Solved

coping with Active Dir nested groups and Identity Manager 2

Posted on 2006-07-19
5
613 Views
Last Modified: 2013-12-03
Hi there,

i am busy setting up our publisher channel to sync objects back into our edir using IM2 and am just testing what happens when nesting groups within AD..

Obviously IM picks this up as a change of membership and throws an error in the DStrace as follows

Status: Warning
Message: Code(-8011) Error processing reciprocal linking attribute (\tree\company\ou\adgroup#Security Equals): novell.jclient.JCException: modifyEntry -608 ERR_ILLEGAL_ATTRIBUTE

how do people cope with group nests when using identity manager? it does seem that it adds the object in to the group in edir but obviously it wouldnt operate as a nest.

is there anyway to veto out all nests and what do people do at migration time?
0
Comment
Question by:huziy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
5 Comments
 
LVL 35

Expert Comment

by:ShineOn
ID: 17140264
"migration time?"  

Migration from AD to eDirectory?  That's handled with the Server Consolidation utility, not by Identity Manager.

Nested groups is an AD construct to get around its inherent design limitations.  It's illogical and cumbersome.  However, there should be a way to translate them, somehow, to an eDirectory structure.  Maybe it's covered in a more user-friendly fashion in IM3.

If you're migrating from AD to eDirectory and using IM2 as a sync tool during a gradual migration, I'd suggest re-modeling the group structures in AD to eliminate nested groups, unless you're actually hitting AD group membership limits and not using it as a convenience.

Hopefully, someone working directly with IM2 will post back.
0
 

Author Comment

by:huziy
ID: 17140680
Sorry we are not migrating to edir.. we have edir and are implementing AD along side edir

I will be using the current groups we have in edir and syncing them accross as Global groups. These then will be nested into Domain local groups in AD
0
 

Author Comment

by:huziy
ID: 17173601
i ended up creating a rule to place any new DL groups into their own OU in edir.. these can then be ignored in the edir environment. I noticed that if you look at the members of a DL group in edr you can see the other group which normally is impossible to do in edir.. (and has no function)

it seems to cause no problems and if you remove the membership in edir it replicates into AD
0
 

Accepted Solution

by:
ee_ai_construct earned 0 total points
ID: 17399772
PAQ / Refund
ee ai construct, community support moderator
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Read our guide on how to survive being on-call.
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question