syntax at a command prompt:
Netdom trust TrustingDomainName /domain:TrustedDomainName /enablesidhistory:Yes /usero:domainadministratorAcct /passwordo:domainadminpwd
Note: For Windows 2008, /enablesidhistory: N or Y
Example:
netdom trust DomainA /D:DomainB /UD:DomainB\Administrator /PD:* /UO:DomainA\Administrator /PO:* /enablesidhistory:Yes
Note: replace DomainA and DomainB with the actual domain names. The * option masks the admin password; you will be prompted to enter the Domain A admin password first and then the Domain B admin password.
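A way to record the trust state before running the netdom commands above and to confirm the result afterwards, as an added PowerShell example that is not part of the original post: it reads the trustedDomain objects from Domain B and decodes the trustAttributes flags that /quarantine and /enablesidhistory change. The flag values come from the MS-ADTS trustAttributes definition; the mapping of each netdom switch to a flag is my reading of that specification, so compare the output before and after the change rather than relying on the comments alone. The container path is an assumed placeholder for Domain B.

```powershell
# Added example, not part of the original post: decode the SID filtering state of every
# trust known to Domain B from the trustAttributes bit flags (values per MS-ADTS).
# The netdom switch named next to each flag is the one I understand to set or clear it.

$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4    # SID filter quarantining on (netdom /quarantine:Yes)
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8    # the trust is a forest trust
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20   # trust between domains of the same forest
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # forest trust filtered like an external trust,
                                             # which lets SID history pass (netdom /enablesidhistory:Yes)

function Get-TrustSidFilteringState {
    param(
        # Assumption: System container of the Domain B naming context
        [string]$SystemContainer = "LDAP://CN=System,DC=domainB,DC=local"
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$SystemContainer
    $searcher.Filter = "(objectClass=trustedDomain)"
    [void]$searcher.PropertiesToLoad.AddRange(@("trustPartner", "trustAttributes", "trustDirection"))

    foreach ($result in $searcher.FindAll()) {
        $props = $result.Properties
        $attrs = [int]$props["trustattributes"][0]

        $isForestTrust = ($attrs -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0
        $isWithinForest = ($attrs -band $TRUST_ATTRIBUTE_WITHIN_FOREST) -ne 0
        $quarantined = ($attrs -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0
        $treatAsExternal = ($attrs -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) -ne 0

        # trustDirection: 1 = inbound, 2 = outbound, 3 = bidirectional, 0 = disabled
        $direction = switch ([int]$props["trustdirection"][0]) {
            1 { "Inbound" } 2 { "Outbound" } 3 { "Bidirectional" } default { "Disabled" }
        }

        # Whether a migrated user's old SID survives the trust depends on the trust kind:
        #  - external trust: SID history is dropped while the quarantine flag is set
        #  - forest trust:   SID history only passes once treat-as-external is set
        #  - intra-forest:   SID filtering does not apply in this sense; report as N/A
        if ($isWithinForest) {
            $trustKind = "Intra-forest"; $sidHistoryPasses = "N/A"
        } elseif ($isForestTrust) {
            $trustKind = "Forest"; $sidHistoryPasses = $treatAsExternal
        } else {
            $trustKind = "External"; $sidHistoryPasses = -not $quarantined
        }

        [PSCustomObject]@{
            Partner          = [string]$props["trustpartner"][0]
            Direction        = $direction
            TrustKind        = $trustKind
            TrustAttributes  = ("0x{0:X}" -f $attrs)
            Quarantined      = $quarantined
            TreatAsExternal  = $treatAsExternal
            SidHistoryPasses = $sidHistoryPasses
        }
    }
}

# Usage: run once before and once after the netdom command and keep both outputs.
# Only the one flag you intended should differ between the two runs.
Get-TrustSidFilteringState | Format-Table -AutoSize
```

Because either netdom change widens what the trust accepts, the before/after comparison is also the record you want when the setting is later reverted or audited.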
Additional information:
===================
For detailed information, refer to the sections "Disabling SID Filter Quarantining on External Trusts" and "Allowing SID History to Traverse Forest Trusts" in the following article: http://technet.microsoft.com/en-us/library/cc755321(WS.10).aspx