What are the differences between migrating with SID History and Translating Security? (NETIQKB4537)

  • 7704537
  • 02-Feb-2007
  • 30-Oct-2007


What are the differences between migrating with SID History and Translating Security?


Migrating with SID History: When you migrate with SID History, the user account gains an additional attribute during its migration from the source domain to the target domain. This attribute, SID History, holds the original SID from the source domain. After migration, the user has a new SID generated in the target domain as well as the original SID carried over from the source domain (in the SID History attribute). This allows the user account to access files and folders in the source domain as long as the original SID is still in the Access Control List of those files/folders, which is the case if no changes are made to the file/folder (D)ACLs.

Translating Security: When you translate security, what you are really doing is changing the Access Control Lists in the security descriptors of the files/folders. This process adds a copy of the newly migrated user's SID from the target domain to the source domain resources you have specified in the Security Translation Wizard. However, this doubles the size of your (D)ACLs, because you are adding the new target domain SIDs to source domain resources where all the original SIDs already exist. You can only translate security for objects that have been migrated with Domain Migration Administrator.

The goal in both of these operations is to give the migrated users in the target domain access to the files and folders they were previously able to access using the source domain account.  These are just two different ways to maintain access.
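The two mechanisms can be compared with a small model of the access check. This is an added example, not code from NetIQ or Domain Migration Administrator. It assumes a simplified allow-only DACL, and every SID and function name in it is constructed for illustration.

```python
# Simplified model of a Windows access check; all SIDs and names are constructed.
from dataclasses import dataclass, field

SRC_SID = "S-1-5-21-1111-2222-3333-1104"   # constructed: account SID in source domain
TGT_SID = "S-1-5-21-4444-5555-6666-2210"   # constructed: new SID in target domain


@dataclass
class Account:
    sid: str
    sid_history: list = field(default_factory=list)

    def token_sids(self):
        # The access token carries the account SID plus any SID History values.
        return {self.sid, *self.sid_history}


def has_access(account, dacl):
    # Allow-only model: access is granted if any ACE's SID is in the token.
    return any(ace_sid in account.token_sids() for ace_sid in dacl)


def translate_security(dacl, sid_map):
    # Translation as described above: keep each original ACE and add an ACE
    # for the mapped target-domain SID of every migrated account.
    added = [sid_map[s] for s in dacl if s in sid_map and sid_map[s] not in dacl]
    return dacl + added


def demo():
    other_src = "S-1-5-21-1111-2222-3333-1105"   # constructed: second migrated account
    other_tgt = "S-1-5-21-4444-5555-6666-2211"
    sid_map = {SRC_SID: TGT_SID, other_src: other_tgt}
    dacl = [SRC_SID, other_src]                  # source-domain resource, untouched

    with_history = Account(TGT_SID, [SRC_SID])   # migrated with SID History
    without_history = Account(TGT_SID)           # migrated without SID History
    translated = translate_security(dacl, sid_map)
    return {
        "history_untouched_dacl": has_access(with_history, dacl),
        "no_history_untouched_dacl": has_access(without_history, dacl),
        "no_history_translated_dacl": has_access(without_history, translated),
        "history_after_ace_removed": has_access(with_history, [other_src]),
        "dacl_sizes": (len(dacl), len(translated)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `history_after_ace_removed` case shows the dependency noted above: SID History only helps while the original SID is still in the resource's ACL.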

For more information on this topic, please refer to "Understanding the Migration Process and SID History" in Appendix C of the Domain Migration Administrator 7.1 User Guide.

Additional Information

Formerly known as NETIQKB4537