Security Identifier (SID) Translation
Access to network resources (printers, files, folders, and shares) is protected by access control lists (ACLs) contained in security descriptors associated with each resource. Active Directory Migration Tool can change security descriptors that reference a user account or a group in a source domain to reference another user account or group in a target domain.
For example, when you migrate a user account or group from domain A to domain B, a new account is created (cloned) in domain B. This new account can have the same name as the original account in domain A, but the new account has a different security identifier. Active Directory Migration Tool changes the security descriptors for various resources to refer to the SID for the new account in domain B. This process ensures the new user account or group provides the same access to resources that the original user account or group provided. The process of changing the security descriptors, which is called security translation, is performed by the Security Translation Wizard.
Note
The security on resources does not need to be translated before the source account is deleted. However, for cosmetic reasons, you probably want to translate security before deleting the source account. After the source account is gone, the resource can no longer resolve the SID to a name. The security properties show as "account unknown." The access still works, but you cannot resolve the SID name. If you upgrade the resource domain to Windows 2000 or
When security is translated, ADMT uses its internal information about migrated accounts to decide which Access Control Lists need to be translated and how. You can use a SID mapping file to overwrite this information and map a source object to a target object. This SID mapping file can be used as an input file for security translations. By using it, you can translate security for accounts that were not migrated with ADMT, such as Domain Admins that were referenced in an Access Control List, or to perform security translations independent of migrated objects.
A SID mapping file specifies the name or SID of a source object followed by a comma, then the name or SID of a target object. Each source/target pair must be placed on its own line.
The following example shows entries in a SID mapping file that use a SID to identify the source object and a name to identify the target object:

```
S-1-5-21-397955417-626881126-188441444-1234, HAY-BUV\JoeD
S-1-5-21-397955417-626881126-188441444-1234, HB-ACCT\JimS
```
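As an added example (not part of the original page and not ADMT's own code), the following Python script checks a SID mapping file in the format described above before it is used as input to the Security Translation Wizard: each line must be a `source, target` pair of SIDs or `DOMAIN\name` references, a source listed more than once is flagged as ambiguous, and a target SID whose RID belongs to a well-known privileged group is flagged for review. The sample file is constructed; its first SID is the one from the page, and the target SID on its third line is a placeholder.

```python
import re
from collections import Counter
# A Windows SID string: S-1-<identifier authority>-<sub-authorities...>.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# A DOMAIN\name reference (the account part may contain spaces).
NAME_RE = re.compile(r"^[^\\\s,]+\\[^\\,]+$")
# Well-known RIDs of privileged groups: 512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins.
PRIVILEGED_RIDS = {"512", "518", "519"}

def classify(token):
    """Return 'sid', 'name', or None for a token that is neither."""
    if SID_RE.match(token):
        return "sid"
    if NAME_RE.match(token):
        return "name"
    return None

def parse_sid_mapping(text):
    """Return (entries, problems): entries are (lineno, source, target)
    for well-formed lines; problems are (lineno, message) to fix or review."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2 or not all(parts):
            problems.append((lineno, "expected exactly 'source, target'"))
            continue
        src, dst = parts
        if classify(src) is None or classify(dst) is None:
            problems.append((lineno, "source or target is neither a SID nor DOMAIN\\name"))
            continue
        # A privileged target widens what every ACE naming the source will grant.
        if classify(dst) == "sid" and dst.rsplit("-", 1)[1] in PRIVILEGED_RIDS:
            problems.append((lineno, f"target {dst} is a privileged group; review"))
        entries.append((lineno, src, dst))
    # The same source listed twice makes the translation ambiguous.
    counts = Counter(src.lower() for _, src, _ in entries)
    for lineno, src, _ in entries:
        if counts[src.lower()] > 1:
            problems.append((lineno, f"source {src} is mapped more than once"))
    return entries, problems

# Constructed sample file: line 1 SID is the page's example, line 3 target SID is a placeholder.
SAMPLE = """\
S-1-5-21-397955417-626881126-188441444-1234, HAY-BUV\\JoeD
S-1-5-21-397955417-626881126-188441444-1234, HB-ACCT\\JimS
HAY-BUV\\Domain Admins, S-1-5-21-111-222-333-512
not-a-sid, HB-ACCT\\Someone
"""
```

Running `parse_sid_mapping(SAMPLE)` reports the duplicate source on lines 1 and 2, the privileged target on line 3, and the malformed source on line 4.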
Active Directory Migration Tool can also change the security descriptors for Exchange mailboxes, distribution lists, custom recipients, organizations, sites, and containers, as well as the primary user account for each mailbox, to reflect the SID for the new security principal in the target domain. This process ensures that the new security principal has the same access to resources and Exchange components as the original.
To translate Exchange security, you must install Microsoft Exchange Administrator on a computer running Active Directory Migration Tool. If you want to translate Exchange security for Exchange mailboxes, distribution lists, custom recipients, organizations, sites, and containers, the account credentials you specify during the translation process must be a Permissions Admin in the Exchange site of the specified Exchange server.
For more information about security descriptors, SIDs, and general security issues, see Understanding security.