Recently one of our customers wished to upgrade their TFS 2008 server in one domain to TFS 2010 in a different domain with no trust between the domains. This procedure seems to be of general interest and is hence the subject of this blog post.
The tricky aspect of the procedure is the correct sequence for changing identities to mapped users in the new domain. The Identities Change command in TFS 2010, as well as its equivalent in TFS 2008, has a key restriction: the target account cannot already exist in TFS. That is, if you wish to change domainA\foo to domainB\foo, then the latter account cannot already exist in TFS when running the command. If the target account is somehow introduced, either by being granted permissions or by group membership sync, it cannot be undone. Simply “removing” the user from group(s) will not work. Removing an identity in TFS simply marks the record as logically deleted and does not physically delete it, because the identity may own TFS artifacts such as changesets or work items.
There are a few different options to accomplish the goal of upgrading to TFS 2010 along with a domain move. Our general recommendation is to perform one operation at a time. Thus you can:
- Upgrade TFS 2008 to TFS 2010 in the original domain, followed by migration to the new domain. You may follow the instructions at http://msdn.microsoft.com/en-us/library/ms404883(v=VS.100).aspx for moving the TFS 2010 server.
- Migrate TFS 2008 to the new domain first, then upgrade to TFS 2010. The instructions for this can be found at http://msdn.microsoft.com/en-us/library/ms404883(v=VS.80).aspx.
The first option above is to be preferred because the Identities Change command in TFS 2010 is more robust and flexible.
If neither of these procedures will work, however, you can follow this combined procedure.
i. Upgrade TFS 2008 to TFS 2010 in the new domain, but do not add any new domain accounts or groups to TFS yet.
ii. Change identities (refer to the Identities Change command).
iii. Add any AD groups from the new domain.
This ensures that the new domain accounts are not introduced before running identities change for the mapped accounts. The only exception is that a service account from the new domain has to be added to TFS during the upgrade, namely step (i) above. If you also wish to migrate the old service account to the new domain, you will have to use a temporary service account for this step.
When using the identities change command, there are a few points to keep in mind.
- If account names are the same in both domains, the command can be run in batch mode. Otherwise they can be changed individually, specifying a different target account name.
- For accounts which were added to TFS by syncing AD groups, the source of the data should also reflect the change.
- After running the identities change command, you have to wait for the next hourly sync to update all properties.
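
A pre-flight check for the combined procedure above, as an added example that is not part of the original post: it flags every mapping whose target account is already known to TFS and prints the `TFSConfig Identities /change` command lines for the rest. The domain names, account names and the list of known identities are constructed placeholders, and the script only prints commands; it does not run them.

```powershell
# Constructed sample data: domains, accounts and the identity list are placeholders.
$FromDomain = 'DOMAINA'
$ToDomain   = 'DOMAINB'

# Old account name -> account name in the new domain.
$Plan = [ordered]@{
    foo     = 'foo'        # same name in both domains
    bar     = 'bar'        # same name, but already present in TFS (see below)
    svc_tfs = 'svc_tfs2'   # renamed in the new domain
}

# Identities TFS already holds a record for, including logically deleted ones.
$KnownToTfs = @(
    'DOMAINA\foo', 'DOMAINA\bar', 'DOMAINA\svc_tfs',
    'DOMAINB\tfs_temp_svc',   # temporary service account used during the upgrade
    'DOMAINB\bar'             # introduced early, e.g. by a group membership sync
)

function Get-IdentityChangePlan {
    param([string]$FromDomain, [string]$ToDomain, $Plan, [string[]]$KnownToTfs)
    foreach ($old in $Plan.Keys) {
        $new    = $Plan[$old]
        $target = '{0}\{1}' -f $ToDomain, $new
        if ($KnownToTfs -contains $target) {
            $mode = 'Blocked'       # target already exists in TFS: change will fail
        } elseif ($old -eq $new) {
            $mode = 'Batch'         # same name in both domains
        } else {
            $mode = 'Individual'    # needs an explicit target account name
        }
        [pscustomobject]@{ Account = $old; NewName = $new; Target = $target; Mode = $mode }
    }
}

$rows = @(Get-IdentityChangePlan $FromDomain $ToDomain $Plan $KnownToTfs)
$rows | Format-Table Account, Target, Mode -AutoSize

$base = "TFSConfig Identities /change /fromdomain:$FromDomain /todomain:$ToDomain"
foreach ($r in $rows) {
    if ($r.Mode -eq 'Blocked') {
        Write-Warning "$($r.Target) already exists in TFS; $($r.Account) cannot be changed to it."
    } elseif ($r.Mode -eq 'Individual') {
        "$base /account:$($r.Account) /toaccount:$($r.NewName)"
    }
}
# Accounts with the same name in both domains are covered by one batch-mode command.
if ($rows | Where-Object { $_.Mode -eq 'Batch' }) { $base }
```

With the sample data, `foo` is reported as batch-eligible, `svc_tfs` gets an individual command, and `bar` is flagged because `DOMAINB\bar` was introduced before the identities change.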