VMware Cloud Community
allanclark
Contributor

Moving vCentre server to a new domain

For some reason or another one of our AD domains will be decommissioned so our vCentre servers will need to be moved to this domain. This causes a bit of a headache when it comes to all the permissions assigned to folders & individual within vCentre.

The creation of the AD groups & their members is all taken care of in the new domain and moving the vCentre servers into the new domain is easy enough. The bit that is the pain is how can I quickly go through all the objects and 're-permission' them to be in the equivalent group in the new.

I should probably quote an example.

<old domain>\old group1 has Virtual Machine Administrator rights to virtual machine1

under the new domain then

<new domain>\new group1 should have Virtual Machine Administrator rights to virtual machine 1

The task is pretty major given we've got over 4000 VMs we'll need to ensure have the right level of access.

kfkernel
Enthusiast

Hi,

You should be able to solve this with some editing in the vCenter database. There is one table in the database called VPX_ACCESS. All logins with their corresponding roles are configured there.

Each row has a unique ID, name of the account should be DOMAIN\username, ROLE_ID, ENTITY_ID and FLAG. I am unsure about what FLAG really is. But I will explain the other fields briefly to you.

a) If you want to just switch all the permissions from OLDDOMAIN\username to DOMAIN\username you can just edit the rows and change the PRINCIPAL field from OLDDOMAIN\username to DOMAIN\username. This should be enough, because role_id will tell vCenter which Role is applicable for this user. Entity_ID specifies where in the vCenter structure the user and permission will be effective. Of course try this with a test account first.

b) If you want to run with duplicate permissions for a transition period, I suggest that for each row in the table you create a duplicate row with a new ID and change the value of PRINCIPAL from OLDDOMAIN\username to DOMAIN\username.

If you have many rows in VPX_ACCESS I suggest you read up on SQL or ask some SQL guy to help you with an UPDATE or INSERT query that will perform any of the above. Otherwise it should be quite easy to update / duplicate the rows with SQL Management Studio.

Of course perform a database backup before doing any changes and you proceed at your own risk :)

cheers
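
Option (a) from the reply above, sketched in T-SQL as an added example; it is not code from either poster or from VMware. It assumes only the VPX_ACCESS columns named in the reply, uses constructed domain, group and backup-table names, and goes slightly beyond the reply by driving the change from an explicit old-to-new mapping so that group names may differ between domains.

```sql
-- Added example (T-SQL). VPX_ACCESS and its columns are as named in the reply;
-- domain/group names and the *_PRE_MIGRATION table are constructed placeholders.
SET XACT_ABORT ON;
BEGIN TRANSACTION;

-- Copy of the table as it was, for audit; it is kept only if you COMMIT.
SELECT * INTO VPX_ACCESS_PRE_MIGRATION FROM VPX_ACCESS;

-- Old -> new principal mapping, one row per AD user or group.
CREATE TABLE #principal_map (
    old_principal NVARCHAR(255) COLLATE DATABASE_DEFAULT NOT NULL PRIMARY KEY,
    new_principal NVARCHAR(255) COLLATE DATABASE_DEFAULT NOT NULL
);
INSERT INTO #principal_map (old_principal, new_principal) VALUES
    (N'OLDDOMAIN\old group1', N'NEWDOMAIN\new group1'),
    (N'OLDDOMAIN\old group2', N'NEWDOMAIN\new group2');

-- 1. Old-domain principals with no mapping: their permissions would be orphaned.
SELECT a.PRINCIPAL, COUNT(*) AS permission_rows
FROM VPX_ACCESS AS a
LEFT JOIN #principal_map AS m ON m.old_principal = a.PRINCIPAL
WHERE a.PRINCIPAL LIKE N'OLDDOMAIN\%' AND m.old_principal IS NULL
GROUP BY a.PRINCIPAL;

-- 2. Option (a): repoint mapped rows. ROLE_ID, ENTITY_ID and FLAG are untouched,
--    so each principal keeps exactly the role and scope it had.
UPDATE a
SET a.PRINCIPAL = m.new_principal
FROM VPX_ACCESS AS a
JOIN #principal_map AS m ON m.old_principal = a.PRINCIPAL;

-- 3. Rows to review: a principal that now has more than one row on one entity
--    (the new group already had its own permission there).
SELECT PRINCIPAL, ENTITY_ID, COUNT(*) AS rows_on_entity
FROM VPX_ACCESS
GROUP BY PRINCIPAL, ENTITY_ID
HAVING COUNT(*) > 1;

-- 4. Every changed row, old value beside new, to check against the AD group plan.
SELECT b.ID, b.PRINCIPAL AS old_principal, a.PRINCIPAL AS new_principal,
       a.ROLE_ID, a.ENTITY_ID
FROM VPX_ACCESS_PRE_MIGRATION AS b
JOIN VPX_ACCESS AS a ON a.ID = b.ID
WHERE a.PRINCIPAL <> b.PRINCIPAL;

-- Rolls back by default; switch to COMMIT TRANSACTION once 1, 3 and 4 look right.
ROLLBACK TRANSACTION;
```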

allanclark
Contributor

Cheers for that.

I'm OK with the SELECT commands within SQL; for the UPDATE & INSERT commands I'll need to ask a friendly DBA.
