Good day!
I have 2 SQL 2000 Servers, in a NT4 domain, that will be staying tehre
for the time being. But I am starting to move users from that domain
to an AD domain. We are doing them bit by bit. I want the Windows
Authentication-based SQL Logins to move over so that I don't have to
re-create the logins.
What is the best way to do this, assuming I want to do them slowly?
Thanks.Have you considered creating Groups on the new domain, give the groups the
relevant SQL permissions and when you're ready to migrate a user simply add
him to the new group.
HTH
Ryan Waight, MCDBA, MCSE
"Bob" <Bob@.nospam.com> wrote in message
news:nkkfqvg1fvjnc0j8lu9l8c2i2trtvvf8jq@.4ax.com...
> Good day!
> I have 2 SQL 2000 Servers, in a NT4 domain, that will be staying tehre
> for the time being. But I am starting to move users from that domain
> to an AD domain. We are doing them bit by bit. I want the Windows
> Authentication-based SQL Logins to move over so that I don't have to
> re-create the logins.
> What is the best way to do this, assuming I want to do them slowly?
> Thanks.
>|||I suppose I could do that. But is there a way to do what I am looking
to do?
On Tue, 4 Nov 2003 16:52:42 -0000, "Ryan Waight"
<Ryan_Waight@.nospam.hotmail.com> wrote:
>Have you considered creating Groups on the new domain, give the groups the
>relevant SQL permissions and when you're ready to migrate a user simply add
>him to the new group.|||Bob wrote:
> Good day!
> I have 2 SQL 2000 Servers, in a NT4 domain, that will be staying tehre
> for the time being. But I am starting to move users from that domain
> to an AD domain. We are doing them bit by bit. I want the Windows
> Authentication-based SQL Logins to move over so that I don't have to
> re-create the logins.
> What is the best way to do this, assuming I want to do them slowly?
you might try running sp_help_revlogin and then editing the script to your
liking.|||Hi Bob,
Thank you for using MSDN Newsgroup! It's my pleasure to assist you with your issue.
From your description, I understand that you would like to transfer the Windows Authentication
Logins and passwords to a new AD domain between the instances of SQL Server. Have I fully
understood you? If there is anything I misunderstood, please feel free to let me know.
I agree with Chxxx that you can create sp_help_revlogin stored procedure on the source
server, which this procedure generates a script that you can run on the destination server to re-
create logins with the original security identification number (SID) and retain the current
passwords.
For how to transfer Logins and Passwords between SQL Server 2000, please refer to the
following step by step articles:
246133 HOW TO: Transfer Logins and Passwords Between Instances of SQL Server
http://support.microsoft.com/?id=246133
240872 HOW TO: Resolve Permission Issues When You Move a Database Between
http://support.microsoft.com/?id=240872
274188 PRB: "Troubleshooting Orphaned Users" Topic in Books Online is Incomplete
http://support.microsoft.com/?id=274188
Bob, does this answer your question? Please apply the suggestion above and let us know if it
helps you resolve your problem. If there is anything more we can assist you with, please feel
free to post it in the group.
Best regards,
Billy Yao
Microsoft Online Partner Support
----
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
Please reply to newsgroups only. Thanks.|||> From your description, I understand that you would like to transfer the
Windows Authentication
> Logins and passwords to a new AD domain between the instances of SQL
Server. Have I fully
> understood you? If there is anything I misunderstood, please feel free to
let me know.
If Bob is interested in the Windows authentication logins, why would he like
to transfer the passwords?
One of the problems with migrating the NT user accounts to AD how to deal
with the following scenario:
1. NT user NTDomain\myUser is migrated to ADDomain\myUser (likely with
SIDHistory)
2. The SID of NTDomain\myUser is different from ADDomain\myUser
3. The system tables sysxlogins and sysusers still store the SID for
NTDomain\myUser
4. If the NTDomain domain is completely disabled, SIDHistory will not be
useful any more
(Note, not being an AD migration expert, I don't know whether you can
migrate NT user accounts to AD without assigning them new SIDs. It's not how
we are migrating user account anyway.)
--
Linchi Shea
linchi_shea@.NOSPAMml.com
"Billy Yao [MSFT]" <v-binyao@.online.microsoft.com> wrote in message
news:7GUTrC0oDHA.2148@.cpmsftngxa06.phx.gbl...
> Hi Bob,
> Thank you for using MSDN Newsgroup! It's my pleasure to assist you with
your issue.
> From your description, I understand that you would like to transfer the
Windows Authentication
> Logins and passwords to a new AD domain between the instances of SQL
Server. Have I fully
> understood you? If there is anything I misunderstood, please feel free to
let me know.
> I agree with Chxxx that you can create sp_help_revlogin stored procedure
on the source
> server, which this procedure generates a script that you can run on the
destination server to re-
> create logins with the original security identification number (SID) and
retain the current
> passwords.
> For how to transfer Logins and Passwords between SQL Server 2000, please
refer to the
> following step by step articles:
> 246133 HOW TO: Transfer Logins and Passwords Between Instances of SQL
Server
> http://support.microsoft.com/?id=246133
> 240872 HOW TO: Resolve Permission Issues When You Move a Database Between
> http://support.microsoft.com/?id=240872
> 274188 PRB: "Troubleshooting Orphaned Users" Topic in Books Online is
Incomplete
> http://support.microsoft.com/?id=274188
>
> Bob, does this answer your question? Please apply the suggestion above and
let us know if it
> helps you resolve your problem. If there is anything more we can assist
you with, please feel
> free to post it in the group.
>
> Best regards,
>
> Billy Yao
> Microsoft Online Partner Support
> ----
> Get Secure! - www.microsoft.com/security
> This posting is provided "as is" with no warranties and confers no rights.
> Please reply to newsgroups only. Thanks.
>
>|||Hi Bob,
I agree with Linchi's comments and thanks for his reminder.
If you transfer logins to an instance of SQL Server in a different domain than the source
instance of SQL Server, you should edit the script generated by the sp_help_revlogin
procedure, and REPLACE the domain name with the new domain in the sp_grantlogin
statements. Because the integrated logins granted access in the new domain will not have the
same SID as the logins in the original domain, the database users will be orphaned from
these logins.....
This is announced in the "Remarks" of the KB 246133. I recommend you review the remarks
carefully before you apply this logins transference, so that you will not miss some important
points you should pay attention to.
246133 HOW TO: Transfer Logins and Passwords Between Instances of SQL Server
http://support.microsoft.com/?id=246133
If there is anyting unclear or anything more I can assist you with, please feel free to post it in the
group.
Best regards,
Billy Yao
Microsoft Online Partner Support
----
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
Please reply to newsgroups only. Thanks.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment