AD Domain Consolidation Notes

The AD domain environment is the foundation of Microsoft's entire product ecosystem; most Microsoft applications depend on it. In some cases, because of company acquisitions or planning decisions, you will need to migrate and consolidate AD domains, or grant resource access across two AD forests.


Since Microsoft's official documentation already provides detailed information and implementation steps, those are not repeated here. This article only describes some of the problems that are relatively easy to run into during an AD consolidation, so that readers understand this scenario.


Cross-forest access authorization


Background

I recently implemented a domain consolidation project. Because of a merger and acquisition at the client company, all users and groups from the old A domain had to be migrated into the new B domain (using Microsoft's ADMT migration tool). For other reasons, the migration had to be gradual and would last a long time, about a year (all accounts and groups would be migrated first, ahead of everything else).


During this period, some users would still be using their old accounts in the A domain, while users who had already been migrated would be using their new accounts in the B domain.


In this scenario, both old and new users had to be taken into account, and we had to plan how to authorize B-domain users when the file server resources were still in the old A domain.


Authorization issues

File servers are generally authorized through groups for ease of management, so this article focuses on the group authorization scenario: B-domain users accessing an A-domain file server. Authorizing individual users is relatively simple and is not discussed.


According to how AD user access to resources works, when a user accesses a file server resource, the user is first authenticated against the domain controller of the domain where the resource is located, which verifies whether the user account has permission. For group-based authorization, the group membership information in the user's account is examined to make that decision.


If the user account's group membership includes a group that has been granted permission on the resource, the user is granted access with that group's permission settings.


Based on the above, we concluded that for group authorization we only needed to grant the group permission on the shared resource on the A-domain file server, and then add the B-domain user to the corresponding group. (All A-domain groups had already been migrated to the B domain with SID History using ADMT cross-forest migration.)


But in actual testing, I found that it did not work as we expected: some users added to the corresponding B-domain group did not get the corresponding permissions; only after the user was also added as a member of the same group in the A domain did the permission take effect. Repeated tests confirmed this.


Problem cause

After detailed analysis and testing, we found that the problem is actually very simple: it was not a problem with our understanding of how access works, but that we had ignored the type of the migrated groups.


Groups come in several types: domain local, global, and universal. By definition, the different group types naturally have different scopes. The test results are shared directly with the reader:

(Table of test results by group type: image not reproduced.)

As the table shows, because the scope of each group type differs, only permissions granted through global and universal groups follow the user's own domain (B); permissions granted through domain local groups are evaluated only in the domain where the resource is located (A), which is why the user must also be a member of the A-domain group.
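The following script is an added example, not code from the original post: it finds B-domain users who are in a migrated domain-local group but whose old A-domain account is not in the matching A-domain group, i.e. exactly the users who will be denied on the A file server. The DC names are placeholders; it assumes the ActiveDirectory module, a forest trust with read access to both domains, and objects migrated with ADMT so that sIDHistory carries the old A-domain SIDs.

```powershell
# Added example, not code from the original post. For every migrated domain-local group in the
# target domain B, list B users whose old A-domain account is not (or no longer) in the matching
# A-domain group, i.e. users who will be denied on the A file server despite their B membership.
# Assumptions: ActiveDirectory module, a forest trust and read access to both domains, and
# groups/users migrated with ADMT so that sIDHistory carries the old A-domain SIDs.
param(
    [string]$SourceDc = 'dc1.a.example',   # placeholder: a DC of the old domain A
    [string]$TargetDc = 'dc1.b.example'    # placeholder: a DC of the new domain B
)
Import-Module ActiveDirectory

# Only domain-local groups need this check: a DC expands domain-local groups only for its own
# domain, so a B domain-local group is never evaluated when the user opens a share in A. Global
# and universal group SIDs (and sIDHistory SIDs) travel in the user's token from B and do work.
$targetGroups = Get-ADGroup -Server $TargetDc -Filter 'GroupScope -eq "DomainLocal"' -Properties sIDHistory

$gaps = foreach ($bGroup in $targetGroups) {
    $oldGroupSid = @($bGroup.SIDHistory) | Select-Object -First 1
    if (-not $oldGroupSid) { continue }          # not a migrated group, nothing to compare against

    # Get-ADGroup accepts a SID as -Identity, so the sIDHistory entry resolves the original A group.
    $aGroup = Get-ADGroup -Server $SourceDc -Identity $oldGroupSid -ErrorAction SilentlyContinue
    if (-not $aGroup) { continue }               # A group was deleted: no A-side permission to inherit

    # Transitive members of the A group, compared by SID so nested groups are handled too.
    $aMemberSids = @(Get-ADGroupMember -Server $SourceDc -Identity $aGroup -Recursive -ErrorAction SilentlyContinue |
                     ForEach-Object { $_.SID.Value })

    $bUsers = Get-ADGroupMember -Server $TargetDc -Identity $bGroup -Recursive -ErrorAction SilentlyContinue |
              Where-Object { $_.objectClass -eq 'user' }
    foreach ($member in $bUsers) {
        $bUser  = Get-ADUser -Server $TargetDc -Identity $member.DistinguishedName -Properties sIDHistory
        $oldSid = @($bUser.SIDHistory) | Select-Object -First 1
        $oldValue = if ($oldSid) { $oldSid.Value } else { '(no sIDHistory)' }
        # Covered on the A file server only if the old A account is still in the A group.
        if (-not $oldSid -or $aMemberSids -notcontains $oldSid.Value) {
            [pscustomobject]@{
                TargetGroup = $bGroup.Name
                SourceGroup = $aGroup.Name
                User        = $bUser.SamAccountName
                OldAccount  = $oldValue
            }
        }
    }
}
$gaps | Format-Table -AutoSize
```

Each row is a user who needs to be added to the A-domain group (the workaround found above) or whose B-domain group should be recreated as global or universal.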


Users cannot log in after migration


Background

After the user migration in the project described above was completed, we found that some users could not log in, with the following logon prompt:

During a logon attempt, the user's security context accumulated too many security IDs



Analyzing and solving the problem

The cause can be found quickly by searching for the error text directly; Microsoft's official documentation describes it as follows:


Windows has a built-in restriction: a user's security access token may contain no more than 1,000 security identifiers (SIDs). When the user authenticates to establish a new session with a server, the user must not be a member of more than 1,000 groups in the domain; if this limit is exceeded, access to the server is denied.


Reference links:

https://support.microsoft.com/en-us/help/275266/error-message-during-a-logon-attempt-the-user-s-security-context-accum


I checked this environment and recalled the project implementation process, and found that the users who could not log in were members of a very large number of groups.


Although this project's AD environment belongs to a large international company and does indeed have a great many groups, it is still quite difficult to reach the 1000 limit.


Finally, I found the main reason: in this project the AD users and groups had been migrated twice, each time with SID History, so the number of group SIDs each user carried was effectively multiplied by 3. Users who already belonged to many groups therefore exceeded the 1000 limit after the two migrations.


Once the cause was found, the solution was also simple: for the users who could not access resources, sort out their group memberships and remove the ones they do not need until the count drops below 1000.
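As an added example (not code from the original post), the following script estimates how many SIDs each user's token will contain, counting the sIDHistory entries on the user and on every group the way the post describes, and flags accounts near the 1,000-SID limit. It assumes the ActiveDirectory module and read access to the domain; the OU path, threshold and the allowance for well-known SIDs are assumptions.

```powershell
# Added example, not code from the original post. Estimate the number of SIDs in a user's access
# token (user SID, each group SID, and every sIDHistory entry on the user and on the groups) and
# flag accounts near the 1,000-SID limit. Assumes the ActiveDirectory module and read access to
# the domain; the OU path and threshold are placeholders.
param(
    [string]$SearchBase = 'OU=Migrated,DC=b,DC=example',
    [int]$Threshold = 900
)
Import-Module ActiveDirectory

function Get-TokenSidEstimate {
    param([Microsoft.ActiveDirectory.Management.ADUser]$User)

    # Escape the DN for use inside an LDAP filter (backslash first, then parentheses and asterisk).
    $dn = $User.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'

    # LDAP_MATCHING_RULE_IN_CHAIN returns every group the user belongs to at any nesting depth,
    # which is what the user's own DC expands into the token.
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" -Properties sIDHistory)

    # Each migration with SID History adds one SID per object: a twice-migrated group contributes
    # its current SID plus two historical SIDs, which is the "times 3" effect described in the post.
    $groupSids   = ($groups | ForEach-Object { 1 + @($_.SIDHistory).Count } | Measure-Object -Sum).Sum
    $historySids = @($User.SIDHistory).Count +
                   ($groups | ForEach-Object { @($_.SIDHistory).Count } | Measure-Object -Sum).Sum

    # 1 user SID + primary group (not listed in memberOf) + groups and history; the trailing
    # constant is an assumed rough allowance for well-known/logon SIDs (Everyone, Authenticated Users, ...).
    $estimate = 1 + 1 + @($User.SIDHistory).Count + $groupSids + 8

    [pscustomobject]@{
        User          = $User.SamAccountName
        Groups        = $groups.Count
        HistorySids   = $historySids
        EstimatedSids = $estimate
        # Groups that cost the most token slots are the first candidates for cleanup.
        TopGroups     = ($groups | Sort-Object { @($_.SIDHistory).Count } -Descending |
                         Select-Object -First 5 -ExpandProperty Name) -join ', '
    }
}

Get-ADUser -SearchBase $SearchBase -Filter * -Properties sIDHistory |
    ForEach-Object { Get-TokenSidEstimate -User $_ } |
    Where-Object { $_.EstimatedSids -ge $Threshold } |
    Sort-Object EstimatedSids -Descending |
    Format-Table -AutoSize
```

The estimate covers the user's own domain; when the user opens a share in another domain, that domain's domain-local groups are added on top, so the real count on the A file server can be higher.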


Additional issues


  • When using ADMT for AD user migration: in an intra-forest migration the user account is moved, so after the migration the source-domain account disappears; in a cross-forest migration the user account is copied, so the source-domain account is retained.


  • Users migrated with ADMT can be migrated multiple times across multiple domains, as long as SID History is carried along so that their permissions in the source domain are retained.


  • SID filtering must be disabled before migrating with ADMT. Testing found that the command to disable SID filtering had no effect in the Chinese version of Windows Server 2016, while it worked in the English version. A workaround for the Chinese version may be to download the English language pack and switch the system language entirely to English, after which the command executes properly.


Author: Boven


Origin: blog.51cto.com/11811406/2428206