
Quest Domain Migration Wizard. User Guide Version 6.1


© Copyright Quest® Software, Inc. 2005. All rights reserved.

This guide contains proprietary information, which is protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

WARRANTY

The information contained in this document is subject to change without notice. Quest Software makes no warranty of any kind with respect to this information. QUEST SOFTWARE SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTY OF THE MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Quest Software shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of this information.

TRADEMARKS

Quest Domain Migration Wizard is a trademark of Quest Software, Inc. Other trademarks and registered trademarks used in this guide are property of their respective owners.

World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
e-mail: [email protected]
U.S. and Canada: 949.754.8000

CONTENTS

ABOUT THIS GUIDE
• Overview
• Conventions
• About Quest Infrastructure Management
• About Quest Software, Inc.
• Contacting Quest Software
• Contacting Customer Support

CHAPTER 1 INTRODUCTION
• About Quest Domain Migration Wizard
• Terminology Used

CHAPTER 2 SYSTEM REQUIREMENTS
• Software Requirements
• Domain Migration Wizard Components
• Source and Target Domain Controllers and Member Servers
• Network Configuration
• Domain Migration Wizard Console Placement
• Required Permissions

CHAPTER 3 DOMAIN MIGRATION WIZARD COMPONENTS

CHAPTER 4 DOMAIN MIGRATION STAGES
• Overview
• Centralized Account Migration
• Migration Session
• Active Directory Population

• BackOffice Servers Updating
• Post-Migration Tasks, Cleanup and Maintenance

CHAPTER 5 PROJECT MANAGER
• What You Can Do in Project Manager
• Starting Your Migration Project
• Migration Sessions
• Start
• Resume
• Undo
• Session Comments
• Session Defaults
• Launching Other Migration Tools
• Account Management
• Setting Default Domain Controllers
• Managing User Accounts
• Managing Global Groups
• Managing Local Groups
• Password Management
• Exporting INI Files for Resource Updating
• Creating INI Files for Agent Manager
• Creating INI Files for VMover
• Creating INI Files for Exchange 5.5 Processing Wizard
• Creating INI Files for Exchange 2000 Processing Wizard
• P M S

• Handle Duplicate Group Names Window
• User Properties
• Active Directory Options
• Processing Options
• ADC Options
• Step III: Migrate Users and Groups
• Step IV: Document Migration
• Domain Migration Reports Window

CHAPTER 7 SERVER CONSOLIDATION

CHAPTER 8 RESOURCE UPDATING
• Agent Manager
• Before You Update Resources
• Obtaining Administrative Rights
• Preinstalling and Removing Domain Migration Wizard Agents
• Managing Computer List
• Scheduling Resource Update
• Resource Updating Steps
• Start Processing
• Actions to Perform
• Objects to Update
• Viewing Statistics
• Viewing Log Files and Database
• Processing Algorithm
• Updating User Profiles
• User Profiles Basics
• How User Profiles Work

• Moving Computers to a Target Domain
• Post-Migration Operations
• Resource and Directory Cleanup
• Accounts Management with Project Manager
• Batch Processing
• Delegating the Resource Updating Tasks

CHAPTER 9 DIRECTORY PROCESSING WIZARD
• Directory Processing Options
• Directory Processing and Migration
• Directory Processing Tasks
• Directory Processing Steps
• Moving Accounts to an OU
• Adding SIDHistory
• Cleaning up SIDHistory

CHAPTER 10 EXCHANGE 5.5 PROCESSING WIZARD
• Starting Exchange Update
• Project Manager
• Export INI File
• Command Prompt
• Adding Servers
• Selecting Objects to Process
• Setting Site Processing Options

• Export INI File
• Command Prompt
• Setting Re-permissioning Options
• Adding Servers
• Selecting Servers to Process
• Setting Server Processing Options
• Selecting Objects to Process
• Processing
• Interrupting the Process
• Completing the Wizard

CHAPTER 12 SQL PROCESSING WIZARD
• SQL Objects Processed
• Prerequisites
• Starting the Wizard
• Selecting SQL Servers
• Selecting Processing Options
• Processing
• Completing the Wizard

CHAPTER 13 SMS PROCESSING WIZARD
• Selecting SMS Server
• Setting Re-Permissioning Options
• Processing
• Completing the Wizard

CHAPTER 14 TRUST MIGRATION WIZARD

CHAPTER 15 CLUSTER SERVER MIGRATION

APPENDIX A: TROUBLESHOOTING
• Exchange 5.5 Processing Wizard
• Server Computer Is Not Responding
• Cannot Add Exchange Organization
• Trust Migration Wizard
• A Normal Trust Is Displayed as Unknown

APPENDIX B: ALTERNATIVE NETWORK CONFIGURATIONS

APPENDIX C: COMMAND LINE RESOURCE UPDATING
• Command-Line Parameters
• Creating INI Files
• Updating Roaming Profiles
• Remote Update
• SIDHistory Mapping

APPENDIX D: POST MIGRATION MAINTENANCE
• Backup User Profiles on All Computers
• Other Tasks

APPENDIX E: SUPPORT INFORMATION
• Before You Call Support

About This Guide

• Overview

• Conventions

• About Quest Windows Management

• About Quest Software

• Contacting Quest Software

• Contacting Customer Support


Overview

This document has been prepared to assist you in becoming familiar with Quest Domain Migration Wizard. The Domain Migration Wizard – User’s Guide contains the information required to install and use Quest Domain Migration Wizard. It is intended for network administrators, consultants, analysts, and any other IT professionals using the product.

Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

ELEMENT – CONVENTION

Select – This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.

Bolded text – Interface elements that appear in Quest products, such as menus and commands.

Italic text – Used for comments.

Bold Italic text – Introduces a series of procedures.

Blue text – Indicates a cross-reference. When viewed in Adobe® Acrobat®, this format can be used as a hyperlink.

Used to highlight additional information pertinent to the process being described.

Used to provide Best Practice information. A best practice details the recommended course of action for the best result.

About Quest Infrastructure Management

Quest Software, Microsoft’s 2004 Global Independent Software Vendor Partner of the Year, provides solutions that simplify, automate, and secure Active Directory, Exchange, and Windows, as well as integrate Linux and Unix into the managed environment. Quest’s Infrastructure Management products deliver comprehensive capabilities for secure management, migration, and integration of the heterogeneous enterprise.

About Quest Software, Inc.

Quest Software, Inc. delivers innovative products that help organizations get more performance and productivity from their applications, databases and infrastructure. Through a deep expertise in IT operations and a continued focus on what works best, Quest helps more than 18,000 customers worldwide meet higher expectations for enterprise IT. Quest Software can be found in offices around the globe and at www.quest.com.

Contacting Quest Software

Phone: 949.754.8000 (United States and Canada)
Email: [email protected]
Mail: Quest Software, Inc.
World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656 USA
Web site: www.quest.com

Contacting Customer Support

Quest Software’s world-class support team is dedicated to ensuring successful product installation and use for all Quest Software solutions.

SupportLink: www.quest.com/support
Email at [email protected].

You can use SupportLink to do the following:

• Create, update, or view support requests
• Search the knowledge base
• Access FAQs
• Download patches

1

Introduction

• About Quest Domain Migration Wizard

• Terminology Used

This document covers the main aspects of a migration to a Windows 2000 Active Directory environment: the challenges that you might face while executing this complex and multifaceted process, and the best solutions for addressing these challenges. This document will guide you through all the logical phases of a network transformation. You will become familiar with the most effective applications developed by an industry leader, Quest Software, intended to perform all migration-related tasks for any network, regardless of its size and complexity.

Although multiple domains are justified in certain situations, the cost and complexity involved in administering the continuing expansion of a Windows NT network often require the reconfiguration of the current domain structure.

The appearance of Windows® 2000 with Active Directory service, which differs from its predecessor, Windows® NT, in fundamental approaches to managing users and resources, also impels many organizations to rethink their network designs. Active Directory, the directory service within Windows 2000, organizes users and resources into new logical structures allowing significantly more flexible and efficient system administration than Windows NT and Novell Netware. The benefits of Active Directory are quite evident, so if you administer a Windows NT environment, sooner or later you’ll consider moving your infrastructure to Windows 2000.

Enterprises now have two methods for performing the transition to Windows 2000:

• In-place upgrade: the existing domain structure and domain naming are preserved.
• Migration: the existing domains are migrated to a newly created Active Directory.

The in-place upgrade method may be appropriate for small companies with a single-domain network. For such an environment, an in-place upgrade is simple to perform and, in most cases, does not require any additional

The migration method has the following benefits:

• Creation of a new technical infrastructure—maximizes the benefits of Active Directory.

• Establishment of an organizational structure that reflects the business structure of the enterprise.

• Gradual operation over a longer period of time—this ensures minimal influence on business processes and minimal risks due to human errors.

• The interim presence of the old domains—this grants rollback opportunities.

• Consolidation of servers, which decreases the Total Cost of Ownership (TCO).

Although Microsoft includes the Active Directory™ Migration Tool (ADMT) in the Windows 2000 distribution, an enterprise-scale migration of highly complicated networks that are distributed worldwide requires third-party tools, such as Quest Domain Migration Wizard.

About Quest Domain Migration Wizard

Quest Domain Migration Wizard is designed specifically to cope with complex, large-scale migration projects in distributed networks. The wizard is often used on a continuous basis to reduce the costs associated with managing a decentralized, multi-platform network and to assist corporate IT environments in meeting their ever-changing organizational and business demands.

Domain Migration Wizard has been successfully deployed in a variety of environments and has earned its reputation as the best-in-the-industry enterprise-class solution because it accomplishes all domain migration related tasks:

• With the highest level of effectiveness in the industry
• Without a heavy workload
• Without any impact on users, help-desk involvement, or system downtime

Terminology Used

Source domain – The domain from which the user accounts and groups are migrated.

Target domain – The domain to which the user accounts and groups are migrated.

Console – The computer on which Domain Migration Wizard is installed. This

2

System Requirements

• Software Requirements

• Network Configuration

Software Requirements

Domain Migration Wizard Components

Domain Migration Wizard components do not have to be installed on a server or domain controller. They can be installed on an Intel-based administrator’s computer as long as it complies with the following system requirements:

• Microsoft Windows XP with Service Pack 1 (SP1) or higher, or
• Microsoft Windows Server 2003 or higher.

Microsoft has confirmed that a problem in Microsoft products may prevent third-party programs from synchronizing user passwords. A supported fix is now available to address this problem. Please contact Microsoft Support and request the hotfix described in internal Microsoft Knowledge Base article Q909737. Install this hotfix on the computer running Domain Migration Wizard Project Manager.

Additional Software

Domain Migration Wizard and Agent Manager require Microsoft Access 2000 or later or Microsoft Access Runtime.

If you are using Microsoft Access 2003, the security level must be set to Low or Medium. To set the security level, in Microsoft Access go to the Tools | Macro | Security level.

Migration customization tasks require Scripting Runtime.

SQL Processing Wizard does not require any SQL Server administrative tools to be installed on the computer on which it is run.

Source and Target Domain Controllers and Member Servers

Domain controllers for the source, resource and target domains and the domain members to be reconfigured can be Intel-based computers running:

• Microsoft Windows NT 3.51 (except target)/4.0 Workstation or Server, or
• Microsoft Windows 2000 Professional or Server, or
• Microsoft Windows XP, or
• Microsoft Windows Server 2003.

The computers on which resources are processed can be Intel-based computers running Windows NT 3.51 or later (IIS processing requires Windows NT 4.0 with SP3 and Option Pack and Internet Explorer 4.01 with SP1).

Network Configuration

Domain Migration Wizard Console Placement

The Domain Migration Wizard console is the computer running Domain Migration Wizard. We recommend that the Domain Migration Wizard console be a member of either source or target domain. This can be a workstation, server, or domain controller.

Required Permissions

Before starting the accounts migration, an administrator must log on under an account with administrative rights over the source, resource, and target domains, and all the servers and workstations involved in the migration. However, it is not necessary for this account to be granted any level of access whatsoever to resources, such as NTFS objects, registry hives, and printers. The best practice is to create a separate user account in the source domain for the migration activities and grant this account all necessary rights instead of using an existing account. For more information about a single administrative account and required permissions refer to the Best Practices for NT to Active

For a successful Exchange 5.5 directory update, you must have the Modify Admin Attributes and Modify Permissions privileges assigned to you (Permissions Admin and Service Account Admin roles possess these privileges) for the Organizations, Sites, and Site Configurations involved in the migration process.

For a successful Exchange 2000 directory update, you must use the account with Full Exchange Administrator role for the Exchange 2000 organization. No additional trust relationships are required for successful processing if the Exchange 2000 Server resides in the same forest as the target domain.

How to Get the Administrative Rights

To ensure administrative rights on every server or workstation, an administrator can map a hidden administrative share (C$ or Admin$) to all computers in all domains involved in the migration. Agent Manager can create a command file for the mapping of the administrative shares on multiple computers in batch mode. This file will fully automate the procedure of obtaining the administrative rights necessary for migration.

However, these methods are effective only for an NT domain migration. For an Active Directory source domain, you must log in to the domain under an administrative account.

To add SIDHistory, it is not sufficient to just map a hidden administrative share (C$ or Admin$) of the domain controller. You must log in to the domain under an administrative account.

For more information about an administrative account and required permissions to perform migration tasks, refer to the Best Practices for NT to Active Directory Migration document.

Domain Migration Wizard also supports many other network layouts, described in Appendix B: Alternative Network Configurations. Some of these

3

Domain Migration Wizard Components

Quest Domain Migration Wizard is a migration and directory management solution that facilitates various domain migration procedures: it migrates users, groups, and computer accounts from one domain to another and updates resource settings in accordance with the new configuration.

In parallel you can execute such tasks as a domain consolidation, domain split, transition from the Multiple Master to the Master domain model, and migration from an NT-based or Novell NetWare-based network to an Active Directory domain structure.

Quest Domain Migration Wizard makes the domain migration process virtually unnoticeable for domain users, and at the same time delivers the ultimate in reporting, control, and manageability. It also provides the extensive functionality that corporate infrastructure planners and network administrators demand. All aspects of a migration with Domain Migration Wizard are reflected in reports and can be undone with a click of the mouse at any time, even well after the completion of a particular step. The unified and logical interface allows you to approach all stages of a complex migration project with confidence.

Quest Domain Migration Wizard is shipped with the following components:

• Project Manager – The central migration project and account management interface.
• Domain Migration Wizard – A separate directory migration tool, and an integral part of the Quest Domain Migration Wizard suite of applications.
• Agent Manager – The management interface for distributed resource updating and reconfiguration tasks.
• Directory Processing Wizard – The Active Directory processing and SIDHistory management tool.
• Exchange 5.5 Processing Wizard – The Exchange 5.5 permissions updating tool.

4

Domain Migration Stages

• Overview

• Centralized Account Migration

• Distributed Resource Updating

• BackOffice Servers Updating

• Post-Migration Tasks, Cleanup and Maintenance

Overview

Quest Domain Migration Wizard transfers (migrates) users, and local and global groups from one domain to another. These domains will be referred to as the source domain and the target domain.

A domain migration in an enterprise network consists of four major stages:

1. Centralized account and directory migration: domain accounts databases are reconfigured on the source and target domain controllers (DCs).

   In the case of migrating to a Windows 2000 domain, the next step is Organizational Unit (OU) population and SIDHistory management, performed to ensure the manageability and coexistence of the source and target network structures.

2. Resource processing: access to files, shares, printers and other securable objects is updated, resulting in, among other things, a consistent desktop user experience for all migrated accounts.

3. Switching to the new domain: account passwords are synchronized between the source and target domains; the source accounts are disabled, and the target accounts are enabled.

   Optionally, demoted Windows NT domain controllers are migrated to the new domain.

4. Post-migration cleanup and maintenance: the removal of privileges for the source accounts, the removal of SIDHistory for all accounts, and the deletion of migrated source accounts are facilitated to enable comprehensive migration validation, as well as maximum security, integrity, and performance of the target environment.

The table below illustrates the migration process and the Quest Domain Migration Wizard applications that are used during each stage.

STAGE: Centralized Account and Directory Migration

• Step: Trust Migration
  Summary: Setting trusts for the target domain
  Application: Trust Migration Wizard

• Step: User and Group Migration (Migration Session)
  Summary: Migration of user and group accounts to the target domain. Resolving name conflicts
  Application: Domain Migration Wizard

• Step: AD Population (optional)
  Summary: Placing target users and groups in the target AD OU
  Application: Domain Migration Wizard, Directory Processing Wizard

STAGE: Resource Processing

• Step: Distributed Resource Updating
  Summary: For all workstations in the domain: updating permissions, ownership information and auditing on registries, shares, folders and printers; updating local group memberships; updating user rights and privileges
  Application: Agent Manager

• Step: Windows 9x Computer Updating
  Summary: Making the corresponding changes to local Windows 9x registries
  Application: Resource Kit (RegWalker)

• Step: Workstation Moving
  Summary: Moving NT workstations to the target domain
  Application: Agent Manager, Resource Kit (ChangeDomain)

• Step: Workstation Renaming (optional)
  Summary: Renaming some of the workstations
  Application: Resource Kit (RenComp)

• Step: Exchange Directory Updating
  Summary: Updating privileges and ownership information for Exchange Directory objects
  Application: Exchange 5.5 Processing Wizard, Exchange 2000 Processing Wizard

• Step: Microsoft Systems Management Servers Updating
  Summary: Updating Systems Management Servers to correspond to the domain migration changes that were made
  Application: SMS Processing Wizard

• Step: Profile Updating
  Summary: Modifying privileges for profile files and setting profile paths for the target accounts
  Application: Agent Manager, Resource Kit (ExportProfile, ChangeProfile)

STAGE: Switching to the New Domain

• Step: Password Synchronization
  Summary: Password synchronization for source and target accounts
  Application: Project Manager, Resource Kit (Spwd)

• Step: Switching to New Accounts
  Summary: Disabling the source accounts and enabling the target accounts
  Application: Project Manager

• Step: Windows NT 4.0 domain controller migration
  Summary: Demoting Windows NT 4.0 domain controllers and moving them to the new domain
  Application: DC Demote Wizard (Resource Kit)

STAGE: Post-Migration Clean-Up

• Step: Resource Clean-Up
  Summary: Removing privileges for the source accounts
  Application: Agent Manager

• Step: Exchange Directory Clean-Up
  Summary: Removing privileges for the source accounts
  Application: Exchange 5.5 Processing Wizard, Exchange 2000 Processing Wizard

• Step: SMS Clean-Up
  Summary: Removing privileges for the source accounts
  Application: SMS Processing Wizard

• Step: SQL Clean-Up
  Summary: Removing privileges for the source accounts
  Application: SQL Processing Wizard

Centralized Account Migration

The directory migration phase is centralized. This means that it is performed locally on an Administrator’s computer—the computer where Quest Domain Migration Wizard is installed. This is because the network components reconfigured during this phase are the domain controllers of the source and target domains. By using Trust Migration Wizard, Domain Migration Wizard and Directory Processing Wizard during this first phase, you migrate:

• Trust relationships
• Users
• User rights
• Groups
• Group memberships

Domain Migration Wizard does not delete or rename any users or groups in the source domain. The user and group properties in the source domain remain the same after a migration, unless you later choose to disable the source accounts. The words ‘transfer’ and ‘migrate’ simply mean that Domain Migration Wizard creates new users and groups in the target domain with the same properties and levels of resource access as the originals in the source domain.

Novell Account Management Support

Domain Migration Wizard supports migration from domains running Novell solutions such as Novell Account Management and the former product, NDS for NT. The source domain controllers running these products can be used for account migration and password synchronization without any limits. To migrate accounts from Novell Directory Services (NDS) to Active Directory and data from Novell Netware servers to Windows servers, use the Quest NDS Migrator product. For more information about Quest NDS Migrator, follow the link: http://wm.quest.com/products/NDSMigrator/

Migration Session

A migration session consists of three phases:

• Populating the migration database.

Populating the Migration Database

The Migration | Migrate Directory | New Account Migration Session command in the Project Manager menu starts the migration process by collecting network information into the database. The information that is collected during this step includes:

• Global and local groups from the source and target domains.
• Domain users from the source and target domains, including user rights for users from the source domain.

This step takes only a few minutes, even for a domain with 20,000 users.

In-Database Reconfiguration

The migration engine uses SQL queries with user-specified parameters for the virtual reconfiguration of the network in the database. The modifications include:

• Handling duplicate user accounts in the source and target domains.
• Handling duplicate group names in the source and target domains.
• Checking Primary Group assignments.

In addition, you can specify some other migration parameters, like password handling and account expiration options. The migration database will at this time contain an exact snapshot of the changes that will be made to the future target domain configuration. Again, superior performance in large networks is achieved through specially optimized processing techniques.
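The kind of in-database planning described above can be sketched as follows. This is an added example, not Quest's code or schema: the table names, the skip/merge/rename policies, the MIG_ prefix and the sample accounts are all assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample accounts (name, kind); not taken from the guide.
SOURCE = [("jsmith", "user"), ("MBrown", "user"), ("Sales", "group"), ("svc_backup", "user")]
TARGET = [("JSmith", "user"), ("sales", "group"), ("akhan", "user")]

def build_db(source=SOURCE, target=TARGET):
    """Populate a throwaway planning database; nothing touches a real domain."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE source_accounts(name TEXT, kind TEXT);
        CREATE TABLE target_accounts(name TEXT, kind TEXT);
        CREATE TABLE plan(source_name TEXT, target_name TEXT, kind TEXT, action TEXT);
    """)
    db.executemany("INSERT INTO source_accounts VALUES (?, ?)", source)
    db.executemany("INSERT INTO target_accounts VALUES (?, ?)", target)
    return db

def plan_migration(db, user_policy="rename", group_policy="merge", prefix="MIG_"):
    """Return the planned changes as (source, target, kind, action) rows."""
    policies = {"user": user_policy, "group": group_policy}
    for policy in policies.values():
        if policy not in ("skip", "merge", "rename"):
            raise ValueError(f"unknown policy: {policy}")
    db.execute("DELETE FROM plan")
    # Accounts with no name clash are created as-is. Account names are
    # case-insensitive, hence NOCASE (which folds ASCII letters only).
    db.execute("""
        INSERT INTO plan
        SELECT s.name, s.name, s.kind, 'create' FROM source_accounts s
        WHERE NOT EXISTS (SELECT 1 FROM target_accounts t
                          WHERE t.name = s.name COLLATE NOCASE)
    """)
    clashes = db.execute("""
        SELECT s.name, s.kind, t.name, t.kind
        FROM source_accounts s JOIN target_accounts t
          ON t.name = s.name COLLATE NOCASE
        ORDER BY s.name
    """).fetchall()
    for s_name, s_kind, t_name, t_kind in clashes:
        policy = policies[s_kind]
        # Users and groups share one name space, so a user can clash with a
        # group; such a pair cannot be merged and is renamed instead.
        if policy == "merge" and s_kind != t_kind:
            policy = "rename"
        if policy == "merge":
            # Security note: merging gives source members whatever access the
            # existing target account already has. Review merges before applying.
            row = (s_name, t_name, s_kind, "merge")
        elif policy == "skip":
            row = (s_name, None, s_kind, "skip")
        else:
            new_name = prefix + s_name
            taken = db.execute(
                "SELECT 1 FROM target_accounts WHERE name = ? COLLATE NOCASE "
                "UNION SELECT 1 FROM plan WHERE target_name = ? COLLATE NOCASE",
                (new_name, new_name)).fetchone()
            # A rename that itself collides is flagged rather than guessed at.
            row = (s_name, None if taken else new_name, s_kind,
                   "unresolved" if taken else "rename")
        db.execute("INSERT INTO plan VALUES (?, ?, ?, ?)", row)
    return db.execute("SELECT source_name, target_name, kind, action FROM plan "
                      "ORDER BY source_name COLLATE NOCASE").fetchall()

if __name__ == "__main__":
    for planned in plan_migration(build_db()):
        print(planned)
```

Because the plan lives only in the database, it can be reviewed, and merge and unresolved rows signed off, before any change is applied to the target domain.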

Modifying the Target Domain

The migration engine applies the modified network information from Domain Migration Wizard’s migration database to the target accounts’ database. The information that is applied at this step includes:

The figure below illustrates this process.

[Figure: Domain migration session. Elements shown: Step 1, Step 2, Step 3; Save, In-Database Reconfiguration, Apply; Source DC, Database, Target DC.]

Characteristics:

• Centralized processing
• Works via database driver
• Import/export database connectivity

Active Directory Population

Many domain-restructuring projects are initiated as part of a broader Windows 2000 migration and deployment task. Quest Domain Migration Wizard supports domain reconfiguration scenarios whereby down-level NT domain security principals, along with all their properties, are moved to Organizational Units of Windows 2000 Active Directory domains.

Directory Processing Wizard, a special companion of Quest Domain Migration Wizard, contains options for directory processing. Directory Processing Wizard uses account-mapping information generated during the directory migration stage to move the migrated security principals to Active Directory Organizational Units, as well as preserve the current resource access, ownership, and auditing parameters.

Documenting the Migration Session

Domain Migration Wizard provides comprehensive reporting for each step and aspect of a migration. The reports reflect the migration’s progress and procedures and let you keep track of the changes made to your network settings during the migration. The reports can be printed, saved, or directly emailed in a variety of formats, including RTF, Microsoft Access report snapshot, Microsoft Word document, Microsoft Excel spreadsheet, HTML, or plain text.

Roll-Back Options

Domain Migration Wizard allows you to stop any accounts migration session at any time and resume or undo it later from exactly where you left off.

All operations performed during a migration session are completely reversible. If an operation is performed inside the database, simply click the Back button to return to the previous window and correct the changes. The wizard does not clear your changes when you click the Back button. If an operation involves modifying the actual network, you can click the Undo button to roll back all the changes made during that step.

The wizard can undo the changes applied to the actual network.

When you click Exit in the middle of a migration session, the wizard saves the current migration state in the project folder. Later, through Project Manager you can open Domain Migration Wizard at the step where you quit the session,


Distributed Resource Updating

During this phase you migrate network resources, or, to be more precise, ensure that the newly created users and groups in the target domain retain their levels of access to the resources. These resources are, essentially, file system objects, network shares, and shared printers. Additionally, registries on the remote computers, user profiles, and service account credentials need to be processed to ensure a consistent desktop user experience, network security, and uninterrupted business operations. Domain Migration Wizard processes all properties of these resources, in particular:

• NTFS, share, registry, and printer ACLs, ownership, and auditing
• User profiles
• Local group memberships
• Service and scheduled task account credentials
• User rights

Another noteworthy feature of Domain Migration Wizard is its ability to process and update all objects. Specifically, Domain Migration Wizard overrides permissions that would normally make an object inaccessible with conventional means (e.g. Windows NT Explorer), while never modifying the original entries in the object security descriptors.

The fact that resources are scattered across the network presents a challenge during a migration. In a large network environment, the centralized processing of resources on the Domain Reconfiguration Console (DRC), the computer running Domain Migration Wizard, will no longer satisfy scalability requirements.

To address the challenges of the distributed stage, Domain Migration Wizard uses agents and simultaneous processing to make the migration performance independent of the network size.

An important element of the resource updating phase is the so-called mapping data created during the directory migration. The mapping data establishes the concordance between the source and target accounts. It is used to process the corresponding resources with efficient and optimized agents. To decrease overhead traffic, Domain Migration Wizard compresses the mapping data sent over the network.

While being unnoticeable to users, a domain migration with Domain Migration Wizard is designed to be fully visible, trackable and customizable for


Directory resource updating is accomplished by Domain Migration Wizard Agent Manager, a companion to Domain Migration Wizard.

[Figure: Resource Updating with Domain Migration Wizard Agent Manager. Diagram labels: Domain Reconfiguration Console, Agents Distribution, Log Consolidation, Reporting, Parallel Distributed Processing.]

Characteristics:

• Distributed parallel processing

• Can be delegated to local admins and run granularly for specific types of objects

• Can be run only once to reflect all migration sessions in project

• Scalable and independent of network size

BackOffice Servers Updating


Post-Migration Tasks, Cleanup and Maintenance

Given the infinite variety of real-world network configurations, no tool would handle a domain migration without providing the administrator with customization options.

As a database-driven tool, Domain Migration Wizard takes full advantage of SQL queries to perform such functions as verifying the migration results and automating certain post-migration tasks.

Additional options for directory processing are available in a special companion Domain Migration Wizard application—Directory Processing Wizard. The wizard can be run at any time after the migration and perform all the AD-related operations available in Domain Migration Wizard.

Additionally, as a long-term solution to ensure the better performance, security, and integrity of your AD environment, the wizard can perform a cleanup of SIDHistory entries after the resources are updated and the additional, security-sensitive mechanism for user impersonation is no longer necessary. See the Directory Processing Wizard chapter in this Guide for more information.

In addition to various account management options (such as enabling, disabling, deleting, and syncing/mirroring group memberships), Domain Migration Wizard Project Manager also provides a framework for the execution of user-defined scripts for the selected accounts.

This capability enables you to perform a wide variety of custom migration tasks. Such tasks include Active Directory population from an external database and the bulk-modifying of account attributes.

Administrators familiar with ADSI and scripting languages like VBScript can complement Domain Migration Wizard directory processing features with scripts that address their specific needs.


5

Project Manager

• What You Can Do in Project Manager

• Starting Your Migration Project

• Migration Sessions

• Launching Other Migration Tools

• Account Management

• Password Management

• Exporting INI Files for Resource Updating

• Project Manager Scripting


Domain Migration Wizard Project Manager is a centralized migration project management application that gives you access to all other migration tools and provides some important functionality of its own.

For your convenience, Project Manager organizes all the migration information in an explorer-like interface. Project Manager displays a management tree for Sessions, Users, Global and Local Groups and Computers in the left pane and the information on specific objects in the right pane. The main Project Manager window is shown in the following figure.

The Tools menu allows you to manage accounts and perform different migration tasks.

What You Can Do in Project Manager

Using Domain Migration Wizard Project Manager, you can:

• Launch other migration tools:

TOOL SEE FOR DETAILS


Agent Manager, Exchange 5.5 Processing Wizard, Exchange 2000 Processing Wizard, Directory Processing Wizard, SMS Processing Wizard, and SQL Processing Wizard will perform their tasks using the objects (users, local and global groups, and computers) that are currently selected in Project Manager. The shortcut menu lets you select/deselect all objects in a session. You can select objects from multiple sessions, and the migration tools will then update resources and directories using the mapping data from all the selected accounts.

• View and track all directory migration sessions within a project, including the following session properties:

• Session date and time

• Session manager (i.e. the account under which a session is run) and console (i.e. the computer from which Domain Migration Wizard is run—also called the Domain Reconfiguration Console—DRC)

• Multiple session comments added by migration project managers at various levels

• Source and target domains

• Number of users and global and local groups migrated in a session, as well as account names and their status (i.e. enabled, disabled, or deleted)

• Perform various account management operations in the source and target domains:

• Users—enable/disable/delete, synchronize passwords, and reset passwords to a fixed or random expression

• Local groups—synchronize membership and delete

• Global groups—mirror membership and delete

Starting Your Migration Project

A migration project consists of session databases, corresponding migration session files, and a project database. A set of migration project files is stored in a project folder. The default project folder location is <Domain Migration Wizard Installation Path>\Project. You can modify the active project location by selecting File | Select Project, as shown below:

You can select any existing project folder or use an empty folder to start a new project.

When you start Project Manager for the first time, there are no objects shown in the right pane. They appear automatically after you migrate accounts using Domain Migration Wizard. Therefore, to actually initialize and ‘populate’ a project in Project Manager, you need to run at least one migration session in Domain Migration Wizard and migrate some accounts from the source to the target domain.


Migration Sessions

Domain Migration Wizard organizes migrations into sessions. A session consists of the main account migration activity. Migration sessions are executed by Domain Migration Wizard itself. The session data is displayed by Project Manager and is used by other Domain Migration Wizard components for various migration activities.

Start

To start a new session, go to Tools | Migration | Migrate Directory | New Account Migration Session, as shown in the following figure.

As you run migration sessions, Project Manager will display these sessions. Once a session is completed, all the migrated accounts are displayed in the corresponding branches of the project tree.

Only one session at a time can be opened in Domain Migration Wizard. Domain Migration Wizard can be run in automated mode. This may be useful when performing delegated migration or continuous synchronization tasks. In this mode, Domain Migration Wizard runs from the command line, reading all migration options from the Project.ini file. See the Domain Migration Wizard Scripting Reference for details.

Resume

If you stop the migration session, you may want to resume it later. Double-click the session name in the Project Manager window and the session will resume from the place where you left off.

Undo

Once you have completed the session, you may want to undo changes you made to the network. Double-click the session name in the Project Manager window and click the Undo button at the Domain Migration Is Now Complete step to restore the original domain state.

Completed sessions have the ‘Completed’ status.

Session Comments

Each migration session can be annotated with one or more comments. The first session comment is usually added in Domain Migration Wizard when the session is started. Subsequent comments by project coordinators are added in Project Manager.

Each comment is marked by a date/time stamp and the account information. You cannot delete comments added previously.


Session Defaults

You can set up the migration options’ defaults, which will be already selected in the Domain Migration Wizard steps each time you run a new migration session. To set up the defaults, click Tools | Session Defaults and the Session Defaults window will appear. In this window you can specify most of the options you have to select when Domain Migration Wizard runs. Each folder in this window corresponds to a step of the wizard and contains the same options. Select the options you want to be default and click OK to save them. You can reset the defaults you specified at any time by clicking the Default button. The original defaults will be restored in this case.

Session defaults should always be set up when migrating in automated mode. Otherwise, the original predefined Domain Migration Wizard session defaults will be used for the migration session.

Launching Other Migration Tools

Double-click a session name or start a new session to start Domain Migration Wizard. If you open an incomplete session, Domain Migration Wizard will let you proceed with the account migration. Finished sessions can be rolled back. Domain Migration Wizard also allows you to view reports on the open sessions. The Migration button on the toolbar or the Tools | Migration menu lets you start the following Domain Migration Wizard components:

• Directory Processing Wizard (Post-Migration Tasks | Directory Processing Wizard)

• Agent Manager (Update Resource | Distributed Resource Updating)

• Exchange 5.5 Processing Wizard (Update Resource | Exchange 5.5 Updating)

• Exchange 2000 Processing Wizard (Update Resource | Exchange 2000 Updating)

• Trust Migration Wizard (Migrate Directory | Trust Migration)

• SMS Processing Wizard (Update Resource | SMS Updating)

• SQL Processing Wizard (Update Resource | SQL Server Updating)

If some of the tools are unavailable, they were probably not installed and you will not be able to run them.

Select the objects to process and run the tool. To select the objects involved in the particular session, right-click the session name and click the Select Involved Objects item on the shortcut menu. You can opt to select/clear all objects involved in this session or only users, global or local groups, or computers. You can also combine the selections. For example, to select all (global and local) groups, select all global groups first, and then all local groups. The tools will perform resource reconfiguration, directory reconfiguration, and other reconfiguration for the selected objects. Refer to the corresponding chapters of this guide for details.

Account Management

Project Manager allows you to perform some important user and group account management functions directly, without starting other tools. The available options and commands are described below.

Setting Default Domain Controllers

By selecting the closest and fastest domain controllers for account management operations, you can significantly increase the operations’ performance.

To select the domain controllers to be used within a particular domain, on the Tools menu, click Default Domain Controller.

When selecting a domain controller other than the PDC as the domain controller for read operations, make sure it is in sync with the primary account database before performing account management operations.

Managing User Accounts

Select the Users branch in the Project Tree. Use the Manage Accounts button on the toolbar or the Tools menu to enable/disable/delete the selected accounts in the source and/or target domains.

You can select/clear multiple accounts by Shift-clicking the check boxes to select/clear a range of items. Click a column header to sort items in a column in ascending or descending order. You can also jump to an account by typing the first few letters of its name.

In addition to manually selecting several accounts, you can use account lists stored in a text file with one account name per line to select and perform operations on multiple accounts, as shown in the following Project Manager screenshot.

Users: Manage Accounts | Source Accounts

• Enable Selected Accounts. The currently selected migrated accounts will be enabled in the source domain.

• Disable Selected Accounts. The currently selected migrated accounts will be disabled in the source domain. This option does not affect the Administrator account.

• Delete Selected Accounts. The currently selected migrated accounts will be deleted in the source domain.

Users: Manage Accounts | Target Accounts

• Enable Selected Accounts. The currently selected migrated accounts will be enabled in the target domain.

• Disable Selected Accounts. The currently selected migrated accounts will be disabled in the target domain.

• Delete Selected Accounts. The currently selected migrated accounts will be deleted in the target domain.

Managing Global Groups

Select the Global Groups branch in the Project Tree. Use the Manage Accounts button on the toolbar or the Tools menu to delete the selected global groups and synchronize membership between the source and target domains.

Global Groups: Manage Accounts | Source Accounts

• Delete Selected Accounts. The currently selected migrated global group accounts will be deleted in the source domain.

• Mirror Global Group Membership with Target Domain. Memberships of the currently selected global groups will be synchronized with those of the corresponding global groups in the target domain.

Global Groups: Manage Accounts | Target Accounts

• Delete Selected Accounts. The currently selected migrated global group accounts will be deleted in the target domain.

• Mirror Global Group Membership with Source Domain. Memberships of the currently selected global groups will be synchronized with those of the corresponding global groups in the source domain. For example, SOURCE\Joe, a member of SOURCE\MyGlobalGroup, has been migrated and become TARGET\Joe. The group SOURCE\MyGlobalGroup has also been migrated and renamed to TARGET\NewGlobalGroup to avoid duplicates. However, its members have not been selected for migration. By choosing the Mirror Global Group Membership with Source Domain command, you will ensure that TARGET\Joe becomes a member of TARGET\NewGlobalGroup.

Suppose the groups SOURCE\MyGlobalGroupA and SOURCE\MyGlobalGroupB were merged into the group TARGET\NewGlobalGroup during the migration process. If SOURCE\Joe is then deleted from SOURCE\MyGlobalGroupA on the source, it will be deleted from the target in the following case: SOURCE\Joe was migrated and SOURCE\Joe is not also a member of SOURCE\MyGlobalGroupB.
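The mirroring rule from the two cases above, modelled as an added example (it is not Quest's code). The function name and dictionary layout are assumptions, and so is the handling of accounts without mapping data: unmigrated source members are skipped and target members that never came from the source are left in place, which is inferred from the condition that SOURCE\Joe "was migrated".

```python
def plan_mirror(account_map, merged_from, source_members, target_members):
    """Compute membership changes for 'Mirror Global Group Membership with Source Domain'.

    account_map:    source account -> target account (the migration mapping data)
    merged_from:    target group   -> list of source groups migrated/merged into it
    source_members: source group   -> set of source accounts
    target_members: target group   -> set of target accounts
    Returns {target group: {"add": set, "remove": set}}.
    """
    migrated = set(account_map.values())
    plan = {}
    for target_group, source_groups in merged_from.items():
        # A target account belongs in the group if its source counterpart is a
        # member of ANY source group that was merged into this target group.
        wanted = set()
        for group in source_groups:
            for member in source_members.get(group, ()):
                if member in account_map:          # only migrated accounts have a counterpart
                    wanted.add(account_map[member])
        current = set(target_members.get(target_group, ()))
        plan[target_group] = {
            "add": wanted - current,
            # Only accounts that came from the source are candidates for removal.
            "remove": (current & migrated) - wanted,
        }
    return plan


# Constructed sample data using the names from the guide's example.
GROUP_A = r"SOURCE\MyGlobalGroupA"
GROUP_B = r"SOURCE\MyGlobalGroupB"
NEW_GROUP = r"TARGET\NewGlobalGroup"
ACCOUNT_MAP = {r"SOURCE\Joe": r"TARGET\Joe", r"SOURCE\Ann": r"TARGET\Ann"}
MERGED_FROM = {NEW_GROUP: [GROUP_A, GROUP_B]}
# TARGET\Svc was created directly in the target domain (no mapping entry).
TARGET_MEMBERS = {NEW_GROUP: {r"TARGET\Joe", r"TARGET\Ann", r"TARGET\Svc"}}


def scenario(group_a, group_b, target_members=TARGET_MEMBERS):
    """Plan for TARGET\\NewGlobalGroup given the current source memberships."""
    source_members = {GROUP_A: set(group_a), GROUP_B: set(group_b)}
    return plan_mirror(ACCOUNT_MAP, MERGED_FROM, source_members, target_members)[NEW_GROUP]


if __name__ == "__main__":
    # Joe removed from group A but still in group B: nothing changes on the target.
    print(scenario({r"SOURCE\Ann"}, {r"SOURCE\Joe"}))
    # Joe removed from both source groups: TARGET\Joe is removed, TARGET\Svc stays.
    print(scenario({r"SOURCE\Ann"}, set()))
```

Reviewing the "remove" set before mirroring shows which migrated accounts would lose access granted through the target group.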

Managing Local Groups

Select the Local Groups branch in the Project Tree. Use the Manage Accounts button on the toolbar or the Tools menu to delete the selected local groups and synchronize membership between the source and target domains.

Local Groups: Manage Accounts | Source Accounts

• Delete Selected Accounts. The currently selected migrated local group accounts will be deleted in the source domain.

• Copy Local Group Membership from Target Domain. Memberships of the currently selected local groups will be synchronized with those of the corresponding local groups in the target domain. Members of the selected local groups in the target domain will become members of the corresponding source local groups.

Local Groups: Manage Accounts | Target Accounts

• Delete Selected Accounts. The currently selected migrated local group accounts will be deleted in the target domain.

• Copy Local Group Membership from Source Domain. Memberships of the currently selected local groups will be synchronized with those of the corresponding local groups in the source domain. Members of the selected local groups in the source domain will become members of the corresponding target local groups.

The ability to synchronize local groups deleted from the source or target domains is not provided.

Password Management

Project Manager also allows you to perform some important user password management functions. The available options are described in this section. Select the Users branch in the Project Tree. Use the Manage Accounts button on the toolbar or the Tools menu to reset/synchronize the selected users' passwords in the source and/or target domains.

You can select/deselect multiple accounts by Shift-clicking the check boxes to select/deselect a range of items. Click a column header to sort items in a column in ascending or descending order. You can also jump to an account by typing the first few letters of its name.

In addition to manually selecting several accounts, you can use account lists stored in a text file with one account name per line to select and perform operations on multiple accounts.


Users: Manage Accounts | Source Accounts

Reset Selected Users’ Passwords. The currently selected migrated accounts in the source domain will be assigned new passwords, depending on the options you specify in the following dialog box:

You can assign the same User defined password for all currently selected users. When selecting this option, as well as the random password generation option, be sure to comply with the corresponding domain password policy. If you select the Random password option, users will be assigned random passwords based on the criteria you specify in the Tools | Options | Random passwords dialog box. The generated passwords are stored in the password


Selecting Strong password will make the generated passwords comply with the password requirements from Microsoft knowledge base article Q161990. The requirements are:

1. Passwords must be at least six (6) characters long.

2. Passwords must contain characters from at least three (3) of the following four (4) classes:

• English upper case letters (A, B, C, ... Z)

• English lower case letters (a, b, c, ... z)

• Westernized Arabic numerals (0, 1, 2, ... 9)

• Non-alphanumeric (‘special characters’) such as punctuation symbols

3. Passwords may not contain your user name or any part of your full name.
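The three requirements above expressed as a checker, with a generator that retries until a candidate passes. This is an added example, not code from the product or from article Q161990; treating Python's `string.punctuation` as the "special characters" class and ignoring name parts shorter than three characters are assumptions.

```python
import re
import secrets
import string

MIN_LENGTH = 6            # requirement 1
MIN_CLASSES = 3           # requirement 2: three of the four classes below
CHAR_CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": string.punctuation,   # assumption: ASCII punctuation only
}
MIN_NAME_TOKEN = 3        # assumption: shorter name parts are not checked


def classes_used(password):
    """Names of the character classes that occur in the password."""
    return {name for name, chars in CHAR_CLASSES.items()
            if any(c in chars for c in password)}


def name_tokens(user_name, full_name):
    """Lower-cased user name plus each part of the full name."""
    tokens = {user_name.lower()} if user_name else set()
    tokens.update(part.lower() for part in re.split(r"[\s,.\-_#]+", full_name or ""))
    return {t for t in tokens if len(t) >= MIN_NAME_TOKEN}


def violations(password, user_name, full_name):
    """Return the list of requirements the password fails (empty list = compliant)."""
    failed = []
    if len(password) < MIN_LENGTH:
        failed.append("length")
    if len(classes_used(password)) < MIN_CLASSES:
        failed.append("classes")
    lowered = password.lower()
    if any(token in lowered for token in name_tokens(user_name, full_name)):
        failed.append("name")
    return failed


def generate(length, user_name, full_name):
    """Draw random candidates from a CSPRNG until one satisfies all three requirements."""
    if length < MIN_LENGTH:
        raise ValueError("length is below the policy minimum")
    alphabet = "".join(CHAR_CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not violations(candidate, user_name, full_name):
            return candidate


if __name__ == "__main__":
    # Constructed sample account: user name "joe", full name "Joe Smith".
    for sample in ("Tr4vel", "abcdef", "Ab1", "x-SMITH-9", "пароль12"):
        print(repr(sample), violations(sample, "joe", "Joe Smith"))
    print(len(generate(12, "joe", "Joe Smith")))
```

Because only English letters count toward the upper and lower case classes, a password made of non-English letters and digits fails requirement 2.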

The User must change password at next logon check box, if selected, will force users to change their passwords at next logon. If this check box is unavailable, the current setting defined in User Manager for Domains or Active Directory Users and Computers MMC snap-in will remain intact. If the check box is cleared, the requirement will be turned off.

Copy passwords from Target domain. The selected users’ passwords will be copied from the target domain, overwriting the current passwords in the source. In effect, the currently selected migrated accounts in the source domain will be assigned the passwords of the corresponding target users. This option is useful when you want to revert to using the original source domain accounts, but the target users’ passwords have already been changed.

Users: Manage Accounts | Target Accounts

Reset Selected Users' Passwords. The currently selected migrated accounts in the target domain will be assigned new passwords, depending on the options you specify in the Reset


Exporting INI Files for Resource Updating

Project Manager can create settings (INI) files that can later be used for automatic resource processing by Domain Migration Wizard Agent Manager, the Vmover utility, Exchange 5.5 Processing Wizard, or Exchange 2000 Processing Wizard. An INI file contains all the settings needed for the migration and mapping information for all the objects (users, local and global groups) that were selected in Project Manager when the file was created.

To create an INI file:

1. Select one or more migrated objects (users and groups) that you want to be affected.

2. On the File menu, click Export INI File.

3. Depending on the purpose of the file, select the processing options.

See the corresponding options description in the Resource Updating, Exchange 5.5 Processing Wizard, and Exchange 2000 Processing Wizard sections of this guide.

Creating INI Files for Agent Manager

INI files for Agent Manager should be named ‘Vmover.in_’. They can be either compressed or uncompressed. INI files for Agent Manager should be placed in the installation folder of Agent Manager, and the tool should be run for the intended resource updating.

It is recommended that you use the compressed format because INI files are sent across the network during distributed resource updating.

Creating INI Files for Vmover

By default, the Vmover utility searches its folder for the ‘Vmover.in_’ (compressed) file, and then if the file is not found, for the ‘Vmover.ini’ (uncompressed) file.

You can use Vmover’s /ini parameter to specify an alternative ini file name and location. In this case Vmover will again first search for the file’s compressed version. For example, if you specify ‘File.txt’, Vmover will first attempt to locate ‘File.tx_’, and then ‘File.txt’.

Thus, if you specify the uncompressed INI file to be created, but there is a compressed file with the same name in Vmover's folder, Vmover will use the compressed file instead of the specified one.
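The lookup order described above, as an added example (not part of Vmover or of this guide's tooling) that reports which file would be read and whether a compressed copy shadows the file you meant to use. Deriving the compressed name by replacing the last character with an underscore is generalized from the two examples on the page, and the modification-time comparison is an assumed heuristic for spotting a stale copy.

```python
import os
import tempfile

DEFAULT_INI = "Vmover.ini"


def compressed_name(path):
    """'Vmover.ini' -> 'Vmover.in_', 'File.txt' -> 'File.tx_' (assumed naming rule)."""
    folder, name = os.path.split(path)
    return os.path.join(folder, name[:-1] + "_")


def resolve_ini(vmover_dir, ini_param=None):
    """Model which settings file is read: the compressed version first, then the plain one.

    vmover_dir: folder holding the Vmover utility (used for the default file name)
    ini_param:  value given to the /ini parameter, or None for the default
    """
    requested = ini_param or os.path.join(vmover_dir, DEFAULT_INI)
    packed = compressed_name(requested)
    result = {"requested": requested, "used": None, "shadowed": False, "stale": False}
    if os.path.isfile(packed):
        result["used"] = packed
        if os.path.isfile(requested):
            # Both exist: the compressed copy wins, so the requested file is ignored.
            result["shadowed"] = True
            # Heuristic (assumption): an older compressed copy is probably a leftover export.
            result["stale"] = os.path.getmtime(packed) < os.path.getmtime(requested)
    elif os.path.isfile(requested):
        result["used"] = requested
    return result


def demo():
    """Build a constructed Vmover folder and resolve three requests against it."""
    with tempfile.TemporaryDirectory() as folder:
        def touch(name, mtime):
            path = os.path.join(folder, name)
            with open(path, "w") as handle:
                handle.write("; constructed placeholder, not a real export\n")
            os.utime(path, (mtime, mtime))
            return path

        touch("Vmover.in_", 1000)   # compressed export left from an earlier run
        touch("Vmover.ini", 2000)   # newer uncompressed export
        custom_path = touch("File.txt", 2000)

        default = resolve_ini(folder)
        custom = resolve_ini(folder, custom_path)
        missing = resolve_ini(folder, os.path.join(folder, "Absent.ini"))
        return (os.path.basename(default["used"]), default["shadowed"], default["stale"],
                os.path.basename(custom["used"]), custom["shadowed"], missing["used"])


if __name__ == "__main__":
    print(demo())
```

A shadowed result means resources would be processed with the mapping data in the compressed file, not the export you just created.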

For more information on using an exported INI file for processing resources with the Vmover.exe utility, refer to Appendix C: Command Line Resource Updating of this Guide.

Creating INI Files for Exchange 5.5 Processing Wizard

Creating INI Files for Exchange 2000 Processing Wizard

INI files for Exchange 2000 Processing Wizard (E2KPW) should be named 'Exchange2k.ini' and should not be compressed. INI files should be placed in the Program Files\Common Files\Aelita Shared\Migration Tools folder, and the tool should be run for the intended Exchange updating.

E2KPW takes into account only Processing options. Account management, Permissions management, and Error handling options do not affect an Exchange migration.

Project Manager Scripting

Besides standard account management options (enable, disable, delete, copy/mirror group memberships, etc.), Project Manager lets you execute user-defined scripts for selected accounts.

This capability enables you to perform a wide variety of custom migration tasks. Such tasks include Active Directory population from an external database, bulk-modifying account attributes, and many others.

A Domain Migration Wizard Project Manager script is a user-written script program (written in VBScript or Jscript® provided by Microsoft, or any other Active Scripting engine from another vendor), that:

• Can be run from the Project Manager interface. All scripts are shown as Project Manager menu commands.

• Has access to the properties of the objects currently selected in Project Manager, as well as access to such Domain Migration Wizard components as Domain Migration Wizard sessions and the Project Manager log file.


6

Centralized Account Migration

• Step I: Select Domains

• Step II: Preprocess Users and Groups

• Step III: Migrate Users and Groups

• Step IV: Document Migration


The account migration is the basis of the whole migration process. This step is performed by the key component of the suite—Domain Migration Wizard. There are two ways to start Domain Migration Wizard:

• For previously started sessions, double-click the session name in the Sessions branch of the Project Manager window. Domain Migration Wizard will resume from the step where the current session was interrupted.

• To start a new session, click Tools | Migration | Migrate Directory | New Account Migration Session. Domain Migration Wizard will start from the first step.

Domain Migration Wizard can be run in automated mode. This may be useful when performing delegated migration or continuous synchronization tasks. In this mode, Domain Migration Wizard runs from the command line, reading all migration options from the Project.ini file. See the Domain Migration Wizard Scripting Reference for details.

Step I: Select Domains

In the first window you are given the option of adding comments to the migration session you are about to begin. Additional follow-up session comments can later be added in Domain Migration Wizard Project Manager.

Select Source and Target Domains Window

Domain Migration Wizard displays a list of all the domains in your network. From this list you can select the source and target domains.

By default, both the source and target domain lists are empty, because for large networks domain enumeration may take significant time. You can type the source and target domain names, or click the Refresh button and select the domains from the lists when enumeration is over.

You can also type a domain name directly in the space provided. If the source PDC is located over a low-speed link but you have good connectivity to a Backup Domain Controller, you can specify a BDC as the location of the domain Security Account Management database (SAM) by typing \\BDC_NAME in the space provided. Before using this method, make sure you have forced accounts database synchronization with the PDC immediately before the migration. When migrating to a Windows 2000 domain, you can specify a target Active Directory domain controller with which connectivity is faster and more reliable.

Domain Migration Wizard does not require a trust relationship between the source and target domains to perform a migration. However, if a trust relationship is required, for example, for preserving Local Group Membership, you can establish the necessary trust relationships with the Trust Migration Wizard. Refer to the Trust Migration Wizard section for more details.

For a successful domain migration, domain controllers should be reachable on the network and you must have administrative rights over the domains involved in the migration process. You can use the ‘ping’ command to test connectivity to a domain controller. For example:

ping pdc-target2000.

To verify if you have administrative rights, try to enter the administrative share (c$) of the domain controller. To get the rights, make an account a member of the domain local Administrators group or run the ‘net use \\DC_NAME\c$ /u:D_NAME\administrator "password"’ command.

For example:

net use \\bdc-source\c$ /u:source\administrator "".

Also, you should be a member of the local Administrators group on the computer on which Domain Migration Wizard is installed.

However, these methods are effective only in the case of the NT domain migration. For Active Directory domains, you need to log in to the target domain under an administrative account.

If you manage the migration from a computer which is not in the target Active Directory domain, you can still run the migration tools under the appropriate administrative account by using the runas command. In this case, you can use the following scenario:

1. Start Windows command prompt (cmd).

2. Use the runas command to start another command prompt under the account which has the required administrative privileges:

runas /netonly /u:TargetDomain\AdminAccount cmd

3. Type the account’s password.

If you are not in the local Administrators group of the source domain, not all account properties will be available for you: Domain Migration Wizard will not be able to get the passwords and privileges of the source users. The Add SIDHistory operation may not work either. However, the rest of the properties should be migrated properly.

As for the target domain controller, it is enough to have Full Control rights of only the target OU to migrate accounts. However, you need to be an administrator of the target domain (member of the local Administrators group of the target domain) to add SIDHistory.

Click the Reports button to see Domain Migration Wizard reports during this or any other step.

Click Refresh to update the list of domains.

Click Next to go to the Preprocess Users and Groups step. Click Back to return to the previous step.

You also have the ability to set up the migration session defaults in Project Manager. In this case all migration options you specified earlier in Project Manager will be pre-selected in each session you perform. See the Session Defaults section of this User’s Guide for details.

When you click Next, the wizard starts collecting information on the users and groups in the source and target domains, displaying the progress of this operation. Thanks to specially optimized directory data parsing algorithms, this operation should take less than five minutes, even on very large NT domains.


Step II: Preprocess Users and Groups

During this step, Domain Migration Wizard allows you to choose which users and groups you want to migrate, analyzes the names of the groups and user accounts, informs you about any name duplications, and provides you with various methods for handling duplicate names.

All operations during this step are performed within the Domain Migration Wizard session database. In this step, Domain Migration Wizard does not require access to the real network. By clicking the Back button, you can undo all changes made previously.

Select Users and Groups in Source Domain Window

This window prompts you to choose which users and groups in the source domain will be transferred to the target domain.
