What are the reasons for translating security and removing SID History instead of using SID History (NETIQKB5955)

  • 7705955
  • 02-Feb-2007
  • 19-Oct-2007

Resolution

goal
What are the reasons for translating security and removing SID History instead of using SID History as a long term solution?

fact
Domain Migration Administrator 7.1

fix

There are several reasons why we recommend you remove SID History:

  1. If users and their related groups are migrated to the AD using SID History, the group membership of the migrated NT groups becomes static. If the user is then removed from the group in NT, the user's Windows 2000 account will still have access to data that this group has access to. This is because the user's access token includes the SID of the target account, the SIDs of the target groups, and the SID History of every target group of which he is a member. Taking a user out of the group in NT does not remove that source group SID from the SID History of the group in Windows 2000, so the Windows 2000 group retains access to everything the NT group has access to because of the SID History attribute of the NT group.
  2. Auditing (File, Registry, etc.) is not tracked on accounts (users & groups) that have access to data based on SID History attributes. Consider, for example, a user's account that is migrated to Windows 2000 using SID History, with auditing set up on a directory for his old account. If the user then makes changes to data in this directory using his Windows 2000 account, there will be no entries in the audit log on the system the user is accessing.
  3. Windows NT tools, such as Windows Explorer, only show that the source domain accounts have access to resources, even though the Windows 2000 accounts also have access via SID History.
  4. Windows 2000 tools, such as Windows Explorer, only show that the target domain account has access to objects, even though the Windows NT 4.0 accounts also have access. Please see NETIQKB13885 for more information on this topic.
  5. Most likely, the source domain will eventually be taken out of service. Once the PDC is removed from the source domain, accounts from that domain can no longer be resolved to names when using Windows NT tools; permissions will show an unknown account, or no account permissions will be displayed at all.
  6. Technical Issues
    • SID information for each user and all of the groups the user is a member of is added to the target user or group; this increases the size of the Active Directory. This impacts the size of the Kerberos authentication packet, which does have a size limit. For more information, see Microsoft TechNet article Q263693.
    • SID History itself is a potential security leak, because access is carried by attributes that the source domain no longer controls.
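The following is an added example, not part of this article or of DMA: a minimal Python model of the access-token composition described in reason 1 (user SID, user SID History, target group SIDs, target group SID History) together with a simplified allow-list ACL check. All SIDs, principal names and the share ACL are constructed for illustration. It shows that removing the user from the NT source group leaves the token unchanged, and that only translating security on the resource and clearing SID History makes access follow target-domain group membership again.

```python
# Added example (not NetIQ/DMA code): how SID History extends an access token,
# and why removing a user from the NT source group does not revoke access that
# the target group grants through its SID History. All SIDs are constructed.
from dataclasses import dataclass, field

NT_DOMAIN = "S-1-5-21-1111-1111-1111"   # constructed source (Windows NT 4.0) domain SID
AD_DOMAIN = "S-1-5-21-2222-2222-2222"   # constructed target (Windows 2000) domain SID


@dataclass
class Principal:
    sid: str
    sid_history: set = field(default_factory=set)  # SIDs carried over from the source domain
    members: set = field(default_factory=set)      # groups only: SIDs of member principals


def build_token(user: Principal, target_groups: list) -> set:
    """Token SIDs as the article describes them: the user's own SID, the user's
    SID History, the SID of each target group the user belongs to, and each such
    group's SID History. Source-domain group membership is never consulted."""
    token = {user.sid} | set(user.sid_history)
    for group in target_groups:
        if user.sid in group.members:
            token.add(group.sid)
            token |= set(group.sid_history)
    return token


def has_access(token: set, allowed_sids: set) -> bool:
    """Simplified ACL check: access is granted if any token SID is on the allow list."""
    return bool(token & allowed_sids)


def translate_security(allowed_sids: set, sid_map: dict) -> set:
    """The 'translate security' step: rewrite source-domain SIDs on a resource's
    allow list to the mapped target-domain SIDs; unmapped SIDs are kept as-is."""
    return {sid_map.get(sid, sid) for sid in allowed_sids}


def remove_sid_history(principals: list) -> None:
    """Clear the SID History attribute on the given target-domain principals."""
    for principal in principals:
        principal.sid_history.clear()


def principals_with_sid_history(principals: list) -> list:
    """Defender's check: which principals still carry SID History after migration."""
    return [p.sid for p in principals if p.sid_history]


def scenario() -> dict:
    nt_user_sid = f"{NT_DOMAIN}-1105"
    nt_group_sid = f"{NT_DOMAIN}-1201"
    nt_group = Principal(sid=nt_group_sid, members={nt_user_sid})

    # Migrated with SID History: target objects carry the source SIDs.
    ad_user = Principal(sid=f"{AD_DOMAIN}-1105", sid_history={nt_user_sid})
    ad_group = Principal(sid=f"{AD_DOMAIN}-1201", sid_history={nt_group_sid},
                         members={ad_user.sid})

    # Constructed share ACL that still grants the NT group and was never re-ACLed.
    share_acl = {nt_group_sid}
    results = {}

    results["via_sid_history"] = has_access(build_token(ad_user, [ad_group]), share_acl)

    # Administrator removes the user from the group on the NT side. The target
    # group still carries the NT group SID in its SID History, so nothing changes.
    nt_group.members.discard(nt_user_sid)
    results["after_nt_removal"] = has_access(build_token(ad_user, [ad_group]), share_acl)

    # Translate security on the share and remove SID History from the target objects.
    share_acl = translate_security(
        share_acl, {nt_group_sid: ad_group.sid, nt_user_sid: ad_user.sid})
    remove_sid_history([ad_user, ad_group])
    results["after_translate"] = has_access(build_token(ad_user, [ad_group]), share_acl)
    results["remaining_sid_history"] = principals_with_sid_history([ad_user, ad_group])

    # Access now follows target-domain membership: removing the user from the
    # Windows 2000 group actually revokes it.
    ad_group.members.discard(ad_user.sid)
    results["after_ad_removal"] = has_access(build_token(ad_user, [ad_group]), share_acl)
    return results


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(f"{step}: {outcome}")
```

The model deliberately ignores deny ACEs and the other token fields Windows evaluates; the point it isolates is that, with SID History in place, the source domain's group membership has no influence on the target-side token, which is the "static membership" problem reason 1 describes.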


note
For more information about using DMA to remove SID History, please see Chapter 7, "Performing Individual Migration Tasks" and Chapter 2, "Planning and Performing Your Migration" in the DMA/SC 7.1 User Guide.

note
Please contact Technical Support to create a 'Support Request' for any issues you encounter that are not addressed by the User Guide, any Knowledge Base articles found on the website, or current Hotfixes available for download.



Additional Information

Formerly known as NETIQKB5955