Moving to new AD domain


cmjtu...@gmail.com

Sep 13, 2017, 10:35:01 AM
to Isilon Technical User Group
Morning,

I am wondering if anyone has moved an Isilon from one AD to another. In our case, they are trusted. We only have CIFS shares. Isi ver=7.2.1.3.

Anyone have any experience doing this? Pretty simple?

Thanks,

-C.

Dan Pritts

Sep 13, 2017, 11:07:29 AM
to isilon-u...@googlegroups.com
I expect you'll have trouble with file ownership. I think Isilon stores the ownership as the SID, and the SIDs will be different in the new domain.

You can probably write a script on the cluster to change ownership to the appropriate new user.

That'll take a while. If you have SSD for metadata acceleration, that will help tremendously. It'll scale roughly linearly with the number of files in the cluster. You should be able to parallelize the job.

Perhaps as a transitional step, keep the old AD configured as an auth source, and set up a user mapping rule to tell the cluster that DOMAIN1\username = DOMAIN2\username. Then run the chown job, specifying the new domain user as the new owner.

This would work in principle if you had AD + LDAP. I'm not sure whether you can have multiple AD auth sources, though.




--
Dan Pritts
ICPSR Computing & Network Services
University of Michigan

Steve Bogdanski

Oct 3, 2017, 4:12:45 PM
to Isilon Technical User Group
I would recommend updating to 7.2.1.5, which is current target code, so that you have support for SID History:


    Authentication modifications and enhancements in OneFS 7.2.1.5:
    Support was added for the security identifier (SID) history attribute (ID 181080)

We were able to use SID History in 7.2 code (now on 8.0.0.4) but it wasn't supported and EMC was rather surprised that it worked. However, it is fully supported in 7.2.1.5 and that means that you can import the old SIDs from your current AD domain into the respective users in the new AD domain that you want to migrate to. Setting up user mapping rules should work as well, but I feel it is much more complicated than the simpler SID History method.
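
A pre-cutover check for the SID History approach discussed in this thread, as an added example that is not part of any poster's message and is not Isilon or EMC code. It assumes both domains' users have been exported to the name/SID mappings shown (a hypothetical format), and every account name and SID in it is constructed; it flags accounts whose sIDHistory would leave old file ownership unresolved or would hand over someone else's access.

```python
# Added example. All account names and SIDs below are constructed.
OLD = "S-1-5-21-1111111111-2222222222-3333333333"   # old domain SID (made up)
NEW = "S-1-5-21-4444444444-5555555555-6666666666"   # new domain SID (made up)

# Assumed export format: old domain maps name -> objectSid,
# new domain maps name -> (objectSid, list of sIDHistory values).
OLD_USERS = {
    "alice": f"{OLD}-1104",
    "bob": f"{OLD}-1105",
    "carol": f"{OLD}-1106",
    "svc_backup": f"{OLD}-1107",
    "dave": f"{OLD}-1108",
}
NEW_USERS = {
    "alice": (f"{NEW}-2201", [f"{OLD}-1104"]),                     # correct
    "bob": (f"{NEW}-2202", []),                                    # history not imported
    "carol": (f"{NEW}-2203", [f"{OLD}-1105"]),                     # bob's SID by mistake
    "svc_backup": (f"{NEW}-2204", [f"{OLD}-1107", f"{OLD}-512"]),  # 512 = Domain Admins
}

def audit_sid_history(old_users, new_users):
    """Return {account: [issues]} for accounts whose sIDHistory is not exactly right."""
    owner_of = {sid: name for name, sid in old_users.items()}
    findings = {}
    for name, old_sid in old_users.items():
        if name not in new_users:
            findings[name] = ["no account in new domain"]
            continue
        issues = []
        history = new_users[name][1]
        if old_sid not in history:
            issues.append("own old SID missing from sIDHistory")
        for sid in history:
            if sid == old_sid:
                continue
            rid = int(sid.rsplit("-", 1)[1])
            if rid < 1000:  # domain RIDs below 1000 are built-in accounts and groups
                issues.append(f"built-in RID {rid} in sIDHistory")
            elif sid in owner_of:
                issues.append(f"carries old SID of {owner_of[sid]}")
            else:
                issues.append(f"unknown SID {sid} in sIDHistory")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for account, issues in audit_sid_history(OLD_USERS, NEW_USERS).items():
        print(account, "->", "; ".join(issues))
```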

saurabh chaudhary

Apr 16, 2018, 12:41:18 PM
to Isilon Technical User Group
I agree with Daniel's notes regarding the SIDs. Those will be changed if the end users are also migrated to the new domain.

But you can add the new domain in the Authentication Providers, Active Directory tab, and also proceed with the new SmartConnect zone name configuration for the new domain, with access to the old System Access Zone in Isilon. This way you are able to access the shares in the old and new domain at the same time, with the old SmartConnect zone name and the new SmartConnect zone name.

As a step-by-step approach, you can add new domain AD user\group ID access to each Windows share. (This is to be done if the end users' AD IDs or AD groups are also migrating to the new domain.)

At the end, remove the old SmartConnect zone configuration from Isilon and AD, and add an alias of the old SmartConnect zone name to the new SmartConnect zone name in AD.


Regards,
Saurabh Chaudhary