Reputation: 2271
Change Active Directory Domain
We have a particular request where we needs to change Active Directory domain. Acumatica is installed on-premises (not SaaS).
What is the technical procedure to achieve this?
I tried to look for Acumatica documentation but could not find something directly related to this.
I am aware we would need to change the Active Directory web.config file settings to the new LDAP.
However, how we also need to migrate users in Acumatica.
Let's say that we have user johnsmith on old AD and we need to migrate same user and permissions to the new AD (with a different domain). What is the procedure?
Also we have instances where the user has the same username and other situations where the user has changed, example johnsmith to jsmith.
We would like to avoid having to re-create the users from scratch and assigning Roles etc. Ideally, we would be able to map users. Is this possible? In other systems, such as SharePoint there are specific scripts to migrate users.
Upvotes: 0
Views: 152
Answers (1)
Reputation: 1010
I do not see any documentation or existing scripts on how to do this. That said, here is how I would go about doing this.
First, you need to look at the username format. Is it user@domain, or domain\user? Those could be updated in bulk. If you are using user@domain and the old domain is listed as a UPN suffix in AD, you won't have to update the usernames.
You would then need to get the SID of the new AD Account and update it. If the domain is prepped and ready to go ahead of time it would be much better.
I would then make a custom process screen that would loop through each user and update.
- Replace the username with the new UserPrincipalName if different
- Replace the email address if different
- Connect to LDAP (or powershell) and query the "mapped" username
- Pull the SID of the user and update the ExtRef field of the current user
Next you would need to update the group / role mappings.
- Get all entires form RoleActiveDirectory table
- Search for the GroupID (SID) in the old domain
- Search for a group with the same SID in the new domain
- Update the GroupID with the SID
I tested updating the SID of one group mapping with a different SID and it loaded properly. The UI on SM201005 loads the group name and description dynamically.
Any of these that can be just pre-loaded into Excel and then imported/replaced and may be much easier than writing the code to pull the data from the domains, but possible. I have written many applications to query AD through either powershell or LDAP.
Then I would test and test... build a few test domains to switch between. I am not sure if the hooks are anywhere else in Acumatica and would search the codebase for any other references, and possibly contact support to validate anywhere else that it may be hooked in.
Upvotes: 1
Related Questions
- Trying to modify Active Directory with PowerShell
- Change Active Directory / Domain Controller in Ms CRM
- Active Directory - Cross Domains
- Change configuration in Active Directoy with code?
- Changing a specific Active Directory attribute programmatically
- Changing my Domain
- Sharepoint Server 2007 - Change Authentication to AD
- Modifying Active Directory Properties
- Active Directory Problems
- DomainPolicy object