Resolution
Domain Migration Administrator 7.x
symptom
After translating security, the Security References by Server report still shows 'Untranslated'.
cause
This will occur if the accounts have been migrated with SID history due to the way Active Directory resolves these accounts.
fix
The 'Security References by Servers' report provides results as expected when accounts are not migrated with SID history. However, this report does not work well for accounts that have been migrated with SID history. This is because the accounts that have been migrated with SID history are being resolved as the target account, even if it is the source account. (For more information on this, please see NETIQKB13885.) Thus, for accounts migrated with SID history, whether you have translated security on the server or not, the account always appears as targetdomain\account and 'Untranslated' and you cannot tell if it is the source account or the target account.
An alternate report that provides similar information is the Migration Tasks Performed / By Server / 'Translated Security by Servers' report. This will list the server(s) and the accounts for which security has been translated and whether the account was Appended or Replaced on the ACL. This is based on the action history of security translations performed by DMA. However, this will not be helpful for accounts that have been migrated with SID history due to source accounts being displayed as the Active Directory accounts.
Alternate ways to identify the servers that need to have security translated would be to do one of the following:
- Maintain a list of all the servers, then check off each server as you translate security.
- You can obtain this information using Configuration Assessor. In Configuration Assessor, under the heading of File System Reports, select the 'Security Analysis of NT Filesystems' and 'Security Analysis of Shares' reports. To avoid the issue of source accounts being displayed as target accounts if they have been migrated with SID history, the CA console should be logged in to the source domain.
- You can also obtain this information using File Security Administrator. The FSA Reporting tool contains built-in reports, 'Security Reports - Folder Security' and 'Security Reports - Shares Security', that will provide information on the NTFS and share permissions respectively. To avoid the issue of source accounts being displayed as target accounts if they have been migrated with SID history, the FSA console should be logged in to the source domain.