Active Directory Migration

Hello Josh,

Thanks a lot for getting back. I am using PowerScale OneFS 9.2.1.11. I have seen the post from Klosterman on some other topic - "Moving Isilon to new AD" ... But I'm however, unable to lay my hands on the utility called "MapSid". Any and all help in pointing me to its location, is highly appreciated,

Hi,

Thanks for your question. This thread has some information. https://dell.to/43EYIzB what version of OneFS are you using?

Let us know if you have any additional questions.

I have not been able to find it either, the best option is to call phone support and they should be able to assist. 

@Singular1bh, which Klosterman post mentioned  "MapSid"?

@Phil.Lam 

Here it is ... "Moving Isilon to new AD" Thanks.

crklosterman

3 Zinc
In response to calilek
2026
‎07-14-2015 01:37 PM

EMC PS has a utility called ‘mapsid’ that can perform a treewalk if provided a translation table ahead of time which will find and replace

OLDSID:NEWSID in all file ownership and in all ACE entries in ACLs but it can only be used during a PS engagement so contact your EMC account team. Alternatively there are a ton of Microsoft Technet blogs on using powershell to fix this as part of the AD migration:

~Chris

Chris Klosterman

Advisory Solution Architect

Offer and Enablement Team

EMC²| Emerging Technologies Division

@Phil.Lam Here it is ... "Moving Isilon to new AD" Thanks.

crklosterman

@Singular1bh , I did find this KB with mention of "MapSID", but link for "MapSID" did not work. FWIW, the latest EMCopy or Robocopy should handle SID history.

https://www.dell.com/support/kbdoc/en-ed/000061692/isilon-onefs-data-and-permissions-cannot-be-accessed-after-being-migrated-from-celerra-or-other-nas-platforms-sidhistory

I am facing a similar scenario today.  Need to migrate AD users to a new, trusted AD forest., and eventually move the Isilons as well.

Why would mapsid or a permissions repair be necessary today?  I thought Isilon supported SID History now?

https://infohub.delltechnologies.com/l/powerscale-onefs-authentication-identity-management-and-authorization/sid-history-2

OneFS 8.0.1 introduced support for SID history. SID history is an Active Directory attribute that maintains a history of previous SID values if an object is moved from another domain. SIDs are prefixed with a unique domain identifier. If users and groups are migrated from one Active Directory domain to another domain, each migrated object will have a new SID with a domain identifier of the new domain. When migrated users to the new domain attempt to access older files, access would be denied because the file permission would have the new SID. SID history retains the old SIDs, allowing them to be used for access checks.

Before OneFS 8.0.1, historical SIDs were not included in the access token because they were not recognized. In OneFS 8.0.1 and later versions, information from the Active Directory PAC is no longer discarded. For LDAP, OneFS queries the SIDHistory field to add the historical SIDs. If OneFS has a historical SID, then an RPC lookup is performed to find the current SID. Next, another RPC lookup is performed for SID to name resolution.

---

@anonymous_stranger , right, so I don't know what @Singular1bh was talking about.