
Report: April 12, 2011 By Erick Engelke

I have organized my tasks around two major problems:

1. Define the new Active Directory

a. Domain Name Service for the domain – complete

b. Domain layout, structuring of Organizational Units – almost complete, working closely with Manfred and soon with Sean Mason.

2. Planning the migration

a. Inventory of account types/needs – complete

b. Investigating migration tools – Manfred and I have been studying and will soon test; also getting quotes from outsourcers.

c. Planning all aspects of the migration – when to do servers, etc. Still quite incomplete.

Domain Name Service

Together with the AD-DNS subgroup, I conducted an analysis of the existing domain name service in Nexus (MS Dynamic DNS, zero touch, automatic) and ADS use of the campus DNS.

The complete notes are available at http://www.eng.uwaterloo.ca/~erick/ad/dns.htm

Resolutions:

IST has sufficient information to proceed with the DNS RFP

Nexus should continue to use its own non-authoritative DDNS indefinitely; it offers real benefits. Although this may seem like two independent DNS systems, they are tied together by IT staff recognizing the authority of the network group’s DNS registration system.

Also, some observations were made about fully qualified domain names (FQDNs) causing problems, and about the future implications of removing CNAMEs, which may limit future consolidation. These observations may be useful to the ongoing design of campus DNS.

Inventory of Accounts

In order to do a successful migration of user accounts from two domains into one and have it managed by WatIAM, we must have a few details:

o If someone is active in ADS but not Nexus, we should probably move him, preserving home directory, password, profile information, etc.

o If a person is active in Nexus too, it appeared we should merge his accounts.

o Does the person have data on SharePoint, and can it be brought forward?

o Does the user have a home directory on one system only – move that forward.

o If the user has home directories on both systems – which takes precedence?

The migration would then proceed in this order:

Migrate the groups from ADS to Nexus

Migrate non-login userids

Migrate login-type userids

Update the groups again

Migrate many file-type server resources (so one can log in with either Nexus or ADS)

Migrate users + workstations for those who log in

Migrate remaining servers

First, some facts. Both ADS and Nexus have some accounts not registered in WatIAM, and accounts not in the other domain.


One may wonder why there are so many accounts in one domain and WatIAM but not the other domain.

Nexus and ADS both have all current students

ADS has all faculty and staff, whereas Nexus does not have all of them

ADS and Nexus each have some guests, instruction accounts, etc. which are not created in the other

Nexus has some accounts who are no longer active from a WatIAM perspective and no longer have ADS accounts. These would include graduates from the last few years who might not have been purged.

Comments:

We are working on the assumption that all user accounts are assigned to their WatIAM owner. So if there is an s3james, we assume it is used by the right person.

This becomes less reliable when we consider accounts created outside WatIAM.

Of the 7310 accounts not in WatIAM, only 515 were active between Jan 1, 2011 and now (April 7); many of the others were camp accounts for the Arts and Engineering camps. Of the active ones, 270 are in Nexus and 252 in ADS. 224 of them are bang accounts; 291 are not bang accounts.

Action Items for userid being valid watiam:

Identify 196 current nexus accounts outside WatIAM, add them to WatIAM or delete them(incomplete)

Identify 95 current ADS accounts outside of WatIAM, …. (task not assigned to anyone)
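The account rules above (move, merge, home-directory precedence, SharePoint data) and the "outside WatIAM but still active" inventory count are the kind of thing one would script against exports of the three directories. The following is an added example, not the report's own tooling: it reconciles a WatIAM list with ADS and Nexus records into a per-userid action and flags accounts outside WatIAM that were active after a cut-off date. The record layout, the field names and the sample accounts are constructed assumptions for the demonstration.

```python
"""
Added example, not the report's own tooling: reconcile exports from WatIAM,
ADS and Nexus into a per-userid migration action using the rules stated in
the report, and count the accounts outside WatIAM that were still active
after a cut-off date. Record layout and sample accounts are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class DomainAccount:
    userid: str
    last_logon: Optional[date]     # None = never logged on
    home_dir: bool                 # has a home directory in this domain
    sharepoint_data: bool = False  # only meaningful for ADS records (assumption)


def _active(acc: Optional[DomainAccount], since: date) -> bool:
    return bool(acc and acc.last_logon and acc.last_logon >= since)


def reconcile(watiam: set, ads: dict, nexus: dict, active_since: date):
    """Return ({userid: action}, [userids outside WatIAM but active since cut-off])."""
    actions = {}
    outside_watiam_active = []
    for uid in sorted(set(ads) | set(nexus)):
        a, n = ads.get(uid), nexus.get(uid)
        if uid not in watiam:
            # We cannot assume the owner is the right person: each of these
            # needs a decision (add to WatIAM or delete) before migration.
            if _active(a, active_since) or _active(n, active_since):
                actions[uid] = "review: outside WatIAM, active"
                outside_watiam_active.append(uid)
            else:
                actions[uid] = "review: outside WatIAM, stale"
            continue
        if a and not n:
            actions[uid] = "move: create in Nexus, preserve home dir, password, profile"
        elif a and n:
            if a.home_dir and n.home_dir:
                actions[uid] = "merge: home dirs in both domains, precedence decision needed"
            elif a.home_dir:
                actions[uid] = "merge: carry ADS home dir forward"
            else:
                actions[uid] = "merge: keep Nexus home dir"
        else:
            actions[uid] = "none: Nexus only"
        if a and a.sharepoint_data:
            actions[uid] += "; bring SharePoint data forward"
    return actions, outside_watiam_active


# Constructed sample data (assumption), not the report's inventory.
CUTOFF = date(2011, 1, 1)
WATIAM = {"alice", "bob", "carol", "dave"}
ADS = {
    "alice":  DomainAccount("alice", date(2011, 4, 1), True, sharepoint_data=True),
    "bob":    DomainAccount("bob", date(2011, 3, 15), True),
    "carol":  DomainAccount("carol", date(2011, 2, 2), False, sharepoint_data=True),
    "guest7": DomainAccount("guest7", date(2011, 3, 30), True),
    "camp12": DomainAccount("camp12", date(2010, 8, 1), True),
}
NEXUS = {
    "bob":   DomainAccount("bob", date(2011, 4, 5), True),
    "carol": DomainAccount("carol", date(2011, 4, 6), True),
    "dave":  DomainAccount("dave", date(2011, 4, 7), True),
    "s3old": DomainAccount("s3old", date(2008, 5, 1), True),
}


def run():
    return reconcile(WATIAM, ADS, NEXUS, CUTOFF)


if __name__ == "__main__":
    actions, active_outside = run()
    for uid, action in actions.items():
        print(f"{uid:8} {action}")
    print("outside WatIAM but active since cut-off:", active_outside)
```

Running it on the sample data lists one action per userid and reports `guest7` as the only account outside WatIAM that was active after the cut-off; the two stale ones (`camp12`, `s3old`) are the purge candidates the report mentions.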

Understanding Account Migration

In a Windows environment, every user account, every computer, and every group has a Security Identifier or SID. A domain SID has the form S-1-5-21-a-b-c, where a, b and c are three 32-bit values that identify the domain; an account's SID appends a fourth 32-bit value, the relative identifier (RID). The four values together are 128 bits and are statistically unique in the world, and the first three identify the domain in which the account was created.

SIDs are used to identify the user or computer, and also to grant permissions in Access Control Lists or ACLs, which are present on files, printers, databases, etc.

Because the domain portion is built into the SID, we cannot copy the ADS SIDs into Nexus accounts as their own SIDs, and anyway most active users already have Nexus SIDs too.

erick@nexus.uwaterloo.ca has the SID: S-1-5-21-1417001333-651377827-839522115-2355 and

erick@ads.uwaterloo.ca has the SID: S-1-5-21-1417001333-1580436667-682003330-10595

If erick@ads can successfully move to Nexus, we need to change all the references to point to a Nexus SID. However, to make a transition possible, we will actually change the resources to point to both SIDs for the transition, and then later remove the ADS SID when it is no longer needed as the domain is eventually decommissioned.

In Active Directory, the SID of an account is stored in the objectSid attribute. There is also an optional, multi-valued sidHistory attribute which can hold SIDs the account had in prior domains.

So, after we give erick@nexus the sidHistory entry S-1-5-21-1417001333-1580436667-682003330-10595 (the old ADS SID), disable SID filtering on the trust, and take a few other steps, the logon token of erick@nexus carries both SIDs and matches the existing ACL entries, so we can grant erick@nexus access to the older resources.

When we update the resources to use the new SIDs, they will show as owned by the @nexus account. For example, SharePoint displays the creator of files. First we migrate users, then we migrate resources to point to the new users. After that, SharePoint will show the Nexus user even though the ADS user had originally created the file.
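To make the SID mechanics above concrete, here is an added example (not from the report and not Windows API code): a small Python model of how a SID splits into domain part and RID, how the sidHistory value puts the old SID into the logon token, why SID filtering on the trust strips that value, and how an ACL is rewritten for the "both SIDs" transition and the later cleanup. The ACL shape (allow entries only, no deny or inheritance), the sample share ACL and the function names are assumptions; the two SIDs are the ones quoted in the report.

```python
"""
Added example, not part of the report and not Windows API code: a model of
SID structure, sidHistory in the logon token, SID filtering on a trust, and
ACL rewriting for migration. ACL layout and sample ACL are assumptions.
"""
from dataclasses import dataclass

DOMAIN_SID_PREFIX = "S-1-5-21"


def parse_sid(sid: str):
    """Split a domain account SID into (domain_sid, rid).

    S-1-5-21-<a>-<b>-<c>-<rid>: a, b, c are three 32-bit values identifying
    the domain, the last value is the relative identifier of the account.
    """
    parts = sid.split("-")
    if len(parts) != 8 or not sid.startswith(DOMAIN_SID_PREFIX + "-"):
        raise ValueError(f"not a domain account SID: {sid}")
    subs = [int(p) for p in parts[4:]]
    if any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError(f"sub-authority out of range: {sid}")
    return "-".join(parts[:7]), subs[-1]


def domain_of(sid: str) -> str:
    return parse_sid(sid)[0]


# The two SIDs quoted in the report for the same person.
ADS_ERICK = "S-1-5-21-1417001333-1580436667-682003330-10595"
NEXUS_ERICK = "S-1-5-21-1417001333-651377827-839522115-2355"
ADS_DOMAIN = domain_of(ADS_ERICK)
NEXUS_DOMAIN = domain_of(NEXUS_ERICK)


@dataclass
class Principal:
    name: str
    object_sid: str
    sid_history: frozenset = frozenset()

    def token_sids(self) -> frozenset:
        """objectSid plus every sidHistory value goes into the logon token."""
        return frozenset({self.object_sid}) | self.sid_history


def apply_sid_filtering(token_sids, trusted_domain_sid, quarantine=True):
    """Model SID filtering (quarantine) on an inter-domain trust.

    With quarantine on, the resource domain discards every SID in the
    incoming token that does not belong to the trusted (account) domain,
    which includes sidHistory values that name the resource domain itself.
    """
    if not quarantine:
        return frozenset(token_sids)
    return frozenset(s for s in token_sids if domain_of(s) == trusted_domain_sid)


# ACL model (assumption): list of (sid, set_of_rights) allow entries only.
def has_access(acl, sids, right) -> bool:
    return any(right in rights for sid, rights in acl if sid in sids)


def add_target_sids(acl, sid_map):
    """Transition step: each ACE for an old SID gets a twin for the new SID."""
    out = list(acl)
    present = {sid for sid, _ in acl}
    for sid, rights in acl:
        new = sid_map.get(sid)
        if new and new not in present:
            out.append((new, set(rights)))
            present.add(new)
    return out


def drop_source_sids(acl, sid_map):
    """Decommission step: remove ACEs that still name old-domain SIDs."""
    return [(sid, rights) for sid, rights in acl if sid not in sid_map]


def demo():
    share_acl = [(ADS_ERICK, {"read", "write"})]   # constructed ADS-side share ACL
    sid_map = {ADS_ERICK: NEXUS_ERICK}
    migrated = Principal("erick@nexus", NEXUS_ERICK, frozenset({ADS_ERICK}))
    token = migrated.token_sids()
    # ADS (resource domain) trusts Nexus (account domain): filtering keeps only
    # Nexus-domain SIDs, so the ADS sidHistory value is dropped while it is on.
    with_filtering = has_access(share_acl, apply_sid_filtering(token, NEXUS_DOMAIN), "write")
    without_filtering = has_access(share_acl, apply_sid_filtering(token, NEXUS_DOMAIN, False), "write")
    # Re-ACL for the transition, verify the plain Nexus SID works, then clean up.
    transition_acl = add_target_sids(share_acl, sid_map)
    plain = Principal("erick@nexus", NEXUS_ERICK)   # sidHistory already cleared
    after_reacl = has_access(transition_acl, plain.token_sids(), "write")
    final_acl = drop_source_sids(transition_acl, sid_map)
    return {"with_filtering": with_filtering, "without_filtering": without_filtering,
            "after_reacl": after_reacl, "final_acl": final_acl}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The model shows the order that matters in practice: with SID filtering on, the sidHistory value never reaches the ADS resource and access is denied; with it off, the old ACE matches; once the ACL carries the Nexus SID as well, the account no longer needs sidHistory, and the ADS entries can be dropped when that domain goes away.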

A Few Comments on SID Migration

The easiest way to move ADS users to Nexus is not the best way. It would involve just creating new accounts with new SIDs, then abandoning user profiles but also going through migrating file servers and adjusting the resources to point to the new SIDs.

Users would be displeased. The profile contains many somewhat useful settings, including the user bookmarks for Internet Explorer.

There are three categories of people we will need to migrate:

A. Staff who work primarily in ADS today – 1,548 people

o 1,221 have roaming profiles (65 are already in Nexus)

o 327 don’t have roaming profiles (75 are already in Nexus)

B. People who casually use ADS with SIDs (e.g. SharePoint only) – 11,970

C. Co-ops employed by UW who use ADS – 287 on April 8th

Group A follows standard migration rules. The process is well documented using standard Microsoft tools (Active Directory Migration Tool or ADMT), such as would be done after two companies merge or after an acquisition. The two subgroups with and without roaming profiles require slightly different strategies.

From Group A, the 65 and 75 people already in nexus are a problem. We have to do extra work to keep their data in both domains.

Group B is a little bit more complicated. Many in this group already have existing Nexus accounts and we do not want to disturb them. ADMT can be used with a merge option, but this is probably not necessary and Microsoft advised caution with this strategy. Instead, it might be easier to simply update the sharepoint server’s file associations – that would probably take a day.


Group C are the most complicated at first glance. Most have home directories and profiles in both domains, so the question arises as to how we merge, which should have priority? They cannot be easily automated without causing disruption either for academic purposes (their nexus homedirs may be needed for WatPD courses during co-op term), or their ADS drive (they might need those files every day they work).

Since group C has less than 300 users, and they work only four months, we might do them on a term boundary. Other suggestions are welcomed!!!

Plan for Migration of Accounts

I really want to try migrating groups and users in the test domains. Manfred has been trying to set that up. He has made arrangements with Hon and also the IST security team, but it’s not quite ready for testing yet.

Our next steps are:

Create necessary trusts between ADS and Nexus

Disable SID filtering between the domains (temporarily reduces security somewhat, but is a necessary step of migration: while it is off, the trusting domain accepts sidHistory SIDs from the other domain, so anyone who can write sidHistory there could claim rights here; it should be re-enabled as soon as the migration no longer needs it)

Install the ADMT tool on a Nexus domain controller (necessary for SID retention)

Set up the required migration accounts

Migrate ADS groups

Migrate group A

Migrate group B who don’t already have Nexus accounts

Deal with group C

Redo the groups to include all members

Once those steps are complete, hopefully by early May, we can begin transitioning resources like some servers and then workstations.
