How do I retain source domain membership of Global Groups and Local Groups, so that users that have (NETIQKB34644)

  • 7734644
  • 02-Feb-2007
  • 07-Feb-2008


How do I retain source domain membership of Global Groups and Local Groups, so that users that have not been migrated yet, can maintain access after the resource is migrated and translated?

Domain Migration Administrator 7.x


Please refer to the following:

  1. Unmigrate Global Groups (GG).

    • This step is only necessary if the Global Groups have already been migrated. This will allow migration of the Domain Local Groups which will then contain references to the source domain objects that have not yet been migrated.

  2. Migrate the Domain Local Groups (DLG).

    • After this migration, you would see that the migrated DLG contains pointer objects which are references to the source accounts.  We need these in tact so that the source accounts can still have access.  If we had not removed the GG entries from the table mentioned above, Domain Migration Administrator (DMA) would have exchanged the source accts. with the target accts. thereby removing the source's access.

  3. Re-migrate the GGs you removed from the table in Step 1.

    • You may need to use the Replace and Update ... option since the accounts already exist in the AD, and use the SID History option.  You will not need to migrate the members.

  4. Migrate the shares to the target server.

    •  You would have to do this with Server Consolidator utility.

  5. Translate security on the target shares in Add Mode.

    • DMA translates security based on the accounts and machines you specify in the translation wizard.  You would choose the appropriate accounts for both and choose at least "Shares" and "Local Groups" as objects for translation.  The "Share" option will add the target DLC to the share's ACL.  The "Local Groups" option will add the target GG to the target DLC.

After this process, you should end up with Shares on the target machine which are secured by DLCs from the target domain and those DLCs will contain both source account references (pointers) and actual target GGs.  This should allow access to the appropriate source and target users.

Additional Information

Formerly known as NETIQKB34644