AD Synch - Change in Domain..

TroyS

Due to an acquisition, Project Server users (and the Enterprise Resource Pool
- ERP) will be from a new domain (e.g. DOMAIN123), yet Project Server
was populated from/is synching with DOMAINabc, its original domain.

What I'm trying to avoid is synching to AD in the new Domain and creating
essentially the same person twice. What is the recommended strategy
for dealing with this issue? I certainly don't want to walk into a client
and create a big mess by synching to the new domain and creating 2 of
everyone as Users and in the ERP.

Also, the login associated with the new domain is different. For example:
Was: Domainabc\FirstInitial_LastName
Is: Domain123\First5CharactersOrLastName_FirstInitial

What kind of issues am I going to encounter with this synching to AD?
Essentially will synching to the new Domain retain the 1 User and 1
Resource in ERP while 'magically' changing the Domain\Login to the correct
value? Is the Project Server Application smart enough to do this?

I think the steps might be:
1) manually change all of the Users in PWA to the new domain and login
2) Remove the PWA Security Groups in the old Domain
3) Establish the PWA Security Groups in the new domain and assign resources
to PWA Security Groups
4) Run the AD Synch

Of course this assumes that the 2 domains are trusted and Project Server can
find the new Domain and will synch.

Also, if the above works, does all of the timesheet information stay intact
with the named resource even though their domain/login may have changed?

Please advise, as I don't want to:
1) Create duplicate resources under a new domain
2) Lose timesheet history for those resources even though their domain/login
has changed
3) Create a mess where I have to inactivate a bunch of duplicate resources
 
Rolly Perreaux

Hi Troy,

A couple of questions

1. Is there a lot of movement of usernames between Active Directory
groups that are synchronized with Project Server Groups ?

2. Where will the Project Server be located?

3. Are these two domains in one AD forest and common root namespace (ie,
contoso.com --> child.contoso.com) or in separate forests and root
namespace ? (ie, contoso.com & nwtrader.com)

4. Do you have any insight on how the future design of Active Directory
will be implemented?

If your domains are in one AD Forest
====================================
Then it's a matter of creating one Universal Group and adding one Global
Group in each domain into the Universal Group. I personally haven't done
an AD sync with a Universal Group, but I can't see why it wouldn't work
since it's based on security principals. Plus this would be the easiest
to implement.

If your domains are in separate AD Forests
==========================================
You would need to establish either an Explicit Domain Trust or a Forest
Root Trust. Typically when a company acquires another company and they
both have Active Directory then they will create a Forest Root Trust
until the acquired company can transition into the other Forest.

A few more questions/comments in your steps...

1) manually change all of the Users in PWA to the new domain and login

Also clear the AD Guid check box

2) Remove the PWA Security Groups in the old Domain

Not required. Leave the PWA Groups alone as the User Accounts
have been modified that point to the PWA Groups.

3) Establish the PWA Security Groups in the new domain and assign
resources to PWA Security Groups.

I'm not too sure what you mean here? The PWA Groups are already
established and they will include the modified PWA User accounts.

4) Run the AD Sync

Unnecessary unless you have users that switch roles on a regular
basis.


Personally I recommend AD Synchronization as a quick way to import
Windows Authenticated users into the Enterprise Resource Pool and
Project Server User Accounts. Once the AD Sync has taken place, you can
remove the AD Group from the Ent Res Pool and/or the Project Server
Groups.

I just don't like the possibility of a Junior AD Administrator
adding/removing AD users from my AD Groups that are synchronized to
Project Server 2003. I heard of one horror story in a large enterprise
environment that did just that and that was enough for me.

However if you are both the AD/Domain Admin and Project Server
Administrator then you control both sides of the equation, then AD Sync
is a good thing.

Hope this helps...

--
Rolly Perreaux, PMP, MCSE
Project Server Trainer/Consultant

TriMagna Corporation
Microsoft Gold Partner
http://www.trimagna.com
 
TroyS

Rolly,
thx for the reply...
In response:
1) There is no movement in AD. People are being added to the new domain and
are retaining users in the old domain. Eventually, the old domain will go
away. There is some level of trust between the 2 domains, but I can't
answer or clarify a particular level of trust.

2) I want to use the same Project Server that exists in the old domain as it
contains projects, timesheets and history before the acquisition. We want to
continue to use the existing Project Server.

3) They are in separate forests (ilg.com and emc.com)

4) I assume we'll add to the new domain the PWA Security Groups we currently
have in the old domain/AD. That will bring over the new users from the new
domain.

However, I would like to 'swap' out the existing users in the old domain for
the same users in the new domain and retain timesheets, projects and resource
links in Project Server. So if I had a magic wand, I would wave it and the
existing users would have all of their prior project server information tied
to the same user, but new domain. For example from ILG\Troy to EMC\Troy and
everything would work.

I will review your additional comments ....this does help. thx.
 
Rolly Perreaux

Hi Troy,

A couple of additional comments...

It sounds like the critical piece in your scenario will be deciding if
either a) the Forest Trust or b) the Domain Trust is established.

In either case there needs to be a Trust established or you won't be
able to have your users in the emc.com forest/domain access the Project
Server in ilg.com forest/domain. Remember that it must be a two-way
trust.

However, if that trust is established, then just change the Project
Server User credentials in PWA from ILG\Troy to EMC\Troy.

Then log out from the EMC domain and log back in.

Try accessing PWA. If you are successful, then change the associated
Windows Account in the Enterprise Resource Pool.

1. Open the Enterprise Resource Pool and select a resource name that you
want to change to Windows Authentication.
2. Right click the resource name and select Resource Information.
3. Under the General tab, change the Windows account associated from
ILG\Troy to EMC\Troy.

Good Luck and let us know what happens!

--
Rolly Perreaux, PMP, MCSE
Project Server Trainer/Consultant

TriMagna Corporation
Microsoft Gold Partner
http://www.trimagna.com
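
An added example, not part of the original thread: before changing accounts in PWA and the Enterprise Resource Pool as described above, the old-to-new login mapping can be built and checked so that two people never end up on one new login, which would tie one person's timesheet history to another's account. It assumes the new login is the first five characters of the last name, an underscore, then the first initial; the function names and sample accounts are constructed for illustration.

```python
from collections import defaultdict

OLD_DOMAIN = "DOMAINabc"   # placeholder domain names taken from the question
NEW_DOMAIN = "DOMAIN123"


def new_login(old_account: str) -> str:
    """Map DOMAINabc\\F_LastName to DOMAIN123\\Lastn_F (assumed convention)."""
    domain, sep, login = old_account.partition("\\")
    if not sep or domain.lower() != OLD_DOMAIN.lower():
        raise ValueError(f"not an old-domain account: {old_account!r}")
    initial, sep, last = login.partition("_")
    if not sep or len(initial) != 1 or not last:
        raise ValueError(f"login does not match F_LastName: {old_account!r}")
    return f"{NEW_DOMAIN}\\{last[:5]}_{initial}"


def plan_rename(old_accounts):
    """Return (mapping, collisions, rejected) for a list of old accounts.

    mapping    -> old account: new account, safe to apply one-to-one
    collisions -> lowercased new account: [old accounts that share it]
    rejected   -> accounts that do not fit the old naming convention
    """
    mapping, rejected = {}, []
    by_target = defaultdict(list)
    for account in old_accounts:
        try:
            target = new_login(account)
        except ValueError:
            rejected.append(account)   # resolve by hand against AD
            continue
        mapping[account] = target
        # Windows logon names are case-insensitive, so compare lowercased.
        by_target[target.lower()].append(account)
    collisions = {t: src for t, src in by_target.items() if len(src) > 1}
    for sources in collisions.values():
        for account in sources:
            del mapping[account]       # never auto-apply an ambiguous rename
    return mapping, collisions, rejected


# Constructed sample data, not real accounts.
SAMPLE = ["DOMAINabc\\J_Smithson", "DOMAINabc\\J_Smithers",
          "DOMAINabc\\T_Lee", "OTHER\\A_Jones", "DOMAINabc\\troy"]

if __name__ == "__main__":
    for part in plan_rename(SAMPLE):
        print(part)
```

Derived names are only candidates: each one should be confirmed against the actual account in the new domain before the PWA user or ERP resource is changed.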
 
