Reapply SID Filter Quarantining

Applies To: Windows Server 2008, Windows Server 2008 R2

You can use this procedure to reapply security identifier (SID) filter quarantining to an external trust that has had SID filter quarantining disabled. Also, use this procedure to apply SID filter quarantining to any external trust that has been created using Windows 2000 administrative tools/domain controllers. By default, SID filter quarantining is enabled automatically on all external trusts that are created using Windows Server 2003 or later domain controllers. For more information about how SID filter quarantining works, see Security Considerations for Trusts (https://go.microsoft.com/fwlink/?LinkID=111846).

You can reapply SID filter quarantining by using the Netdom command-line tool. For more information about the Netdom command-line tool, see Netdom Overview (https://go.microsoft.com/fwlink/?LinkId=111537).

Membership in Domain Admins in the trusting domain or Enterprise Admins in the forest of the trusting domain Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To reapply SID filter quarantining for the trusting domain

1. Open a Command Prompt.

2. At the command prompt, type the following command, and then press ENTER:

   Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:Yes /userD:<DomainAdministratorAcct> /passwordD:<DomainAdminPwd>

To reapply SID filter quarantining for the trusting forest

1. Open a Command Prompt.

2. At the command prompt, type the following command, and then press ENTER:

   Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> enablesidhistory/:Yes /userD:<DomainAdministratorAcct> /passwordD:<DomainAdminPwd>

Placeholder reference table

The following table describes the placeholder values in the syntax for the netdom command.