[TFS 2015]:将用户从一个 AD 域迁移到另一个
我们计划将用户从我们公司的域 (domainA) 迁移到我们母公司的域 (domainB).用户的登录 ID 将从 domainA\firstname.lastname 更改为 domainB\employee#
We are planning to migrate users from our company domain (domainA) to our parent company's domain (domainB). The login IDs for the users are going to change from domainA\firstname.lastname to domainB\employee#
目前,TFS 服务器将驻留在域 A 中.
For now, the TFS servers will reside in domainA.
迁移我们的 TFS 用户并确保他们仍然保持当前权限的最佳方法是什么?
What would be the best way to migrate our TFS users and still ensure that they still maintain their current permissions?
我确实找到了有关 Identities 命令的文档:https://docs.microsoft.com/en-us/vsts/tfs-server/admin/move-across-domains
I did find this document regarding the Identities command: https://docs.microsoft.com/en-us/vsts/tfs-server/admin/move-across-domains
谢谢
如果您只想在 Active Directory 中跨域迁移帐户并将 TFS 服务器保持在域 A 中.
If you just want to migrate accounts across domains in Active Directory and keep the TFS sever reside in domain A.
您可以使用 TFSConfig Identities 命令,用于列出或更改 TFS 部署中用户和组的安全标识符 (SID).
You could use TFSConfig Identities command which lists or changes the security identifier (SID) of users and groups in your deployment of TFS.
首先,您的两个域之间应该存在信任关系.然后按照以下步骤操作:
Fist of all, there should has the trust-relationship between your two domains. Then follow below steps:
- 在新域上创建所有新帐户,不要将它们添加到TFS
以管理员身份打开命令行并导航到
C:Program文件Microsoft Team Foundation Server 14.0Tools
使用正确的参数(例如
Run the TFSConfig Identities with the right parameters such as
TFSConfig Identities/change/fromdomain:Domain1/todomain:Domain2/account:OldAccount/toaccount:NewAccount
查看结果
注意:一旦用户帐户出现在 TFS 中,就不能将其删除或将另一个帐户映射到它.例如,如果您将 DomainA/UserA 移动到 DomainB/UserB,则 Identities 命令仅在 TFS 中不存在 DomainB/UserB 的情况下才能用于迁移用户.
更多详细步骤请参考这个教程.
More detail steps please refer this tutorial.
如果您还想将 Team Foundation Server 安装从一个域移动到另一个域,则需要完全按照说明进行操作:将 Team Foundation Server 从一个环境移动到另一个环境
If you also want to move a Team Foundation Server installation from one domain to another, you need to follow the instructions exactly: Move Team Foundation Server from one environment to another
来自 OP 的更新:
为了防止迁移的用户恢复到以前的帐户,我必须确保他们不属于任何 domainA 组.删除后,我运行以下命令:
To prevent migrated users from reverting back to previous account, I had to make sure that they weren't part of any domainA groups.Once removed, I ran the following:
TFSServiceControl quiesce TFSConfig Identities /change /fromdomain:OldDomainName /todomain:NewDomainName /account:OldAccountName /toaccount:NewAccountName TFSServiceControl unquiesce
然后我运行了一个强制 AD 与 TFS 同步的 poweshell 脚本:
I then ran a poweshell script that forced AD sync with TFS :
[Reflection.Assembly]::Load("Microsoft.TeamFoundation.Client, Version=11.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
# connect to the server
$credProvider = new-object Microsoft.TeamFoundation.Client.UICredentialsProvider $tfsConnection = new-object Microsoft.TeamFoundation.Client.TfsConfigurationServer "localhost:8080/tfs";, $credProvider $tfsConnection.EnsureAuthenticated()
# force a full sync on the next sync execution.
$tfRegistry = $tfsConnection.GetService([Microsoft.TeamFoundation.Framework.Client.ITeamFoundationRegistry]) $tfRegistry.SetValue('/Service/Integration/Settings/IdentitySyncFull', $true)
# Kick the IMS periodic job so that it syncs.
$jobIds = [Guid[]] @('544DD581-F72A-45A9-8DE0-8CD3A5F29DFE') $jobSvc = $tfsConnection.GetService([Microsoft.TeamFoundation.Framework.Client.ITeamFoundationJobService]) $jobSvc.QueueJobsNow($jobIds, $true)