Solved

coping with Active Dir nested groups and Identity Manager 2

Posted on 2006-07-19
5
608 Views
Last Modified: 2013-12-03
Hi there,

i am busy setting up our publisher channel to sync objects back into our edir using IM2 and am just testing what happens when nesting groups within AD..

Obviously IM picks this up as a change of membership and throws an error in the DStrace as follows

Status: Warning
Message: Code(-8011) Error processing reciprocal linking attribute (\tree\company\ou\adgroup#Security Equals): novell.jclient.JCException: modifyEntry -608 ERR_ILLEGAL_ATTRIBUTE

how do people cope with group nests when using identity manager? it does seem that it adds the object in to the group in edir but obviously it wouldnt operate as a nest.

is there anyway to veto out all nests and what do people do at migration time?
0
Comment
Question by:huziy
  • 2
5 Comments
 
LVL 35

Expert Comment

by:ShineOn
ID: 17140264
"migration time?"  

Migration from AD to eDirectory?  That's handled with the Server Consolidation utility, not by Identity Manager.

Nested groups is an AD construct to get around its inherent design limitations.  It's illogical and cumbersome.  However, there should be a way to translate them, somehow, to an eDirectory structure.  Maybe it's covered in a more user-friendly fashion in IM3.

If you're migrating from AD to eDirectory and using IM2 as a sync tool during a gradual migration, I'd suggest re-modeling the group structures in AD to eliminate nested groups, unless you're actually hitting AD group membership limits and not using it as a convenience.

Hopefully, someone working directly with IM2 will post back.
0
 

Author Comment

by:huziy
ID: 17140680
Sorry we are not migrating to edir.. we have edir and are implementing AD along side edir

I will be using the current groups we have in edir and syncing them accross as Global groups. These then will be nested into Domain local groups in AD
0
 

Author Comment

by:huziy
ID: 17173601
i ended up creating a rule to place any new DL groups into their own OU in edir.. these can then be ignored in the edir environment. I noticed that if you look at the members of a DL group in edr you can see the other group which normally is impossible to do in edir.. (and has no function)

it seems to cause no problems and if you remove the membership in edir it replicates into AD
0
 

Accepted Solution

by:
ee_ai_construct earned 0 total points
ID: 17399772
PAQ / Refund
ee ai construct, community support moderator
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

IT certifications are a concrete representation of continual learning on the part of the candidate.  Continual learning is necessary for the long term success of an IT professional, but are IT certifications the right path for you?
ConnectWise and their customers need to ensure critical alerts automatically reach the right person at the right time. MSP superheros efficiently respond to these alerts key is providing automatic, intelligent alerting that generates a complete audi…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question