During an AD domain migration in a customer environment I faced the problem that group permissions for file shares did not work any more. This is why.
Finding the Error after a Successful AD Domain Migration
The migration of source domain to target domain seemed successful. All users and groups were migrated by using SID-History. The domain migration seemed to follow the plan:
- Users moved
- Clients moved
- Exchange environment moved
- Majority of servers linked
This also included the NAS systems that provide the CIFS shares. That is basically it for a successful migration. All accesses worked out just fine.
No access to resources
But one day the access to resources did not work anymore.
After some serious research it became clear. The types of group did not match. The domain migration was not perfect by then:
- The problem affected only the resources on the source domain.
- The type of authorization groups on the target domain read „domain local“.
Setting the Group Type on the Source Domain
After some consideration there were two solutions:
- Setting the authorization group on “domain local” in the source environment. Then the types would be identic on both domains.
- Migrating the server in the target environment
Behaviour of the SID-History
You use ID history for a lot of tasks. That would be i.e. working with certification authority access, user profile access, resource access and software installation access in general. After some research we found out that the SID-History behaves different with domain local groups from global or universal groups.
If you have to change the type of an access group during an AD migration you should change it everywhere. It really has to be the same on both domains. This is how you ensure access to all resources.