Switching to Domain Management Groups

During the installation of MIIS you are shown a list of groups (MIIS_Admins, MIIS_Joiners etc) which will be created. The groups are local groups, and I expect that most people, on their first installation, just accept that.

But wouldn’t it be nice if, at that point, a little more explanation, or perhaps some alternative options, were offered, allowing you to think it over and take the better option of domain groups?

(Actually the best option would be if Microsoft had provided some sort of tool allowing us to change the admin groups post installation – but I can only hope that will be in ILM…)

Anyway I digress – why are Domain groups better? First there is the sys admin reason that domain memberships are much easier to track than local memberships. Secondly, and more importantly, using domain groups means you can replicate the MicrosoftIdentityIntegrationServer database to another server (in the same domain or a trusting domain) and it will work!

In MIIS 2003 the only way to change the admin groups is to change the SIDs in the MicrosoftIdentityIntegrationServer.mms_server_configuration table.

Theoretically you should be able to find the SIDs using getsid.exe from the Windows Support Tools and update the table accordingly, but for some reason I’ve not had much success with this method the couple of times I’ve tried it.

You may be luckier (or cleverer) than me, but if not here’s a method I have tried and tested successfully.

  1. Install MIIS onto a new server;
  2. During the installation change all the group names to have domain\ at the front, so that the domain groups are used instead;
  3. Once MIIS is installed copy the SIDs from the new mms_server_configuration table to the old one.
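The three steps above, together with the "find the SIDs and update the table" idea, worked through as a PowerShell script. This is an added example, not code from the original post or from Microsoft: it resolves the group SIDs with .NET's NTAccount translation instead of getsid.exe, and the domain name CONTOSO, the SQL instance MIIS-SQL, the column names in mms_server_configuration, the string form of the stored SIDs, and the three group names other than MIIS_Admins and MIIS_Joiners are all assumptions to replace with the values from your own installation.

```powershell
<#
  Added example (not from the original post). Resolves the MIIS admin groups
  to their DOMAIN SIDs and writes them into mms_server_configuration.
  Assumptions, all placeholders to replace:
    - CONTOSO is the domain; MIIS-SQL is the SQL Server instance.
    - The column names in $groupColumns are hypothetical; the post does not
      name them. Read the real ones first with
        SELECT * FROM dbo.mms_server_configuration
    - The columns store the SID as a string (S-1-5-21-...). If yours are
      varbinary, write $sid.GetBinaryForm() instead of $sid.Value.
  Nothing is written unless -Apply is given; without it the script only
  prints the current values and the planned changes.
#>
param(
    [string]$Domain      = 'CONTOSO',
    [string]$SqlInstance = 'MIIS-SQL',
    [string]$Database    = 'MicrosoftIdentityIntegrationServer',
    [switch]$Apply
)

Add-Type -AssemblyName System.Data   # System.Data.SqlClient

# Group name -> column holding its SID. MIIS_Admins and MIIS_Joiners are named
# in the post; the other three are the remaining MIIS 2003 groups as I recall
# them, so check them against your own installer output.
$groupColumns = [ordered]@{
    'MIIS_Admins'      = 'admins_sid'        # hypothetical column name
    'MIIS_Operators'   = 'operators_sid'     # hypothetical column name
    'MIIS_Joiners'     = 'joiners_sid'       # hypothetical column name
    'MIIS_Browse'      = 'browse_sid'        # hypothetical column name
    'MIIS_PasswordSet' = 'password_set_sid'  # hypothetical column name
}

function Resolve-DomainGroupSid {
    param([string]$Domain, [string]$Group)
    $account = New-Object System.Security.Principal.NTAccount($Domain, $Group)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    # Round-trip the SID back to a name. If the lookup matched a local group
    # of the same name, the name comes back as COMPUTER\Group rather than
    # DOMAIN\Group, which is exactly the mistake this post is about.
    $backToName = $sid.Translate([System.Security.Principal.NTAccount]).Value
    if (-not $backToName.StartsWith("$Domain\", 'OrdinalIgnoreCase')) {
        throw "$Group resolved to $backToName, which is not a $Domain group"
    }
    return $sid
}

# 1. Resolve every group and insist they all share one domain SID prefix.
$resolved = @{}
foreach ($group in $groupColumns.Keys) {
    $resolved[$group] = Resolve-DomainGroupSid -Domain $Domain -Group $group
}
$domainSids = @($resolved.Values | ForEach-Object { $_.AccountDomainSid.Value } | Sort-Object -Unique)
if ($domainSids.Count -ne 1) {
    throw "Groups come from more than one domain: $($domainSids -join ', ')"
}

# 2. Connect with Windows authentication and record the current values
#    before touching anything (the table holds a single row).
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlInstance;Database=$Database;Integrated Security=True")
$conn.Open()
try {
    $cmd  = $conn.CreateCommand()
    $cols = ($groupColumns.Values | ForEach-Object { "[$_]" }) -join ', '
    $cmd.CommandText = "SELECT $cols FROM dbo.mms_server_configuration"
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        for ($i = 0; $i -lt $reader.FieldCount; $i++) {
            Write-Host ("before: {0} = {1}" -f $reader.GetName($i), $reader.GetValue($i))
        }
    }
    $reader.Close()

    # 3. Write each domain SID into its column. The column name comes only
    #    from our own map; the SID value goes in as a parameter, never spliced
    #    into the SQL text.
    foreach ($group in $groupColumns.Keys) {
        $column    = $groupColumns[$group]
        $sidString = $resolved[$group].Value
        Write-Host "plan:   $column <- $sidString ($Domain\$group)"
        if ($Apply) {
            $cmd.CommandText = "UPDATE dbo.mms_server_configuration SET [$column] = @sid"
            $cmd.Parameters.Clear()
            [void]$cmd.Parameters.AddWithValue('@sid', $sidString)
            [void]$cmd.ExecuteNonQuery()
        }
    }
}
finally {
    $conn.Close()
}
```

Run it first without -Apply and compare the printed "before" values with the SIDs a fresh domain-group install wrote into its own table (step 3 above); if they are the same SIDs, the plan is right and you can re-run with -Apply. Take a backup of the MicrosoftIdentityIntegrationServer database beforehand, since a wrong SID in this table locks everybody out of the Identity Manager console.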