Multiple DOMAINS - SINGLE SIGN ON

  • Thread starter Thread starter MEI
  • Start date Start date
M

MEI

We just set-up a new domain with a 2003 DC and established a trust with our
older domain on a 2000 server. We have roughly 200 gigs of file storage on
the older 2000 server which needs to be accessed by users who have been
migrated to the 2003 domain.. I have set-up their user accounts and
passwords so they are identical on each domain. This does not seem to do the
trick, did I miss a step?

Many Thanks!
 
The older Windows 2000 Domain should "TRUST" the Windows 2003 Domain. In
Windows 2003 terms you would establish an incoming trust on the Windows 2003
domain. Trusts are established via the Active Directory Domains and Trusts
MMC on both Windows 2003 and Windows 2000.

Once you have successfully done this, you should be able to log on to the
old Windows 2000 File server and grant domain accounts from the Windows 2003
domain rights on the shares, folders and files.

No need for the passwords to match between the two domains.
 
Yes, but I don't want to go through my terabyte of data and reassign
permissions... My unbderstanding was you could do this automatically somehow
using the users original logon name??
 
I doubt that this is possible, since NTFS permission are stored in SID
format, not the username.

Unless if anyone knows of a tool to edit SID in objects.
 
We just set-up a new domain with a 2003 DC and established a
trust with our
older domain on a 2000 server. We have roughly 200 gigs of
file storage on
the older 2000 server which needs to be accessed by users who
have been
migrated to the 2003 domain.. I have set-up their user
accounts and
passwords so they are identical on each domain. This does not
seem to do the
trick, did I miss a step?

Many Thanks!
Click to expand...

The reason it does not work is because the ACLs (access control list)
on the data specifies the SIDs of the users in the OLD domain. As you
created the users (although with the same name) in the NEW domain they
will NOT have access. That would be to easy if just creating a user
would give you access to the data other users with the same name have.
The same applies to groups

What you need to do is to use ADMTv3 (Active Directory Migration Tool)
and migrate groups, users, memberships from the OLD domain to the NEW
domain including SIDhistory. This way the users in the NEW domain have
access to the OLD data
After that you need to MIGRATE the data and reacl (also with ADMT)
where the OLD SIDs in the ACLs are replaced with the NEW SIDs. After
data you can cleanup SIDhistory

Fore more info on ADMT and migration see:
http://www.microsoft.com/downloads/...7B-533A-466D-A8E8-AFF85AD3D212&displaylang=en
http://www.microsoft.com/downloads/...A0-76F0-4E25-8DE0-19544062A6E6&displaylang=en
http://whitepapers.silicon.com/0,39024759,60088469p-39000357q,00.htm

Also search for migration ebooks/white papers at Quest, NetIQ
 
Back
Top