Discussion:
SIDhistory limitations
(too old to reply)
Mike
2005-03-14 20:29:02 UTC
Permalink
Hello Community,

I am trying to understand the limitation of SIDhistory - MS TechNet article
“How to Troubleshoot Inter-Forest sIDHistory Migration with ADMTv2” (KB
322970) states “The sIDHistory is a multivalued attribute of security
principals in the Active Directory that may hold up to 850 values”

However, can I relate this to how many users and groups I can clone to my
target domain with SIDhistory attached? (To preserve access to resources
without re-ACLing).


Many thanks!

Mikey.
Chriss3 [MVP]
2005-03-14 23:10:59 UTC
Permalink
This means each security principal can have 850 values stored in there
SIDHistory attribute. This means you can store 850 different SIDs for each
security principal (user,group,computer). And there is no need for that :)
--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips
Post by Mike
Hello Community,
I am trying to understand the limitation of SIDhistory - MS TechNet article
"How to Troubleshoot Inter-Forest sIDHistory Migration with ADMTv2" (KB
322970) states "The sIDHistory is a multivalued attribute of security
principals in the Active Directory that may hold up to 850 values"
However, can I relate this to how many users and groups I can clone to my
target domain with SIDhistory attached? (To preserve access to resources
without re-ACLing).
Many thanks!
Mikey.
Ryan Hanisco
2005-03-15 01:58:24 UTC
Permalink
Hey Mikey,

There is no reason I can even think of where you would have anywhere near
850 values in the SIDHistory. I wouldn't expect you to run into this
limitation unless you were actually trying. You can clone as many objects
as you want with ADMTv2 (I have done tens of thousands). What the article
is talking about is a single object with 850 aliased SIDs assigned to it.

Domain migrations and consolidations are my specialty, let me know if you
have any other questions.
--
Ryan Hanisco
MCSE, MCDBA
FlagShip Integration Services
Post by Mike
Hello Community,
I am trying to understand the limitation of SIDhistory - MS TechNet article
"How to Troubleshoot Inter-Forest sIDHistory Migration with ADMTv2" (KB
322970) states "The sIDHistory is a multivalued attribute of security
principals in the Active Directory that may hold up to 850 values"
However, can I relate this to how many users and groups I can clone to my
target domain with SIDhistory attached? (To preserve access to resources
without re-ACLing).
Many thanks!
Mikey.
Mike
2005-03-19 17:19:02 UTC
Permalink
Chriss3 / Ryan, thanks for the great responses!

Apologies for the late reply!

Mikey.
Post by Ryan Hanisco
Hey Mikey,
There is no reason I can even think of where you would have anywhere near
850 values in the SIDHistory. I wouldn't expect you to run into this
limitation unless you were actually trying. You can clone as many objects
as you want with ADMTv2 (I have done tens of thousands). What the article
is talking about is a single object with 850 aliased SIDs assigned to it.
Domain migrations and consolidations are my specialty, let me know if you
have any other questions.
--
Ryan Hanisco
MCSE, MCDBA
FlagShip Integration Services
Post by Mike
Hello Community,
I am trying to understand the limitation of SIDhistory - MS TechNet article
"How to Troubleshoot Inter-Forest sIDHistory Migration with ADMTv2" (KB
322970) states "The sIDHistory is a multivalued attribute of security
principals in the Active Directory that may hold up to 850 values"
However, can I relate this to how many users and groups I can clone to my
target domain with SIDhistory attached? (To preserve access to resources
without re-ACLing).
Many thanks!
Mikey.
khudwrx03
2007-10-10 19:23:36 UTC
Permalink
Post by Ryan Hanisco
Domain migrations and consolidations are my specialty, let me know if you
have any other questions.
--
Ryan Hanisco
MCSE, MCDBA
FlagShip Integration Services
Ryan,

I am currently supporting a domain migration. Child domain school into
the forest school system domain.

Is there a danger to not using ADMT v3.0 to move member servers into
the forest domain? We are experiencing an issue where the users and
groups are being moved using ADMTv2.0 successfully with the domain
controllers still in place. The ACL list comes up in the GUI windows
box with the child domain tag still in place. XCACLS from a command
prompt shows the correct forest domain tag. Users still have access to
the resources.
Once the child domain controllers have been collasped, the ACL domain
tag issue goes away. Users still have access to the member server
resources without using ADMT to migrate them -- basically just rename
the domain and reboot.

Any thoughts would be greatly appreciated.

Keith

MCSE -- Windows Admin Lead
Fairfax County Public Schools
Fairfax, VA
--
khudwrx03
------------------------------------------------------------------------
khudwrx03's Profile: http://forums.techarena.in/member.php?userid=32707
View this thread: http://forums.techarena.in/showthread.php?t=65052

http://forums.techarena.in
Ryan Hanisco
2007-10-11 03:53:00 UTC
Permalink
Hi khudwrx03,

I have had no problems moving even large complex (4 domain into one)
migrations with ADMT v2. likewise, no issues with v3 either. Really it
comes down to limiting your exposure by going slowly, running the security
translation to ensure that you migrate all objects, and testing thoroughly.

Remember that things will still work with the SID History until the PDCe and
the foreign DNS go out of scope (it'll continue to work afterwards, but it
gets dicey and you'll lose SID to name resolution). If you are seeing that
you are relying on the SIDHistory for the permissions, you can try the
security translation again. remember that it all comes down to SID. If you
are seeing the SID from the target domain on the ACE in the ACL when you view
it from xcacls, then you have done the translation correctly.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
http://www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.
Post by khudwrx03
Post by Ryan Hanisco
Domain migrations and consolidations are my specialty, let me know if you
have any other questions.
--
Ryan Hanisco
MCSE, MCDBA
FlagShip Integration Services
Ryan,
I am currently supporting a domain migration. Child domain school into
the forest school system domain.
Is there a danger to not using ADMT v3.0 to move member servers into
the forest domain? We are experiencing an issue where the users and
groups are being moved using ADMTv2.0 successfully with the domain
controllers still in place. The ACL list comes up in the GUI windows
box with the child domain tag still in place. XCACLS from a command
prompt shows the correct forest domain tag. Users still have access to
the resources.
Once the child domain controllers have been collasped, the ACL domain
tag issue goes away. Users still have access to the member server
resources without using ADMT to migrate them -- basically just rename
the domain and reboot.
Any thoughts would be greatly appreciated.
Keith
MCSE -- Windows Admin Lead
Fairfax County Public Schools
Fairfax, VA
--
khudwrx03
------------------------------------------------------------------------
khudwrx03's Profile: http://forums.techarena.in/member.php?userid=32707
View this thread: http://forums.techarena.in/showthread.php?t=65052
http://forums.techarena.in
Loading...