questions on AD Migration and sidHistory

  • Last Post 05 December 2016
BrianB posted this 05 December 2016

All:

We are considering a (copy) migration to selectively duplicate some users and groups into a new forest using the sidHistory attribute. Carbon-Based-Lifeforms (CBLs) will have a Digital-Based-Lifeform (DBL) in both the old and the new environment, and sidHistory will be copied to the new DBL. The CBL will have to use either identity depending on the application they are using or accessing.

In the case of a migrated user or group where co-existence is required between a new forest and an old one:

1. If the old DBL is added to another group in the old forest, will the sidHistory need to be updated for the corresponding new DBL in the new forest each time this occurs?
2. In the case of a group, if new members are added to a group in the old forest that has been migrated to the new forest, is there any type of migration update that needs to occur to the corresponding group in the new forest?

Brian Britt

bdesmond posted this 05 December 2016

SID History for groups is a property of the group, so the first time you bring the group over with your migration tool, it will set SID History. Going forward, anyone in that group will get the group's SID plus any SIDs in the sidHistory in their token.

 

 

 



Thanks,

Brian Desmond

 

w – 312.625.1438 | c – 312.731.3132



 


BrianB posted this 05 December 2016

Thanks Brian,

 

So migrating the group is a one-time effort, if I understand correctly. What about users that are migrated and their old account is added to a new group in the old forest that has not been migrated? Will their sidHistory have to be migrated again, and again for each subsequent add to a new group?

 

Brian Britt  

 


bdesmond posted this 05 December 2016

Correct, the group itself is a one-time migration.

 

The sidHistory on a user is also a one-time operation. Going forward, any group membership is just group membership. How you want to add them to groups (manually, script, rerun migration tool, etc.) is up to you.

 



Thanks,

Brian Desmond

 




 
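The two answers above reduce to one check a migration team will want to automate: sidHistory is written once, so the only way an old-forest group SID reaches the new account's token is through a migrated group (whose sidHistory carries the old group SID) that the new account is actually a member of. The following PowerShell script is an added example, not code from the thread or from any migration product. It assumes the ActiveDirectory module, the hypothetical domain controllers dc1.old.example and dc1.new.example, a trust the running account can read across in both directions, and that SID filtering has been disabled on that trust so sidHistory is honored at all (disabling it is what makes cross-forest sidHistory work, and it is also what weakens the trust boundary, so scope it deliberately).

```powershell
# Added example (not from the thread): for one migrated user, list the old-forest
# groups whose SIDs will NOT appear in the token built for the new-forest account.
# Assumes the ActiveDirectory module, the hypothetical DCs dc1.old.example and
# dc1.new.example, a trust the running account can read across, and that SID
# filtering is disabled on that trust so sidHistory is honored.
param(
    [string]$SamAccountName = 'jdoe',
    [string]$OldDc = 'dc1.old.example',
    [string]$NewDc = 'dc1.new.example'
)
Import-Module ActiveDirectory

# 1. Old forest: direct group memberships of the old account, as SIDs.
#    memberOf is direct membership only; nested groups and the primary group
#    (Domain Users) are out of scope for this check.
$oldUser = Get-ADUser -Identity $SamAccountName -Server $OldDc -Properties memberOf
$oldGroups = foreach ($dn in $oldUser.memberOf) {
    $g = Get-ADGroup -Identity $dn -Server $OldDc
    [pscustomobject]@{ Name = $g.Name; Sid = $g.SID.Value }
}

# 2. New forest: every SID the new account's token will carry, which is
#    - its own sidHistory (the old user SID, copied once at migration), and
#    - for each new-forest group it belongs to, that group's SID plus the
#      group's sidHistory (the old group SID, also set once at migration).
$newUser = Get-ADUser -Identity $SamAccountName -Server $NewDc -Properties sidHistory, memberOf
$carried = [System.Collections.Generic.HashSet[string]]::new()
foreach ($s in $newUser.sidHistory) { [void]$carried.Add($s.Value) }
foreach ($dn in $newUser.memberOf) {
    $g = Get-ADGroup -Identity $dn -Server $NewDc -Properties sidHistory
    [void]$carried.Add($g.SID.Value)
    foreach ($s in $g.sidHistory) { [void]$carried.Add($s.Value) }
}

# 3. Anything the old token has that the new token lacks is a group that was
#    either never migrated, or migrated without this user being added to it.
$gaps = @($oldGroups | Where-Object { -not $carried.Contains($_.Sid) })
if ($gaps.Count -gt 0) {
    Write-Warning "$SamAccountName : $($gaps.Count) old-forest group(s) not covered by the new account's token"
    $gaps | Format-Table -AutoSize
} else {
    Write-Output "$SamAccountName : every old-forest group SID is carried by the new account's token"
}
```

Run it per user (or wrap it in a loop over the migrated accounts) whenever someone is added to a group in the old forest; a reported gap means that group has to be migrated, or the user added to its already-migrated counterpart, rather than anything being rewritten in sidHistory.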


kebabfest posted this 05 December 2016

Based on what you described, you will have to sync the changes across.
Quest Migration Manager manages this type of coexistence for you from a GUI, as opposed to having to script it.
However, another way would be to re-permission the resources you need in the old forest with the new groups.
Then, if you add the users to the new groups, they will automatically get permission, and this also reduces the need for admin tasks on the old forest.
I am assuming you are decommissioning the old forest.

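The re-permissioning alternative in the post above can be scripted by using the migrated groups' sidHistory as the mapping from old group to new group. The PowerShell below is an added example, not the thread's code and not Quest's: it walks a directory tree on an old-forest file server and, for every explicit ACE granted to an old-forest group, adds an equivalent ACE for the new-forest group that carries that old SID in its sidHistory. The old ACE is deliberately left in place so access keeps working during co-existence; remove the old ACEs at cutover once the new groups are verified. It assumes the ActiveDirectory module, the hypothetical domain controller dc1.new.example and share \\fs1.old.example\projects, and an account with rights to read and rewrite those ACLs. Only directories are processed; files with their own explicit ACEs would need the same treatment.

```powershell
# Added example (not from the thread): mirror old-forest group ACEs onto the
# matching new-forest groups, using each new group's sidHistory as the map.
# Assumes the ActiveDirectory module, the hypothetical DC dc1.new.example and
# share \\fs1.old.example\projects, and rights to read and rewrite the ACLs.
[CmdletBinding(SupportsShouldProcess = $true)]   # run with -WhatIf to preview
param(
    [string]$Path  = '\\fs1.old.example\projects',
    [string]$NewDc = 'dc1.new.example'
)
Import-Module ActiveDirectory

# Cache: old SID string -> new-forest group SID ($null if no group carries it).
$sidMap = @{}
function Resolve-NewGroupSid([string]$OldSid) {
    if (-not $sidMap.ContainsKey($OldSid)) {
        $g = Get-ADGroup -LDAPFilter "(sIDHistory=$OldSid)" -Server $NewDc
        $sidMap[$OldSid] = if ($g) { $g.SID } else { $null }
    }
    return $sidMap[$OldSid]
}

# Return the SID string behind an ACE, or $null if it cannot be resolved.
function Get-AceSid($Ace) {
    try { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }
}

$folders = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse -Directory)
foreach ($folder in $folders) {
    $acl = Get-Acl -Path $folder.FullName
    # Explicit ACEs only: inherited ones follow from the parent we also rewrite.
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
    $present  = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($ace in $explicit) {
        $sid = Get-AceSid $ace
        if ($sid) { [void]$present.Add($sid) }
    }

    $changed = $false
    foreach ($ace in $explicit) {
        $oldSid = Get-AceSid $ace
        if (-not $oldSid) { continue }                 # unresolvable identity: leave it alone
        $newSid = Resolve-NewGroupSid $oldSid
        if (-not $newSid) { continue }                 # not a migrated group (user, local or builtin SID)
        if ($present.Contains($newSid.Value)) { continue }   # already mirrored on an earlier run

        # Same rights, inheritance and allow/deny type, new-forest principal.
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $newSid, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.AddAccessRule($rule)
        [void]$present.Add($newSid.Value)
        $changed = $true
        Write-Verbose "$($folder.FullName): mirrored $($ace.IdentityReference) -> $($newSid.Value)"
    }
    # With -WhatIf on the script, Set-Acl only reports what it would change.
    if ($changed) { Set-Acl -Path $folder.FullName -AclObject $acl }
}
```

Because the new ACE names the new-forest group's real SID rather than relying on sidHistory at logon time, resources re-permissioned this way keep working even after SID filtering is re-enabled on the trust or sidHistory is cleaned up, which is the main reason to prefer this route over indefinitely maintaining sidHistory-based co-existence.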

BrianB posted this 05 December 2016

Yes, we will decommission the old forest, but we predict that it will take a few years. In which case, we will have to keep co-existence in both forests for some time to come.

 

Brian.



 

