Hi,

if you want to install a RHEL8 or RHEL9 server with the same domain name, the recommended procedure would be to install a RHEL8 replica from your RHEL7 server, then a RHEL9 replica from your RHEL8 server.
You can check this documentation:
ipa migrate-ds is used when the new domain name is different from the old one and does not migrate all the data (only users and groups are migrated, not HBAC rules, sudo rules etc...). On the contrary, installation of a replica does not lose any data. And you don't need to worry about the SIDs.

HTH,
flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/migrating_to_identity_management_on_rhel_8/migrate-7-to-8_migrating
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/migrating_to_identity_management_on_rhel_9/assembly_migrating-your-idm-environment-from-rhel-8-servers-to-rhel-9-servers_migrating-to-idm-on-rhel-9

On Tue, May 9, 2023 at 2:35 PM Finn Fysj via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Planning to migrate users and groups from an old dusty IPA server running Red Hat Enterprise Linux 7 to RHEL9.
I'm aware of SID issues from following thread: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/MO63NXS63KSI6QJMZRN6JK32VUGKEICH/

Should I ignore the attribute `ipaNTSecurityIdentifier` when migrating from old to new instance?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue