moving accounts retaining SID


Eric B. Twing

Is there a way to preserve the SID to user and computer accounts? What I
wish to attempt is to dismantle a domain then to recreate it as a child
domain in another forest. However, there is mission critical software that
is sensitive to the SID of an account in relation to an extensive SQL
database. I don't want to orphan several hundred account references within that
database for the loss of the SID. The domain is currently Server 2000 and
will be joined under 2003. Because it's 2000 the option to rename/reassign it
isn't there. I'd like to export the accounts with the SID and import them
once the domain is restored while retaining the original SIDs.

Thanks in advance

Eric Twing
 
Look at sidHistory and ADMT. Create a child domain and migrate the current
domain into this new child domain.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Why wouldn't sidHistory work over the long term? I must be missing
something.

--
Paul Bergson
 
Because sidHistory does not have the intention to be used for long term,
short term only. It is a mechanism to help you to go from A to B and after
the transition it should not be used anymore and be cleaned.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!

Jorge de Almeida Pinto [MVP - DS] said:
Probably that answer will not hold for the long term....

It is not possible to import the SID into an account. The userSid depends on
the domainSid and that cannot be changed either.

 
I would agree, but I have spoken with Dean W and he feels that it is a
viable long term solution. I am confused on its intent from Microsoft and I
have not seen any official guidance on this and that is why I ask. I
dislike phantoms and think people forget they even exist after a migration.
I have even requested a change to dcdiag to have an option to list out
phantoms. Do you know what Microsoft's official stance on this is?


--
Paul Bergson
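
Added example, not part of the thread: an account's SID is its domain's SID plus a RID, so a migrated account gets a new objectSid and the old SID survives only in sIDHistory. The sketch below decodes the base64 binary SIDs from an `ldifde`-style export and lists which accounts still carry an old SID; the domain SIDs, DNs and function names are constructed for illustration.

```python
import base64
import struct

def sid_to_str(raw):
    """Decode a binary SID (objectSid / sIDHistory value) into S-1-... text."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def str_to_sid(text):
    """Inverse of sid_to_str; used here only to build the constructed sample."""
    parts = text.split("-")
    subs = [int(p) for p in parts[3:]]
    head = bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subs), *subs)

def parse_ldif(text):
    """Minimal reader for unfolded LDIF; decodes only dn, objectSid and sIDHistory."""
    for block in text.strip().split("\n\n"):
        entry = {"dn": None, "objectSid": None, "sIDHistory": []}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if attr == "dn":
                entry["dn"] = value.strip()
            elif attr in ("objectSid", "sIDHistory"):
                sid = sid_to_str(base64.b64decode(value.lstrip(":").strip()))
                if attr == "objectSid":
                    entry["objectSid"] = sid
                else:
                    entry["sIDHistory"].append(sid)
        yield entry

def audit_sid_history(entries):
    """Return (dn, current SID, old SID, old domain SID) per sIDHistory value."""
    return [(e["dn"], e["objectSid"], old, old.rpartition("-")[0])
            for e in entries for old in e["sIDHistory"]]

# Constructed sample data: both domain SIDs and all DNs are made up.
OLD = "S-1-5-21-1111111111-2222222222-3333333333"   # retired source domain
NEW = "S-1-5-21-4000000001-4000000002-4000000003"   # new child domain
b64 = lambda sid: base64.b64encode(str_to_sid(sid)).decode()
SAMPLE_LDIF = (
    "dn: CN=alice,CN=Users,DC=child,DC=example,DC=com\nobjectSid:: " + b64(NEW + "-1105")
    + "\nsIDHistory:: " + b64(OLD + "-1190")
    + "\n\ndn: CN=bob,CN=Users,DC=child,DC=example,DC=com\nobjectSid:: " + b64(NEW + "-1106"))
```

Running `audit_sid_history(parse_ldif(SAMPLE_LDIF))` returns one row, for the account that still holds a SID from the retired domain; grouping rows by the last field shows which old domains are still referenced.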
