huziy
asked on
Coping with Active Dir nested groups and Identity Manager 2
Hi there,
I am busy setting up our publisher channel to sync objects back into our edir using IM2 and am just testing what happens when nesting groups within AD.
Obviously IM picks this up as a change of membership and throws an error in the DStrace as follows:
Status: Warning
Message: Code(-8011) Error processing reciprocal linking attribute (\tree\company\ou\adgroup# Security Equals): novell.jclient.JCException : modifyEntry -608 ERR_ILLEGAL_ATTRIBUTE
How do people cope with group nests when using Identity Manager? It does seem that it adds the object into the group in edir, but obviously it wouldn't operate as a nest.
Is there any way to veto out all nests, and what do people do at migration time?
ASKER
Sorry, we are not migrating to edir.. we have edir and are implementing AD alongside edir.
I will be using the current groups we have in edir and syncing them across as Global groups. These will then be nested into Domain Local groups in AD.
ASKER
I ended up creating a rule to place any new DL groups into their own OU in edir.. these can then be ignored in the edir environment. I noticed that if you look at the members of a DL group in edir you can see the other group, which normally is impossible to do in edir (and has no function).
It seems to cause no problems, and if you remove the membership in edir it replicates into AD.
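As an added example (not code from any post in this thread or from the IDM driver itself), here is a Python sketch of the asker's approach: classify AD groups by their groupType bit flags, route Domain Local groups into a holding container, and list the group-in-group memberships that eDirectory will store but not evaluate as nests. The sample entries, container names and DNs are constructed placeholders.

```python
# Added example: AD groupType flag values (ADS_GROUP_TYPE_* constants).
GLOBAL, DOMAIN_LOCAL, UNIVERSAL, SECURITY = 0x2, 0x4, 0x8, 0x80000000

# Constructed sample of the attributes a publisher-channel group event might carry.
SAMPLE_GROUPS = [
    {"dn": "CN=Finance,OU=Groups,DC=company,DC=local",
     "groupType": -2147483646,      # signed form of 0x80000002 (global, security)
     "member": ["CN=jdoe,OU=Users,DC=company,DC=local"]},
    {"dn": "CN=Share-RW,OU=Groups,DC=company,DC=local",
     "groupType": -2147483644,      # signed form of 0x80000004 (domain local, security)
     "member": ["CN=Finance,OU=Groups,DC=company,DC=local"]},  # a nested group
]


def scope(group_type: int) -> str:
    """Map a (possibly negative, signed 32-bit) groupType value to its AD scope."""
    flags = group_type & 0xFFFFFFFF   # undo the signed-int wrap so the high bit is readable
    if flags & DOMAIN_LOCAL:
        return "domain-local"
    if flags & UNIVERSAL:
        return "universal"
    if flags & GLOBAL:
        return "global"
    return "unknown"


def placement(group: dict,
              dl_container: str = "ou=AD-DomainLocal,o=company",   # placeholder OU
              default: str = "ou=groups,o=company") -> str:         # placeholder OU
    """Asker's rule: Domain Local groups land in their own OU, everything else in the usual one."""
    return dl_container if scope(group["groupType"]) == "domain-local" else default


def nested_members(groups: list) -> list:
    """Return (group_dn, member_dn) pairs where the member is itself one of the groups.

    These are the memberships behind the -8011 reciprocal-linking warning: eDirectory
    records them but does not evaluate them as nests, so they need review rather than trust.
    """
    group_dns = {g["dn"].lower() for g in groups}
    return [(g["dn"], m) for g in groups for m in g["member"] if m.lower() in group_dns]


if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print(f"{g['dn']} -> {scope(g['groupType'])} -> {placement(g)}")
    for parent, child in nested_members(SAMPLE_GROUPS):
        print(f"nest to review: {child} is a member of {parent}")
```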
ASKER CERTIFIED SOLUTION
Migration from AD to eDirectory? That's handled with the Server Consolidation utility, not by Identity Manager.
Nested groups are an AD construct to get around its inherent design limitations. It's illogical and cumbersome. However, there should be a way to translate them, somehow, to an eDirectory structure. Maybe it's covered in a more user-friendly fashion in IM3.
If you're migrating from AD to eDirectory and using IM2 as a sync tool during a gradual migration, I'd suggest re-modeling the group structures in AD to eliminate nested groups, unless you're actually hitting AD group membership limits and not using it as a convenience.
Hopefully, someone working directly with IM2 will post back.