EnableSidHistory

JBINET 21 Reputation points
2021-05-11T16:49:14.697+00:00

Hello !
I'm facing a strange behavior when I try to enable SID History for one of two new forest trusts:
the commands always return the same thing (the current state), no matter how I change the switch.

netdom trust old.dom /D:new.dom /enablesidhistory:Yes
is the same as :
netdom trust old.dom /D:new.dom /enablesidhistory
netdom trust old.dom /D:new.dom /enablesidhistory:no
netdom trust old.dom /D:new.dom /enablesidhistory:please

The problem is the same with the Quarantine parameter, however it's already in the right state...
From the opposite side and for the other forest, the commands work!
I tried adding user & password arguments, creating a new enterprise admin, re-establishing the trust from another controller, switching to a simple external trust = no success.

So, if any of you knows the reason, or even another way to change this parameter, I'll be very grateful !
Anyways, thanks for reading ;)


Accepted answer
  1. Fan Fan 15,341 Reputation points Microsoft Vendor
    2021-05-12T01:53:20.74+00:00

    Hi,
    Would you please tell more information about your questions to narrow down the issue?
    1, You want to do a migration from old.dom to new.dom, at the same time you want the migrated users keep the permissions to access resource in old.dom domain, right?
    In this situation, we need to disable the SID filter from the target domain where the (migrated) users have the sidHistory attribute using the enterprise administrator of the target domain. (new.dom)

    2, You created a 2-way trust (forest or external), right?
    The commands are a little different:
    Command for external/domain trust
    From the source domain (Domain Trust) run command:
    NETDOM TRUST SOURCE_DOMAIN /Domain:APPROVED_DOMAIN /Quarantine:No
    From the destination domain (Domain Trust):
    NETDOM TRUST DESTINATION_DOMAIN /Domain:APPROVED_DOMAIN /Quarantine:No

    Command for forest trust:
    From the source domain (Forest Trust):
    NETDOM TRUST SOURCE_DOMAIN /Domain:APPROVED_DOMAIN /EnableSIDHistory:yes
    From the destination domain (Forest Trust):
    NETDOM TRUST DESTINATION_DOMAIN /Domain:APPROVED_DOMAIN /EnableSIDHistory:yes

    Following link for your reference:
    https://learn.microsoft.com/en-us/archive/blogs/csstwplatform/how-to-disabling-sid-filter-quarantining-allowing-sid-history
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755321(v=ws.10)?redirectedfrom=MSDN

    1 person found this answer helpful.

2 additional answers

  1. Dittmaier Benjamin 5 Reputation points
    2024-07-24T13:24:41.21+00:00

    It's a bug in non-English versions of Windows since Windows 2000. You have to enter /enablesidhistory:Ja --> for German.
    I would assume all non-English versions are affected and you always have to enter a localized version of the word "Yes".

    I can change the parameter without using /UD /UO on both Windows 2019 forests.

    1 person found this answer helpful.

  2. JBINET 21 Reputation points
    2021-05-12T08:18:34.267+00:00

    Hi FanFan,
    that's exactly what I'm trying to do ;)

    Thanks to your link, I've been able to "remotely" enable SID History by specifying admin accounts from both forests !
    Here is the command to remember:

    netdom trust DomainA /D:DomainB /UD:DomainBAdministrator /PD:* /UO:DomainAAdministrator /PO:* /enablesidhistory:Yes

    Hope it will save time for others in the IT crowd ;)

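The two procedures above (the forest-vs-external distinction in the accepted answer and the /UD /PD /UO /PO form in JBINET's final command), as an added example that is not part of the original question or answers: a PowerShell wrapper around netdom that picks /EnableSIDHistory or /Quarantine from the trust type, passes credentials for both sides, and then verifies the result by re-reading the trusted-domain object with Get-ADTrust instead of parsing netdom's (possibly localized) text output. Assumptions: the function name and parameters are my own; Get-ADTrust's SIDFilteringForestAware reflects /EnableSIDHistory:yes and SIDFilteringQuarantined reflects /Quarantine:yes; /UO /PO are the trusting-domain credentials and /UD /PD the trusted-domain credentials, per netdom's own syntax; and the localized "No" token is a guess extrapolated from the German "Ja" report above. Note that disabling SID filtering makes the trusting forest honour sIDHistory SIDs presented by the trusted forest, so keep it to the migration window and turn it back on afterwards.

```powershell
# Added example, not code from the question or its answers. Assumes netdom.exe and the
# ActiveDirectory module are available on a DC or admin host in the trusting domain and
# that the caller holds Enterprise Admin in the forest whose trust object is changed.
function Set-TrustSidHistory {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Domain whose resources the migrated users keep reaching (old.dom on this page).
        [Parameter(Mandatory)] [string] $TrustingDomain,
        # Domain holding the migrated accounts with sIDHistory (new.dom on this page).
        [Parameter(Mandatory)] [string] $TrustedDomain,
        [ValidateSet('Yes', 'No')] [string] $Enable = 'Yes',
        # Optional admin credentials, mapped to netdom /UO:/PO: (trusting) and /UD:/PD:
        # (trusted) as in JBINET's command. Without them netdom runs as the caller.
        [pscredential] $TrustingCred,
        [pscredential] $TrustedCred,
        # A non-English netdom reportedly wants a localized word ("Ja" on German Windows,
        # per the answer above); the "No" counterpart is an assumption on my part.
        [string] $YesToken = 'Yes',
        [string] $NoToken  = 'No'
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Read the trusted-domain object from a DC of the trusting domain: the SID filtering
    # flags live on each side's own TDO, which is why the setting is applied from both sides.
    $adArgs = @{ Server = $TrustingDomain; Filter = "Target -eq '$TrustedDomain'"; ErrorAction = 'Stop' }
    if ($TrustingCred) { $adArgs.Credential = $TrustingCred }
    $trust = Get-ADTrust @adArgs
    if (-not $trust) { throw "No trust from $TrustingDomain to $TrustedDomain found." }

    # Forest trusts use /EnableSIDHistory; external trusts express the same thing through
    # /Quarantine with the opposite polarity (Quarantine:No == SID history allowed).
    $wantEnabled = ($Enable -eq 'Yes')
    if ($trust.ForestTransitive) {
        $sidSwitch = '/EnableSIDHistory:' + $(if ($wantEnabled) { $YesToken } else { $NoToken })
    } else {
        $sidSwitch = '/Quarantine:' + $(if ($wantEnabled) { $NoToken } else { $YesToken })
    }

    $netdomArgs = @('trust', $TrustingDomain, "/D:$TrustedDomain")
    if ($TrustedCred) {
        $netdomArgs += "/UD:$($TrustedCred.UserName)"
        # Plain-text on the command line is visible in the local process list; when run
        # interactively, /PD:* as in the posted command makes netdom prompt instead.
        $netdomArgs += "/PD:$($TrustedCred.GetNetworkCredential().Password)"
    }
    if ($TrustingCred) {
        $netdomArgs += "/UO:$($TrustingCred.UserName)"
        $netdomArgs += "/PO:$($TrustingCred.GetNetworkCredential().Password)"
    }
    $netdomArgs += $sidSwitch

    if ($PSCmdlet.ShouldProcess("$TrustingDomain -> $TrustedDomain", "netdom $sidSwitch")) {
        $output = & netdom.exe @netdomArgs 2>&1
        if ($LASTEXITCODE -ne 0) { throw "netdom failed ($LASTEXITCODE): $($output -join ' ')" }
    }

    # Verify against the directory rather than netdom's text, which is what went wrong
    # in the question: netdom echoed the current state regardless of the value passed.
    $after = Get-ADTrust @adArgs
    if ($after.ForestTransitive) {
        $kind   = 'Forest'
        $actual = [bool]$after.SIDFilteringForestAware
    } else {
        $kind   = 'External'
        $actual = -not $after.SIDFilteringQuarantined
    }

    [pscustomobject]@{
        TrustingDomain = $TrustingDomain
        TrustedDomain  = $TrustedDomain
        TrustKind      = $kind
        SidHistory     = $(if ($actual) { 'Enabled' } else { 'Disabled' })
        Verified       = ($actual -eq $wantEnabled)
    }
}

# Usage: run once per side, swapping the domains, mirroring the two commands in the
# accepted answer. Domain and account names are placeholders.
# Set-TrustSidHistory -TrustingDomain old.dom -TrustedDomain new.dom `
#     -TrustingCred (Get-Credential 'old\Administrator') -TrustedCred (Get-Credential 'new\Administrator')
# Set-TrustSidHistory -TrustingDomain new.dom -TrustedDomain old.dom `
#     -TrustingCred (Get-Credential 'new\Administrator') -TrustedCred (Get-Credential 'old\Administrator')
```

If Verified comes back False on a non-English server, retry with -YesToken / -NoToken set to the localized words; the Get-ADTrust read-back is what tells you whether the flag actually moved.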
