Chapter 7. Migrating Existing Environments from Synchronization to Trust
7.1. Migrate from Synchronization to Trust Automatically Using ipa-winsync-migrate
The ipa-winsync-migrate utility is only available on systems running Red Hat Enterprise Linux 7.2 or later.
7.1.1. How Migration Using ipa-winsync-migrate Works
The ipa-winsync-migrate utility migrates all synchronized users from an AD forest, while preserving the existing configuration in the Winsync environment and transferring it into the AD trust. For each AD user created by the Winsync agreement, ipa-winsync-migrate creates an ID override in the Default Trust View (see Section 8.1, “Active Directory Default Trust View”).
- The ID overrides for the AD users have the following attributes copied from the original entry in Winsync:
- Login name
- UID number
- GID number
- Home directory
- GECOS entry
- The user accounts in the AD trust keep their original configuration in IdM, which includes:
- POSIX attributes
- User groups
- Role-based access control rules
- Host-based access control rules
- SELinux membership
- The new AD users are added as members of an external IdM group.
- The original Winsync replication agreement, the original synchronized user accounts, and all local copies of the user accounts are removed.
7.1.2. How to Migrate Using ipa-winsync-migrate
- Back up your IdM setup using the ipa-backup utility. See Backing Up and Restoring Identity Management in the Linux Domain Identity, Authentication, and Policy Guide. Reason: the migration affects a significant part of the IdM configuration and many user accounts. Creating a backup enables you to restore your original setup if necessary.
- Create a trust with the synchronized domain. See Chapter 5, Creating Cross-forest Trusts with Active Directory and Identity Management.
- Run ipa-winsync-migrate and specify the AD realm and the host name of the AD domain controller:
  # ipa-winsync-migrate --realm example.com --server ad.example.com
  If a conflict occurs in the overrides created by ipa-winsync-migrate, information about the conflict is displayed, but the migration continues.
- Uninstall the Password Sync service from the AD server. This removes the synchronization agreement from the AD domain controllers.
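Because the migration removes the original synchronized user entries, the only way to confirm afterwards that every former Winsync user received an ID override with the right POSIX values is to record those values beforehand. The following script is an added example, not part of the Red Hat guide or of the ipa-winsync-migrate tool: it compares a snapshot of `ipa user-find --all` taken before migration with the output of `ipa idoverrideuser-find 'Default Trust View' --all` taken afterwards. The field labels it matches ("User login:", "UID:", "GID:", "Home directory:") are assumed to be those of the human-readable ipa CLI output and should be checked against your IdM version; the sample data embedded in it is constructed, with one GID deliberately wrong so the check has something to report.

```shell
#!/bin/bash
# Added example: verify that each formerly synchronized user has an ID override
# in the Default Trust View with the same login, UID, GID and home directory.
# Capture the snapshot BEFORE running ipa-winsync-migrate, the overrides after:
#   ipa user-find --all > winsync-users.before
#   ipa idoverrideuser-find 'Default Trust View' --all > overrides.after
# Assumption: the field labels below are those printed by the ipa CLI.
set -u

# Flatten `ipa ... -find` output into sorted "login|UID|GID|home" records.
# Entries in the CLI output are separated by blank lines.
normalize_records() {
    awk '
        function flush() {
            if (login != "") printf "%s|%s|%s|%s\n", login, uid, gid, home
            login = ""; uid = ""; gid = ""; home = ""
        }
        /^[[:space:]]*User login:/     { sub(/^[[:space:]]*User login:[[:space:]]*/, ""); login = $0 }
        /^[[:space:]]*UID:/            { sub(/^[[:space:]]*UID:[[:space:]]*/, ""); uid = $0 }
        /^[[:space:]]*GID:/            { sub(/^[[:space:]]*GID:[[:space:]]*/, ""); gid = $0 }
        /^[[:space:]]*Home directory:/ { sub(/^[[:space:]]*Home directory:[[:space:]]*/, ""); home = $0 }
        /^[[:space:]]*$/               { flush() }
        END                            { flush() }
    ' "$1" | sort
}

# Report snapshot users that have no identical override. Returns 0 when all match.
verify_overrides() {
    before_norm=$(mktemp) || return 2
    after_norm=$(mktemp) || return 2
    normalize_records "$1" > "$before_norm"
    normalize_records "$2" > "$after_norm"
    # comm -23 prints lines present only in the first (sorted) input.
    missing=$(comm -23 "$before_norm" "$after_norm")
    rm -f "$before_norm" "$after_norm"
    if [ -n "$missing" ]; then
        printf 'No identical ID override for (login|UID|GID|home):\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample data standing in for the two real captures. The second
# override's GID defaults to a wrong value so the check reports it; pass 10002
# to make the data consistent.
make_samples() {
    asmith_gid=${1:-10999}
    cat > winsync-users.before <<EOF
---------------
2 users matched
---------------
  User login: asmith
  First name: Alice
  Home directory: /home/asmith
  UID: 10002
  GID: 10002

  User login: jdoe
  First name: John
  Home directory: /home/jdoe
  UID: 10001
  GID: 10001
----------------------------
Number of entries returned 2
----------------------------
EOF
    cat > overrides.after <<EOF
----------------------------
2 User ID overrides matched
----------------------------
  Anchor to override: asmith@ad.example.com
  User login: asmith
  UID: 10002
  GID: $asmith_gid
  Home directory: /home/asmith
  GECOS: Alice Smith

  Anchor to override: jdoe@ad.example.com
  User login: jdoe
  UID: 10001
  GID: 10001
  Home directory: /home/jdoe
  GECOS: John Doe
----------------------------
Number of entries returned 2
----------------------------
EOF
}

# Usage: ./verify-migration.sh winsync-users.before overrides.after
if [ "$#" -eq 2 ]; then
    verify_overrides "$1" "$2" && echo "Every snapshot user has a matching ID override."
fi
```

Run it against the real captures once ipa-winsync-migrate has finished and before uninstalling Password Sync; any user it reports should be compared against the conflict messages the migration printed, and the override corrected with `ipa idoverrideuser-mod` if the original values are still known from the snapshot.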