Everyone planning a domain migration probably has to deal with Active Directory SID Filtering sooner or later.
While setting up an Active Directory Forest Trust, I came upon an interesting difference.
SID Filtering and AD Migration
For a newly set up trust between two domains or two forests, SID Filtering is enabled by default. The filter removes all foreign SIDs from a user’s access token when the user accesses a resource in the trusting domain via the trust. An example of a foreign SID is the SID-history of a migrated user account. The SID-history of user accounts and groups grants access to resources in the trusting domain only if the filtering is deactivated.
During an Active Directory migration, the SID-history of migrated user accounts in the trusted domain (target) is used to gain access to resources in the trusting domain (source). With SID Filtering activated, this is impossible.
The picture shows how the SID-history (from the source domain) is removed from the token during access via the trust (with the SID filter activated). Access is not possible.
Deactivate SID Filtering
To access resources in the trusting domain, SID Filtering has to be deactivated. I recommend using the tool “NetDom” for this. The setting is applied to the “outgoing trust” of the “trusting domain”.
Deactivate SID Filter for Domain Trust
TrustingDomainName: the domain holding the resource to be accessed. For migrations this is usually the source domain.
TrustedDomainName: the domain holding the accessing user account. For migrations this is usually the target domain.
quarantine:No: “No” deactivates the SID Filter, “Yes” activates it.
Netdom trust SOURCE /domain:TARGET /quarantine:No
Deactivate SID Filter for Forest Trust
To allow a SID-history to be used via a Forest Trust, a different parameter has to be employed.
enablesidhistory:Yes: “Yes” deactivates the SID Filter, “No” activates it.
Netdom trust SOURCE /domain:TARGET /enablesidhistory:yes
It is interesting that Domain Trusts and Forest Trusts use different parameters (quarantine/enablesidhistory) with opposite notations (No/Yes) for the same effect.
/quarantine:No – deactivates the SID Filter for Domain Trusts.
/enablesidhistory:Yes – deactivates the Filter for Forest Trusts.
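Because the two switches toggle different bits of the trust object’s trustAttributes (QUARANTINED_DOMAIN 0x4 for /quarantine, TREAT_AS_EXTERNAL 0x40 for /enablesidhistory, with FOREST_TRANSITIVE 0x8 telling the two trust kinds apart), it is easy to lose track of which trusts currently let SID-history SIDs through. The following PowerShell audit helper is an added example, not code from the original post; it assumes the ActiveDirectory module (RSAT) on a domain-joined, authorised session, and the function and field names are my own.

```powershell
# Added example: report the effective SID filtering state of every trust of the current domain.
# Bit values are the trustAttributes flags from MS-ADTS 6.1.6.7.9.
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4    # set by:     netdom trust ... /quarantine:Yes
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8    # marks a forest trust (vs. an external domain trust)
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # set by:     netdom trust ... /enablesidhistory:Yes

function Get-SidFilteringState {
    # Decodes one trustAttributes value (hypothetical helper name).
    param([Parameter(Mandatory)][int]$TrustAttributes)

    $isForest        = ($TrustAttributes -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0
    $quarantined     = ($TrustAttributes -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0
    $treatAsExternal = ($TrustAttributes -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) -ne 0

    if ($isForest) {
        # Forest trust: SID-history passes only once the trust is relaxed with
        # /enablesidhistory:Yes, and not if it has additionally been quarantined.
        return [pscustomobject]@{
            TrustKind         = 'Forest'
            SidHistoryAllowed = $treatAsExternal -and (-not $quarantined)
            ControlledBy      = '/enablesidhistory'
        }
    }
    # External (domain) trust: SID-history passes only while quarantine is off.
    return [pscustomobject]@{
        TrustKind         = 'External'
        SidHistoryAllowed = -not $quarantined
        ControlledBy      = '/quarantine'
    }
}

Import-Module ActiveDirectory
Get-ADTrust -Filter * | ForEach-Object {
    $state = Get-SidFilteringState -TrustAttributes $_.TrustAttributes
    [pscustomobject]@{
        Trust             = $_.Name
        Direction         = $_.Direction
        Kind              = $state.TrustKind
        SidHistoryAllowed = $state.SidHistoryAllowed   # $true = SID filter deactivated for SID-history
        ControlledBy      = $state.ControlledBy
    }
} | Format-Table -AutoSize
```

Run it on the trusting (source) domain after the netdom change and again once the migration is finished, so that a trust left relaxed longer than intended shows up as SidHistoryAllowed = True.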