Problems with user sets in cross forest scenarios

In cross forests scenarios, where users are migrated from one Active Directory forest to another using ADMT and enabling sidHistory, users from one forest may be denied traffic by ISA if policy rules are restricted to certain user sets.

For example, consider the following scenario:

1. You have user accounts in an Active Directory forest ForestA.

2. You have another active directory forest, ForestB.

3. You use the ADMT tool to migrate users from ForestA to ForestB, with sidHistory enabled. Now all users from ForestA exist in ForestB too.

4. Your ISA server is installed in ForestB.

In ISA MMC, you create a new user set and add a Windows user from ForstA, for example, ForestA\User.

With this scenario, the user which eventually appears in the user set is ForestB\User, not forestA\user as entered.

Because of this problem, if the user set is used in a policy rule to limit access to that user set, User from ForestA will not have access to the resources protected by that rule.

To work around that problem, do the following:

1. On a domain controller in ISA domain, create a domain local security group and populate it with the relevant user accounts from both forests.

2. On the ISA Server, create a user set which includes only this security group.

3. Use this user set in the relevant policy rule.

This problem is resolved in Forefront TMG 2010.

Reference:
ADMT:
http://www.microsoft.com/downloads/details.aspx?familyid=6F86937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en

sidHistory:
http://technet.microsoft.com/en-us/library/bb727125.aspx

Author:

Doron Juster,  Microsoft Forefront TMG

Reviewers: Jim Harrison, Jonathan Barner