SID Filtering/SID History

When users are moved from one domain to another, they do not keep
their access to resources in the old domain. The reason is that access checks
are performed against an object's SID rather than against the names we see
displayed in Active Directory.

SIDs (Security Identifiers) are handed out in a way that resembles
DHCP. The domain controller holding the RID master role allocates a pool of RIDs
(relative IDs) to each domain controller, which draws from that pool when it
creates objects. When a security principal is created (user, computer, group, etc.),
it is assigned the domain SID plus an available RID from the pool. This combination
is the object SID (the objectSid attribute). It is this SID, not the display name,
that ends up in the user's access token and is compared against ACLs.

So how do we keep access to resources in both domains? The answer
is SID History. Since each domain has its own domain SID, a migrated object is
assigned a new SID in the target domain. With SID History enabled, the object's
previous SIDs are kept in its sIDHistory attribute and added to its token at
logon, so ACLs that still reference the old SIDs continue to grant access.
Whether SID History is honoured across a trust depends on the trust type. The
syntax is “netdom trust <TrustingDomain> /domain:<TrustedDomain> /quarantine:No”
for an external trust and “netdom trust <TrustingDomain> /domain:<TrustedDomain>
/enablesidhistory:Yes” for a forest trust (run on the trusting side of the trust).

SID History is a security concern and should only be used
temporarily, during a migration. It is possible to add an arbitrary SID to an
object's sIDHistory by hand (for example the SID of a privileged group in a
trusting domain), which grants access to resources that should not be
available to that object. SID Filtering is the control for this scenario.

When a user authenticates, the token is built from the object SID
(the primary SID) and its group memberships first; the sIDHistory entries are
then added to grant any additional access. With SID Filtering enabled on a trust,
the trusting domain discards every incoming SID that does not belong to the
trusted domain, so sIDHistory entries that point at other domains are ignored
and only the objectSid and the trusted domain's own group SIDs count. Manually
added entries therefore gain nothing. SID Filtering is enabled by default on
trusts created on Windows Server 2003 and later, including Windows Server 2008.
The syntax for enabling/disabling SID Filtering is the same “netdom trust”
command used for SID History. This is because they work together: by disabling
SID Filtering you are effectively enabling SID History, and vice versa. In the
case of the /quarantine: option, No disables filtering but enables history,
while Yes would perform the