Determining Your Account Migration Process

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

ADMT enables you to use SID history to maintain resource permissions when you migrate accounts. However, if SID filtering is enabled between your source and target domains, and the administrators of the source domain (the domain that holds the resources) do not trust the administrators of the target domain, then you cannot disable SID filtering and rely on SID history to provide access to resources in the source domain. In this case, you must use a different migration process.

You can choose one of the following three methods to migrate accounts between forests while maintaining user rights to access resources in the source domain:

  • Migrate user accounts without using SID history for resource access, but translate security for all resources before the migration process to ensure resource access. For more information about migrating accounts without using SID history, see "Migrating Accounts Without Using SID History" later in this chapter.

  • Migrate user accounts while using SID history for resource access. With this method, you remove SID filtering on the trusts between the domains so that the SIDs stored in the sIDHistory attribute of migrated accounts are kept in users' access tokens and honored by resources in the source domain.

    • If you have a cross-forest trust in place, you remove SID filtering on the cross-forest trust. (You can also override the cross-forest trust by creating an external trust so that the domain that holds the resources trusts the target domain, and then removing SID filtering on the external trust.)

    • If you do not have a cross-forest trust in place, you establish external trusts between the source and target domains. Because SID filtering is enabled by default on external trusts created from a domain controller that is running Windows Server 2003 or Windows 2000 Service Pack 4 (SP4) or later, you then need to remove SID filtering on those external trusts.

    For more information about this process, see "Migrating Accounts While Using SID History" later in this chapter.

  • Migrate all users, groups, and resources to the target domain in one step. For more information about this process, see "Migrating Accounts While Using SID History" later in this chapter.
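The trust changes described in the second method above, written out as an added example that is not part of the original ADMT documentation. It uses the netdom trust command with its /enablesidhistory and /quarantine switches; the domain names, the trust type selector and the account names are placeholders that you replace for your environment. Run it from a domain controller or management workstation as a member of Domain Admins in the source (trusting) domain.

```powershell
# Added example (not from the ADMT documentation): remove SID filtering on the
# trust that lets target-domain accounts reach source-domain resources.
# Domain names and credentials below are placeholders (assumed values).

$SourceDomain = 'source.example.com'   # trusting domain: holds the resources
$TargetDomain = 'target.example.com'   # trusted domain: holds the migrated accounts
$TrustType    = 'Forest'               # 'Forest' for an existing forest trust,
                                       # 'External' to create/use an external trust

switch ($TrustType) {
    'Forest' {
        # Forest trust already exists. On a forest trust the setting is called
        # "SID history enabled"; this lets sIDHistory SIDs from the trusted
        # forest pass the filter instead of being quarantined.
        netdom trust $SourceDomain /domain:$TargetDomain /enablesidhistory:yes

        # Query (no value after the switch) to confirm the change took effect.
        netdom trust $SourceDomain /domain:$TargetDomain /enablesidhistory
    }
    'External' {
        # No forest trust: create a one-way external trust in which the source
        # (resource) domain trusts the target (account) domain. /userD and
        # /passwordD are the credentials for the trusted (target) domain;
        # /passwordD:* prompts instead of placing the password on the command line.
        netdom trust $SourceDomain /domain:$TargetDomain /add `
            /userD:"$TargetDomain\Administrator" /passwordD:*

        # On an external trust SID filtering is called "quarantine". It is on by
        # default when the trust was created from a Windows Server 2003 or
        # Windows 2000 SP4 (or later) domain controller, so switch it off here.
        netdom trust $SourceDomain /domain:$TargetDomain /quarantine:no

        # Query to confirm: the output should report that SID filtering is not enabled.
        netdom trust $SourceDomain /domain:$TargetDomain /quarantine
    }
}
```

Keep the trust one-way where you can: only the domain that holds the resources needs to trust the domain that holds the accounts, so only that side of the relationship is exposed when filtering is removed. On newer management hosts the ActiveDirectory module's Get-ADTrust cmdlet also reports the SIDFilteringQuarantined and SIDFilteringForestAware properties of a trust, which gives you a second place to verify the state; that cmdlet is not part of the Windows Server 2003 toolset this chapter covers.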

To determine which account migration process is best for your organization, you must first determine if you can disable SID filtering and migrate accounts while using SID history for resource access. You can safely do this only if the administrators of the source domain fully trust the administrators of the target domain, because disabling SID filtering exposes the trusting domain to whatever the trusted domain's administrators place in sIDHistory. You might choose to disable SID filtering if one of the following conditions applies:

  • The administrators of the trusting domain (the source domain, which holds the resources) are also the administrators of the trusted domain (the target domain, which holds the accounts).

  • The administrators of the trusting domain trust the administrators of the trusted domain and are confident that the trusted domain, including its domain controllers, has been secured appropriately.

If you disable SID filtering, you remove the security boundary between forests, which otherwise provides data and service isolation between the forests. The sIDHistory attribute cannot be set through an ordinary directory write; it is populated by the migration tool or by someone with control of a domain controller. For example, an administrator in the target domain who has service administrator rights, or an individual who has physical access to a target domain controller, can modify the SID history of an account to include the SID of the Domain Admins group (or of an administrator) in the source domain. When that account logs on to the target domain, its access token carries the injected SID, and with SID filtering disabled the source domain accepts it, so the account can access resources in the source domain with the rights of a source domain administrator.

For this reason, if you do not trust the administrators in the target domain or do not believe that the domain controllers in the target domain are physically secure, leave SID filtering enabled between your source and target domains, and migrate user accounts without using SID history for resource access.
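If you do decide to disable SID filtering, the check you want alongside it is an audit of what actually sits in sIDHistory in the target domain. The following is an added example, not part of the original ADMT documentation, that enumerates every object with a sIDHistory value using the ActiveDirectory PowerShell module (RSAT) and flags entries ADMT would never write for a migrated account: a SID with a well-known privileged RID such as 512 (Domain Admins), a BUILTIN SID, or a SID from a domain you did not migrate from. The expected source domain SID and the privileged RID list are assumed values you adjust for your environment.

```powershell
# Added example (not from the ADMT documentation): audit sIDHistory in the target
# domain for injected SIDs. Run as an administrator of the target domain on a host
# with the ActiveDirectory module installed.
Import-Module ActiveDirectory

# Domain SID(s) of the source domain(s) you actually migrated from (assumed value;
# obtain the real one with: (Get-ADDomain -Identity source.example.com).DomainSID).
$ExpectedSourceDomainSids = @('S-1-5-21-1111111111-2222222222-3333333333')

# RIDs of well-known privileged principals. ADMT copies a user's own SID into
# sIDHistory and does not migrate built-in groups, so one of these RIDs in the
# history of an account was injected, not migrated.
$PrivilegedRids = @(500, 502, 512, 516, 518, 519, 520, 526, 527)

function Get-SuspiciousSidHistory {
    $objects = Get-ADObject -LDAPFilter '(sIDHistory=*)' `
        -Properties sIDHistory, objectClass, sAMAccountName

    foreach ($obj in $objects) {
        foreach ($entry in $obj.sIDHistory) {
            $sid       = [System.Security.Principal.SecurityIdentifier]$entry
            $rid       = [int]($sid.Value.Split('-')[-1])
            $domainSid = $sid.AccountDomainSid      # $null for SIDs such as S-1-5-32-544
            $reasons   = @()

            if ($PrivilegedRids -contains $rid) {
                $reasons += "privileged RID $rid"
            }
            if ($sid.Value -like 'S-1-5-32-*') {
                $reasons += 'BUILTIN SID'
            }
            if ($domainSid -and ($ExpectedSourceDomainSids -notcontains $domainSid.Value)) {
                $reasons += "SID from unexpected domain $($domainSid.Value)"
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Account    = $obj.sAMAccountName
                    Class      = $obj.objectClass
                    HistorySid = $sid.Value
                    Reason     = ($reasons -join '; ')
                }
            }
        }
    }
}

# Produce the report. An empty result means every sIDHistory entry is an
# ordinary, non-privileged SID from a domain you expected to migrate from.
Get-SuspiciousSidHistory | Format-Table -AutoSize
```

The scenario in the text, a source domain's Domain Admins SID placed in a target user's history, appears in this report as "privileged RID 512" on a user object. Pair the audit with the Windows security log: event ID 4765 records that SID history was added to an account and 4766 records a failed attempt, so unexpected occurrences of either event on a target domain controller deserve the same attention as a hit in this report.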

Figure 11.3 shows the decision process involved in determining which migration process is appropriate for your organization.

Figure 11.3   Determining Your User Account Migration Process
