Migration to a new Active Directory | SQL Server Performance Forums

We are migrating from the existing AD to a new AD, and because of that all the network accounts have to be updated while keeping the rights the users have on the specific SQL Servers/databases. Our environment consists of SQL Server 6.5/7.0/2000 servers on NT 4.0 and Win 2000 servers. Until now I have two solutions: the manual one, and the one that uses sp_sidmap but requires the databases to be set offline so the old server logins can be deleted before adding the new network logins, without deleting their database access. Neither solution is optimal in my case: the first one takes too much time, and the second one, because we are doing the migration in multiple steps, will require the databases to be offline too many times. Does anyone have experience with this? Is there a script somewhere that can remap the database users to the new domain accounts? Greatly appreciate any help.

???? How are you doing the AD migration? If you migrate the logins appropriately, the SID should be migrated. Did you maintain the old domain name as an alias?
MeanOldDBA
When life gives you a lemon, fire the DBA.

I am preparing now for the migration, but as far as I know, since I will be changing the users from, let’s say, olddomainuser to newdomainuser, changing the domain will not keep the SID, since the SID is SQL Server specific, not AD specific. I will have to add the newdomainuser and reassign all the database rights from the olddomainuser to the newdomainuser.
Ionel

SID is not SQL Server specific. It’s derived from NT/AD.
MeanOldDBA

Thanks for the clarification. The way it is right now, users have a different SID in each domain. For example:
newdomainuser 0x0105000000000005150000003A00C31BF209C5A22759986BA92B0000
olddomainuser 0x010500000000000515000000D170FF04674F830AAB17375D8B1D0000
I will check with the person that is doing the AD users migration.
Ionel
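
Added example, not part of any post in this thread: decoding the two binary SID values quoted above (the form stored in syslogins) into S-1-5-21-... notation, so the domain identifier and RID of each login can be compared with what the AD side reports. The function names are hypothetical; the only inputs are the two hex strings from the post.

```python
import struct

def parse_sid(hex_sid):
    """Decode a binary SID (hex, optional 0x prefix) into its S-1-... string."""
    text = hex_sid[2:] if hex_sid.lower().startswith("0x") else hex_sid
    raw = bytes.fromhex(text)
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")    # 6 bytes, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])  # 32-bit little-endian each
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def split_domain_rid(sid_string):
    """Split a domain account SID into (domain SID, RID of the account)."""
    domain, _, rid = sid_string.rpartition("-")
    return domain, int(rid)

def same_domain(hex_a, hex_b):
    """True when both binary SIDs were issued by the same domain."""
    dom_a = split_domain_rid(parse_sid(hex_a))[0]
    dom_b = split_domain_rid(parse_sid(hex_b))[0]
    return dom_a == dom_b

# The two values quoted in the post above.
NEW_SID = "0x0105000000000005150000003A00C31BF209C5A22759986BA92B0000"
OLD_SID = "0x010500000000000515000000D170FF04674F830AAB17375D8B1D0000"

if __name__ == "__main__":
    for label, value in (("newdomainuser", NEW_SID), ("olddomainuser", OLD_SID)):
        sid = parse_sid(value)
        domain, rid = split_domain_rid(sid)
        print("%-14s %s  (domain %s, RID %d)" % (label, sid, domain, rid))
    print("issued by same domain:", same_domain(NEW_SID, OLD_SID))
```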

Derrick, I think you might be able to explain to me why, when I have both olddomainuser and newdomainuser and I look at the SID in syslogins, they have different ones, but when I have only the olddomainuser and the user logs in as newdomainuser, he is able to impersonate the rights of the olddomainuser. If this is a proper SID migration, how can I find which users are properly migrated and which are not, since my belief was that the newdomainuser and olddomainuser should have the same SID in syslogins when the migration was done properly?
Ionel

I’m not an AD expert, Ionel, so I’m sure there are people much more qualified to answer that than me. We just went through an AD migration though. We never changed the SIDs. We migrated and ran just as before.
MeanOldDBA