Skip to main content

Move Team Foundation Server to a new domain

Since we want to simplify administration by minimizing our server farm the subdomain that currently hosts our Team Foundation Server is going to be removed. This means that we will have to move the entire installation to the parent domain. Luckily we only have one server as application-tier and data-tier, and we are very few users, which makes the process a whole lot less dramatic.

First of all we have to make sure that the new domain is ready to incorporate the server. It is not possible to perform any kind of user mapping, so all user accounts must have the same login name on the new domain as on the current domain. This also applies to the service accounts used by Team Foundation Server.

The documentation around this procedure is well documented on MSDN. The article describes the scenario to move from a workgroup to a domain, but the scenario from one domain to another works exactly the same. The entire process can be summarized in 5 steps:
  1. Ensure that all users have accounts on the new domain and that the login names are the same as on the current domain.
  2. Stop all services and application pools that concerns Team Foundation Server.
  3. Move the servers to the new domain.
  4. Use TFSAdminUtil to change service accounts and update user accounts.
  5. Start all services and application pools again.
The move went absolutely perfect and I could connect with he server on the new domain on the first try. There were some small issues with the SharePoint configuration since the SharePoint service account was not changed. Luckily there is a tool for that:

stsadm.exe -o updatefarmcredentials -userlogin DOMAIN\user -password ******

Comments

Popular posts from this blog

Binding Enum with DescriptionAttribute in WPF

Binding an enumeration to a ComboBox can be done in several ways. In most cases you don't want to display the value itself, but a more user friendly description. One common approach is to use the DescriptionAttribute on the Enum values to supply a description for each value.  This is all possible in a very MVVM friendly way. First step is to add the  DescriptionAttribute  to the values of the enumeration. public enum MyValues { [Description("First value")] First, [Description("Second value")] Second } To retrieve the description from the enum we use a simple extension method. This method returns the value of the DescriptionAttribute if it exists, otherwise the string representation of the enum value is returned. public static string GetDescription(this Enum value) { var fieldInfo = value.GetType().GetField(value.ToString()); var attribute = fieldInfo.GetCustomAttributes(typeof(DescriptionAttribute), false).FirstOrDefault() as

User.Identity returns old login name after name change

When a person gets married or makes a name change for some other reason this usually means that the login name for the Active Directory-account changes as well. This is rarely a problem, but it turned out to cause some issues on our web server, where the  User.Identity  property was still returning the old login name. The user logged on with the new login name, but was identified by the web application as the old login name. The reason this occurs is because the  User.Identity  property relies on the  LsaLookupSids  method to convert the user SID to a login name. The method first calls the local  LSA-cache , which is not synchronized with the Active Directory. For this purpose a simple reboot of the web server to clear the  LSA-cache  propably would have sufficed. But since we didn't want to take the application offline rebooting was not an option. Instead, it is possible to set the registry value  LsaLookupCacheMaxSize in HKLM\SYSTEM\CurrentControlSet\Control\Lsa. If this val

Programming AD with C#.NET – part 4

Our transition to the  System.DirectoryServices.Protocols  has in the whole gone very smooth, but there have been some issues with one environment that contains subdomains. Most things are working fine, but writing to a subdomain does not work in the same way as it did before. What is generally bad with the  System.DirectoryServices.Protocols is the documentation, which is practically non-existent. But most things can  be figured out anyway since most classes just are wrappers for the wldap32.dll, which in turn is way better documented. I would like to have as little bindings to a specific server as possible but still be able to access the domain. In the  LdapConnection  it is possible to set the identifier to null and use the executing computer as a starting point to find a domain controller. But sometimes I must know that I am using a Global Catalog, and with more and more RODC in the environment I sometimes must know that I am working against a writeable domain controller.