We recently did a domain migration for several Windows users, and they have existing logins with the old domain. After the migration, they are able to log in via the new domain Windows account. When I look in syslogins and server_principals I do not see the new domain user login. I only see the old domain user login. When I run SELECT suser_sid('domain\user') I get back a different SID. Am I missing something? Any idea what I can do to resolve that, and is this going to cause any issues later?
asked Jul 27, 2011 at 01:27 PM in Default
If the old domain is still up and a trusted relationship was created, they will still be able to log in with their old domain accounts into the instance of SQL Server. The only issue that will probably occur is when the old domain is brought down, SQL access will stop.
You will need to issue an ALTER LOGIN [old domain\current login] WITH NAME=[new domain\login] in order to change them. Someone else that has actually gone through a migration may have more details, truthfully I have not.
Quick read from here might help as well.
When you moved users to a new domain and the server is on the original domain and users still have an account in the original domain, then even if the two domains are not trusted, users are able to automatically connect to the SQL Server under the new domain account using the old domain credentials if those credentials are stored on their machine.
I mean in the user account settings on a desktop you can manage stored passwords, and you can specify that your account will automatically use different credentials for other domains.
We use this approach to connect to QA and DEV servers which are located in their own domains.
answered Jul 27, 2011 at 11:47 PM
If you haven't explicitly added the new domain accounts to the SQL Server, you won't see them in
If this domain group has the appropriate permissions for the users, you won't need to do anything else. If you need to manage their security on a per-user basis, add their new accounts as logins and assign the appropriate permissions to each account.
answered Jul 27, 2011 at 01:48 PM
They probably did a SID migration from the old domain to the new one. At the authentication level it is all done by Windows SID - the login name is just for human readability.
SQL Server doesn't know anything besides what you tell it. Previously you told it that you would accept authentication from SID XXXX and you will represent that by the login AA\BBBB.
The same authenticated SID can still access SQL Server but they now go by a new name of CC\DDDD.
You can most likely choose to do nothing or will have to manually ALTER LOGIN to correct the discrepancies. The bottom line is that SQL Server doesn't really care about the displayed name.
answered Jul 29, 2011 at 08:54 AM
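The SID-versus-name point in the answers above can be checked directly on the instance. The following T-SQL is an added example, not code from any of the posters: it is read-only, it builds ALTER LOGIN text without running it, and `NEWDOMAIN\user` is a placeholder account name.

```sql
-- Added example: audit Windows logins after a domain migration.
-- Nothing here changes the server; the rename statement is only text.
SELECT
    sp.name                AS stored_name,        -- name SQL Server has on file
    sp.type_desc,
    sp.sid                 AS stored_sid,         -- what authentication matches on
    SUSER_SNAME(sp.sid)    AS name_for_stored_sid, -- name Windows returns for that SID
    SUSER_SID(sp.name)     AS sid_for_stored_name, -- SID Windows returns for that name
    CASE
        WHEN SUSER_SNAME(sp.sid) IS NULL
            THEN 'stored SID does not resolve'
        WHEN SUSER_SNAME(sp.sid) <> sp.name
            THEN 'stored SID resolves to a different name'
        ELSE 'name and SID agree'
    END                    AS status,
    -- ALTER LOGIN ... WITH NAME on a Windows login requires the new name
    -- to resolve to the SID already stored, so only suggest it in that case.
    CASE
        WHEN SUSER_SNAME(sp.sid) <> sp.name
         AND SUSER_SID(SUSER_SNAME(sp.sid)) = sp.sid
            THEN N'ALTER LOGIN ' + QUOTENAME(sp.name)
               + N' WITH NAME = ' + QUOTENAME(SUSER_SNAME(sp.sid)) + N';'
    END                    AS suggested_rename
FROM sys.server_principals AS sp
WHERE sp.type IN ('U', 'G')          -- Windows logins and Windows groups
ORDER BY status, sp.name;

-- Spot check for one migrated account (placeholder name).
DECLARE @new_account sysname = N'NEWDOMAIN\user';

SELECT
    @new_account            AS account,
    SUSER_SID(@new_account) AS sid_now,
    -- NULL means no login row is stored under this SID, so access comes
    -- from something else, such as a Windows group that has a login.
    (SELECT sp.name
       FROM sys.server_principals AS sp
      WHERE sp.sid = SUSER_SID(@new_account)) AS login_with_same_sid;
```

Rows where `suggested_rename` is NULL but the status is not "name and SID agree" are the ones to review by hand before the old domain is retired.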