Domain consolidation - Effects on SharePoint

  • Question

  • Hi,
    Has anyone gone through a domain consolidation exercise and had to change/administrate the SharePoint side of things? I'm interested in hearing your experiences in how you managed this.

    To my mind there are 4 areas to consider:

    1. Permissions obviously - did you use an internally developed application, or are there 3rd party products out there on the market?
    2. My Sites - with new accounts being created how did this affect your deployment? I'm thinking we will have to ditch the existing sites and restore on request - not pretty with hundreds of existing site collections for My Sites, but I doubt they are heavily utilised in our environment.
    3. My Links - we have a tool for migrating those if necessary, thankfully!
    4. SSP Profile Import configuration - not expecting anything too difficult here??

    Information provided by my AD technical team:

    They are using the Quest migration software for the AD migrations

    We will be using SID history which will help with a lot of the security aspects as the migrated account will appear to be the same as the original from an AD security point of view, but obviously a lot of testing we will need to do - and by the sounds of it a fairly big clean up exercise as well!

    Does SharePoint store the actual SID for the domain account at all? If so, we might not have such a major issue with the permissions aspect.

    Thanks,
    Jason.
    Wednesday, June 20, 2012 8:30 AM

Answers

  • When you migrate the users from one Domain to another they are assigned a new SID in the new domain. The old SID is still part of their AD record, so AD groups recognize them by either SID. That's why users who gain access to SharePoint via AD group membership still work, because the SID of the AD group hasn't changed. SharePoint doesn't recognize History SIDs, only the main SID of a user account. So after migrating you need to run STSADM -migrateuser to change the SharePoint entries to the NEW domain's SID or -ignoresidhistory flag reason for the -migrateUser command in STSADM.

    Friday, June 22, 2012 10:04 AM
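
The migration step described in the answer above, as an added example that is not part of the original thread: a PowerShell wrapper that runs `stsadm -o migrateuser` for each old-to-new login pair, printing the commands by default and executing them only with `-Execute`. The CSV column names, the sample domains and users, and the 12-hive path (MOSS 2007, inferred from the SSP mention) are assumptions.

```powershell
# Added example: batch "stsadm -o migrateuser" driven by an old->new login mapping.
# Assumptions: CSV columns OldLogin,NewLogin; 12-hive path (use 14 for SharePoint 2010).
param(
    [string]$MappingCsv,          # optional CSV; constructed sample rows are used if omitted
    [string]$Stsadm = "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\12\BIN\stsadm.exe",
    [switch]$IgnoreSidHistory,    # pass -ignoresidhistory through to stsadm
    [switch]$Execute              # without this switch the script is a dry run
)

$rows = if ($MappingCsv) { Import-Csv -Path $MappingCsv } else {
    # Constructed sample mapping (hypothetical domains and users, one bad row)
    'OldLogin,NewLogin',
    'OLDDOM\jsmith,NEWDOM\jsmith',
    'OLDDOM\adoe,NEWDOM\adoe',
    'jbloggs,NEWDOM\jbloggs' | ConvertFrom-Csv
}

$loginPattern = '^[^\\\s]+\\[^\\\s]+$'   # DOMAIN\user, exactly one backslash, no spaces

$results = foreach ($row in $rows) {
    $old = "$($row.OldLogin)".Trim()
    $new = "$($row.NewLogin)".Trim()
    $status = 'DryRun'

    if ($old -notmatch $loginPattern -or $new -notmatch $loginPattern) {
        $status = 'Skipped: expected DOMAIN\user'
    } elseif ($old -ieq $new) {
        $status = 'Skipped: old and new login are identical'
    } else {
        $stsArgs = @('-o', 'migrateuser', '-oldlogin', $old, '-newlogin', $new)
        if ($IgnoreSidHistory) { $stsArgs += '-ignoresidhistory' }
        Write-Host "$Stsadm $($stsArgs -join ' ')"
        if ($Execute) {
            & $Stsadm @stsArgs | Out-Host
            $status = if ($LASTEXITCODE -eq 0) { 'Migrated' } else { "Failed (exit $LASTEXITCODE)" }
        }
    }
    # One record per mapping row so failures and skips can be reviewed afterwards
    New-Object PSObject -Property @{ OldLogin = $old; NewLogin = $new; Status = $status }
}

$results | Format-Table OldLogin, NewLogin, Status -AutoSize
```

Run it on a farm server with farm administrator rights, and review the dry-run output before adding `-Execute`.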