
8.4 Application migration strategies

8.4.4 Category 3 - LOW AD integration depth, HIGH service integration depth


Name mapping).

Activities to achieve the step:

1 Preparation of the synchronization settings in the migration and co-existence solutions.

For SID-based mapping, the migration with SID History is necessary.

8.4.4.2 SID based

8.4.4.2.1 C3 - some security principals are migrated and active

Figure 17 C3 - SID based - some security principals are migrated and active

Description:

Some of the migrated user accounts with SID History are active in the new environment. They will access the resources in the existing environment. The access control check is passed by using the SIDs from the SID History attribute of the user or group account of the new environment.

Activities to achieve the step:

1 Some user objects are active in the new forest.

a The users can access the existing app data by the use of SID History in the access token.

Effort drivers:

- No additional effort beyond the migration itself.

8.4.4.2.2 C3 - SID based migration options

The SID based migration offers two options for the reACLing process.

Option 1 - sequential migration

Steps:

- All users and groups are migrated first to the new environment.
- Finish the complete migration with all users active in the new forest.
- Migrate the resource servers to the new forest.
- ReACL all the resources during the system migration.

Advantages:

- Reduced complexity of operation.

Disadvantages:

- Longer time frame.

Option 2 - migrate users / groups in parallel with the ACL based resources

Steps:

- Convert all DLGs to universal groups to enable:
  - Global groups as members
  - Group availability in a trusted domain / forest
- Migrate the users / groups in parallel with the resources.
- Migrate the resource servers to the new forest.
- ReACL the resources after all users / groups are migrated.
  - Requires analysis of the used users / groups in the ACLs.

Advantages:

- Shorter time frame.

Disadvantages:

- Higher complexity of operation.

The following chapters will describe both SID-based migration approaches.

8.4.4.2.3 C3 - option 1 - all security principals are migrated and active

Figure 18 C3 - SID based - option 1 - all security principals are migrated and active

Description:

All users and groups are migrated with SID History to the new environment. They will access the resources in the existing environment. The access control check is passed by using the SIDs from the SID History attribute of the user or group account of the new environment.

The existing user accounts are disabled and can’t access the resources.

Activities to achieve the step:

1 All users and groups are migrated to the new environment

a The users can access the “existing” App Data by the use of SID History.

2 Ready to migrate and reACL resources

Effort drivers:

- The challenge is that all users and groups must be migrated and active in the new forest. This process can take considerably longer than planned.

8.4.4.2.4 C3 - option 1 - server migration

Figure 19 C3 - SID based - option 1 - server migration

Description:

The existing application server systems or only the app data is migrated without ACL change to the new forest. The app data is reACLed in the new forest environment.

Activities to achieve the step:

1 Migrate the server object or the app data to the new domain

a Keep the ACLs on the resources

b During the migration users can access the app data by the use of SID History.

2 reACL the resources

a “New” SIDs will be used for further data access.

Effort drivers:

- The reACLing process can be very time consuming. The reACLing performance depends on the number of objects that have to be reACLed.

8.4.4.2.5 C3 - option 2 - some objects are migrated and active

Figure 20 C3 - SID based - option 2 - some objects are migrated and active

Description:

Option 2 requires that all security principals in the ACLs are available across domain boundaries. The user accounts, global and universal groups are available across the domain by default. Domain local groups are bound to the domain and can have users, global, and universal groups as members. To fulfill the requirements “available across the domain boundary” and “can have users, global and universal groups as members,” all domain local groups of the existing environment must be converted to universal groups. Then these groups can be used across the domain and forest boundary.

Some of the existing user accounts are active in the existing environment. They will access the resources with the existing ACLs in both the existing and new environment. The access control check is passed by using the original SIDs of the user or group account of the existing environment.

Some of the migrated user accounts with SID History are active in the new environment. They will access the resources with the existing ACLs in the existing and new environment. The access control check is passed by using the SIDs from the SID History attribute of the user or group account of the new environment.

Activities to achieve the step:

1 Change all existing domain local groups to universal groups in the existing forest.

2 Migrate the server object or the app data to the new forest

a Keep the ACLs on the resources
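Step 1 of option 2 in script form, as an added example that is not the whitepaper's own tooling: it converts the domain local groups of the existing domain to universal scope, skipping the nesting cases Active Directory rejects. The ActiveDirectory module and the $ExistingDC parameter are assumptions.

```powershell
# Added example, not the whitepaper's own tooling: converts the domain local groups (DLGs)
# of the existing domain to universal scope so they can be evaluated across the trust
# (option 2, step 1). Assumes the ActiveDirectory module and an operator-supplied DC of
# the existing domain in $ExistingDC. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess)]
param([Parameter(Mandatory)][string]$ExistingDC)
Import-Module ActiveDirectory

# Builtin groups (Administrators, Users, ...) are domain local but cannot change scope.
$dlgs = Get-ADGroup -Server $ExistingDC -Filter 'GroupScope -eq "DomainLocal"' -Properties member, memberOf |
    Where-Object { $_.DistinguishedName -notlike '*,CN=Builtin,*' }
$dlgDn = @{}
foreach ($g in $dlgs) { $dlgDn[$g.DistinguishedName] = $true }

foreach ($g in $dlgs) {
    # AD refuses the change while the group is a member of another DLG, and a universal
    # group may not contain DLGs, so DLG-in-DLG nesting has to be untangled by hand first.
    $blockers = @(@($g.memberOf) + @($g.member) | Where-Object { $_ -and $dlgDn.ContainsKey($_) })
    if ($blockers.Count -gt 0) {
        Write-Warning "$($g.Name): nested with DLG(s) $($blockers -join ', '); skipped"
        continue
    }
    if (-not $PSCmdlet.ShouldProcess($g.DistinguishedName, 'GroupScope DomainLocal -> Universal')) { continue }
    try {
        Set-ADGroup -Server $ExistingDC -Identity $g -GroupScope Universal
        [pscustomobject]@{ Group = $g.Name; Result = 'Converted' }
    } catch {
        [pscustomobject]@{ Group = $g.Name; Result = "Failed: $($_.Exception.Message)" }
    }
}
```

Universal group membership is replicated to the global catalog, so the conversion adds replication traffic and, like SID History, grows the access token of members.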

8.4.4.2.6 C3 - option 2 - reACL the resources

Figure 21 C3 - SID based - option 2 - reACL the resources

Description:

In this step, the existing (old) SID in the ACL will be replaced by the new forest (new) SID. This will break user access from the existing environment.

The challenge is the management of closed migration sets of security principals and data.

Activities to achieve the step:

1 Replace existing (old) SID with new forest SIDs in the ACLs.

a This cuts off access for users/groups from existing forest.

Effort drivers:

- The definition and organization of closed migration sets of security principals and data.

- The reACLing process can be very time consuming. The reACLing performance depends on the number of objects that have to be reACLed.

- Depending on the migration situation and closed user groups, the reACLing process must be run multiple times on a server or app data set.
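The reACL step of both option 1 (8.4.4.2.4) and option 2 (this section) as an added example that is not the whitepaper's own tooling: the old-SID to new-SID mapping is derived from the sIDHistory attribute of the migrated objects, and every explicit NTFS ACE on the app data tree that names an old-forest SID is rewritten to the corresponding new-forest SID. The ActiveDirectory module, the trust, and the $Path and $NewForestDC parameters are assumptions.

```powershell
# Added example, not the whitepaper's own tooling: builds an old-SID -> new-SID map from the
# sIDHistory attribute of the migrated objects and rewrites the explicit NTFS ACEs of an app
# data tree accordingly. Assumes the ActiveDirectory module, a working trust, and the
# operator-supplied parameters below. Run with -WhatIf first and keep the old ACLs backed up.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$Path,          # root folder of the app data to reACL
    [Parameter(Mandatory)][string]$NewForestDC    # a DC of the new forest
)
Import-Module ActiveDirectory

# 1. Every SID recorded in sIDHistory (old forest) maps to the objectSid in the new forest.
$sidMap = @{}
Get-ADObject -Server $NewForestDC -LDAPFilter '(sIDHistory=*)' -Properties objectSid, sIDHistory |
    ForEach-Object {
        foreach ($old in $_.sIDHistory) { $sidMap[$old.Value] = $_.objectSid.Value }
    }
Write-Verbose "Loaded $($sidMap.Count) SID History mappings from $NewForestDC"

# 2. Walk the tree. Only explicit ACEs are rewritten; inherited ones follow their parent.
$items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    $changed = $false
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        # Resolvable trustees come back as DOMAIN\Name; normalise everything to the SID string.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if (-not $sidMap.ContainsKey($sid)) { continue }   # not a migrated principal, leave it
        $newSid  = New-Object System.Security.Principal.SecurityIdentifier($sidMap[$sid])
        $newRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $newSid, $ace.FileSystemRights, $ace.InheritanceFlags, $ace.PropagationFlags, $ace.AccessControlType)
        [void]$acl.RemoveAccessRuleSpecific($ace)   # drop the old-forest SID ...
        $acl.AddAccessRule($newRule)                  # ... and grant the same rights to the new SID
        $changed = $true
    }
    if ($changed -and $PSCmdlet.ShouldProcess($item.FullName, 'Replace old-forest SIDs in ACL')) {
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}
```

Set-Acl writes the whole security descriptor, so the owner SID is left as it was by this script, and share, registry and application-internal ACLs need their own pass. For option 2 the $Path is one closed migration set at a time, which is why the page expects repeated runs per server.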

8.4.4.2.7 C3 - SID based - final

Figure 22 C3 - SID based - final

Description:

All users and groups are migrated with SID History to the new environment. They will access the resources in the existing environment. The access control check is passed by using the new SIDs from the new forest.

The SID History information of all users and groups in the new forest can be removed to reduce the access token and Kerberos token size.

Activities to achieve the step:

1 Remove all SID History information of the existing domain from the migrated objects.

Effort drivers:

- Removal of SID History information based on filters.
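The filtered removal described above as an added example that is not the whitepaper's own tooling: only sIDHistory values issued by the existing domain are stripped, so history from any other domain survives. The ActiveDirectory module and the $ExistingDC and $NewForestDC parameters are assumptions.

```powershell
# Added example, not the whitepaper's own tooling: strips from the migrated objects only the
# sIDHistory values issued by the existing (old) domain, which is the "filter" the effort
# driver refers to; history from any other domain is left alone. Assumes the ActiveDirectory
# module and operator-supplied DCs $ExistingDC and $NewForestDC. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$ExistingDC,
    [Parameter(Mandatory)][string]$NewForestDC
)
Import-Module ActiveDirectory

# Every SID of the old domain is "<old domain SID>-<RID>"; that prefix is the filter.
$oldDomainSid = (Get-ADDomain -Server $ExistingDC).DomainSID.Value

Get-ADObject -Server $NewForestDC -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
    ForEach-Object {
        $obj   = $_
        $stale = @($obj.sIDHistory | Where-Object { $_.Value -like "$oldDomainSid-*" } | ForEach-Object { $_.Value })
        if ($stale.Count -eq 0) { return }   # history from another domain: keep it
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Remove $($stale.Count) old-domain SID(s) from sIDHistory")) {
            # -Remove deletes the listed values only; the attribute disappears with its last value.
            Set-ADObject -Server $NewForestDC -Identity $obj -Remove @{ sIDHistory = $stale }
        }
    }
```

Run it only after every resource has been reACLed: once the history is gone, any access that still relies on the old SID stops.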

8.4.4.2.8 C3 - SID based - in trusting domains

Applications in trusting domains can also use SID based mappings. For these applications to work, a domain or forest trust from the existing to the new forest is necessary, because Windows authentication is used.

The application server migration in the trusted domain isn’t necessary.

ReACLing is only required if direct permission assignments from the existing domain (DTM) security principals have been used.

Most likely, DTM principals are nested in the domain local groups of the trusted Active Directory domain. These memberships must be replaced by the corresponding groups from the new forest.

In document Whitepaper Single Label Domain V132 (Page 82-92)
