6 Replies Latest reply on Dec 3, 2009 10:58 AM by ESB

    Moving Endpoint Encryption to new domain

      We are getting ready to collapse several of our domains; one of the domains that is going away contains the SafeBoot server.  Neither the IP address nor the name of the server will change, just the domain (FQDN) will change.  Currently it is Name.123.abc; it is going to Name.456.abc.  How will this affect the connector and the users currently connected to AD via the bindings?


      What are the steps I need to take to move this from one domain to the other?  We are currently running V5.2.2.  This will not occur for several months, so I don't know what version we will be running by the time the switch will occur.  We are currently coming up with potential issues.


      Thank You!!

        • 1. Re: Moving Endpoint Encryption to new domain

          Which AD property do you use for EEPC user name? Is it going to change?

          Also, will AD account GUID change when you migrate users between domains?

          Strategy depends on answers to above.

          • 2. Re: Moving Endpoint Encryption to new domain

            We are currently pulling the sAMAccountName from AD; this will not change.   We will be using the Active Directory Migration Tool to migrate the users and machines from various domains into another domain.  I believe the GUID does change when the users get migrated.


            Also, is there anything I need to do with the clients to prepare them for the server move?  Since the IP and name will not change, I did not think this would be an issue.  Please correct me if I am wrong.  This would be my #1 concern.


            FYI:  We currently run 5 domains in a single forest; we are collapsing down to two domains.


            Edited to add that some of the IDs that are currently in SafeBoot will need to change due to duplication.  The IDs may exist in domain A and domain B.  One ID is currently being utilized in SafeBoot.  If that ID must change due to duplication in the forest, we will want that reflected in SafeBoot.


            Message was edited by: ESB on 11/30/09 2:25 PM
            • 3. Re: Moving Endpoint Encryption to new domain

              1. disable your connectors before you touch your domains

              2. in your test environment, use LinkUser.vbs to recreate the GUID links to your accounts based on the ones in the new domain; check that they link up right

              3. change the server names and creds in your connectors, validate the properties and run them (again in your test environment) to make sure everything is synced up right

              4. reproduce in production


              If you mess this up, the connector will do what it has been told to do, which probably means it will disable (or worse, delete!) all your users, so make sure you TEST this before making any changes in production.

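A pre-flight reconciliation for step 2 above, which also covers the duplicate-ID concern raised in reply 2. This is an added example, not part of this thread, McAfee's product or LinkUser.vbs: it matches each SafeBoot user's sAMAccountName against a constructed export of the target domain and reports which accounts get a new GUID to link, which names are duplicated across the merged domains, and which have no target object at all (the accounts a connector run would disable or delete). The export layouts, field names and GUIDs are assumptions made for the example.

```python
"""Pre-flight check before re-linking SafeBoot / EEPC users to a new domain.
Added example; the data shapes below are assumptions, not the product's
export format. SAFEBOOT_USERS stands in for the SafeBoot user list with the
old-domain objectGUID; NEW_DOMAIN_AD stands in for the accounts ADMT created
in the target domain (sAMAccountName, objectGUID, source domain)."""
from collections import defaultdict

SAFEBOOT_USERS = {  # constructed sample data
    "jsmith": {"old_guid": "11111111-1111-1111-1111-111111111111"},
    "mjones": {"old_guid": "22222222-2222-2222-2222-222222222222"},
    "tbrown": {"old_guid": "33333333-3333-3333-3333-333333333333"},
}

NEW_DOMAIN_AD = [  # constructed sample data
    ("jsmith", "aaaaaaaa-1111-1111-1111-111111111111", "123.abc"),
    ("mjones", "bbbbbbbb-2222-2222-2222-222222222222", "123.abc"),
    ("mjones", "cccccccc-2222-2222-2222-222222222222", "789.abc"),  # same ID, two domains
]


def plan_relink(safeboot_users, new_domain_ad):
    """Return (relink, ambiguous, missing).
    relink:    name -> old/new GUID pair, safe to hand to the link step
    ambiguous: name -> every target object carrying that name (duplicate IDs)
    missing:   names with no object in the target domain at all"""
    by_name = defaultdict(list)
    for name, guid, src in new_domain_ad:
        by_name[name.lower()].append((guid, src))  # sAMAccountName is case-insensitive
    relink, ambiguous, missing = {}, {}, []
    for name, rec in safeboot_users.items():
        matches = by_name.get(name.lower(), [])
        if len(matches) == 1:
            relink[name] = {"old_guid": rec["old_guid"], "new_guid": matches[0][0]}
        elif matches:
            ambiguous[name] = matches
        else:
            missing.append(name)
    return relink, ambiguous, missing


def safe_to_enable_connector(ambiguous, missing):
    """Only re-enable the connector once nothing is unresolved."""
    return not ambiguous and not missing


if __name__ == "__main__":
    relink, ambiguous, missing = plan_relink(SAFEBOOT_USERS, NEW_DOMAIN_AD)
    print("relink:", relink)
    print("duplicate IDs to rename first:", ambiguous)
    print("no target object (connector would disable):", missing)
    print("safe to enable connector:", safe_to_enable_connector(ambiguous, missing))
```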
              • 4. Re: Moving Endpoint Encryption to new domain

                OK, so I will disable the connector until all users and search groups have been moved.  At that time I will run LinkUser.vbs to recreate the GUID.  Can I run this per connector group, or is it an all-or-nothing thing?  For example, all users and groups in connector A have been migrated to the new domain.  Can I run LinkUser.vbs to correct these?  I have a connector set up per agency.   We will be migrating one agency at a time.


                I will test this first.  My test server will also need to be moved.  Will do it early on if possible so I am prepared.


                We expect this process to take about 18 months to migrate every object: user, computer, group, and application.


                What about the current clients?  Since the name and IP will not change, I don't expect problems.  Am I incorrect?

                • 5. Re: Moving Endpoint Encryption to new domain

                  No, the machines don't care a jot about the domain; it's only the connector which really minds.

                  • 6. Re: Moving Endpoint Encryption to new domain

                    Thank you for the assistance.  After all the information gathering, this project has been tabled for now.  I will however keep this in mind for if/when this project may actually happen.


                    Thank You.