
Not sure how to approach this migration scenario (5 Forests > 1) Domain E is not clear to me

Hello All,

Source Domains a mix of 2003 & 2008R2 > Target 2012 R2

Migrate Domains A-E > Domain F
Everyone trusts each other (SidHistory enabled)

The following is just one example of the way groups have been set up and nested
(User and resource Forest)
Source Domain A
GG-DomainA (Global security Group)

(User and resource Forest)
Source Domain B
GG-DomainB (Global security Group)

(User and resource Forest)
Source Domain C
GG-DomainC (Global security Group)

(User and resource Forest)
Source Domain D
GG-DomainD (Global security Group)

(Resource Forest for above forests)
Source Domain E
DL-DomainE (Domain Local Security Group) with all GG-Domain (A-D) nested within. This is just one of a number of groups that are DLs in this forest that were created to give access to data. 100s of DLs with nested groups from the other domains (GG-DomainA-D). In turn, these DLs (DL-DomainE) have been assigned permissions on the data that resides in this forest.


Target Forest F
Migrate Forests A-E here.

Which is the best way to tackle (migrate) such a scenario?

Please assist,
Jeffrey

  • * For a one to one migration
    DomainA\GG-Resource = DomainF\GG-Resource-DA
    DomainB\GG-Resource = DomainF\GG-Resource-DB
    And so on

    * For a many to one migration
    DomainA\GG-Resource = DomainF\GG-Resource
    DomainB\GG-Resource = DomainF\GG-Resource
    And so on

    Will the user (with SidHistory along with the groups' SidHistory) that has been migrated from A > F still have access to the resources in E? Actually, no. The domain local group SID will not be present in the user's access token, so access will be denied.

    To resolve this you will use the Active Directory Processing Wizard (ADPW) to process group membership in domain E. This will add domain F global groups to the domain E domain local groups, and maintain access.
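
A way to check the result of that processing step, added here as an example (it is not part of the reply above and not ADPW's own code): a read-only PowerShell report that, for every domain local group in domain E, finds the domain F group carrying each nested member's SID in its sIDHistory and shows whether that F group has been added yet. The two server names are placeholders, and the script assumes the ActiveDirectory module and read access to both forests over the existing trusts.

```powershell
Import-Module ActiveDirectory

# Placeholder names (assumptions): a DC or domain name for each side.
$ResourceDC = 'domainE.example'   # resource forest holding the DL groups
$TargetDC   = 'domainF.example'   # migration target forest

$report = foreach ($dl in Get-ADGroup -Server $ResourceDC `
                         -Filter "GroupScope -eq 'DomainLocal'" -Properties member) {

    # SIDs of everything nested in this DL group. Members from other forests are
    # foreignSecurityPrincipal objects whose objectSid is the foreign group's SID.
    $memberSids = @(
        foreach ($dn in $dl.member) {
            (Get-ADObject -Server $ResourceDC -Identity $dn -Properties objectSid).objectSid.Value
        }
    ) | Where-Object { $_ }          # skip members that have no SID (e.g. contacts)

    foreach ($sid in $memberSids) {
        # A group in F whose sIDHistory holds this SID is the migrated copy of that
        # member. In a many-to-one merge several source SIDs resolve to the same
        # F group, so the same TargetGroup can appear on more than one row.
        foreach ($g in Get-ADGroup -Server $TargetDC -LDAPFilter "(sIDHistory=$sid)") {
            [pscustomobject]@{
                DomainLocalGroup = $dl.Name
                SourceMemberSid  = $sid
                TargetGroup      = $g.Name
                # True once the F group itself is a member of the DL group in E
                TargetGroupAdded = $memberSids -contains $g.SID.Value
            }
        }
    }
}

# Rows with TargetGroupAdded = False sort first: DL groups still missing the F group.
$report | Sort-Object TargetGroupAdded, DomainLocalGroup, TargetGroup |
    Format-Table -AutoSize
```

Source members that have no migrated counterpart in F produce no row, so an empty report before any groups are migrated is expected.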
