I am the System Administrator for a company, Myretoun Inc, which has the domain myretoun.local. Myretoun Inc have just purchased a rival company, Dumyat Ltd, whose domain is dumyat.local. I have been tasked with migrating all Dumyat users over to the Myretoun domain.
Having created the Forest Trust between myretoun.local and dumyat.local, I've started migrating users from dumyat.local to myretoun.local using Microsoft's Active Directory Migration Tool (ADMT). As part of the migration I have migrated SID History along with the users and the groups they are members of, so each migrated object in myretoun.local carries its old dumyat.local SID in its sidHistory attribute.
Now that the Dumyat users are members of myretoun.local they still need access to shares that remain on servers in the dumyat.local domain. I need to accomplish this using the existing dumyat.local security groups, and therefore the sidHistory attribute of the migrated users and groups: when a migrated user authenticates to a dumyat.local server, the old SIDs carried in sidHistory are what match the group entries already on the share ACLs.
The trust settings are changed with the NETDOM trust command, and the side of the trust you run it on matters. SID filtering is enforced by the domain that holds the resources (the trusting domain, dumyat.local) on SIDs arriving from the domain that holds the accounts (the trusted domain, myretoun.local), so the trust object to change is the one dumyat.local holds for myretoun.local. NETDOM syntax puts the trusting domain first and the trusted domain after /D:.
Disable SID Filtering
By default Windows filters (blocks) the SIDs carried in sidHistory when a myretoun.local user authenticates across the trust to a dumyat.local resource. The filtering is done by the trusting domain, dumyat.local, on the authorisation data it receives, not by the domain where the users and their sidHistory live, so that is the side on which it has to be relaxed. On an external (non-forest) trust the control is the /quarantine switch: /quarantine:Yes turns SID filter quarantining on and /quarantine:No turns it off, so it is the :No value that disables filtering. Be careful here, because :Yes tightens filtering rather than relaxing it.
On the dumyat.local domain open a command prompt as a user who is a member of the Enterprise Admins group and enter the following command (this is the external trust form; for the forest trust in this scenario the switch that actually governs sidHistory is /enablesidhistory, covered next):
Netdom trust dumyat.local /D:myretoun.local /quarantine:No /userD:dumyat\enterpriseadminaccount /passwordD:*
By using /passwordD:* you are prompted to enter the password rather than leaving it in the command history. Running the switch without a value (/quarantine on its own) displays the current setting without changing it.
Enable SID History
Because myretoun.local and dumyat.local are joined by a forest trust, the /quarantine setting is not what strips sidHistory. Forest trusts filter SID history by default in their own right, and the switch that relaxes that is /enablesidhistory, which NETDOM sets on the trusting (resource) side for its outbound trust to the account forest. Until it is set to Yes on dumyat.local the sidHistory SIDs are removed from the migrated user's token and cannot be used to grant access to resources.
On the dumyat.local domain open a command prompt as a user who is a member of the Enterprise Admins group and run the following command (note that there must be no space between /userD: and the account name, and that /enablesidhistory without a value only displays the current state):
netdom trust dumyat.local /D:myretoun.local /enablesidhistory:Yes /userD:dumyat\enterpriseadminaccount /passwordD:*
Once the change has been made, allow sufficient time for it to replicate throughout your Active Directory topology before you test access with a migrated myretoun.local user against a dumyat.local share. Bear in mind that enabling SID history relaxes the trust boundary: dumyat.local will now honour the sidHistory SIDs presented by any myretoun.local account, so treat it as a migration-period setting and set it back to No (netdom trust dumyat.local /D:myretoun.local /enablesidhistory:No) once the shares have been re-ACLed with myretoun.local groups or moved.
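As an added example, not part of the original post: a PowerShell check to run after replication to confirm the trust settings on the dumyat.local side and to confirm that a migrated user (and the groups it belongs to) actually carries dumyat.local SIDs in sidHistory. It assumes the RSAT ActiveDirectory module, the two domain names above, a placeholder user name jsmith, and that the trustAttributes bit names follow MS-ADTS; the mapping of the TREAT_AS_EXTERNAL bit (0x40) to /enablesidhistory:Yes is an assumption to confirm against the netdom query output on your own trust.

```powershell
# Added verification script, not from the original post. Assumes the RSAT ActiveDirectory
# module and an account that can read both forests. 'jsmith' is a placeholder user name.
Import-Module ActiveDirectory

$ResourceDomain = 'dumyat.local'    # trusting side: holds the shares and the legacy groups
$AccountDomain  = 'myretoun.local'  # trusted side: holds the migrated users with sidHistory

# trustAttributes bits from MS-ADTS 6.1.6.7.9 that matter for SID filtering.
# Plain hashtable on purpose: an [ordered] dictionary would treat an int key as a position.
$TrustBits = @{
    0x00000001 = 'NON_TRANSITIVE'
    0x00000004 = 'QUARANTINED_DOMAIN'   # what netdom /quarantine:Yes sets
    0x00000008 = 'FOREST_TRANSITIVE'
    0x00000040 = 'TREAT_AS_EXTERNAL'    # assumption: what netdom /enablesidhistory:Yes sets on a forest trust
}

function Get-TrustFilteringState {
    param(
        [Parameter(Mandatory)][string]$TrustingDomain,
        [Parameter(Mandatory)][string]$TrustedDomain
    )
    # Read the trusted-domain object that $TrustingDomain holds for $TrustedDomain.
    $t = Get-ADTrust -Filter "Target -eq '$TrustedDomain'" -Server $TrustingDomain -Properties *
    if (-not $t) { throw "No trust from $TrustingDomain to $TrustedDomain" }
    $flags = foreach ($e in ($TrustBits.GetEnumerator() | Sort-Object Key)) {
        if ($t.TrustAttributes -band $e.Key) { $e.Value }
    }
    [pscustomobject]@{
        Trust                   = "$TrustingDomain -> $TrustedDomain"
        Direction               = $t.Direction
        ForestTransitive        = $t.ForestTransitive
        SIDFilteringQuarantined = $t.SIDFilteringQuarantined   # expect False
        SIDFilteringForestAware = $t.SIDFilteringForestAware   # expect True after /enablesidhistory:Yes
        TrustAttributes         = ('0x{0:X8} ({1})' -f $t.TrustAttributes, ($flags -join ', '))
    }
}

function Test-MigratedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # The old domain SID is the prefix every migrated sidHistory value must carry.
    $oldDomainSid = (Get-ADDomain -Server $ResourceDomain).DomainSID.Value
    $u = Get-ADUser -Identity $SamAccountName -Server $AccountDomain -Properties sidHistory, memberOf
    $history = @($u.sidHistory | ForEach-Object { $_.Value })
    $fromOld = @($history | Where-Object { $_ -like "$oldDomainSid-*" })

    # Migrated groups: groups in the new domain whose sidHistory still carries an old-domain
    # SID, i.e. the SIDs that match the entries on the dumyat.local share ACLs.
    $groups = foreach ($dn in $u.memberOf) {
        $g = Get-ADGroup -Identity $dn -Server $AccountDomain -Properties sidHistory
        $gOld = @($g.sidHistory | ForEach-Object { $_.Value } | Where-Object { $_ -like "$oldDomainSid-*" })
        if ($gOld.Count -gt 0) {
            [pscustomobject]@{ Group = $g.SamAccountName; OldSids = ($gOld -join ', ') }
        }
    }

    [pscustomobject]@{
        User             = $u.SamAccountName
        OldDomainUserSid = ($fromOld -join ', ')
        MigratedGroups   = @($groups)
        SidHistoryOk     = ($fromOld.Count -gt 0)   # False means ADMT did not migrate SID History
    }
}

Get-TrustFilteringState -TrustingDomain $ResourceDomain -TrustedDomain $AccountDomain | Format-List
Test-MigratedUser -SamAccountName 'jsmith' | Format-List
```

After a successful change you should see FOREST_TRANSITIVE and TREAT_AS_EXTERNAL present and QUARANTINED_DOMAIN absent, with SidHistoryOk True for the test user; if the user has no old-domain SID the trust settings cannot help, because there is nothing for the dumyat.local ACLs to match. The definitive end-to-end check is to log on to a dumyat.local member as the migrated user and run whoami /groups, which lists the old SIDs in the token only if they survived filtering.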
Disclaimer: provided “AS IS” with no warranties and confer no rights