We are facing a TFS domain migration.
As written in TFS documentation Move user accounts and service accounts the user identities will be moved with the TFSConfig Identities command.
Can I move the identity within the same domain from userA to userB?
And would this happen in a way that there are no references to userA left in TFS database?
Before the migration we will upgrade from TFS 2017.3 to TFS 2018 or Azure Devops Server 2019.
Our general domain migration happend one year ago. The TFS resides in the former domain, say OLDDOMAIN. Every user OLDDOMAIN\initials got a new account as NEWDOMAIN\name.surname.
Unfortunately some users from the new domain where added to the local administrator group of TFS not knowing that TFS will sync them and create TFS identities and without having a clue about the consequences.
The idea is to change those identities from NEWDOMAIN\name.surname to a new user NEWDOMAIN\admin.name.surname OR OLDDOMAIN\initialsAdmin so that OLDDOMAIN\initials can be moved to NEWDOMAIN\user.surname.
The Identities Command is a powerful tool, but it has certain limitations. To help ensure a successful move, make sure that you understand the following requirements:
Once a user account is present in Azure DevOps Server, it cannot be removed or have another account mapped to it. For
example, if you are moving DomainA/UserA to DomainB/UserB, the
Identities command would only work to migrate the user if
DomainB/UserB is not already present in Azure DevOps Server.
Because the members of the local Administrators group are automatically added to Azure DevOps Server, make sure to remove any
accounts that you want migrated from that group before you change the
domain or environment.
As clearly declared in the document you referred, it's not able to map/move idenfity within the same domain from userA to userB.
If you are in this boat then you are hosed already. You may have 2 users as the same people and it will not allow you to change. Sorry for any inconvenience.
Related
I have worked with TFS for server years. We will move to Azure DevOps in next month.
After go through some docs, got some questions in below:
Why we call an organization for a url not account?
Why Azure DevOps only have one collection (default collection) unlike TFS server?
If one organization corresponding to one collection, when we move TFS to Azure DevOps, do we have to create multiple organizations for multiple collections?
This is a problem left over by history, some old docs/blogs may not updated timely.
For example, in documentation:
To sign in to your Azure DevOps account at any time, go to https://{youraccount}.visualstudio.com.
… should become:
To sign in to your AzureDevOps organization at any time, go to https://{yourorganization}.visualstudio.com
This change rolled out with our Sprint 137 Update:
Adopt the word "organization" when referring to a collection of projects in Azure DevOps
We've made a change to our terminology when it comes to referring to a
collection of projects in Azure DevOPS.
Previously we used the term "account" but have found that this has
caused a lot of confusion for the broader developer and open source
community. We've chosen to replace the term "account" with
"organization". You'll start seeing this change roll out in
documentation and in-product with this Update.
You account could create or be added in multiple organizations, for example:
As for moving TFS to Azure DevOps, create multiple organizations or not, it's based on your company's need. We suggest to do this if you use TFS Database Import Service
It provides a high fidelity way to migrate collection databases from
Team Foundation Server (TFS) to Azure DevOps Services. It's
recommended that you download the migration guide if you're
looking to use this service to import your collection(s).
The guide
serves as a walk through of the different steps involved in an import.
Providing best practices, checklists, and helpful tips to make your
import as easy as possible. The guide should be used in conjunction
with the more technical documentation referenced below to successfully
import to Azure DevOps Services.
Is there a way for our development team to point Visual Studio at an instance of TFS on another domain?
Pretty green when it comes to Team Foundation Server and not sure if this should go in the overflow that handles IT admin stuff (from my understanding stackoverflow is more code related).
We just got bought by another company and they want us to use their TFS that resides on their domain. We are working on getting to one domain, but in the mean time we still have two separate domains that talk enough to get by.
Just as Daniel said, just make sure there is a trust relationship between the domains.
Generally if you can access the TFS that resides on another domain with you current domain user, then everything should be OK.
More information please see Trusts and Forests Considerations for Team Foundation Server and Grant the Allowed to Authenticate permission on computers in the trusting domain or forest for details.
You can also reference this related thread : TFS Cross-domain authentication without trust
I am currently setting up TFS 2018 on premise. We also are in the process of moving to a new domain. The users are in the old domain and the new TFS is in the other domain. When I go to the TFS url, i get prompted to select my cert or user name and password. When i use username and password it works just fine. When i select my cert that my user account in the new domain has i get prompted for my pin 3 times and then it says access denied.
is there something that has to be done in IIS to allow the site to leverage certificates or will that not work and my users will have to have username and password?
This is my first time setting this up and Im not finding alot of documentation around the authentication methods for TFS mainly around smartcards. TFS is setup for windows authentication.
Generally speaking, TFS must exist in the same domain as your users, or there must be a trust relationship between the domains.
There is some documentation on the subject although it's very old.
I am in a little bit confusing situation. Below diagrams are supposed to tell the case:
I had 2 different tfs servers serving to 2 different teams on my company. The users were local on those servers. So, no active directory, no central control. Hence we decided to merge these 2 servers into 1 TFS.
Now I have 1 big TFS server containing all the collections, without any problem at that level. But as you can see from the users names, the users are imported to this new server with their local computer names - A\user1, A\user2, B\user3, B\user4. Which violates my sense of harmony.
What I want to do is, install an Active Directory service on a new machine, and have all my users included in this new domain as below:
My ultimate goal is to use the same users, only changing their netbios names like C\user1, C\user2, C\user3, C\user4, in order to keep old informations in TFS valid.
Microsofts documentations calls the first step I have achived so far a "Hardware Migration", and the second step as "Environment Migration". Then tells to not to do them at the same time. So I completed, the hardware migration, and now I need to do the environment migration, but since I don't have a deep knowledge on this domain things I am taking it slowly.
I haven't installed Active Directory yet, since I don't know what I need to change beforehand.
My questions are:
What I am dreaming is possible?
How can I achive it?
Environment-based migration scenario means changing the domain of the TFS deployment, whether it's a domain name change or going from a workgroup to a domain. So what you want can be achieved.
You can use Identities command to change the security identifier (SID) of users and groups in your deployment of TFS. This command supports the following scenarios:
changing the domain of your deployment
changing from a workgroup to a domain (your scenario) or from a domain to a workgroup
migrating accounts across domains in Active Directory
Command:
TFSConfig Identities /change /fromdomain:DomainName1 /todomain:DomainName2 [/account:AccountName] [/toaccount:AccountName]
More information is described here: https://msdn.microsoft.com/en-us/library/ms404883(v=vs.120).aspx
I have a TFS express configured on my windows server. Is it possible to invite a remote user on his email address, so that he can connect to the server and access project collections? I had been through few similar SO posts, and tried to explore almost all parts of the admin panel, but could't found such feature.
(I know this is available in case of visualstudio.com, but I need to invite a remote user to my locally hosted TFS).
Question:
- Is it even possible to allow remote user to access my TFS?
- If so, how to authenticate him?
Other Info: TFS is perfectly configured, and is accessible remotely as http://xyz:8080/tfs
No this is not possible. When TFS is installed on-premise it reads its users from the Windows Active directory and/or local Windows Server users.
When TFS is configured to be accessible remotely, like you say using an externally visible domain name, you need to register a Windows user either in Active Directory (preferred) or locally on the server.
To make your life easier, consider employing Visual Studio Team Services, the cloud service based offering that offers mostly the same services TFS does. It also provides 5 free users, doesn't need to be installed and maintained on a Windows Server, doesn't cost you a Windows Server license and allows you to invite people using their Microsoft Account/Windows Live ID.