Guidance for upgrading to TFS 2010 along with domain move

Recently one of our customers wished to upgrade their TFS 2008 server in one domain to TFS 2010 in a different domain with no trust between the domains. This procedure seems to be of general interest and is hence the subject of this blog post.

The tricky aspect of the procedure is the correct sequence for changing identities to mapped users in the new domain. The Identities Change command in TFS 2010, as well as its equivalent in TFS 2008, has a key restriction: the target account cannot already exist in TFS. That is, if you wish to change domainA\foo to domainB\foo, then the latter account cannot already exist in TFS when running the command. If the target account is somehow introduced, either by being granted permissions or by group membership sync, this cannot be undone. Simply "removing" the user from group(s) will not work. Removing identities in TFS merely marks the record as logically deleted; it does not physically delete it, because the identity may own TFS artifacts such as changesets or work items.

There are a few different options to accomplish the goal of upgrading to TFS 2010 along with the domain move. Our general recommendation is to perform one operation at a time. Thus you can:

  1. Upgrade TFS 2008 to TFS 2010 in the original domain, followed by migration to the new domain. You may follow the instructions at https://msdn.microsoft.com/en-us/library/ms404883(v=VS.100).aspx for moving the TFS 2010 server.
  2. Migrate TFS 2008 to the new domain first, then upgrade to TFS 2010. The instructions for this can be found at https://msdn.microsoft.com/en-us/library/ms404883(v=VS.80).aspx.

Option 1 above is to be preferred because the identity change command in 2010 is more robust and flexible.

If neither of these procedures will work, however, you can follow this combined procedure.

i. Upgrade TFS 2008 to TFS 2010 in the new domain, but do not add any new domain accounts or groups to TFS yet.
ii. Change identities - refer to the Identities Change command.
iii. Add any AD groups from the new domain.

This will ensure that the new domain accounts are not introduced before running the identities change for mapped accounts. The only exception is that a service account from the new domain has to be added to TFS during the upgrade, namely step (i) above. If you also wish to migrate the old service account to the new domain, you will have to use a temporary service account for step (i) to circumvent this.

When using the identities change command, there are a few points to keep in mind.

  • If account names are the same in both domains, the command can be run in batch mode. Otherwise the accounts can be changed individually, specifying a different target account name for each.
  • For accounts which were added to TFS by syncing AD groups, the source of that data (the AD group membership) should also reflect the change.
  • After running the identities change command, you have to wait for the next hourly sync to update all properties.
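Because an accidentally introduced target account cannot be undone, a pre-flight check before running the command is worth automating. The following PowerShell script is an added example, not part of the original post: it reads a mapping of old-domain to new-domain accounts from a CSV, looks each target account up through the TFS 2010 client object model, refuses to proceed if any target already exists in TFS, and otherwise prints the per-account TFSConfig Identities commands for review. The collection URL, CSV path and column names are placeholders, and the script assumes the TFS 2010 object model assemblies are installed on the machine where it runs.

```powershell
# Added example (not from the original post). Pre-flight check before TFSConfig Identities /change:
# every target (new-domain) account must be absent from TFS, because once introduced it cannot be undone.
# Assumptions: TFS 2010 object model installed; $CollectionUrl and $MappingCsv are placeholders;
# the CSV has columns OldAccount,NewAccount holding domain\account names.
param(
    [string]$CollectionUrl = "http://tfs2010:8080/tfs/DefaultCollection",   # placeholder
    [string]$MappingCsv    = ".\identity-map.csv"                            # placeholder
)

$asmSuffix = "Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
Add-Type -AssemblyName "Microsoft.TeamFoundation.Client, $asmSuffix"
Add-Type -AssemblyName "Microsoft.TeamFoundation.Common, $asmSuffix"

$tpc = [Microsoft.TeamFoundation.Client.TfsTeamProjectCollectionFactory]::GetTeamProjectCollection([Uri]$CollectionUrl)
$ims = $tpc.GetService([Microsoft.TeamFoundation.Framework.Client.IIdentityManagementService])

$blocked  = @()
$commands = @()
foreach ($row in Import-Csv $MappingCsv) {
    # Look the target account up by name. Any returned record blocks the change, including one that
    # is merely logically deleted (IsActive = false), since TFS never physically removes identities.
    $existing = $ims.ReadIdentity(
        [Microsoft.TeamFoundation.Framework.Common.IdentitySearchFactor]::AccountName,
        $row.NewAccount,
        [Microsoft.TeamFoundation.Framework.Common.MembershipQuery]::None,
        [Microsoft.TeamFoundation.Framework.Common.ReadIdentityOptions]::None)
    if ($null -ne $existing) {
        $blocked += "$($row.NewAccount) already exists in TFS (IsActive=$($existing.IsActive))"
        continue
    }
    $fromDomain, $fromAccount = $row.OldAccount -split '\\', 2
    $toDomain,   $toAccount   = $row.NewAccount -split '\\', 2
    # One command per mapping, so account names are allowed to differ between the two domains.
    $commands += "TFSConfig Identities /change /fromdomain:$fromDomain /todomain:$toDomain " +
                 "/account:$fromAccount /toaccount:$toAccount"
}

if ($blocked.Count -gt 0) {
    Write-Warning "Do not run the identity change yet; these target accounts are already present:"
    $blocked | ForEach-Object { Write-Warning "  $_" }
    exit 1
}
# Nothing is executed here: review the generated commands, then run them on the application tier.
$commands
```

A null lookup result is a necessary precondition, not a guarantee, so the commands are printed rather than executed, and the mapping should be re-checked after the next hourly sync if AD groups were changed in between.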

Comments

  • Anonymous
    July 28, 2010
    We have TFS 2010 installed and are in the process of mapping existing users to new domain identities. For some user accounts, the target identities were somehow introduced after group membership sync (the new accounts were accidentally added to the Builtin Administrators group). The problem is that the change identities command is not working. Is there a way to delete these identity records from the dbo.tbl_security_identity_cache table? What else can be done to map these identities to new domain accounts? Any help would be greatly appreciated. Thanks.

  • Anonymous
    August 17, 2010
    I have a similar problem to Venu. Is there a way to remove/combine identities if some of the target identities already exist? Thanks

  • Anonymous
    June 04, 2011
    Same issue here. Is there a way to combine old and new identities if some of the target identities were introduced prematurely? Thanks.

  • Anonymous
    June 11, 2012
    Hi Guys, was anyone able to find the solution for the issue asked in the above comments? Thanks

  • Anonymous
    June 10, 2013
    Same issue here. The built-in "administrators" group on TFS had some new domain admin accounts introduced to TFS too early.

  • Anonymous
    January 28, 2014
    Yes! I have the same issue as well and found nothing to support a situation where users were added to a domain group that was added to the project collection Valid Users group in TFS. What has everyone done to fix this mess?