Difference between Windows 2000 and Windows NT
NT WIN 2000
1. Supports Fat 16, & NTFS 4+.0 FAT 16, 32, NTFS 5
2. Default Internet Explorer is 4.0 Internet Explorer 5.5
3. Single Master Domain Model Multi Master Domain Model
4. Security Accounts stored in SAM Security Accounts stored in ADS
5. Database size is 40 Mb. Database size is 17 TB
6. Supports upto 40,000 Objects Supports more than 1 million Objects
Limitations of NT Security
n Restricted SAM size
n Single point of failure at the primary domain controller
n Poor operational performance
n Poor replication performance
n Lack of management granularity
n Nontransitive trust relationships
Security Account Manger (SAM) Database Size
Security accounts in classic NT are stored in the Security Account Manager database, called the SAM for short.The SAM is a flat-file database consisting of a set of Groups and a set of Users. Computer accounts are also included in the SAM as a special form of user account. The total number of users, computers, and groups in classic NT is limited because the SAM cannot grow above a certain size.
Single Point of Failure
The PDC is the only server that has read/write access to the SAM in a classic NT
domain. If the PDC crashes or the telecommunications link to it goes down, you cannot
make any changes to the domain. You cannot add new users to a group or join computers to the domain. Users can still log on via a backup domain controller (BDC) but they cannot change their passwords. To correct this problem, an administrator must promote a BDC to PDC .
Lack of Management
A major weakness in the SAM structure is its inability to support hierarchical
Nontransitive Trust Relationships
Of all the limitations in classic NT, the ugliest is the inability to link domains together
seamlessly while maintaining separate administrative roles.
Classic domains are linked by trust relationships.
Active Directory : Active Directory stores information about the resources / objects on the entire network and make it easy for the users to locate, manage, and use these resources.
Improvements Made by Active Directory
1. The Active Directory account database in Windows Server 2003 can hold a billion objects. This resolves scalability concerns.
2. Multiple domain controllers can host read/write copies of Active Directory, eliminating the problems with a single point of failure and poor operational performance.
3. A Windows 2000 server can be promoted to a domain controller and demoted back to a member server without the need to reinstall the operating system.
4. Active Directory domains still use “trusts” that now give full, two-way access to resources and are fully transitive between domains.
Introduction: Active Directory is made up of components that constitute its logical and physical structure. To administer Active Directory, we must understand the purpose of these components
Logical Structure : The logical structure of Active Directory provides methods for organizing network resources such as computers, printers, users and groups. It is made up
of objects, organizational units, domains, domain trees, and forests.
The object is the most basic component of the logical structure. Object classes are template for the types of objects that can be created in Active Directory. Each object class is defined by a group of attribute. Attributes define the possible values that can be associated with an object. Each object has a unique combination of attribute values.
2. Organizational units
Organizational units are container objects that are used to group other objects in a manner that supports your administrative purposes. By grouping objects by organizational unit in a logical fashion, it becomes easier to locate and administer objects. We can also delegate the authority to administer an organizational unit. Organizational units can be nested in other organizational units. By nesting organizational units, we can further simplify the administration of objects.
Domains are the core functional units in the Active Directory logical structure. A domain is a collection of objects that share a common directory database, security policies, and security relationships with other domains. Domains provide the following three functions:
• Serve as an administrative boundary for objects
• Help to manage security for shared resources
• Serve as a unit of replication for objects
4. Domain Trees
Domains can be grouped together in hierarchical structures that are called trees. When a second domain is added to a tree, it becomes a child of the tree root domain. The domain to which a child domain is attached is called the parent domain. A child domain may in turn have its own child domain. The name of a child domain is combined with the name of its parent domain to form its own unique Domain Name System (DNS) name. In this manner, a tree has a contiguous namespace.
Forests are made up of one or more trees, although a single two-level tree is recommended for most organizations. A two-level tree is when all child domains are made children of the forest root domain to form one contiguous tree. The first domain in the forest is called the forest root domain, and the name of that domain is used to refer to the forest. A forest is a complete instance of Active Directory. By default, the information within Active Directory is shared only within the forest. In this way, the forest is a security
boundary for the information contained in the instance of Active Directory.
Physical Structure : The physical structure of Active Directory models the physical structure of the network, and is made up of domain controllers and sites. The physical structure of Active Directory defines where and when replication and logon traffic occur, and is used to and manage network traffic. The physical structure enables you to optimize network traffic by determining when and where replication and logon traffic occur. The elements of the Active Directory physical structure are :
1. Domain controllers Domain controller performs storage and replication functions. A domain controller can support only one domain. A domain can have one or more domain controllers.
2. Active Directory sites Created mainly to optimize replication traffic and to enable users to connect domain controllers by using reliable , high speed connection. A site is a group of well-connected computers. When sites are established, domain controllers within a single site communicate frequently. This communication minimizes the latency within the site. Latency is the time required for a change that is made on one domain controller to be replicated on other domain controllers. You create sites to optimize the use of bandwidth between separated domain controllers. There can be multiple domains in a single site and single site can have multiple sites.
Note : We use Logical structure to organize the network resources and Physical structure to manage the network traffic.
To View the Logical and Physical Sctructure of Active Directory
The logical and physical structure of Active Directory can be viewed by using tools such as Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Schema, ADSI Edit, and Active Directory Domains and Trusts. To view the Active Directory logical and physical structure, perform the following steps:
1.Open Active Directory Users and Computers and view the organizational
units in Active Directory. To do so, perform the following steps:
a. Click Start, All Programs, Administrative Tools, and then click
Active Directory Users and Computers.
b. In the left pane, double-click Active Directory Users and computers.
c. In the left pane, double-click the domain for which you want to view the organizational units.
d. Display the Properties page for each container in the left pane and determine the object type by using the Object class information on the Object tab.
You can also view the organizational units in Active Directory by using the
ADSI editor. The ADSI Edit snap-in is not installed by default. To install it, use the
support tools installer, Suptools.msi, which is located in the \Support\Tools
folder of the Windows Server 2003 product CD.
2. Open Active Directory Domains and Trusts to view the logical structure
of Active Directory. To do so, perform the following steps:
a. Click Start, All Programs, Administrative Tools, and then click
Active Directory Domains and Trusts.
b. In the left pane, expand the node that represents the forest-root domain
to view the domains that make up the logical structure of Active
3. Open Active Directory Sites and Services and view the physical structure
of Active Directory. To do so, perform the following steps:
a. Click Start, All Programs, Administrative Tools, and then click
Active Directory Sites and Services.
b. In the left pane, expand the Sites folder.
c. Click the folder that represents the site for which you want to view a list
d. Click the Servers folder to view a list of servers in the right pane.
What Does Active Directory Do?
1. Active Directory stores information about users, computers and network resources, and makes the resources accessible to users and applications. It does this by providing a consistent way to name, describe, locate, access, manage, and secure information about these resources.
2. Active Directory provides centralized control of network resources, such as servers, shared files, and printers, and allows only authorized users to gain access to resources throughout Active Directory.
3. With Active Directory, you can centralize or delegate the administration of resources and objects as appropriate. Administrators can manage distributed desktops, network services, and applications from a central location by using a consistent management interface, or they can distribute administrative tasks by
delegating control of resources to other administrators.
4. When Active Directory is installed, all resources in a Windows Server 2003 network are stored in Active Directory as objects. These objects are organized in a secure, hierarchical logical structure.
5.The physical structure of Active Directory enables you to optimize the use of network bandwidth. For example, the physical structure of Active Directory ensures that, when users log on to the network, they are authenticated by the authentication authority that is nearest to the user, thus reducing the amount of network traffic.
Active Directory Schema is the structure of the database which contains the definitions of objects. Active Directory objects represent users, groups and network resources such as computers and printers. All servers, domains, and sites in the network are also represented as objects. Because Active Directory represents all network resources as objects in a distributed database, a single administrator can centrally manage and administer these resources. There can be only one schema for entire forest , so that all objects created in Active Directory conform to the same rules.: Two types of definition of the objects are :- Classes and Attributes
When you create an object, the properties, or attributes, of that object store the information that describes the object. Some of these attributes are mandatory and must be assigned value to create the object. For example, when you create a user object, you must assign a value to the SAM Account Name attribute. Users can locate objects throughout Active Directory by searching for specific attributes. For example, you can search for a particular object by searching on an attribute value that makes it unique, such as a printer name, or you can search for an object that has a combination of attribute values, such as a printer with a location value of building 118, a floor value of 3.
Structure of Active Directory DatabaseAll databases have a schema which is a formal definition (set of rules) which govern the database structure and types of objects and attributes which can be contained in the database. The schema contains a list of all classes and attributes in the forest.
The schema keeps track of:
- Class attributes
- Class relationships such as subclasses (Child classes that inherit attributes from the super class) and super classes (Parent classes).
Active Directory SchemaAll databases have a schema which is a formal definition (set of rules) which govern the database structure and types of objects and attributes which can be contained in the database. The schema contains a list of all classes and attributes in the forest.
The schema keeps track of:
PartitionsActive Directory objects are stored in the Directory Information Tree (DIT) which is broken into the following partitions:
Schema ContainerThe schema container is a special container at the top of the schema partitionand is an object created from the directory Management Domain (dMD). It can be viewed using the MMC "Active Directory Schema" console or the Active Directory Services Interface (ADSI) edit utility from the installation CDROM. The distinguished name schema container address is:
/CN=schema/CN=configuration/DC=forest rootClasses and attributes are stored in classSchema objects and attributeSchema objects respectively.
attributeSchema Mandatory AttributesThese attributes provide information about attributes of another Active Directory object.
- attributeID - Identifies the attribute with a unique value.
- attributeSyntax - Identifies the object which defines the attribute type.
- cn - A unicode string name of the attribute.
- isSingleValued - A boolean variable which when true indicates there is only one value for the attribute. If false, the attribute can have several values.
- LDAPDisplayName - LDAP unicode name string used to identify the attribute.
- NTSecurityDescriptor - The object security descriptor.
- ObjectClass - Is always attributeSchema.
- OMSyntax - Identifies the object syntax specified by the open object model.
- SchemaIDGUID - Unique global ID value of the attribute.
classSchema Mandatory AttributesThese attributes provide information about another Active Directory object.
- cn - A unicode string name of the object.
- DefaultObjectCategory - A distinguished name of where the object belongs.
- GovernsID - A unique number identifying the class.
- LDAPDisplayName - LDAP unicode name string used to identify the object.
- NTSecurityDescriptor - The object security descriptor.
- ObjectClass - Is always classSchema.
- ObjectClassCategory - An integer describing the object class type. The class type is one of the following with values in "()" indicating the integer value used to signify them:
- Abstract class (2) - A class that can't be an object, but is used to pass attributes down to subclasses.
- Auxillary class (3) - Used to provide structural or abstract classes with attributes
- Structural class (1) - These classes can have objects created from them and are the class type that is contained as objects in the directory.
- Type 88 class (0) - These classes don't have a type and they are class types created before 1993 before class types were established in the X.500 standard.
- SchemaIDGUID - Unique global ID value of the class.
- SubClassOf - Identifier of the class parent class.
System AttributesThese system attributes can only be changed by the Directory System Agent (DSA) which manages the Active directory database.
- systemAuxillaryClass - Identifies the auxiliary protected classes that compose the class.
- systemMayContain - Optional system protected class attributes.
- systemMustContain - Required system protected class attributes.
- systemPossSuperiors - Parent system protected classes.
SAM Read Only AttributesThe SAM is the Security Access Manager.
Schema ModificationsThe schema should only be modified when absolutely necessary. Control mechanisms include:
- The schema operations master domain controller is the only controller that the schema can be changed from.
- The Schema console must have schema modification set to enabled.
- Each schema object has permissions set through the Windows 2000 security model.
- Using an application programming interface (API).
- Lightweight Directory Interface Format (LDIF) scripts.
- LDIFDE bulk schema modification tool.
- CSVDE bulk schema update tool.
- Object issuing authority
- Object ID
- Class heirarchy
- NT security descriptor
- LDAP display name
- Common name
- Class attributes
Resources in Active Directory can be shared across domains and forests. Active Directory must therefore provide a method that makes searching for resources across domains and forests transparent to the user. The global catalog feature of Active Directory makes such searches possible. Global Catalog is a repository containing information which is necessary to determine the location of any object in Active Directory. For example, if you search for all of the printers in a forest, a global catalog server processes the query in the global catalog and then returns the results. Without a global catalog server, this query would require a search of every domain in the forest.
GLOBAL CATALOG SERVER
A Global Catalog is a searchable master index with data about all objects in a forest. The schema is stored in the global catalog. Only information required to find an object is stored in the global catalog. When the first domain controller in the forest is established, a default catalog is created automatically on that controller. More than one server can house the global catalog
A global catalog server is a domain controller that stores two forest-wide partitions, schema and configuration, a read/write copy of the partition from its own domain, and also a partial replica of all other domain partitions in the forest. These partial replicas contain a read-only subset of the information in each domain partition
It is a domain controller that stores a copy of queries such as user’s first name, last name, and logon name and process them to Global Catalogue. Eg. If we search a printer in a forest, a global catalogue server process the query in Global catalogue and returns the result. Without a Global catalogue Server, this would require a search in every domain in the forest. Global Catalog Server hold a partial replica of every object in the forest.
Distinguished and Relative Distinguished Names
Distinguished Name : To search for and modify objects in the Active Directory database, clients use the Lightweight Directory Access Protocol (LDAP). LDAP is a protocol for accessing on-line directory services. LDAP is a subset of X.500, an industry standard that defines how directories should be structured. LDAP uses information about the structure of a directory to find individual objects, each of which has a unique name. The name that LDAP uses represents an Active Directory object by a series of components that relate to the logical structure. This representation is called the distinguished name of the object. The distinguished name identifies the domain where the object is located and the complete path by which the object is reached. A distinguished name must be unique in the
. Active Directory Forest
Example of Distinguished Name
For a user named Suzan Fine in the Sales organizational unit in the Contoso.msft domain, each element of the logical structure is represented in the following distinguished name:
CN is the common name of the object in its container.
OU is the organizational unit that contains the object. There can be more than
one OU value if the object resides in a nested organizational unit.
DC is a domain component, such as .com. or .msft.. There will always be at
least two domain components, but there might be more if the domain is a child
domain. The domain components of the distinguished name are based upon the Domain
Name System (DNS).
Relative Distinguished Name:The relative distinguished name of an object uniquely identifies the object within its container. No two objects in the same container can have exactly the same name. The relative distinguished name is always the first component of the distinguished name, but it might not always be a common name.
Example of a Relative Distinguished Name
Sales is the relative distinguished name of an organizational unit that is represented by the following LDAP naming path: OU=Sales,DC=contoso,DC=msft
How Active Directory Enables a Single Sign-on ?
Active Directory enables a single sign-on, which makes the complex processes of authentication and authorization transparent to the user. A single sign-on is made up of authentication, which verifies the credentials of the connection attempt, and authorization, which verifies that the connection attempt is allowed. With a single sign-on, users do not have to manage multiple sets of credentials and can access the resources for which they are authorized without thinking about the processes that occur behind the scenes. However, as a systems engineer, we must understand how these processes work in order to troubleshoot the Active Directory structure.
The single sign-on process occurs as follows:
- The user enters credentials at a workstation to perform an interactive logon.
- The credentials are encrypted by the client and sent to a domain controller for the client.s domain.
- The encrypted credentials that are sent from the client are matched against the encrypted credentials on the domain controller. A Kerberos service, the Key Distribution Center (KDC), resides on each domain controller and stores the encrypted user credentials. If the credentials sent by the client match the credentials stored by the KDC, the process continues.
- The domain controller creates a list of the domain-based groups to which the user belongs.
- The domain controller queries the global catalog to identify the universal groups to which the user belongs. If the domain controller has Universal group membership caching enabled, the global catalog is not queried and the Universal group memberships are obtained from the cache on the domain controller.
- The KDC issues the client a ticket-granting ticket (TGT). The TGT contains the encrypted security identifiers (SIDs) for the groups of which the user is a member.
- The client requests access to a resource that resides on a specific server.
- The client uses the TGT to gain access to the ticket-granting service (TGS), on the domain controller.
- The TGS issues a service ticket, which is also called a session ticket, for the server where the resource resides to the client. The session ticket contains the SIDs for the user.s group memberships.
- The client presents the session ticket to the server where the resource resides. The Local Security Authority (LSA) on the server uses the information in the session ticket to create an access token.
- The LSA compares the SIDs in the access token with the groups that are assigned permissions in the resources discretionary access control list (DACL). If they match, the user is granted access to the resource.
Active Directory Management
Active Directory allows administrators to manage large numbers of users, computers, printers, and network resources from a central location by using the administrative tools that Windows server 2003 provides. Active Directory also supports decentralized administration by allowing an administrator with the proper authority to delegate a selected set of administrative privileges to appropriate users or groups within an organization. Active Directory provides a number of features that allow administrators to manage resources centrally. The following describes
How Active Directory enable Centralized Administration.
- Active Directory contains information about all objects and their attributes. The attributes hold data that describes the resource that the directory object identifies. Because information about all network resources is stored in Active Directory, a single administrator can centrally manage and administer network resources.
- Active Directory can be queried by using protocols such as LDAP. Administrators can easily locate information about objects by searching for selected attributes of the object, using tools that support LDAP.
- Active Directory allows you to group objects with similar administrative and security requirements into organizational units. Organizational units provide multiple levels of administrative authority for both applying Group Policy settings and delegating administrative control. This delegation of administrative authority simplifies the task of managing these objects and allows administrators to structure Active Directory to fit their needs.
- Active Directory uses Group Policy to provide administrators with the ability to specify Group Policy settings for a site, domain, or organizational unit. Active Directory then enforces these Group Policy settings for all of the users and computers within the container.
How Active Directory Supports Decentralized Management:
Active Directory enables you to delegate administrative privileges for certain objects to appropriate groups within an organization. This is possible because the structure of Active Directory allows you to assign permissions and grant user rights in very specific ways. We can delegate the following types of administrative control:
- Assigning permissions, such as Full Control, for specific organizational units to different domain local groups.
- Assigning the permissions to modify specific attributes of an object in a single organizational unit. For example, assigning the permission to change name, address, and telephone number, and to reset passwords on a user account object.
- Assigning the permissions to perform the same task, such as resetting passwords, in all organizational units of a domain.
Some common GUI tools for administering Active Directory.
1. Active Directory Users and Computers A Microsoft Management Console (MMC) hat you can use to administer and publish information in the directory. Using Active Directory Users and Computers, you can manage user accounts, groups, and computer accounts, add computers to a domain, manage account policy, user rights, and audit policy.
2. Active Directory Domains and Trusts An MMC that you can use to administer domain trusts and forest trusts, add user principal name suffixes, and change the domain and forest functional levels.
3. Active Directory Sites and Services An MMC that you can use to administer the replication of directory data.
4. Active Directory Schema The Active Directory Schema MMC is an Active Directory administrative tool for managing the schema. It is not available by default on the Administrative Tools menu, and must be added manually.
5. CSVDE Imports and exports Active Directory data by using comma-separated format.
6. LDIFDE Can be used to create, modify, and delete Active Directory objects. This tool can also be used to extend the Active Directory schema, export user and group information to other applications or services, and populate Active Directory with data from other directory services.
7. ADSI Editor The ADSI editor is an MMC snap-in that can be used to view, create, modify and delete objects in Active Directory.ADSI provides a simple, powerful, scriptable interface to Active Directory to enable administrators to create reusable scripts for managing Active Directory. ADSI uses the LDAP protocol to communicate with Active Directory.
You can create scripts by using ADSI to perform the following tasks:
- Retrieve information about Active Directory objects
- Add objects to Active Directory
- Modify Active Directory object attribute values
- Delete objects form Active Directory
- Extend the Active Directory schema
ADS and DNS Integration
DNS domains and Active Directory domains use identical domain names for different Namespaces. Using identical domain names enables computers in a Windows Server 2003 network to use DNS to locate domain controllers and other computers that provide Active Directory.related services.The integration of DNS and Active Directory is essential because a client computer in a Windows Server 2003 network must be able to locate a domain controller to allow users to log on to a domain or to use the services provided by Active Directory. To locate a domain controller, a computer uses DNS to locate the IP address for a computer that provides the required service within Active Directory.
Active Directory Integrated Zones
One of the benefits of integrating DNS and Active Directory is the capability to integrate DNS zones into the Active Directory database. A zone is a portion of the domain namespace that has a logical grouping of resource records allowing zone transfers of these records as a single unit.
Microsoft DNS servers store information that is used to resolve host names to IP addresses and IP addresses to host names, in a database file with the extension .dns, for each zone. Active Directory integrated zones are primary and stub DNS zones that are stored as objects in the Active Directory database. Zone objects can be stored in an Active Directory application partition or in an Active Directory domain partition. If zone objects are stored in an Active Directory application partition, only domain controllers that subscribe to the application partition will participate in the replication of this partition. However, if zone objects are stored in an Active Directory domain partition, they will be replicated to all Domain Controllers in the Domain
SRV RESOURCE RECORDS
For Active Directory to function properly, client computers must be able to locate servers that provide specific services such as authenticating logon requests and searching for information in Active Directory. To achieve this, Active Directory stores information about the location of the computers that provide these services in DNS records known as SRV resource records.
SRV resource records link the name of a service to the DNS computer name for the computer that offers that service. For example, an SRV record can contain information to help clients locate a domain controller in a specific domain or forest.
When a domain controller starts, it registers SRV records, which contain information about the services it provides, and an A resource record that contains its DNS computer name and its IP address. A DNS client later uses this combined information to locate the requested service on the appropriate domain controller.
All SRV records use a standard format, which consists of fields that contain the information used to map a specific service to the computer that provides the service.
SRV records use the following format:
The following is an example of an SRV record of a computer:
_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 london.contoso.msft
The SRV record indicates that the computer provides the following services:
- Provides the LDAP service
- Provides the LDAP service by using the TCP transport protocol
- Registers the SRV record in the contoso.msft DNS domain
- Has a time to live (TTL) of 600 seconds or 10 minutes.
- Has an FQDN of london.contoso.msft
Procedure for viewing SRV records by using the DNS Snap-in
You can use either the DNS console or the NSLookup utility to view the SRV records registered by domain controllers. To view the SRV resource records registered domain controllers by using the DNS snap-in, perform the following steps:
- Open DNS from the Administrative Tools menu.
- Double-click Server (where Server is the name of your DNS server),double-click forward Lookup Zones, and then double-click domain
- Open the following folders in the domain folder to view the SRV resource records that are registered:
How clients locate resources ?
To log on to a Windows Server 2003 domain or to search Active Directory, a client computer must contact a domain controller. All domain controllers register both A resource records and SRV records. The A resource record contains the FQDN and IP address for the domain controller. The SRV record contains the FQDN of the domain controller and the name of the service that the domain controller provides. Therefore, the client computer can query DNS
to locate a domain controller.
The following describes the process of how a computer locates a domain controller:
- A user logs on to the domain, initiates an Active Directory search, or performs other tasks that require a domain controller. The Net Logon service on the client (the computer that is locating the domain controller) starts the DsGetDcName application programming interface (API).
- Net Logon collects information about the client and the specific service required; this information will be included in the DNS query. This information is specified by the following DsGetDcName parameters:
• ComputerName. The name of the client computer.
• DomainName. The name of the DNS domain that will be queried.
• SiteName. The name of the site in which the domain controller should be located. I
if the site is not specified, the domain controller that will be located is in the site that is
closest to the site in which the client computer is located. The client also specifies that
the domain controller should be an LDAP server in the domain named by DomainName,
or a global catalog server or KDC server for the forest in which DomainName is located.
- The Net Logon service sends a DNS query to a DNS server. This DNS query contains the information it collected from the client and specifies the service that is required.
- The DNS server queries the DNS zone database for SRV records that match the service required by the client in the domain named by DomainName. T
- he DNS server returns a list of IP addresses of domain controllers that provide the service requested in the domain specified by the client.
- The Net Logon service sends a datagram (an LDAP UDP message) to one or more of the located domain controllers to determine whether it is running and whether it supports the specified domain.
- Each available domain controller responds to the datagram to indicate that it is currently operational, and then returns the information to DsGetDcName. The Net Logon service returns the information to the client from the domain controller that responds first.
- The client computer chooses the first domain controller that responds and meets the criteria, and then sends the request to that domain controller. The Net Logon service caches the domain controller information so that it is not necessary that the client computer repeat the discovery process for subsequent requests. Caching this information also encourages the consistent use of the same domain controller.
The purpose of SID
Windows uses a data structure known as a Security ID (SID) to identify users, computers and groups. SIDs have two components. The first part uniquely identifies a domain; the second part uniquely identifies a user account, computer account, or group managed by that domain. Windows uses SIDs to identify users and groups in access control lists (ACLs) and group
memberships. When a user account is migrated to a different domain, it is assigned a new SID, which results in the loss of group memberships based on the old account SID. SID history is an attribute on user and group objects in Active Directory and is used to hold the previous SID of a migrated user account. If a user account is migrated multiple times, SID history stores a list of all the SIDs the user was assigned. SID history provides a migrated user with continuity of access to resources, until all the necessary groups or ACLs can be updated using the new account SID.
When a Windows Server 2003 domain controller authenticates a user, it computes group memberships using both the current user account SID, and any SIDs in SID history. If the user account has been migrated, access to resources based on the previous account is maintained.