o Problem: What do you do when a user tries to use a network printer post ReACL process and/or cutover and receives an access denied error?
Solution: Synchronize the SID History for that user to resolve the problem.
o Problem: ASP.NET will sometimes not register properly with IIS, which can cause errors when the SMART AD Migrator agent tries to communicate with the Web Service. How do I address this?
Solution: During installation, the installer must enable the IIS feature on the server, if it is not already enabled, so that the web service can be installed and configured. To address this problem, manually re-register ASP.NET with IIS by running the command below on the server from C:\Windows\Microsoft.NET\Framework\v4.5.2:
aspnet_regiis -i
o Problem: What do I do if the Agent_<datetime>.log shows an Error: Login failed for user 'IIS APPPOOL\ADM AppPool' in System.Data.SqlClient.SqlException?
Solution: To fix this:
1. Open SQL Management Studio where the DirSync databases were set up.
2. Go to SQL Server Security -> Logins.
3. New Login.
4. User name: IIS APPPOOL\ADM AppPool.
5. Click on User Mappings.
6. Select BTCodex for the database.
7. Select db_datareader and db_datawriter for Roles.
8. Click OK.
9. Restart the agent on the workstation or wait for the next polling interval.
o Problem: Observed Access Denied error when trying to ReACL a Windows NAS Shared Drive.
Solution: To fix this:
1. Add the user credential in the NAS screen in the SMART AD Migrator Console. This user should be installed on a workstation with Local Admin Rights.
2. After the agent is installed on the workstation, change the SMART AD Migrator Agent Service account from Local System to the user credential specified in step 1. This user should also be logged in on the workstation.
3. Turn off UAC on the workstation.
4. ReACL the Windows NAS Shared Drive.
o Problem: Users are getting an error message that their Recycle Bin has been corrupted once their computer has been migrated.
Solution: This is a common issue with domain migrations and occurs when the Recycle Bin is not empty. The Recycle Bin is named with the user's SID and cannot be reACL'd. After the workstation has been reACL'd and migrated, when the user logs on, an existing Recycle Bin that is not empty cannot be accessed by the user. If the existing Recycle Bin is empty, a new one is created and named with the Target user's SID.
SMART ACTIVE DIRECTORY MIGRATOR 9.2 USER GUIDE 98
Resolution:
Empty the Recycle Bin as part of the Cutover process.
o Problem: SMART Directory Sync does not start if SQL Authentication method is used with Windows Authentication.
Solution: Manually add the computer account to the SQL Server and grant it the sysadmin role. To accomplish this, perform the following steps:
1. In SQL Management Studio, open a new query window and run the script below:
CREATE LOGIN [Domain\machine_name$] FROM WINDOWS
2. Under Security -> Logins, locate the newly created computer account.
3. Grant this login the sysadmin role.
o Problem: A workstation that has been successfully cutover no longer responds to any additional jobs, such as Cleanup.
Solution: If a workstation that has been successfully cutover now fails to respond to any additional jobs, such as Cleanup, check the Application event log. If you see a "The remote name could not be resolved" error, this most likely means that the SRV record for the ADM server can no longer be resolved due to a DNS lookup failure.
If you cannot "Ping" the ADM server from any other machines in the target domain, then you will need to remedy this on a more global scale, such as creating a conditional forwarder on the target machines' current DNS server pointing to the appropriate location.
If you are able to "Ping" the ADM server, then check the Network Profile that was used during the Cutover to verify that the DNS settings were correct in that profile.
Password Sync Troubleshooting
o Problem: You encounter "Access is denied" errors when syncing passwords with Directory Sync.
Solution: This is most likely because the utility (psexec.exe) used for remote calls to the Global Catalog is failing.
Some things you can try are:
1. Try the GC server's IP address, FQDN and Shortname. IP address often works when others do not.
2. From the Directory Sync machine browse to \\[GC]\admin$ with the admin username\password.
3. Run the Directory Sync service with credentials that have access to the GC instead of as LocalSystem.
4. Firewalls\Anti-Virus software should not be a problem but turning them off may help.
AD Migrator BITS Troubleshooting
o Problem: The AD Migrator UI issued the ‘Upload Logs’ command to the Agent for a device, but nothing was uploaded to the web server.
Solutions:
IIS Web Server where ADM Web Service is installed:
1. Open IIS Manager.
2. Verify that Default Web Site > adm > DeviceLogs exists.
a. Verify there is a BITS Uploads option icon in the Feature View (at the bottom).
If not, use PowerShell to install it:
Import-Module ServerManager
Add-WindowsFeature BITS-IIS-Ext
b. Verify in the BITS Upload view, that "Allow clients to upload files" is checked.
1. Open IIS Manager.
2. Go to Default Web Site -> adm -> DeviceLogs.
3. Click on Basic Settings in the right pane.
a. Verify the Application Pool is set to "ADM AppPool".
4. Click on Edit Permissions -> Security tab
a. Verify the IUSR account is in the list and has the following permissions: Modify, Read & execute, List folder contents, Read, Write.
On the Device where the ‘Upload Logs’ command was issued:
1. Navigate to C:\Program Files (x86)\Binary Tree\ADMigrator Agent\Files.
2. Open the agent_<date>.log in Notepad.
a. Verify the URI for the server /api and /devicelogs location is correct.
1. Navigate to C:\Program Files (x86)\Binary Tree\ADMigrator Agent\Files.
2. Open the PowerShell-<date>-<time>-BT-UploadLogs.log file.
a. Check for problems or errors.
1. Go to Start -> Run -> services.msc.
2. Verify the Background Intelligent Transfer Service is started.
Appendix A. AD Source – AD Target Default Mapping
The below table displays the default values of the AD Source to AD Target mapping table.
Source Field Internal Field Target Field So
accountExpires AccountExpires accountExpires any any
altRecipient ForwardingAddress altRecipient any any
deletedItemFlags DeletedItemFlags deletedItemFlags any any
delivContLength DelivContLength delivContLength any any
department Department department any any
departmentNumber DepartmentNumber departmentNumber any any
description Description description any any
dLMemSubmitPerms DLMemSubmitPerms dLMemSubmitPerms any any
dLMemRejectPerms DLMemRejectPerms dLMemRejectPerms any any
employeeID EmployeeID employeeID any any
employeeNumber EmployeeNumber employeeNumber any any
employeeType EmployeeType employeeType any any
extensionAttribute1 Extension1 extensionAttribute1 any any These are Exchange defined custom attributes.
extensionAttribute10 Extension10 extensionAttribute10 any any These are Exchange defined custom attributes.
extensionAttribute11 Extension11 extensionAttribute11 any any These are Exchange defined custom attributes.
extensionAttribute12 Extension12 extensionAttribute12 any any These are Exchange defined custom attributes.
extensionAttribute13 Extension13 extensionAttribute13 any any These are Exchange defined custom attributes.
extensionAttribute14 Extension14 extensionAttribute14 any any These are Exchange defined custom attributes.
extensionAttribute15 Extension15 extensionAttribute15 any any These are Exchange defined custom attributes.
extensionAttribute2 Extension2 extensionAttribute2 any any These are Exchange defined custom attributes.
extensionAttribute3 Extension3 extensionAttribute3 any any These are Exchange defined custom attributes.
extensionAttribute4 Extension4 extensionAttribute4 any any These are Exchange defined custom attributes.
extensionAttribute5 Extension5 extensionAttribute5 any any These are Exchange defined custom attributes.
extensionAttribute6 Extension6 extensionAttribute6 any any These are Exchange defined custom attributes.
extensionAttribute7 Extension7 extensionAttribute7 any any These are Exchange defined custom attributes.
extensionAttribute8 Extension8 extensionAttribute8 any any These are Exchange defined custom attributes.
extensionAttribute9 Extension9 extensionAttribute9 any any These are Exchange
generationQualifier Suffix generationQualifier any any
givenName FirstName givenName any any
HomePostalAddress HomePostalAddress HomePostalAddress any any
Info Info Info any any
internetEncoding internetEncoding internetEncoding any any
ipPhone IPPhone ipPhone any any
jpegPhoto JPEGPhoto jpegPhoto any any
l OfficeCity l any any
language Language language any any
legacyExchangeDN LegacyExchangeDN legacyExchangeDN any any
localeID LocaleID localeID any any
mail InternetAddress mail any any
mailNickname PrimaryAlias mailNickname any any
manager Manager any any
msExchALObjectVersion msExchALObjectVersion msExchALObjectVersion any any
msExchArchiveGuid msExchArchiveGuid msExchArchiveGuid any any
msExchArchivename msExchArchivename msExchArchivename any any
msExchAssistantName msExchAssistantName msExchAssistantName any any
msExchBypassAudit msExchBypassAudit msExchBypassAudit any any
msExchELCExpirySuspen
msExchELCMailboxFlags msExchELCMailboxFlags msExchELCMailboxFlags any any
msExchExternalOOFOpti
msExchMailboxGuid msExchMailboxGUID msExchMailboxGuid any any
msExchMDBRulesQuota msExchMDBRulesQuota msExchMDBRulesQuota any any
msExchMessageHygiene
msExchModerationFlags msExchModerationFlags msExchModerationFlags any any
msExchPoliciesExcluded msExchPoliciesExcluded msExchPoliciesExcluded any any
msExchPoliciesIncluded msExchPoliciesIncluded msExchPoliciesIncluded any any
msExchProvisioningFlag
msExchResourceDisplay msExchResourceDisplay msExchResourceDisplay any any
msExchResourceMetaDa
msExchUMDtmfMap msExchUMDtmfMap msExchUMDtmfMap any any
msExchUMSpokenName msExchUMSpokenName msExchUMSpokenName any any
msExchUserCulture msExchUserCulture msExchUserCulture any any
msExchVersion msExchVersion msExchVersion any any
name Name name any any
O O O any any
objectGUID AdminDisplayName adminDisplayName any any
otherFacsimileTelephon
otherHomePhone OtherHomePhone otherHomePhone any any
otherIpPhone OtherIpPhone otherIpPhone any any
otherMobile OtherMobile otherMobile any any
otherPager OtherPager otherPager any any
otherTelephone OtherTelephone otherTelephone any any
pager PagerNumber pager any any
pOPCharacterSet POPCharacterSet pOPCharacterSet any any
pOPContentFormat POPContentFormat pOPContentFormat any any
postalAddress PostalAddress postalAddress any any
primaryTelexNumber PrimaryTelexNumber primaryTelexNumber any any
proxyAddresses ProxyAddresses any any
roomNumber RoomNumber roomNumber any any
sAMAccountName SAMAccountName sAMAccountName any any The following restricted
streetAddress OfficeStreetAddress streetAddress any any
telephoneAssistant TelephoneAssistant telephoneAssistant any any
telephoneNumber OfficePhoneNumber telephoneNumber any any
terminalServer TerminalServer terminalServer any any
textEncodedORAddress TextEncodedORAddress textEncodedORAddress any any
thumbnailLogo ThumbnailLogo thumbnailLogo any any
userCertificate UserCertificate userCertificate any any
userPrincipalName UserPrincipalName userPrincipalName any any
userSMIMECertificate UserSMIMECertificate userSMIMECertificate any any
wWWHomePage WWWHomePage wWWHomePage any any
groupType GroupType groupType group group
* thumbnailPhoto values are synced directly from the Source to the Target.
Appendix B. Customizing Overrides
To add a View Override:
1. From the Mapping tab, click Overrides. The View Overrides window appears.
2. Click Add. The Override dialog appears.
3. Select a Person or Groups from the View drop-down list.
4. Enter a Field Name for the new override. This must be a valid internal field name in SQL.
5. Enter a Field Value for the new override. This must be a correctly formatted SQL statement.
6. Enter Comments for the new override.
7. Click Save.
8. Click Yes for the confirmation message.
When you save an override, SMART Directory Sync re-generates the Person or Groups view. It does this by dynamically generating a single SQL statement using the snippet of SQL code that is part of all overrides. The max size for this SQL statement is 8000 total characters. If many new overrides are added, this limit could be exceeded and an error when adding the overrides will occur. In addition to the default overrides, approximately 15-20 more Person and 20-25 Group overrides can be added before hitting the size limit.
To edit a mapping override:
1. From the Mapping tab, click Overrides. The View Overrides window appears.
2. Select an Override and click Edit. The Override dialog appears.
3. Edit the Field Value for the override. The View and Field Name cannot be edited.
4. Edit Comments for the override.
5. Click Save.
6. Click Yes for the confirmation message.
To delete a mapping override:
1. From the Mapping tab, click Overrides. The View Overrides window appears.
2. Select an Override and click Delete.
3. Click Yes for the confirmation message.
Controlling actions with Overrides
SMART Directory Sync uses the TypeOfTransaction column from the BT_Person table, or the Operation column from the BT_Groups table to determine what action to perform on the target object. These may have overrides applied to them, to control what actions Directory Sync will take for an object. The below image shows an example of this kind of override.
Matching user accounts with Overrides
The values used for matching can have overrides applied to them. This is accomplished by setting up a new override using the field names MatchValue1, MatchValue2, MatchValue3 and MatchValue4. Each of MatchValue1-4 corresponds to the respective Source and Target pair on the matching tab.
These values are used for matching only. Values that get written to the target are based on the mappings, not the matching.
Example Overrides
Field Name: TargetAddress
Field Value: CASE EntryType WHEN 'user' THEN 'SMTP:' + P.BTCustom020 + '@domino.contoso.com' ELSE 'SMTP:' +

Field Value: 'SMTP:' + dbo.UpdateInternetAddress(InternetAddress,'domino.')
Description: This formula will set the TargetAddress value based on the InternetAddress and prefix the domain with the value specified, in

Field Value: CASE WHEN InternetAddress LIKE '%@kodak.com' THEN 'smtp:' + dbo.UpdateInternetAddress(P.InternetAddress, 'domino.') WHEN InternetAddress LIKE '%@knotes.contoso.com' THEN 'smtp:' + dbo.ReplaceDomain(P.InternetAddress, 'domino.contoso.com')
Description: If the first domain is found then the

Field Value: CASE EntryType WHEN 'user' THEN 'do$$' + SourceDirectoryID WHEN 'sharedmail' THEN 'do$$' + SourceDirectoryID ELSE CommonName END
Description: This formula will dynamically set the CommonName value based on the EntryType.

Field Name: CommonName
Field Value: CASE WHEN LEN(CommonName) > 64 THEN LTRIM(RTRIM(LEFT(CommonName,64))) ELSE CommonName

Field Value: CASE ProxyAddresses WHEN '' THEN 'smtp:' + dbo.ReplaceDomain(InternetAddress,'@contoso.mail.onmicrosoft.

Field Name: Company
Field Value: LTRIM(RTRIM(LEFT(company, 50)))
Description: This formula will Trim, then limit the string value by 50 characters.

Field Name: BTCustom0XX
Field Value: "this is a string"
Description: This formula will set any string value to the any SQL field.

Field Name: BTCustom0XX
Field Value: REPLACE(InternetAddress,'@','.')
Description: This formula will replace the '@'

Field Value: LEFT(InternetAddress,CHARINDEX('@',InternetAddress)-1)
Description: This formula will extract the localpart of InternetAddress.
Appendix C. Cutover Job Result Codes
Cutover Job Result Codes
Result Code Error Rollback Possible
1 Unidentified Error - PowerShell Command Error No
2 Source Domain could not be contacted No
4 Bad Source Credentials No
8 Target Domain could not be contacted No
16 Bad Target Credentials No
32 Target DNS Server could not be contacted or could not resolve the target DNS domain
4096 Enable Dynamic DNS Registration
8192 Set NIC Specific DNS Suffix
16384 Domain Disjoin Failed
32768 Domain Join Failed
65536 Source domain name does not match the system's domain No
131072 Computer Reboot failed
262144 Target Domain Name could not be resolved via existing DNS, and new DNS Servers were not provided No
An odd-numbered result code represents an error running the Cutover PowerShell script. The most common cause of an odd-numbered result code during cutover is that the device either has no network card with a default gateway or has more than one network card with a default gateway.
Result codes are additive. There are likely multiple errors if the result code is not represented in the table.
Upload Logs Result Codes
This table includes result codes for BT-UploadLogs PowerShell jobs.
Result Code Error Rollback Possible
32 (zip folder) could not be created. No
64 Failed to Zip log files on device. No
128 Upload failed to contact the server. Please verify the URL (url) is correct and BITS is enabled. No
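Because result codes are additive, a reported code can be split into its power-of-two components and each component looked up in the tables above. The PowerShell below is an added example, not part of the product or of this guide; the function name ConvertFrom-ResultCode and the sample codes are assumptions, and any component the tables do not list is reported as unlisted rather than guessed.

```powershell
# Added example: split an additive result code into the values listed in
# Appendix C. Only codes shown in the tables are included; nothing is
# filled in for values the tables do not show.
$CutoverCodes = @{
    1      = 'Unidentified Error - PowerShell Command Error'
    2      = 'Source Domain could not be contacted'
    4      = 'Bad Source Credentials'
    8      = 'Target Domain could not be contacted'
    16     = 'Bad Target Credentials'
    32     = 'Target DNS Server could not be contacted or could not resolve the target DNS domain'
    4096   = 'Enable Dynamic DNS Registration'
    8192   = 'Set NIC Specific DNS Suffix'
    16384  = 'Domain Disjoin Failed'
    32768  = 'Domain Join Failed'
    65536  = "Source domain name does not match the system's domain"
    131072 = 'Computer Reboot failed'
    262144 = 'Target Domain Name could not be resolved via existing DNS, and new DNS Servers were not provided'
}
$UploadLogsCodes = @{
    32  = '(zip folder) could not be created.'
    64  = 'Failed to Zip log files on device.'
    128 = 'Upload failed to contact the server. Please verify the URL (url) is correct and BITS is enabled.'
}

# Hypothetical helper name; not a cmdlet shipped with the product.
function ConvertFrom-ResultCode {
    param(
        [Parameter(Mandatory = $true)][int]$Code,
        [Parameter(Mandatory = $true)][hashtable]$Table
    )
    if ($Code -lt 0) { throw "Result code must not be negative: $Code" }
    # Test each power of two that fits in a positive 32-bit integer.
    for ($i = 0; $i -lt 31; $i++) {
        $bit = 1 -shl $i
        if (($Code -band $bit) -eq 0) { continue }
        if ($Table.ContainsKey($bit)) {
            $meaning = $Table[$bit]
        } else {
            $meaning = 'Not listed in the table; check the job log'
        }
        [pscustomobject]@{ Value = $bit; Meaning = $meaning }
    }
}

# Constructed sample codes (sums of table values, plus one unlisted value),
# not taken from a real job.
ConvertFrom-ResultCode -Code 49152 -Table $CutoverCodes
ConvertFrom-ResultCode -Code 33    -Table $CutoverCodes
ConvertFrom-ResultCode -Code 2052  -Table $CutoverCodes
ConvertFrom-ResultCode -Code 160   -Table $UploadLogsCodes
```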
Appendix D. SMART Active Directory Reporter
Overview
SMART Active Directory Reporter (AD Reporter) provides a query-based interface that allows network administrators and IT personnel to easily build custom queries for issues specific to their network.
AD Reporter queries Windows 2003/2003 R2/2008/2008 R2/2012 Active Directories across forests from a central console, allowing you to perform customized searches by domain, object, object property and by using wildcards. AD Reporter search results can be set to any or all object properties.
Installing AD Reporter
To install AD Reporter:
1. Open the zip file and then launch the Setup.exe.
2. Select the Install SMART Active Directory Reporter Software checkbox and click Install.
3. Select the Installation Drive and Path and click on Select.
4. Wait for installation to complete.
Uninstalling AD Migrator
To uninstall AD Reporter:
1. Select Uninstall from the Start menu.
2. Click on OK to continue with the uninstall.
3. Select ADReporter and click on OK.
4. Click on Exit when the uninstall is complete.
Opening AD Reporter
To open AD Reporter:
1. Click Start, click Binary Tree, click the AD Migrator Suite folder, then right-click the AD Reporter icon and select Run as administrator.
Setting the screen size
You can change the size of the AD Reporter application to better fit your screen.
To set the screen size:
1. On the Configuration menu, click Set Screen Size.
2. In the Screen Size Options, select a screen size resolution.
3. Click OK.
4. Close and reopen the application to view the application in the selected size.
Configuring AD Reporter
Configuring AD Reporter requires you to define one or more active directory domains and select the current active directory domain to search.
To configure AD Reporter:
1. On the Configuration menu, click Add Active Directory Domain.
2. In the Domain Configuration Wizard, enter the domain NetBIOS name in the Active Directory Domain NetBIOS in Upper Case field, and then click Verify.
3. Click Add.
4. On the Configuration menu, click Set Current Active Directory Domain.
5. Select the current active domain to search, and then click OK.
Searching
To search:
1. Click the type of object to search for from the Object Type list. The list includes:
o Domain
o User
o Group
o Organizational Unit (OU)
o Computer
o Print Queue
o Volume (Shared Folders)
o Contact
o Exchange (user properties)
2. Select the property to search for from the Search For list.
3. Select one or more properties to return in the results from the Return results list. Use Ctrl-Click or Shift-Click to select more than one property to return.
4. Click Begin Search. You can also click Search Active Directory on the Active Directory Search and Report menu.
5. In the Narrow Search Option window, enter known property information to narrow the search criteria.
Wildcards can be used in the search criteria. The default "All" will search for all of the instances of the selected property.
6. Click OK. The results are displayed.
If results take a long time to retrieve, the DNS server may not be properly configured, there may be broken trust relationships (the domain AD Reporter is querying is not reachable), or the account or proxy account may not have adequate rights to the domain being queried (check user rights).
Results
Viewing results
To view results:
o In the results list, click a column header to sort by the column.