Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

SengJira

4 Posts

3203

July 9th, 2015 21:00

Moving Isilon to new AD

My customer wants to migrate user from old AD forest to new one. They need to migrate permission for Domain1\User1 to Domain2\User1. For Windows server they would just use ADMT to migrate user to new AD. All sid's and account info will be migrate by ADMT tool.

In this case what happens to share permission on Isilon? Will be permission be retained or should customer do anything else?

johnsonka

130 Posts

July 10th, 2015 09:00

Hello sengjira ,

 

Thank you for your question! Are you looking to utilize the SID history functionality in Active Directory? If so, the cluster cannot currently support that attribute.

 

Your best option for migrating domains and managing your permissions with EMC assistance would be to contact your EMC account representatives and request an engagement with our professional services team. This would allow for someone to sit down with you and design a solution for any permission changes to make your cut over as seamless as possible. Please let me know if there is anything else I can look in to for you!

carlilek

205 Posts

July 12th, 2015 06:00

We recently went through this process, but our ADs had trusts (but not a shared forest) and our on disk identity was UNIX. If that is the case for you, I'd be happy to share some info about what we did.

crklosterman

450 Posts

July 14th, 2015 11:00

EMC PS has a utility called ‘mapsid’ that can perform a treewalk if provided a translation table ahead of time which will find and replace

OLDSID:NEWSID in all file ownership and in all ACE entries in ACLs but it can only be used during a PS engagement so contact your EMC account team. Alternatively there are a ton of Microsoft Technet blogs on using powershell to fix this as part of the AD migration:

Here is one example:

http://blogs.technet.com/b/ashleymcglone/archive/2011/09/16/powershell-sid-walker-texas-ranger-part-2.aspx

~Chris

Chris Klosterman

Email: chris.klosterman@emc.com

Advisory Solution Architect

Offer and Enablement Team

EMC²| Emerging Technologies Division

crklosterman

450 Posts

July 15th, 2015 00:00

No, Isilon does not support SidHistory, you'll need to translate the old security descriptors to new ones. For more information please reference KB88513 on support.emc.com.  Disclaimer: I wrote it.

~Chris

SengJira

4 Posts

July 15th, 2015 00:00

Customer will migrating the Users/Groups/Computers etc. by retaining the SID History.

Share configuration on Isilon, User ids belonging to the source domain are having permissions on the shares.

After migrating the user to a new domain (while retaining SID History), will the users be able to access the shares on the Isilon.

I expect them to be able to access due to the SID History. Is my understanding correct.

View More

View All

No Events found!

Top