| Author | Messages | |
markusw
Posts:10
 | | 07/16/2008 8:48 PM |
| hi @ll,
I have to migrate groups from one forest to another. In the past I did the migrations including the old sIDHistory. Now I have the problem that the Kerberos ticket size is really big, and I decided to migrate only the objectSID to the sIDHistory of the new forest. So I opened a case with Microsoft and they told me there is no possibility to do this with Microsoft tools. We use W2K3 Active Directory in native mode. I tried to use MIIS 2003 to map the attributes directly and wondered about the permission-issue message. Now I found articles describing that a migration in this way isn't possible. The only way they told me is to delete the sIDHistory in the old forest, but this is not possible right now. So now my question: has anybody any idea to solve this problem?
Here is an example:
| attribute | originary forest | new forest should have |
|---|---|---|
| group | abc | abc |
| objectSID | 1234 | 5678 |
| sIDHistory | 9876 | 1234 |
| sIDHistory | 9875 | |
| sIDHistory | 9874 | |
The reason I want to solve it this way is to minimize the sIDHistory. For the ACLs in the past, I think the objectSID would be set in the ACL, so the sIDHistory from the originary forest is not necessary anymore.
thx and regards Markus
kindly regards / Mit freundlichen Grüßen
Markus Wilhelm
productmanager directory services and microsoft identity information server / identity lifecycle manager
HVB IS GmbH Member of UniCredit Group Am Tucherpark 12 D-80538 München Germany
Phone +49(89)37828530 Mobile +49(172)8918842
Email: Markus.Wilhelm@hvbis.com Web: http://www.hvbis.com
You can find the mandatory information about HVB Information Services GmbH using the following link: http://www.hvbis.com/is/de/pub/441.htm Important Note: This e-mail is only intended for the person or company/organisation named as recipient. It may contain trade secrets or undisclosed and confidential information or information otherwise protected by work-product immunity or other legal regulations. If you have received this email by mistake, we kindly ask you not to copy this message or use it for any purpose nor disclose its contents to any other person. Please inform us immediately and delete the original document. In addition, please let us know if you or your company object to receiving e-mails for messages of this kind.
| | | |
| irishbug
Posts:23
 | | 07/16/2008 8:48 PM |
| Quest's domain migration tool (not sure of the name at the moment) does some pretty funky migrations. For example, it will migrate an object's SID into a new object in the same forest with the original object still existing. Although I do not recommend tools that break MS-intended functionality, this might be able to do what you need. I would certainly test, test and test some more prior to using something like this in production.
Steve
On Sat, Jun 14, 2008 at 5:19 AM, <Markus.Wilhelm@hvbis.com> wrote:
| | | |
| guyt76
Posts:11
 | | 07/16/2008 8:52 PM |
| You might consider the following:
1) Migrate with sIDHistory
2) On the target domain script a process of removing the obsolete SIDs from sIDHistory. Should not be that hard - all the SIDs you want to keep will have the same domain part of the SID. Anything else you find in sIDHistory can be wiped.
Have not actually tested this, but looking at http://support.microsoft.com/kb/295758 I see that SIDs in sIDHistory are deleted one-by-one, so I do not expect issues here.
Guy
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Markus.Wilhelm@HVBIS.com Sent: Saturday, June 14, 2008 5:29 PM To: ActiveDir@mail.activedir.org Subject: AW: RE: RE: RE: RE: RE: [ActiveDir] active directory question: migrate objectSID to sIDhistory
The problem I got was that I planned another way to migrate, without sIDHistory. In my plans I wanted to solve this topic by using group nesting. But there was one little, or better big, problem: some applications used the domain local groups to set the ACLs, and so my plans were obsolete. The only chance I have is to reduce the SIDs. So mapping the attributes using ILM is no problem. The problem is how to write this to AD without the security issue on attribute writing.
Thx Markus
PS: I had only 2 months for the whole planning and to discuss with the colleagues in other countries.
kindly regards / Mit freundlichen Grüßen
Markus Wilhelm
productmanager directory services and microsoft identity information server
*** this message is answered with blackberry ***
HVB IS GmbH Am Tucherpark 12 80538 München Germany
Phone +49(89)37828530 Mobile +49(172)8918842
Email: Markus.Wilhelm@hvbis.com Web: http://www.hvbis.com
HVB Information Services GmbH Member of UniCredit Group, Am Tucherpark 12, 80538 München management: Gabriele Ruf, Klaus Rausch chairman Supervisory Board: Matthias Sohler legal form: GmbH, registered office: München, register court: local court München HR B 93804, tax number 143/800/82007
----- Original Message ----- From: ActiveDir-owner@mail.activedir.org <ActiveDir-owner@mail.activedir.org> To: ActiveDir@mail.activedir.org <ActiveDir@mail.activedir.org> Sent: Sat Jun 14 16:00:26 2008 Subject: RE: RE: RE: RE: RE: [ActiveDir] active directory question: migrate objectSID to sIDhistory
You are running out of options. Whatever suggestion is thrown into the field, there seems to be some reason not to do it. Maybe before the migration, you guys need to prep some stuff, like cleaning sIDHistory or whatever, to be able to continue.
At this moment you are experiencing difficulties. Next time it will be even worse if you do not do what must be done (e.g. sIDHistory cleanup or whatever).
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto Senior Consultant MVP Identity & Access - Directory Services
Oxford Computer Group Benelux | O: +31 (0)6 26.26.62.80 | :: +31 (0)33 454.69.50 | : +31 (0)33 454.66.66 | : Hardwareweg 4, 3821BM Amersfoort, The Netherlands www.oxfordcomputergroup.com | Expertise in Identity & Access Management ________________________________________________________________ MVP Profile → https://mvp.support.microsoft.com/profile/jorge1 MVP Home Site → https://mvp.support.microsoft.com/ MVP Overview → https://mvp.support.microsoft.com/mvpexecsum BLOG → http://blogs.dirteam.com/blogs/jorge/default.aspx ________________________________________________________________
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Markus.Wilhelm@HVBIS.com Sent: Saturday, June 14, 2008 15:51 To: ActiveDir@mail.activedir.org Subject: AW: RE: RE: RE: RE: [ActiveDir] active directory question: migrate objectSID to sIDhistory
That's right and I agree with you, but there are very many involved systems, and about some of them we don't know. So I think that's a solution which is not compatible with our migration. Thx Markus
kindly regards / Mit freundlichen Grüßen
Markus Wilhelm
----- Original Message ----- From: ActiveDir-owner@mail.activedir.org <ActiveDir-owner@mail.activedir.org> To: ActiveDir@mail.activedir.org <ActiveDir@mail.activedir.org> Sent: Sat Jun 14 15:40:11 2008 Subject: RE: RE: RE: RE: [ActiveDir] active directory question: migrate objectSID to sIDhistory
sIDHistory is one of the solutions, in combination with replacing ACLs (depending on the scenario).
You could also NOT use sIDHistory and ADD new ACLs and later REMOVE old ACLs.
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto Senior Consultant MVP Identity & Access - Directory Services
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Markus.Wilhelm@HVBIS.com Sent: Saturday, June 14, 2008 15:21 To: ActiveDir@mail.activedir.org Subject: AW: RE: RE: RE: [ActiveDir] active directory question: migrate objectSID to sIDhistory
For users and computers it's not necessary to do this, but they're much more
Thx Markus
kindly regards / Mit freundlichen Grüßen
Markus Wilhelm
----- Original Message ----- From: ActiveDir-owner@mail.activedir.org <ActiveDir-owner@mail.activedir.org> To: ActiveDir@mail.activedir.org <ActiveDir@mail.activedir.org> Sent: Sat Jun 14 15:01:55 2008 Subject: RE: RE: RE: [ActiveDir] active directory question: migrate objectSID to sIDhistory
How many users and computers?
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto Senior Consultant MVP Identity & Access - Directory Services
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Markus.Wilhelm@HVBIS.com Sent: Saturday, June 14, 2008 14:59 To: ActiveDir@mail.activedir.org Subject: AW: RE: RE: [ActiveDir] active directory question: migrate objectSID to sIDhistory
So in the current forest the user will still use components which are not yet re-ACL'ed. The migrated one in the new forest uses only re-ACL'ed components. That's the reason why they're not done yet. We're talking about around 120,000 groups.
Thx Markus
kindly regards / Mit freundlichen Grüßen
Markus Wilhelm
----- Original Message ----- From: ActiveDir-owner@mail.activedir.org <ActiveDir-owner@mail.activedir.org> To: ActiveDir@mail.activedir.org <ActiveDir@mail.activedir.org> Sent: Sat Jun 14 14:52:40 2008 Subject: RE: RE: [ActiveDir] active directory question: migrate objectSID to sIDhistory
If the data has been re-ACL-ed, you can still clean sIDHistory.
Using ADFIND/ADMOD it will probably take you more time to get coffee than the execution time of the tools.
So why is sIDHistory not cleaned?
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto Senior Consultant MVP Identity & Access - Directory Services
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Markus.Wilhelm@HVBIS.com Sent: Saturday, June 14, 2008 14:36 To: ActiveDir@mail.activedir.org Subject: AW: RE: [ActiveDir] active directory question: migrate objectSID to sIDhistory
Yes and no. The re-acl was done in data, but not the cleaning of sIDhistory.
Thx Markus
kindly regards / Mit freundlichen Grüßen
Markus Wilhelm
----- Original Message ----- From: ActiveDir-owner@mail.activedir.org <ActiveDir-owner@mail.activedir.org> To: ActiveDir@mail.activedir.org <ActiveDir@mail.activedir.org> Sent: Sat Jun 14 14:27:01 2008 Subject: RE: [ActiveDir] active directory question: migrate objectSID to sIDhistory
So to reword what you are saying…
In a previous migration when you migrated from forest A to B you used sIDHistory. However it was never cleaned and the data was not re-ACL-ed? Now you want to migrate to forest C and migrating with sIDHistory results in having a huge access token with too many SIDs?
Is that it?
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Consultant
MVP Identity & Access - Directory Services
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Markus.Wilhelm@HVBIS.com Sent: Saturday, June 14, 2008 11:19 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] active directory question: migrate objectSID to sIDhistory
| | | |
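Guy's two-step approach above (migrate with sIDHistory, then strip on the target side every history value whose domain part is not the one you keep), worked through as an added example that is not from the thread and not a Microsoft or Quest tool: it filters the values so that, as in Markus's table, only the old objectSID survives, and writes an LDIF that deletes the rest one value per change, the way KB 295758 removes them. The domain SIDs, the group DN and the binary SID encoding helpers are constructed for the example; in practice the value list comes from an ADFIND dump or an LDAP query, and the removal needs the same rights as the KB script.

```python
"""Constructed example: keep only the sIDHistory values from the forest we
migrated from and emit an LDIF modify that deletes every other value."""
import base64
import struct
from typing import List


def sid_string_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary layout AD stores: revision,
    sub-authority count, 48-bit big-endian authority, little-endian subs."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 1 <= len(subs) <= 15:
        raise ValueError("unsupported SID: %r" % sid)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_bytes_to_string(blob: bytes) -> str:
    """Decode a binary SID (as returned over raw LDAP) back to string form."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID blob")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def domain_part(sid: str) -> str:
    """Strip the RID: S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c.
    Only domain account SIDs are accepted; anything else in sIDHistory is
    unexpected and should be looked at by hand rather than silently handled."""
    parts = sid.split("-")
    if not sid.startswith("S-1-5-21-") or len(parts) != 8:
        raise ValueError("not a domain account SID: %r" % sid)
    return "-".join(parts[:-1])


def obsolete_history(sid_history: List[str], keep_domain_sid: str) -> List[str]:
    """Values to strip: everything whose domain part is not the forest we
    just migrated from (the only SIDs still referenced by old ACLs)."""
    return [s for s in sid_history if domain_part(s) != keep_domain_sid]


def ldif_delete_values(dn: str, values: List[str]) -> str:
    """One 'delete:' block per value, since AD removes sIDHistory values one
    by one. The attribute is binary, so each value is base64 ('::' syntax)."""
    lines = ["dn: %s" % dn, "changetype: modify"]
    for v in values:
        b64 = base64.b64encode(sid_string_to_bytes(v)).decode("ascii")
        lines += ["delete: sIDHistory", "sIDHistory:: %s" % b64, "-"]
    return "\n".join(lines) + "\n"


# Constructed sample data: domain SIDs and DN are made up for this example.
OLD_FOREST_DOMAIN = "S-1-5-21-1000-2000-3000"      # forest we migrated from
GROUP_DN = "CN=abc,OU=Groups,DC=newforest,DC=example"
GROUP_SID_HISTORY = [
    "S-1-5-21-1000-2000-3000-1234",   # old objectSID of 'abc': keep
    "S-1-5-21-4000-5000-6000-9876",   # inherited from an earlier forest: drop
    "S-1-5-21-4000-5000-6000-9875",   # drop
    "S-1-5-21-7000-8000-9000-9874",   # drop
]

if __name__ == "__main__":
    drop = obsolete_history(GROUP_SID_HISTORY, OLD_FOREST_DOMAIN)
    print(ldif_delete_values(GROUP_DN, drop))
```

Apply the generated LDIF with ldifde or ldapmodify as an account that may remove sIDHistory values, and re-read the attribute after replication to confirm only the kept domain's SIDs remain.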
| ZJORZ
Posts:100
 | | 07/16/2008 9:06 PM |
| So, how was it solved?
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto Senior Consultant MVP Identity & Access - Directory Services
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Markus.Wilhelm@HVBIS.com Sent: Wednesday, June 18, 2008 22:20 To: ActiveDir@mail.activedir.org Subject: AW: RE: RE: RE: RE: RE: RE: [ActiveDir] active directory question: migrate objectSID to sIDhistory
The problem is solved.
Many thx to Markus Vilcinskas and Robert Stampfer from Microsoft Germany.
kindly regards / Mit freundlichen Grüßen
Markus Wilhelm
----- Original Message ----- From: ActiveDir-owner@mail.activedir.org <ActiveDir-owner@mail.activedir.org> To: ActiveDir@mail.activedir.org <ActiveDir@mail.activedir.org> Sent: Sat Jun 14 20:59:57 2008 Subject: RE: RE: RE: RE: RE: RE: [ActiveDir] active directory question: migrate objectSID to sIDhistory
You might consider the following:
1) Migrate with sIDHistory 2) On the target domain script a process of removing the obsolete SIDs from sIDHistory. Should not be that hard - all the SIDs you want to keep will have the same domain part of the SID. Anything else you find in sIDHistory can be wiped.
Have not actually tested this, but looking at http://support.microsoft.com/kb/295758 I see that SIDs in sIDHistory are deleted one-by-one, so I do not expect issues here.
Guy
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Markus.Wilhelm@HVBIS.com Sent: Saturday, June 14, 2008 5:29 PM To: ActiveDir@mail.activedir.org Subject: AW: RE: RE: RE: RE: RE: [ActiveDir] active directory question: migrate objectSID to sIDhistory
The problem i got, was i planned an other way to migrate without sIDhistory. In my plans i wanted to solve this topic by using group-nesting. But there was on little or better big problem, some applications uased the domainlocal groups to set the acl's and so my plans were obsolete. The only chance i have, is to reduce the sid's. So for mapping the attributes in usage of ILM is no Problem. The problem is, how to write this to AD without security-issue on attribute-writing.
Thx Markus Ps. I had only 2 months for the whole planning and to discuss with the collegoues in other countries 
kindly regards / Mit freundlichen Grüßen
Markus Wilhelm
productmanager directory services and microsoft identity information server
*** this message is answered with blackberry ***
HVB IS GmbH Am Tucherpark 12 80538 München Germany
Phone +49(89)37828530 Mobile +49(172)8918842
Email: Markus.Wilhelm@hvbis.com Web: http://www.hvbis.com
HVB Information Services GmbH Member of UniCredit Group, Am Tucherpark 12, 80538 München management: Gabriele Ruf, Klaus Rausch chairman Supervisory Board: Matthias Sohler legal form: GmbH, registered office: München, register court: local court München HR B 93804, tax number 143/800/82007
----- Originalnachricht ----- Von: ActiveDir-owner@mail.activedir.org <ActiveDir-owner@mail.activedir.org> An: ActiveDir@mail.activedir.org <ActiveDir@mail.activedir.org> Gesendet: Sat Jun 14 16:00:26 2008 Betreff: RE: RE: RE: RE: RE: [ActiveDir] active directory question: migrate objectSID to sIDhistory
You are running out of options. Whatever suggestion is thrown into the field there seems to be some reason not to do it. Maybe before the migration, you guys need to prep some stuff, like cleaning Sidhistory or whatever to be able to continue.
At this moment you are experience difficulties. Next time it will be even worse if you not do what must be done (e.g. sidhistory cleanup ior whatever)
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto Senior Consultant MVP Identity & Access - Directory Services
Oxford Computer Group Benelux | O: +31 (0)6 26.26.62.80 | :: +31 (0)33 454.69.50 | : +31 (0)33 454.66.66 | : Hardwareweg 4, 3821BM Amersfoort, The Netherlands www.oxfordcomputergroup.com | Expertise in Identity & Access Management ________________________________________________________________ MVP Profile → https://mvp.support.microsoft.com/profile/jorge1 MVP Home Site → https://mvp.support.microsoft.com/ MVP Overview → https://mvp.support.microsoft.com/mvpexecsum BLOG → http://blogs.dirteam.com/blogs/jorge/default.aspx ________________________________________________________________
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Markus.Wilhelm@HVBIS.com Sent: Saturday, June 14, 2008 15:51 To: ActiveDir@mail.activedir.org Subject: AW: RE: RE: RE: RE: [ActiveDir] active directory question: migrate objectSID to sIDhistory
That's right and i agree with you, but there yery much involved systems and from some we don't know about. So i think that's a solution which is not compatible for our migration. Thx Markus
kindly regards / Mit freundlichen Grüßen
Markus Wilhelm
productmanager directory services and microsoft identity information server
*** this message is answered with blackberry ***
HVB IS GmbH Am Tucherpark 12 80538 München Germany
Phone +49(89)37828530 Mobile +49(172)8918842
Email: Markus.Wilhelm@hvbis.com Web: http://www.hvbis.com
HVB Information Services GmbH Member of UniCredit Group, Am Tucherpark 12, 80538 München management: Gabriele Ruf, Klaus Rausch chairman Supervisory Board: Matthias Sohler legal form: GmbH, registered office: München, register court: local court München HR B 93804, tax number 143/800/82007
----- Originalnachricht ----- Von: ActiveDir-owner@mail.activedir.org <ActiveDir-owner@mail.activedir.org> An: ActiveDir@mail.activedir.org <ActiveDir@mail.activedir.org> Gesendet: Sat Jun 14 15:40:11 2008 Betreff: RE: RE: RE: RE: [ActiveDir] active directory question: migrate objectSID to sIDhistory
sIDHistory is one of the solutions in combination with replacing ACLs (depending on the scenario)
You could also NOT use sIDHistory and ADD new ACLs and later REMOVE old ACLs
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto Senior Consultant MVP Identity & Access - Directory Services
Oxford Computer Group Benelux | O: +31 (0)6 26.26.62.80 | :: +31 (0)33 454.69.50 | : +31 (0)33 454.66.66 | : Hardwareweg 4, 3821BM Amersfoort, The Netherlands www.oxfordcomputergroup.com | Expertise in Identity & Access Management ________________________________________________________________ MVP Profile → https://mvp.support.microsoft.com/profile/jorge1 MVP Home Site → https://mvp.support.microsoft.com/ MVP Overview → https://mvp.support.microsoft.com/mvpexecsum BLOG → http://blogs.dirteam.com/blogs/jorge/default.aspx ________________________________________________________________
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Markus.Wilhelm@HVBIS.com Sent: Saturday, June 14, 2008 15:21 To: ActiveDir@mail.activedir.org Subject: AW: RE: RE: RE: [ActiveDir] active directory question: migrate objectSID to sIDhistory
For users and computers it's not necasary to do this, but they're much more 
Thx Markus
kindly regards / Mit freundlichen Grüßen
Markus Wilhelm
productmanager directory services and microsoft identity information server
*** this message is answered with blackberry ***
HVB IS GmbH Am Tucherpark 12 80538 München Germany
Phone +49(89)37828530 Mobile +49(172)8918842
Email: Markus.Wilhelm@hvbis.com Web: http://www.hvbis.com
HVB Information Services GmbH Member of UniCredit Group, Am Tucherpark 12, 80538 München management: Gabriele Ruf, Klaus Rausch chairman Supervisory Board: Matthias Sohler legal form: GmbH, registered office: München, register court: local court München HR B 93804, tax number 143/800/82007
----- Originalnachricht ----- Von: ActiveDir-owner@mail.activedir.org <ActiveDir-owner@mail.activedir.org> An: ActiveDir@mail.activedir.org <ActiveDir@mail.activedir.org> Gesendet: Sat Jun 14 15:01:55 2008 Betreff: RE: RE: RE: [ActiveDir] active directory question: migrate objectSID to sIDhistory
How many users and computers?
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto Senior Consultant MVP Identity & Access - Directory Services
Oxford Computer Group Benelux | O: +31 (0)6 26.26.62.80 | :: +31 (0)33 454.69.50 | : +31 (0)33 454.66.66 | : Hardwareweg 4, 3821BM Amersfoort, The Netherlands www.oxfordcomputergroup.com | Expertise in Identity & Access Management ________________________________________________________________ MVP Profile → https://mvp.support.microsoft.com/profile/jorge1 MVP Home Site → https://mvp.support.microsoft.com/ MVP Overview → https://mvp.support.microsoft.com/mvpexecsum BLOG → http://blogs.dirteam.com/blogs/jorge/default.aspx ________________________________________________________________
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Markus.Wilhelm@HVBIS.com Sent: Saturday, June 14, 2008 14:59 To: ActiveDir@mail.activedir.org Subject: AW: RE: RE: [ActiveDir] active directory question: migrate objectSID to sIDhistory
So in the current forest the user will still use components which are not yet re-acl'ed. The migrated one in the new forest use only re-acl'ed components. Thats the reason, why they're not done yet. We're talking about round 120.000 groups.
Thx Markus
kindly regards / Mit freundlichen Grüßen
Markus Wilhelm
productmanager directory services and microsoft identity information server
*** this message is answered with blackberry ***
HVB IS GmbH Am Tucherpark 12 80538 München Germany
Phone +49(89)37828530 Mobile +49(172)8918842
Email: Markus.Wilhelm@hvbis.com Web: http://www.hvbis.com
HVB Information Services GmbH Member of UniCredit Group, Am Tucherpark 12, 80538 München management: Gabriele Ruf, Klaus Rausch chairman Supervisory Board: Matthias Sohler legal form: GmbH, registered office: München, register court: local court München HR B 93804, tax number 143/800/82007
----- Original Message ----- From: ActiveDir-owner@mail.activedir.org <ActiveDir-owner@mail.activedir.org> To: ActiveDir@mail.activedir.org <ActiveDir@mail.activedir.org> Sent: Sat Jun 14 14:52:40 2008 Subject: RE: RE: [ActiveDir] active directory question: migrate objectSID to sIDhistory
If the data has been re-ACL-ed, you can still clean sIDHistory.
Using ADFIND/ADMOD it will probably take you more time to get coffee than the execution time of the tools.
So why is sIDHistory not cleaned?
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto Senior Consultant MVP Identity & Access - Directory Services
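To make Jorge's "clean sIDHistory after the re-ACL" suggestion concrete, here is an added example (not from the thread, and not the ADFIND/ADMOD commands he refers to) as a PowerShell script using the ActiveDirectory module. It inventories, per group, which sIDHistory values were issued by a stale source domain (the 9876/9875/9874 values in Markus's table) and removes only those, keeping the immediate predecessor SID (1234) that current ACLs may still reference; fewer sIDHistory values means fewer SIDs in the PAC and a smaller Kerberos ticket. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later, so newer than the W2K3 toolset in the thread), rights to modify sIDHistory, a placeholder domain SID for the stale forest, and that the affected resources were re-ACL'ed beforehand; it is report-only (-WhatIf) unless -Apply is given.

```powershell
# Added example, not from the thread: inventory (and optionally remove) sIDHistory
# values issued by a stale source domain, so migrated groups carry only the SIDs
# that ACLs still reference. Trimming sIDHistory shrinks the PAC/token size.
# Assumes: ActiveDirectory module (RSAT), rights to modify sIDHistory,
# and that affected resources were re-ACL'ed beforehand.
param(
    # Placeholder: domain SID of the forest whose SIDs should no longer be carried.
    [Parameter(Mandatory)] [string] $StaleDomainSid,   # e.g. 'S-1-5-21-111-222-333' (placeholder)
    [string] $SearchBase = (Get-ADDomain).DistinguishedName,
    [switch] $Apply                                     # default is report-only (-WhatIf)
)
Import-Module ActiveDirectory

$stale = [System.Security.Principal.SecurityIdentifier] $StaleDomainSid

# Only groups that actually carry sIDHistory are interesting.
$groups = Get-ADGroup -LDAPFilter '(sIDHistory=*)' -SearchBase $SearchBase -Properties sIDHistory

$report = foreach ($g in $groups) {
    # sIDHistory comes back as SecurityIdentifier objects; AccountDomainSid strips
    # the RID, leaving the domain that issued the SID. Values from other domains
    # (or well-known SIDs, where AccountDomainSid is null) are kept.
    $fromStale = @($g.sIDHistory | Where-Object { $_.AccountDomainSid -eq $stale })
    $keep      = @($g.sIDHistory | Where-Object { $_.AccountDomainSid -ne $stale })

    [pscustomobject]@{
        Group        = $g.SamAccountName
        TotalHistory = @($g.sIDHistory).Count
        StaleValues  = $fromStale.Count
        KeptValues   = $keep.Count
    }

    if ($fromStale.Count -gt 0) {
        # Remove only the stale values; the remaining sIDHistory entries stay.
        # -Remove takes a hashtable of attribute -> value(s); SDDL strings are accepted.
        $values = @{ sIDHistory = @($fromStale | ForEach-Object { $_.Value }) }
        Set-ADGroup -Identity $g.DistinguishedName -Remove $values -WhatIf:(-not $Apply)
    }
}

# Summary: how many SID values the clean-up takes out of logon tokens overall.
$report | Sort-Object StaleValues -Descending | Format-Table -AutoSize
'{0} groups inspected, {1} stale sIDHistory values found' -f $report.Count,
    ($report | Measure-Object StaleValues -Sum).Sum
```

Run it once without -Apply and review the WhatIf output against the re-ACL inventory before removing anything, since a SID removed from sIDHistory can no longer satisfy an ACE that still names it.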
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Markus.Wilhelm@HVBIS.com Sent: Saturday, June 14, 2008 14:36 To: ActiveDir@mail.activedir.org Subject: AW: RE: [ActiveDir] active directory question: migrate objectSID to sIDhistory
Yes and no. The re-ACL was done on the data, but not the cleaning of sIDHistory.
Thx Markus
----- Original Message ----- From: ActiveDir-owner@mail.activedir.org <ActiveDir-owner@mail.activedir.org> To: ActiveDir@mail.activedir.org <ActiveDir@mail.activedir.org> Sent: Sat Jun 14 14:27:01 2008 Subject: RE: [ActiveDir] active directory question: migrate objectSID to sIDhistory
So to reword what you are saying…
In a previous migration when you migrated from forest A to B you used sIDHistory. However it was never cleaned and the data was not re-ACL-ed? Now you want to migrate to forest C and migrating with sIDHistory results in having a huge access token with too many SIDs?
Is that it?
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Consultant
MVP Identity & Access - Directory Services
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Markus.Wilhelm@HVBIS.com Sent: Saturday, June 14, 2008 11:19 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] active directory question: migrate objectSID to sIDhistory
Hi all,
I have to migrate groups from one forest to another. In the past I did the migrations including the old sIDHistory. Now I have the problem that the Kerberos ticket size is really big, and I decided to migrate only the objectSID to the sIDHistory of the new forest. So I opened a case with Microsoft and they told me there is no possibility to do this with Microsoft tools. We use W2K3 Active Directory in native mode.
I tried to use MIIS 2003 to map the attributes directly and I wondered about the permission-issue message. Now I found articles which describe that a migration in this way isn't possible. The only way they told me is to delete the sIDHistory in the old forest, but this is not possible right now.
So now my question: has anybody any idea how to solve this problem?
Here is an example:
| attribute | original forest | new forest should have |
| group | abc | abc |
| objectSID | 1234 | 5678 |
| sIDHistory | 9876 | 1234 |
| sIDHistory | 9875 | |
| sIDHistory | 9874 | |
The reason I want to solve it this way is to minimize the sIDHistory. For the ACLs in the past, I think the objectSID would be set in the ACL, so the sIDHistory from the original forest is not necessary anymore.
Thanks and regards, Markus
Important Note: This e-mail is only intended for the person or company/organisation named as recipient. It may contain trade secrets or undisclosed and confidential information or information otherwise protected by work-product immunity or other legal regulations. If you have received this email by mistake, we kindly ask you not to copy this message or use it for any purpose nor disclose its contents to any other person. Please inform us immediately and delete the original document. In addition, please let us know if you or your company object to receiving e-mails for messages of this kind.