
Subject: Re: [ActiveDir] ADMT: update changes to group membership during migration

Author: RickSheikh
05/27/2010 6:22 PM
I think it depends on the migration schedule. If your servers (or other
resources with ACLs) are getting migrated right after all your users and
groups have migrated (with SID), then perhaps it's not necessary to continue
to modify the group memberships in the source domain, i.e. access to the
legacy resources where the ACEs were for explicit accounts, the account's SID
comes into play; access to the resources via a group membership, the group's
SID comes into the picture.

During the computer migrations, as part of the process, the Security
Translation translates all ACLs on the resources to the Groups that will now
have been migrated to the Target domain and have the reference in the ADMT's
DB.

Having said that, you will run into the situation you cited should there
be a long gap between your users/groups migration and the servers
migrations. For sync process the "include files" come pretty handy. You
still need to maintain the up-to-dateness during the migration however.

Others' experiences may vary; I have found the best results in pacing
migrations as such when the servers are not living in the source domain for
far too long after all other resources have been migrated to the target
domain. Something which is always not very simple.

Other issues arise when the new AD model is that of multi-domain. If your
servers (due to various reasons) continue to live in the source domain
whereas the users from your new forest (multiple child domains) needing
access to the resource in the source domain, and due to the group nesting
restriction you end up creating new Domain Local groups in the source domain
so that you can take the GGs from the new domains and nest to provision
access. Now you end up with new groups in the source domain which you have
to play catch up on. If you don't, the access will be broken when the
servers do get migrated, as the Security Translation has no referential
groups in target domain to translate it to. One thing you could do in that
instance is sweep your old domain for all groups that have been created since
a specific date and migrate them before you migrate the servers. Messy.

On Thu, May 27, 2010 at 8:21 AM, Thomas Vuylsteke <
Thomas.Vuylsteke@realdolmen.com> wrote:

> I’m doing some tests with the migration of users/groups between two
> forests. From the ADMT guide I read that it is advised to (if necessary)
> always perform group membership changes in the source forest and re-run
> group synchronization now and then. This way changes can be merged to the
> target forest.
>
>
>
> Am I correct that this will only synchronize changes such as adding object
> X to group Y? And that changes such as remove object X from group Y are not
> synchronized. So if a user is removed from a group, this change will *not*
> be performed in the target forest.
>
>
>
> Is my understanding correct? I’m not really thinking this is a problem. I
> just want to have a clear understanding of the rules for administering group
> memberships in the transition phase.
>
>
>
> Kind regards,
>
> Thomas
>
>
>
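
The sweep suggested in the reply above (find groups created in the source domain since a given date, before the servers are migrated), as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module, read access to both domains, and that groups were migrated with SID history as the reply describes; the domain names, cutoff date and output path are placeholders.

```powershell
# Added example (not from the thread). Placeholders: domain names, cutoff date, output path.
Import-Module ActiveDirectory

$SourceDomain = 'source.example.com'    # placeholder: legacy domain still hosting the servers
$TargetDomain = 'target.example.com'    # placeholder: domain the groups were migrated to
$Cutoff       = Get-Date '2010-01-01'   # placeholder: date of the last group migration pass

# whenCreated is an LDAP generalized-time attribute, so build the literal in UTC.
$stamp = $Cutoff.ToUniversalTime().ToString('yyyyMMddHHmmss') + '.0Z'

# Every group created in the source domain on or after the cutoff.
$newGroups = Get-ADGroup -Server $SourceDomain `
    -LDAPFilter "(whenCreated>=$stamp)" `
    -Properties whenCreated

$report = foreach ($g in $newGroups) {
    # Assumption: a group migrated with SID carries the source SID in sIDHistory,
    # so a target group matching on that value means it has already been migrated.
    $sid      = $g.SID.Value
    $migrated = Get-ADGroup -Server $TargetDomain -LDAPFilter "(sIDHistory=$sid)"

    [pscustomobject]@{
        SourceName  = $g.SamAccountName
        GroupScope  = $g.GroupScope
        WhenCreated = $g.whenCreated
        SourceSid   = $sid
        InTarget    = [bool]$migrated
    }
}

# Groups with no counterpart in the target: ACEs that reference them would have
# nothing to be translated to when the servers are migrated.
$pending = $report | Where-Object { -not $_.InTarget } | Sort-Object WhenCreated
$pending | Format-Table -AutoSize
$pending | Export-Csv -Path '.\groups-to-migrate.csv' -NoTypeInformation
```

Running it again after each group migration pass should shrink the list to empty before the server migration starts.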
