I am executing a domain migration project (many single-site domains merged to one global AD) in my company.
I have migrated users, computers and groups (using the Quest On Demand Migration tool), and I have verified that SID history is being written correctly to user and group accounts. I can see the SIDHistory attribute populated for both users and groups with correct values.
When the user account that was migrated to the new domain tries to access a file server in the old domain, I see the following in the old-domain file server's log:
A network share object was checked to see whether client can be granted desired access.

Subject:
    Security ID:        NEWDOMAIN\admig2
    Account Name:       admig2
    Account Domain:     NEWDOMAIN
    Logon ID:           0x1B7Dxxxx

Network Information:
    Object Type:        File
    Source Address:     10.ab.cd.ef
    Source Port:        49782

Share Information:
    Share Name:         \\*\SHARE
    Share Path:         \??\D:\SHARE
    Relative Target Name: \

Access Request Information:
    Access Mask:        0x80
    Accesses:           ReadAttributes

Access Check Results:
    ReadAttributes:     Not granted
I have run the following commands in both the old and new domains:

Old domain:
netdom trust <old domain fqdn> /domain:<new domain FQDN> /enablesidhistory:yes
netdom trust <old domain fqdn> /domain:<new domain FQDN> /quarantine:no
New domain:
netdom trust <new domain FQDN> /domain:<old domain fqdn> /enablesidhistory:yes
netdom trust <new domain FQDN> /domain:<old domain fqdn> /quarantine:no
It has already been some hours, so everything should have replicated everywhere. Still, I get the same error when trying to access the file share with the migrated user's credentials: access denied, ask your administrator.
Besides turning off SID filtering and migrating the user's groups as well, are there any other areas I need to check that I have missed in my post above? Thanks.
Outcome of one of the tests: I believe I have ruled NTLM out as the culprit; it is not it. When I share a new folder with R/W for Everyone and, in the security ACL, give OLDDOMAIN\admig2 permission on this new share, NEWDOMAIN\admig2 can access the share. It is still the OLDDOMAIN-joined file server. I am confused by these symptoms. Yes, OLDDOMAIN\Domain Users is a domain local group and NEWDOMAIN\admig2 is not a member of it, but this is where SIDHistory should kick in: since the old SID is a member of OLDDOMAIN\Domain Users, I believe this should still work, but it does not. Or ... ?
I will continue with the tests tomorrow.
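A diagnostic script for the symptoms described above, added here as an example and not part of the original post. It assumes the ActiveDirectory module, read access to both domains and the file server's Security log, and placeholder names for the domains, file server and account; it pulls the migrated account's sIDHistory, dumps the SID-filtering flags of the trusts on both sides, and reads the file server's 4627 (Group Membership) audit event to see which SIDs actually reached the logon token.

```powershell
Import-Module ActiveDirectory

# Placeholders (assumed, not from the post). Adjust before running.
$NewDomain  = 'newdomain.example'
$OldDomain  = 'olddomain.example'
$FileServer = 'oldfs01.olddomain.example'
$User       = 'admig2'

# 1. The SIDs the migrated account should carry: its new objectSid plus sIDHistory.
$acct     = Get-ADUser -Identity $User -Server $NewDomain -Properties SIDHistory
$expected = @($acct.SID.Value) + @($acct.SIDHistory | ForEach-Object Value)

# 2. Trust flags on both sides. Forest trusts use SIDFilteringForestAware
#    (netdom /enablesidhistory); external trusts use SIDFilteringQuarantined
#    (netdom /quarantine). The TDO that matters for this access is the one
#    the old (resource) domain holds for the new domain.
foreach ($d in $OldDomain, $NewDomain) {
    Get-ADTrust -Filter * -Server $d |
        Select-Object @{n='Domain';e={$d}}, Name, Direction, TrustType,
                      ForestTransitive, SIDFilteringForestAware, SIDFilteringQuarantined
}

# 3. What the file server actually put in the token. Event 4627 (Audit Group
#    Membership subcategory, Server 2016+/Windows 10, must be enabled) lists every
#    SID in the logon's token, so it shows whether sIDHistory survived the trust.
$xpath  = "*[System[EventID=4627] and EventData[Data[@Name='TargetUserName']='$User']]"
$events = Get-WinEvent -ComputerName $FileServer -LogName Security -FilterXPath $xpath `
                       -MaxEvents 5 -ErrorAction SilentlyContinue
if (-not $events) { Write-Warning "no 4627 events for $User on $FileServer (auditing off or no logon yet)"; return }

$xml       = [xml]$events[0].ToXml()
$groupText = ($xml.Event.EventData.Data | Where-Object Name -eq 'GroupMembership').'#text'
$tokenSids = [regex]::Matches($groupText, 'S-1-\d+(-\d+)+') |
             ForEach-Object Value | Sort-Object -Unique

# 4. Compare expectation with reality, including the old domain's Domain Users
#    group, which is always RID 513 of the old domain SID.
$oldDomainUsers = "{0}-513" -f (Get-ADDomain -Server $OldDomain).DomainSID.Value
foreach ($sid in $expected + $oldDomainUsers) {
    $state = if ($tokenSids -contains $sid) { 'present' } else { 'MISSING' }
    $label = if ($sid -eq $oldDomainUsers) { ' (old Domain Users)' } else { '' }
    "{0,-8} {1}{2}" -f $state, $sid, $label
}
```

If the old user SID shows as present but the old domain's Domain Users SID is missing, the trust is passing sIDHistory and the gap is in how group membership carries over, not in SID filtering.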