Resolution
How should accounts be migrated with DMA for master account and resource domains to retain memberships that cross source domains?
fact
Domain Migration Administrator 7.x
fix
Domain Migration Administrator (DMA) 7.0 and later will allow you to update target group memberships for resource and account domains. The migration must be done in a certain order to accomplish this. In the following example, an Accounts Domain contains a User in a Global Group where the Global Group is a member of a Local Group in the Resource Domain. We recommend that you test this in a test environment to verify that the desired results are returned.
- Create two projects in DMA: one from the Master Accounts Domain to the Target domain and another from the Resource Domain to the Target Domain.
- Next, in the Accounts Domain to the Target Domain project, migrate the 'Users' and 'Groups' with membership intact.
- Then use the Resource Domain to the Target Domain project to migrate the 'Local' groups to the target domain.
Since the mapping information of the Account's Domain Users and Groups is in the internal database, the membership of the Local Groups in the target domain will be updated to contain the Target Global Group and any other users and groups that have been migrated and that were original members of the Resource Domain Local Group. DMA will integrate the information from both projects to ensure proper group membership is correctly updated and reflects the source domain membership.
If the Local Groups from the Resource Domain are migrated first, and the option to migrate associated groups is selected, DMA will only add the Source group account from the Accounts Domain. This is because DMA will not migrate associated accounts from another domain, only the membership would be updated. For this reason we suggest that the Accounts Domain accounts be migrated first.