Quest Domain Migration Wizard. User Guide Version 6.1


Copyright Quest Software, Inc. All rights reserved.

This guide contains proprietary information, which is protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

WARRANTY
The information contained in this document is subject to change without notice. Quest Software makes no warranty of any kind with respect to this information. QUEST SOFTWARE SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTY OF THE MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Quest Software shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of this information.

TRADEMARKS
Quest Domain Migration Wizard is a trademark of Quest Software, Inc. Other trademarks and registered trademarks used in this guide are property of their respective owners.

World Headquarters
5 Polaris Way
Aliso Viejo, CA
info@quest.com
U.S. and Canada:

Please refer to our Web site for regional and international office information.

Quest Domain Migration Wizard
Updated November 22, 2005
Software version 6.1

CONTENTS

ABOUT THIS GUIDE
  OVERVIEW
  CONVENTIONS
  ABOUT QUEST INFRASTRUCTURE MANAGEMENT
  ABOUT QUEST SOFTWARE, INC.
  CONTACTING QUEST SOFTWARE
  CONTACTING CUSTOMER SUPPORT

CHAPTER 1 INTRODUCTION
  ABOUT QUEST DOMAIN MIGRATION WIZARD
  TERMINOLOGY USED

CHAPTER 2 SYSTEM REQUIREMENTS
  SOFTWARE REQUIREMENTS
  DOMAIN MIGRATION WIZARD COMPONENTS
  SOURCE AND TARGET DOMAIN CONTROLLERS AND MEMBER SERVERS
  NETWORK CONFIGURATION
  DOMAIN MIGRATION WIZARD CONSOLE PLACEMENT
  REQUIRED PERMISSIONS

CHAPTER 3 DOMAIN MIGRATION WIZARD COMPONENTS

CHAPTER 4 DOMAIN MIGRATION STAGES
  OVERVIEW
  CENTRALIZED ACCOUNT MIGRATION
  MIGRATION SESSION
  ACTIVE DIRECTORY POPULATION
  DOCUMENTING THE MIGRATION SESSION
  ROLL-BACK OPTIONS
  DISTRIBUTED RESOURCE UPDATING
  BACKOFFICE SERVERS UPDATING
  POST-MIGRATION TASKS, CLEANUP AND MAINTENANCE

CHAPTER 5 PROJECT MANAGER
  WHAT YOU CAN DO IN PROJECT MANAGER
  STARTING YOUR MIGRATION PROJECT
  MIGRATION SESSIONS
  START
  RESUME
  UNDO
  SESSION COMMENTS
  SESSION DEFAULTS
  LAUNCHING OTHER MIGRATION TOOLS
  ACCOUNT MANAGEMENT
  SETTING DEFAULT DOMAIN CONTROLLERS
  MANAGING USER ACCOUNTS
  MANAGING GLOBAL GROUPS
  MANAGING LOCAL GROUPS
  PASSWORD MANAGEMENT
  EXPORTING INI FILES FOR RESOURCE UPDATING
  CREATING INI FILES FOR AGENT MANAGER
  CREATING INI FILES FOR VMOVER
  CREATING INI FILES FOR EXCHANGE 5.5 PROCESSING WIZARD
  CREATING INI FILES FOR EXCHANGE 2000 PROCESSING WIZARD
  PROJECT MANAGER SCRIPTING

CHAPTER 6 CENTRALIZED ACCOUNT MIGRATION
  STEP I: SELECT DOMAINS
  SELECT SOURCE AND TARGET DOMAINS WINDOW
  STEP II: PREPROCESS USERS AND GROUPS
  SELECT USERS AND GROUPS IN SOURCE DOMAIN WINDOW
  HANDLE DUPLICATE USER NAMES WINDOW
  HANDLE DUPLICATE GROUP NAMES WINDOW
  USER PROPERTIES
  ACTIVE DIRECTORY OPTIONS
  PROCESSING OPTIONS
  ADC OPTIONS
  STEP III: MIGRATE USERS AND GROUPS
  STEP IV: DOCUMENT MIGRATION
  DOMAIN MIGRATION REPORTS WINDOW

CHAPTER 7 SERVER CONSOLIDATION

CHAPTER 8 RESOURCE UPDATING
  AGENT MANAGER
  BEFORE YOU UPDATE RESOURCES
  OBTAINING ADMINISTRATIVE RIGHTS
  PREINSTALLING AND REMOVING DOMAIN MIGRATION WIZARD AGENTS
  MANAGING COMPUTER LIST
  SCHEDULING RESOURCE UPDATE
  RESOURCE UPDATING STEPS
  START PROCESSING
  ACTIONS TO PERFORM
  OBJECTS TO UPDATE
  VIEWING STATISTICS
  VIEWING LOG FILES AND DATABASE
  PROCESSING ALGORITHM
  UPDATING USER PROFILES
  USER PROFILES BASICS
  HOW USER PROFILES WORK
  LOCAL PROFILE UPDATE
  ROAMING PROFILE UPDATE
  PREVENTING PROFILE DUPLICATION
  MOVING COMPUTERS TO A TARGET DOMAIN
  POST-MIGRATION OPERATIONS
  RESOURCE AND DIRECTORY CLEANUP
  ACCOUNTS MANAGEMENT WITH PROJECT MANAGER
  BATCH PROCESSING
  DELEGATING THE RESOURCE UPDATING TASKS

CHAPTER 9 DIRECTORY PROCESSING WIZARD
  DIRECTORY PROCESSING OPTIONS
  DIRECTORY PROCESSING AND MIGRATION
  DIRECTORY PROCESSING TASKS
  DIRECTORY PROCESSING STEPS
  MOVING ACCOUNTS TO AN OU
  ADDING SIDHISTORY
  CLEANING UP SIDHISTORY

CHAPTER 10 EXCHANGE 5.5 PROCESSING WIZARD
  STARTING EXCHANGE UPDATE
  PROJECT MANAGER
  EXPORT INI FILE
  COMMAND PROMPT
  ADDING SERVERS
  SELECTING OBJECTS TO PROCESS
  SETTING SITE PROCESSING OPTIONS
  SETTING RE-PERMISSIONING OPTIONS
  PROCESSING
  COMPLETING THE WIZARD

CHAPTER 11 EXCHANGE 2000 PROCESSING WIZARD
  PREREQUISITES
  STARTING EXCHANGE UPDATE
  PROJECT MANAGER
  EXPORT INI FILE
  COMMAND PROMPT
  SETTING RE-PERMISSIONING OPTIONS
  ADDING SERVERS
  SELECTING SERVERS TO PROCESS
  SETTING SERVER PROCESSING OPTIONS
  SELECTING OBJECTS TO PROCESS
  PROCESSING
  INTERRUPTING THE PROCESS
  COMPLETING THE WIZARD

CHAPTER 12 SQL PROCESSING WIZARD
  SQL OBJECTS PROCESSED
  PREREQUISITES
  STARTING THE WIZARD
  SELECTING SQL SERVERS
  SELECTING PROCESSING OPTIONS
  PROCESSING
  COMPLETING THE WIZARD

CHAPTER 13 SMS PROCESSING WIZARD
  SELECTING SMS SERVER
  SETTING RE-PERMISSIONING OPTIONS
  PROCESSING
  COMPLETING THE WIZARD

CHAPTER 14 TRUST MIGRATION WIZARD

CHAPTER 15 CLUSTER SERVER MIGRATION

APPENDIX A: TROUBLESHOOTING
  EXCHANGE 5.5 PROCESSING WIZARD
  SERVER COMPUTER IS NOT RESPONDING
  CANNOT ADD EXCHANGE ORGANIZATION
  TRUST MIGRATION WIZARD
  A NORMAL TRUST IS DISPLAYED AS UNKNOWN

APPENDIX B: ALTERNATIVE NETWORK CONFIGURATIONS

APPENDIX C: COMMAND LINE RESOURCE UPDATING
  COMMAND-LINE PARAMETERS
  CREATING INI FILES
  UPDATING ROAMING PROFILES
  REMOTE UPDATE
  SIDHISTORY MAPPING

APPENDIX D: POST MIGRATION MAINTENANCE
  BACKUP USER PROFILES ON ALL COMPUTERS
  OTHER TASKS

APPENDIX E: SUPPORT INFORMATION
  BEFORE YOU CALL SUPPORT
  INFORMATION REQUIRED FOR SUPPORT

About This Guide

- Overview
- Conventions
- About Quest Windows Management
- About Quest Software
- Contacting Quest Software
- Contacting Customer Support

Overview

This document has been prepared to assist you in becoming familiar with Quest Domain Migration Wizard. The Domain Migration Wizard User's Guide contains the information required to install and use Quest Domain Migration Wizard. It is intended for network administrators, consultants, analysts, and any other IT professionals using the product.

Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

ELEMENT: CONVENTION

- Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
- Bolded text: Interface elements that appear in Quest products, such as menus and commands.
- Italic text: Used for comments.
- Bold Italic text: Introduces a series of procedures.
- Blue text: Indicates a cross-reference. When viewed in Adobe Acrobat, this format can be used as a hyperlink.
- (icon): Used to highlight additional information pertinent to the process being described.
- (icon): Used to provide Best Practice information. A best practice details the recommended course of action for the best result.
- (icon): Used to highlight processes that should be performed with care.
- +: A plus sign between two keystrokes means that you must press them at the same time.
- |: A pipe sign between elements means that you must select the elements in that particular sequence.

About Quest Infrastructure Management

Quest Software, Microsoft's 2004 Global Independent Software Vendor Partner of the Year, provides solutions that simplify, automate, and secure Active Directory, Exchange, and Windows, as well as integrate Linux and Unix into the managed environment. Quest's Infrastructure Management products deliver comprehensive capabilities for secure management, migration, and integration of the heterogeneous enterprise.

About Quest Software, Inc.

Quest Software, Inc. delivers innovative products that help organizations get more performance and productivity from their applications, databases and infrastructure. Through a deep expertise in IT operations and a continued focus on what works best, Quest helps more than 18,000 customers worldwide meet higher expectations for enterprise IT. Quest Software can be found in offices around the globe and at

Contacting Quest Software

Phone: (United States and Canada)
info@quest.com
Mail: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA, USA
Web site:

Please refer to our Web site for regional and international office information.

Contacting Customer Support

Quest Software's world-class support team is dedicated to ensuring successful product installation and use for all Quest Software solutions.

SupportLink at support@quest.com.

You can use SupportLink to do the following:

- Create, update, or view support requests
- Search the knowledge base
- Access FAQs
- Download patches

Chapter 1. Introduction

- About Quest Domain Migration Wizard
- Terminology Used

This document covers the main aspects of a migration to a Windows 2000 Active Directory environment: the challenges that you might face in executing this complex and multifaceted process, and the best solutions for addressing these challenges. This document will guide you through all the logical phases of a network transformation. You will become familiar with the most effective applications developed by an industry leader, Quest Software, intended to perform all migration related tasks for any network, regardless of its size and complexity.

Although multiple domains are justified in certain situations, the cost and complexity involved in administering the continuing expansion of a Windows NT network often require the reconfiguration of the current domain structure. The appearance of Windows 2000 with Active Directory service, which differs from its predecessor Windows NT in fundamental approaches to managing users and resources, also impels many organizations to rethink their network designs.

Active Directory, the directory service within Windows 2000, organizes users and resources into new logical structures allowing significantly more flexible and efficient system administration than Windows NT and Novell Netware. The benefits of Active Directory are quite evident, so if you administer a Windows NT environment, sooner or later you'll consider moving your infrastructure to Windows.

Enterprises now have two methods for performing the transition to Windows 2000:

- In-place upgrade: the existing domain structure and domain naming are preserved.
- Migration: the existing domains are migrated to a newly created Active Directory.

The in-place upgrade method may be appropriate for small companies with a single-domain network. For such an environment, an in-place upgrade is simple to perform and, in most cases, does not require any additional hardware or third-party tools.

Most medium and large enterprises view the transition to Windows 2000 as a migration, rather than a quick in-place upgrade. Such organizations will benefit most from a well thought-out transition scenario.

The migration method has the following benefits:

- Creation of a new technical infrastructure maximizes the benefits of Active Directory.
- Establishment of an organizational structure that reflects the business structure of the enterprise.
- Gradual operation over a longer period of time: this ensures minimal influence on business processes and minimal risks due to human errors.
- The interim presence of the old domains: this grants rollback opportunities.
- Consolidation of servers, which decreases the Total Cost of Ownership (TCO).

Although Microsoft includes the Active Directory Migration Tool (ADMT) in the Windows 2000 distribution, an enterprise-scale migration of highly complicated networks that are distributed worldwide requires third-party tools, such as Quest Domain Migration Wizard.

About Quest Domain Migration Wizard

Quest Domain Migration Wizard is designed specifically to cope with complex, large-scale migration projects in distributed networks. The wizard is often used on a continuous basis to reduce the costs associated with managing a decentralized, multi-platform network and to assist corporate IT environments in meeting their ever-changing organizational and business demands.

Domain Migration Wizard has been successfully deployed in a variety of environments and has earned its reputation as the best-in-the-industry enterprise-class solution because it accomplishes all domain migration related tasks:

- With the highest level of effectiveness in the industry
- Without a heavy workload
- Without any impact on users, help-desk involvement, or system downtime

The main purpose of this document is to describe the functionality of the Domain Migration Wizard components. Please see the Domain Migration Wizard Product Overview for information on the component interaction and migration scenario considerations.

Terminology Used

- Source domain: The domain from which the user accounts and groups are migrated.
- Target domain: The domain to which the user accounts and groups are migrated.
- Console: The computer on which Domain Migration Wizard is installed. This computer is also referred to as the Domain Reconfiguration Console (DRC).

Chapter 2. System Requirements

- Software Requirements
- Network Configuration

Software Requirements

Domain Migration Wizard Components

Domain Migration Wizard components do not have to be installed on a server or domain controller. They can be installed on an Intel-based administrator's computer as long as it complies with the following system requirements:

- Microsoft Windows XP with Service Pack 1 (SP1) or higher, or
- Microsoft Windows Server 2003 or higher.

Microsoft has confirmed that a problem in Microsoft products may prevent third-party programs from synchronizing user passwords. A supported fix is now available to address this problem. Please contact Microsoft Support and request the hotfix described in internal Microsoft Knowledge Base article Q. Install this hotfix on the computer running Domain Migration Wizard Project Manager.

Additional Software

Domain Migration Wizard and Agent Manager require Microsoft Access 2000 or later or Microsoft Access Runtime. If you are using Microsoft Access 2003, the security level must be set to Low or Medium. To set the security level, in Microsoft Access go to the Tools Macro Security level.

Migration customization tasks require Scripting Runtime.

SQL Processing Wizard does not require any SQL Server administrative tools to be installed on the computer on which it is run.

For Domain Migration Wizard Resource Kit system requirements, see the Domain Migration Wizard Resource Kit - User's Guide.

Source and Target Domain Controllers and Member Servers

Domain controllers for the source, resource and target domains and the domain members to be reconfigured can be Intel-based computers running:

- Microsoft Windows NT 3.51 (except target)/4.0 Workstation or Server, or
- Microsoft Windows 2000 Professional or Server, or
- Microsoft Windows XP, or
- Microsoft Windows Server

The computers on which resources are processed can be Intel-based computers running Windows NT 3.51 or later (IIS processing requires Windows NT 4.0 with SP3 and Option Pack and Internet Explorer 4.01 with SP1).

Network Configuration

Domain Migration Wizard Console Placement

The Domain Migration Wizard console is the computer running Domain Migration Wizard. We recommend that the Domain Migration Wizard console be a member of either the source or the target domain. This can be a workstation, server, or domain controller.

Required Permissions

Before starting the accounts migration, an administrator must log on under an account with administrative rights over the source, resource, and target domains, and all the servers and workstations involved in the migration. However, it is not necessary for this account to be granted any level of access whatsoever to resources, such as NTFS objects, registry hives, and printers.

The best practice is to create a separate user account in the source domain for the migration activities and grant this account all necessary rights instead of using an existing account. For more information about a single administrative account and required permissions refer to the Best Practices for NT to Active Directory Migration document.

For a successful Exchange 5.5 directory update, you must have the Modify Admin Attributes and Modify Permissions privileges assigned to you (Permissions Admin and Service Account Admin roles possess these privileges) for the Organizations, Sites, and Site Configurations involved in the migration process.

For a successful Exchange 2000 directory update, you must use the account with Full Exchange Administrator role for the Exchange 2000 organization. No additional trust relationships are required for successful processing if the Exchange 2000 Server resides in the same forest as the target domain.

How to Get the Administrative Rights

To ensure administrative rights on every server or workstation, an administrator can map a hidden administrative share (C$ or Admin$) to all computers in all domains involved in the migration. Agent Manager can create a command file for the mapping of the administrative shares on multiple computers in batch mode. This file will fully automate the procedure of obtaining the administrative rights necessary for migration.

However, these methods are effective only in the case of the NT domain migration. In the case of an Active Directory source domain, you do need to log in to the domain under an administrative account.

To add SIDHistory, it is not sufficient to just map a hidden administrative share (C$ or Admin$) of the domain controller. You do need to log in to the domain under an administrative account.

For more information about an administrative account and required permissions to perform migration tasks, refer to the Best Practices for NT to Active Directory Migration document.

Domain Migration Wizard also supports many other network layouts, described in Appendix B: Alternative Network Configurations. Some of these configurations may be the best options for consulting companies performing domain migrations on client networks.

Chapter 3. Domain Migration Wizard Components

Quest Domain Migration Wizard is a migration and directory management solution that facilitates various domain migration procedures: it migrates users, groups, and computer accounts from one domain to another and updates resource settings in accordance with the new configuration. In parallel you can execute such tasks as a domain consolidation, domain split, transition from the Multiple Master to the Master domain model, and migration from an NT-based or Novell NetWare-based network to an Active Directory domain structure.

Quest Domain Migration Wizard makes the domain migration process virtually unnoticeable for domain users, and at the same time delivers the ultimate in reporting, control, and manageability. It also provides the extensive functionality that corporate infrastructure planners and network administrators demand. All aspects of a migration with Domain Migration Wizard are reflected in reports and can be undone with a click of the mouse at any time, even well after the completion of a particular step. The unified and logical interface allows you to approach all stages of a complex migration project with confidence.

Quest Domain Migration Wizard is shipped with the following components:

- Project Manager: The central migration project and account management interface.
- Domain Migration Wizard: A separate directory migration tool, and an integral part of the Quest Domain Migration Wizard suite of applications.
- Agent Manager: The management interface for distributed resource updating and reconfiguration tasks.
- Directory Processing Wizard: The Active Directory processing and SIDHistory management tool.
- Exchange 5.5 Processing Wizard: The Exchange 5.5 permissions updating tool.
- Exchange 2000 Processing Wizard: The Exchange 2000 permissions updating tool.
- Trust Migration Wizard: The trust relationship verification and transfer tool.
- SQL Processing Wizard: The Microsoft SQL Server updating tool.
- SMS Processing Wizard: The Microsoft Systems Management Servers updating tool.
- Resource Kit: A collection of useful utilities for miscellaneous migration-related tasks.

Chapter 4. Domain Migration Stages

- Overview
- Centralized Account Migration
- Distributed Resource Updating
- BackOffice Servers Updating
- Post-Migration Tasks, Cleanup and Maintenance

Overview

Quest Domain Migration Wizard transfers (migrates) users, and local and global groups from one domain to another. These domains will be referred to as the source domain and the target domain.

A domain migration in an enterprise network consists of four major stages:

1. Centralized account and directory migration: domain accounts databases are reconfigured on the source and target domain controllers (DCs). In the case of migrating to a Windows 2000 domain, the next step is Organizational Unit (OU) population and SIDHistory management, performed to ensure the manageability and coexistence of the source and target network structures.
2. Resource processing: access to files, shares, printers and other securable objects is updated, resulting in, among other things, a consistent desktop user experience for all migrated accounts.
3. Switching to the new domain: account passwords are synchronized between the source and target domains; the source accounts are disabled, and the target accounts are enabled. Optionally, demoted Windows NT domain controllers are migrated to the new domain.
4. Post-migration cleanup and maintenance: the removal of privileges for the source accounts, the removal of SIDHistory for all accounts, and the deletion of migrated source accounts are facilitated to enable comprehensive migration validation, as well as maximum security, integrity, and performance of the target environment.
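One way to validate the SIDHistory removal named in stage 4, as an added example (not from this guide and not Quest's code): a Python script that reads an LDIF export of the target domain, decodes each binary sIDHistory value, and reports every account that still carries one. The LDIF input, the source-domain SID, and all account names are constructed assumptions.

```python
import base64
import struct

# Constructed placeholder: SID of the source domain being retired.
SOURCE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
# Well-known domain-relative RIDs that carry administrative rights.
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}


def encode_sid(sid):
    """Pack 'S-1-5-21-...' into the binary form stored in sIDHistory."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def decode_sid(raw):
    """Unpack a binary SID: revision, sub-authority count, 48-bit big-endian
    authority, then `count` little-endian 32-bit sub-authorities."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or padded SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])


def parse_ldif(text):
    """Return one dict per LDIF record: lower-cased attribute -> list of values.
    Handles folded lines and base64 ('attr:: ...') values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded and unfolded[-1]:
            unfolded[-1] += line[1:]          # continuation of the previous line
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded + [""]:              # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    return records


def audit_sid_history(ldif_text, source_domain_sid=SOURCE_DOMAIN_SID):
    """List (dn, sid, status) for every sIDHistory value still present."""
    findings = []
    for rec in parse_ldif(ldif_text):
        dn = rec.get("dn", ["<no dn>"])[0]
        if isinstance(dn, bytes):
            dn = dn.decode("utf-8", "replace")
        for raw in rec.get("sidhistory", []):
            try:
                sid = decode_sid(raw) if isinstance(raw, bytes) else raw
                domain, _, rid = sid.rpartition("-")
                rid = int(rid)
            except ValueError:
                findings.append((dn, repr(raw), "malformed"))
                continue
            if domain.startswith("S-1-5-21-") and rid in PRIVILEGED_RIDS:
                status = "privileged"         # review first: admin-equivalent SID
            elif domain == source_domain_sid:
                status = "source-leftover"    # cleanup not yet run for this account
            else:
                status = "foreign-domain"     # not from the migrated source domain
            findings.append((dn, sid, status))
    return findings


def build_sample_ldif():
    """Constructed sample export; the first value is folded across two lines."""
    def b64(sid):
        return base64.b64encode(encode_sid(sid)).decode()
    leftover = b64(SOURCE_DOMAIN_SID + "-1105")
    return "\n".join([
        "dn: CN=Alice,OU=Staff,DC=target,DC=example",
        "sIDHistory:: " + leftover[:20],
        " " + leftover[20:],
        "",
        "dn: CN=Bob,OU=Staff,DC=target,DC=example",
        "sAMAccountName: bob",
        "",
        "dn: CN=SvcBackup,OU=Service,DC=target,DC=example",
        "sIDHistory:: " + b64(SOURCE_DOMAIN_SID + "-512"),
        "sIDHistory:: " + b64("S-1-5-21-1234567890-1234567890-1234567890-2001"),
        "",
    ])


if __name__ == "__main__":
    for dn, sid, status in audit_sid_history(build_sample_ldif()):
        print("%-16s %s  %s" % (status, sid, dn))
```

An empty result means no account in the export still holds a SIDHistory value; any "privileged" or "foreign-domain" row deserves review before the source domain is decommissioned.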

The table below illustrates the migration process and the Quest Domain Migration Wizard applications that are used during each stage.

| STAGE | STEP | SUMMARY | APPLICATION |
|---|---|---|---|
| Centralized Account and Directory Migration | Trust Migration | Setting trusts for the target domain | Trust Migration Wizard |
| | User and Group Migration (Migration Session) | Migration of user and group accounts to the target domain. Resolving name conflicts | Domain Migration Wizard |
| | AD Population (optional) | Placing target users and groups in the target AD OU | Domain Migration Wizard, Directory Processing Wizard |
| Resource Processing | Distributed Resource Updating | For all workstations in the domain: updating permissions, ownership information and auditing on registries, shares, folders and printers; updating local group memberships; updating user rights and privileges | Agent Manager |
| | Windows 9x Computer Updating | Making the corresponding changes to local Windows 9x registries | Resource Kit (RegWalker) |
| | Workstation Moving | Moving NT workstations to the target domain | Agent Manager, Resource Kit (ChangeDomain) |
| | Workstation Renaming (optional) | Renaming some of the workstations | Resource Kit (RenComp) |
| | Exchange Directory Updating | Updating privileges and ownership information for Exchange Directory objects | Exchange 5.5 Processing Wizard, Exchange 2000 Processing Wizard |
| | Microsoft SQL Server Updating | Updating Microsoft SQL Servers to correspond to the domain migration changes that were made | SQL Processing Wizard |
| | Microsoft Systems Management Servers Updating | Updating Systems Management Servers to correspond to the domain migration changes that were made | SMS Processing Wizard |
| | Profile Updating | Modifying privileges for profile files and setting profile paths for the target accounts | Agent Manager, Resource Kit (ExportProfile, ChangeProfile) |
| Switching to the New Domain | Password Synchronization | Password synchronization for source and target accounts | Project Manager, Resource Kit (Spwd) |
| | Switching to New Accounts | Disabling the source accounts and enabling the target accounts | Project Manager |
| | Windows NT 4.0 domain controller migration | Demoting Windows NT 4.0 domain controllers and moving them to the new domain | DC Demote Wizard (Resource Kit) |
| Post-Migration Clean-Up | Resource Clean-Up | Removing privileges for the source accounts | Agent Manager |
| | Exchange Directory Clean-Up | Removing privileges for the source accounts | Exchange 5.5 Processing Wizard, Exchange 2000 Processing Wizard |
| | SMS Clean-Up | Removing privileges for the source accounts | SMS Processing Wizard |
| | SQL Clean-Up | Removing privileges for the source accounts | SQL Processing Wizard |
| | Post-Migration AD Processing (optional) | Removing SIDHistory for all accounts | Directory Processing Wizard |
| | Deleting Source Accounts | Deleting migrated source accounts | Project Manager |

Centralized Account Migration

The directory migration phase is centralized. This means that it is performed locally on an Administrator's computer, the computer where Quest Domain Migration Wizard is installed. This is because the network components reconfigured during this phase are the domain controllers of the source and target domains.

By using Trust Migration Wizard, Domain Migration Wizard and Directory Processing Wizard during this first phase, you migrate:

- Trust relationships
- Users
- User rights
- Groups
- Group memberships

Domain Migration Wizard does not delete or rename any users or groups in the source domain. The user and group properties in the source domain remain the same after a migration, unless you later choose to disable the source accounts. The words "transfer" and "migrate" simply mean that Domain Migration Wizard creates new users and groups in the target domain with the same properties and levels of resource access as the originals in the source domain.

Novell Account Management Support

Domain Migration Wizard supports migration from domains running Novell solutions such as Novell Account Management and the former product NDS for NT. The source domain controllers running these products can be used for accounts migration and passwords synchronization without any limits.

To migrate accounts from Novell Directory Services (NDS) to Active Directory and data from Novell Netware servers to Windows servers, use the Quest NDS Migrator product. For more information about Quest NDS Migrator follow the link:

Migration Session

A migration session consists of three phases:

- Populating the migration database.
- In-database reconfiguration.
- Modifying the target domain.

Populating the Migration Database

The Migration Migrate Directory New Account Migration Session command in the Project Manager menu starts the migration process by collecting network information into the database. The information that is collected during this step includes:

- Global and local groups from the source and target domains.
- Domain users from the source and target domains, including user rights for users from the source domain.

This step takes only a few minutes, even for a domain with 20,000 users.

In-Database Reconfiguration

The migration engine uses SQL queries with user-specified parameters for the virtual reconfiguration of the network in the database. The modifications include:

- Handling duplicate user accounts in the source and target domains.
- Handling duplicate group names in the source and target domains.
- Checking Primary Group assignments.

In addition, you can specify some other migration parameters, like password handling and account expiration options. The migration database will at this time contain an exact snapshot of the changes that will be made to the future target domain configuration. Again, superior performance in large networks is achieved through specially optimized processing techniques.

Modifying the Target Domain

The migration engine applies the modified network information from Domain Migration Wizard's migration database to the target accounts database. The information that is applied at this step includes:

- Global and local groups in the target domain.
- User accounts in the target domain, including passwords.
- Organizational Unit memberships for the migrated users and groups.
- SIDHistory values.

You can also optionally recollect passwords before the apply operation to ensure that they are up-to-date and disable the source accounts. In addition, you can force the use of specific source and target DCs to be used during this step.

The figure below illustrates this process.

[Figure: Domain migration session. Labels: Source DC, Database, Target DC, Save, Apply, In-Database Reconfiguration, Step 1, Step 2, Step 3. Characteristics: centralized processing; works via database driver; import/export database connectivity.]

Active Directory Population

Many domain-restructuring projects are initiated as part of a broader Windows 2000 migration and deployment task. Quest Domain Migration Wizard supports domain reconfiguration scenarios whereby down-level NT domain security principals, along with all their properties, are moved to Organizational Units of Windows 2000 Active Directory domains.

Directory Processing Wizard, a special companion of Quest Domain Migration Wizard, contains options for directory processing. Directory Processing Wizard uses account-mapping information generated during the directory migration stage to move the migrated security principals to Active Directory Organizational Units, as well as preserve the current resource access, ownership, and auditing parameters.

Documenting the Migration Session

Domain Migration Wizard provides comprehensive reporting for each step and aspect of a migration. The reports reflect the migration's progress and procedures and let you keep track of the changes made to your network settings during the migration. The reports can be printed, saved, or directly e-mailed in a variety of formats, including RTF, Microsoft Access report snapshot, Microsoft Word document, Microsoft Excel spreadsheet, HTML, or plain text.

Roll-Back Options

Domain Migration Wizard allows you to stop any accounts migration session at any time and resume or undo it later from exactly where you left off. All operations performed during a migration session are completely reversible.

If an operation is performed inside the database, simply click the Back button to return to the previous window and correct the changes. The wizard does not clear your changes when you click the Back button.

If an operation involves modifying the actual network, you can click the Undo button to roll back all the changes made during that step. The wizard can undo the changes applied to the actual network.

When you click Exit in the middle of a migration session, the wizard saves the current migration state in the project folder. Later, through Project Manager you can open Domain Migration Wizard at the step where you quit the session, which allows you to resume the interrupted migration or undo the steps you have already performed.

Even if a migration session was performed long ago and multiple, subsequent sessions were run thereafter, you can select the session in Project Manager, open it and revert to the original accounts configuration, provided, of course, that you have not decommissioned the session's source domain.

Distributed Resource Updating

During this phase you migrate network resources, or, to be more precise, ensure that the newly created users and groups in the target domain retain their levels of access to the resources. These resources are, essentially, file system objects, network shares, and shared printers. Additionally, registries on the remote computers, user profiles, and service account credentials need to be processed to ensure a consistent desktop user experience, network security, and uninterrupted business operations.

Domain Migration Wizard processes all properties of these resources, in particular:
- NTFS, share, registry, and printer ACLs, ownership, and auditing
- User profiles
- Local group memberships
- Service and scheduled task account credentials
- User rights

Another noteworthy feature of Domain Migration Wizard is its ability to process and update all objects. Specifically, Domain Migration Wizard overrides permissions that would normally make an object inaccessible with conventional means (e.g. Windows NT Explorer), while never modifying the original entries in the object security descriptors.

The fact that resources are scattered across the network presents a challenge during a migration. In a large network environment, the centralized processing of resources on the Domain Reconfiguration Console (DRC), the computer running Domain Migration Wizard, will no longer satisfy scalability requirements. To address the challenges of the distributed stage, Domain Migration Wizard uses agents and simultaneous processing to make the migration performance independent of the network size.

An important element of the resource updating phase is the so-called mapping data created during the directory migration. The mapping data establishes the concordance between the source and target accounts. It is used to process the corresponding resources with efficient and optimized agents. To decrease overhead traffic, Domain Migration Wizard compresses the mapping data sent over the network.

While being unnoticeable to users, a domain migration with Domain Migration Wizard is designed to be fully visible, trackable, and customizable for administrators. A comprehensive range of reports is a key feature of the wizard. In particular, during the resource updating phase, Domain Migration Wizard agents supply the log data from remote computers that forms the basis of resource updating reports.

Directory resource updating is accomplished by Domain Migration Wizard Agent Manager, a companion to Domain Migration Wizard.

[Figure: Resource Updating with Domain Migration Wizard Agent Manager. Labels: Domain Reconfiguration Console, Agents Distribution, Parallel Distributed Processing, Log Consolidation, Reporting. Characteristics: distributed parallel processing; can be delegated to local admins and run granularly for specific types of objects; can be run only once to reflect all migration sessions in project; scalable and independent of network size.]

BackOffice Servers Updating

Microsoft Exchange Servers, SQL Servers, and Microsoft Systems Management Servers need to be updated to reflect the domain migration changes that were made by using Domain Migration Wizard.

Domain Migration Wizard contains easy-to-use wizards that retrieve the account migration information from the Domain Migration Wizard database and substitute the old accounts it locates on the processed SQL and SMS servers with the corresponding new accounts.

To ensure uninterrupted messaging service for the migrated accounts, Domain Migration Wizard also updates the Primary Windows NT Account attribute of Microsoft Exchange Server mailboxes and permissions on the specified Exchange directory containers.

Post-Migration Tasks, Cleanup and Maintenance

Given the infinite variety of real-world network configurations, no tool would handle a domain migration without providing the administrator with customization options. As a database-driven tool, Domain Migration Wizard takes full advantage of SQL queries to perform such functions as verifying the migration results and automating certain post-migration tasks.

Additional options for directory processing are available in a special companion Domain Migration Wizard application, Directory Processing Wizard. The wizard can be run at any time after the migration and perform all the AD-related operations available in Domain Migration Wizard. Additionally, as a long-term solution to ensure the better performance, security, and integrity of your AD environment, the wizard can perform a cleanup of SIDHistory entries after the resources are updated and the additional, security-sensitive mechanism for user impersonation is no longer necessary. See the Directory Processing Wizard chapter in this Guide for more information.

In addition to various account management options (such as enabling, disabling, deleting, and syncing/mirroring group memberships), Domain Migration Wizard Project Manager also provides a framework for the execution of user-defined scripts for the selected accounts. This capability enables you to perform a wide variety of custom migration tasks. Such tasks include Active Directory population from an external database and the bulk-modifying of account attributes. Administrators familiar with ADSI and scripting languages like VBScript can complement Domain Migration Wizard directory processing features with scripts that address their specific needs.


5 Project Manager

What You Can Do in Project Manager
Starting Your Migration Project
Migration Sessions
Launching Other Migration Tools
Account Management
Password Management
Exporting INI Files for Resource Updating
Project Manager Scripting

Domain Migration Wizard Project Manager is a centralized migration project management application that gives you access to all other migration tools and provides some important functionality of its own. For your convenience, Project Manager organizes all the migration information in an explorer-like interface. Project Manager displays a management tree for Sessions, Users, Global and Local Groups and Computers in the left pane and the information on specific objects in the right pane. The main Project Manager window is shown in the following figure.

The Tools menu allows you to manage accounts and perform different migration tasks.

What You Can Do in Project Manager

Using Domain Migration Wizard Project Manager, you can:

- Launch other migration tools:

TOOL | SEE FOR DETAILS
Domain Migration Wizard | Centralized Account Migration section
Directory Processing Wizard | Directory Processing Wizard section
Agent Manager | Resource Updating section
Exchange 5.5 Processing Wizard | Exchange 5.5 Processing Wizard section
Exchange 2000 Processing Wizard | Exchange 2000 Processing Wizard section
Trust Migration Wizard | Trust Migration Wizard section
SQL Processing Wizard | SQL Processing Wizard section
SMS Processing Wizard | SMS Processing Wizard section

Agent Manager, Exchange 5.5 Processing Wizard, Exchange 2000 Processing Wizard, Directory Processing Wizard, SMS Processing Wizard, and SQL Processing Wizard will perform their tasks using the objects (users, local and global groups, and computers) that are currently selected in Project Manager. The shortcut menu lets you select/deselect all objects in a session. You can select objects from multiple sessions, and the migration tools will then update resources and directories using the mapping data from all the selected accounts.

- View and track all directory migration sessions within a project, including the following session properties:
  - Session date and time
  - Session manager (i.e. the account under which a session is run) and console (i.e. the computer from which Domain Migration Wizard is run, also called the Domain Reconfiguration Console, DRC)
  - Multiple session comments added by migration project managers at various levels
  - Source and target domains
  - Number of users and global and local groups migrated in a session, as well as account names and their status (i.e. enabled, disabled, or deleted)
- Perform various account management operations in the source and target domains:
  - Users: enable/disable/delete, synchronize passwords, and reset passwords to a fixed or random expression
  - Local groups: synchronize membership and delete
  - Global groups: mirror membership and delete
- Run user-defined script programs

Starting Your Migration Project

A migration project consists of session databases, corresponding migration session files, and a project database. A set of migration project files is stored in a project folder. The default project folder location is <Domain Migration Wizard Installation Path>\Project. You can modify the active project location by selecting File | Select Project, as shown below:

You can select any existing project folder or use an empty folder to start a new project.

When you start Project Manager for the first time, there are no objects shown in the right pane. They appear automatically after you migrate accounts using Domain Migration Wizard. Therefore, to actually initialize and populate a project in Project Manager, you need to run at least one migration session in Domain Migration Wizard and migrate some accounts from the source to the target domain.

Migration Sessions

Domain Migration Wizard organizes migrations into sessions. A session consists of the main account migration activity. Migration sessions are executed by Domain Migration Wizard itself. The session data is displayed by Project Manager and is used by other Domain Migration Wizard components for various migration activities.

Start

To start a new session, go to Tools | Migration | Migrate Directory | New Account Migration Session, as shown in the following figure.

As you run migration sessions, Project Manager will display these sessions. Once a session is completed, all the migrated accounts are displayed in the corresponding branches of the project tree.

Only one session at a time can be opened in Domain Migration Wizard.

Domain Migration Wizard can be run in automated mode. This may be useful when performing delegated migration or continuous synchronization tasks. In this mode, Domain Migration Wizard runs from the command line, reading all migration options from the Project.ini file. See the Domain Migration Wizard Scripting Reference for details.

Resume

If you stop the migration session, you may want to resume it later. Double-click the session name in the Project Manager window and the session will resume from the place where you left off. Interrupted sessions have the In progress status.

Undo

Once you have completed the session, you may want to undo changes you made to the network. Double-click the session name in the Project Manager window and click the Undo button at the Domain Migration Is Now Complete step to restore the original domain state. Completed sessions have the Completed status.

Session Comments

Each migration session can be annotated with one or more comments. The first session comment is usually added in Domain Migration Wizard when the session is started. Subsequent comments by project coordinators are added in Project Manager. Each comment is marked by a date/time stamp and the account information. You cannot delete comments added previously.

Session Defaults

You can set up the migration option defaults, which will already be selected in the Domain Migration Wizard steps each time you run a new migration session. To set up the defaults, click Tools\Session Defaults and the Session Defaults window will appear.

In this window you can specify most of the options you have to select when Domain Migration Wizard runs. Each folder in this window corresponds to a step of the wizard and contains the same options. Select the options you want to be default and click OK to save them. You can reset the defaults you specified at any time by clicking the Default button. The original defaults will be restored in this case.

Session defaults should always be set up when migrating in automated mode. Otherwise, the original predefined Domain Migration Wizard session defaults will be used for the migration session.

Launching Other Migration Tools

Double-click a session name or start a new session to start Domain Migration Wizard. If you open an incomplete session, Domain Migration Wizard will let you proceed with the account migration. Finished sessions can be rolled back. Domain Migration Wizard also allows you to view reports on the open sessions.

The Migration button on the toolbar or the Tools | Migration menu lets you start the following Domain Migration Wizard components:
- Directory Processing Wizard (Post-Migration Tasks | Directory Processing Wizard)
- Agent Manager (Update Resource | Distributed Resource Updating)
- Exchange 5.5 Processing Wizard (Update Resource | Exchange 5.5 Updating)
- Exchange 2000 Processing Wizard (Update Resource | Exchange 2000 Updating)
- Trust Migration Wizard (Migrate Directory | Trust Migration)
- SMS Processing Wizard (Update Resource | SMS Updating)
- SQL Processing Wizard (Update Resource | SQL Server Updating)

If some of the tools are unavailable, they were probably not installed and you will not be able to run them.

Select the objects to process and run the tool. To select the objects involved in the particular session, right-click the session name and click the Select Involved Objects item on the shortcut menu. You can opt to select/clear all objects involved in this session or only users, global or local groups, or computers. You can also combine the selections. For example, to select all (global and local) groups, select all global groups first, and then all local groups.

The tools will perform resource reconfiguration, directory reconfiguration, and other reconfiguration for the selected objects. Refer to the corresponding chapters of this guide for details.

Account Management

Project Manager allows you to perform some important user and group account management functions directly, without starting other tools. The available options and commands are described below.

Setting Default Domain Controllers

By selecting the closest and fastest domain controllers for account management operations, you can significantly increase the operations' performance. In Windows NT domains, any domain controller can be used to read information, but changes can be applied only to the Primary Domain Controller (PDC). In Windows 2000 domains, any domain controller can be used for read/write operations.

To select the domain controllers to be used within a particular domain, on the Tools menu, click Default Domain Controller.

When selecting a domain controller other than the PDC as the domain controller for read operations, make sure it is in sync with the primary account database before performing account management operations.

Managing User Accounts

Select the Users branch in the Project Tree. Use the Manage Accounts button on the toolbar or the Tools menu to enable/disable/delete the selected accounts in the source and/or target domains.

You can select/clear multiple accounts by Shift-clicking the check boxes to select/clear a range of items. Click a column header to sort items in a column in ascending or descending order. You can also jump to an account by typing the first few letters of its name.

In addition to manually selecting several accounts, you can use account lists stored in a text file with one account name per line to select and perform operations on multiple accounts, as shown in the following Project Manager screenshot.

Users: Manage Accounts | Source Accounts

- Enable Selected Accounts. The currently selected migrated accounts will be enabled in the source domain.
- Disable Selected Accounts. The currently selected migrated accounts will be disabled in the source domain. This option does not affect the Administrator account.
- Delete Selected Accounts. The currently selected migrated accounts will be deleted in the source domain.

Users: Manage Accounts | Target Accounts

- Enable Selected Accounts. The currently selected migrated accounts will be enabled in the target domain.
- Disable Selected Accounts. The currently selected migrated accounts will be disabled in the target domain.
- Delete Selected Accounts. The currently selected migrated accounts will be deleted in the target domain.

Managing Global Groups

Select the Global Groups branch in the Project Tree. Use the Manage Accounts button on the toolbar or the Tools menu to delete the selected global groups and synchronize membership between the source and target domains.

Global Groups: Manage Accounts | Source Accounts

- Delete Selected Accounts. The currently selected migrated global group accounts will be deleted in the source domain.
- Mirror Global Group Membership with Target Domain. Memberships of the currently selected global groups will be synchronized with those of the corresponding global groups in the target domain.

Global Groups: Manage Accounts | Target Accounts

- Delete Selected Accounts. The currently selected migrated global group accounts will be deleted in the target domain.
- Mirror Global Group Membership with Source Domain. Memberships of the currently selected global groups will be synchronized with those of the corresponding global groups in the source domain.

For example, SOURCE\Joe, a member of SOURCE\MyGlobalGroup, has been migrated and become TARGET\Joe. The group SOURCE\MyGlobalGroup has also been migrated and renamed to TARGET\NewGlobalGroup to avoid duplicates. However, its members have not been selected for migration. By choosing the Mirror Global Group Membership with Source Domain command, you will ensure that TARGET\Joe becomes a member of TARGET\NewGlobalGroup.

Suppose the groups SOURCE\MyGlobalGroupA and SOURCE\MyGlobalGroupB were merged into the group TARGET\NewGlobalGroup during the migration process. If SOURCE\Joe was then deleted from SOURCE\MyGlobalGroupA on the source, he will be deleted from the target group in the following case: SOURCE\Joe was migrated, and SOURCE\Joe is not also a member of SOURCE\MyGlobalGroupB.

Managing Local Groups

Select the Local Groups branch in the Project Tree. Use the Manage Accounts button on the toolbar or the Tools menu to delete the selected local groups and synchronize membership between the source and target domains.

Local Groups: Manage Accounts | Source Accounts

- Delete Selected Accounts. The currently selected migrated local group accounts will be deleted in the source domain.
- Copy Local Group Membership from Target Domain. Memberships of the currently selected local groups will be synchronized with those of the corresponding local groups in the target domain. Members of the selected local groups in the target domain will become members of the corresponding source local groups.
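The Mirror Global Group Membership with Source Domain rule for merged groups, described above, can be modelled as set arithmetic over the mapping data. The following is an added example, not Domain Migration Wizard code; the function name and data shapes are hypothetical, and it assumes that target members with no entry in the account mapping are left untouched.

```python
"""Added example: model of 'Mirror Global Group Membership with Source Domain'."""


def plan_mirror(source_groups, account_map, target_members):
    """Return (to_add, to_remove) for one target global group.

    source_groups  -- dict: source group name -> set of its current source members
                      (every source group that was merged into the target group)
    account_map    -- dict: source account -> target account (the mapping data)
    target_members -- set of current members of the target group
    """
    # A source account keeps its seat if it is still in ANY of the merged groups.
    still_members = set().union(*source_groups.values())
    expected = {account_map[s] for s in still_members if s in account_map}

    # Only accounts created by a migration are candidates for removal.
    # Assumption: unmapped target members are not managed by the mirror.
    migrated_targets = set(account_map.values())

    to_add = expected - set(target_members)
    to_remove = {
        t for t in target_members
        if t in migrated_targets and t not in expected
    }
    return to_add, to_remove


if __name__ == "__main__":
    # Constructed sample data using the account names from the guide's example.
    mapping = {"SOURCE\\Joe": "TARGET\\Joe", "SOURCE\\Ann": "TARGET\\Ann"}
    target = {"TARGET\\Joe", "TARGET\\LocalOnly"}

    # Joe was removed from group A but is still in group B: he stays.
    groups = {
        "SOURCE\\MyGlobalGroupA": {"SOURCE\\Ann"},
        "SOURCE\\MyGlobalGroupB": {"SOURCE\\Joe"},
    }
    print(plan_mirror(groups, mapping, target))

    # Joe is in neither merged group any more: he is removed from the target.
    groups["SOURCE\\MyGlobalGroupB"] = set()
    print(plan_mirror(groups, mapping, target))
```

Reviewing the planned removals before mirroring shows which migrated accounts are about to lose access granted through the target group.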

Local Groups: Manage Accounts | Target Accounts

- Delete Selected Accounts. The currently selected migrated local group accounts will be deleted in the target domain.
- Copy Local Group Membership from Source Domain. Memberships of the currently selected local groups will be synchronized with those of the corresponding local groups in the source domain. Members of the selected local groups in the source domain will become members of the corresponding target local groups.

The ability to synchronize local groups deleted from the source or target domains is not provided.

Password Management

Project Manager also allows you to perform some important user password management functions. The available options and commands are described in this section.

Select the Users branch in the Project Tree. Use the Manage Accounts button on the toolbar or the Tools menu to reset/synchronize the selected users' passwords in the source and/or target domains.

You can select/deselect multiple accounts by Shift-clicking the check boxes to select/deselect a range of items. Click a column header to sort items in a column in ascending or descending order. You can also jump to an account by typing the first few letters of its name.

In addition to manually selecting several accounts, you can use account lists stored in a text file with one account name per line to select and perform operations on multiple accounts.

Users: Manage Accounts | Source Accounts

Reset Selected Users' Passwords. The currently selected migrated accounts in the source domain will be assigned new passwords, depending on the options you specify in the following dialog box:

You can assign the same User defined password for all currently selected users. When selecting this option, as well as the random password generation option, be sure to comply with the corresponding domain password policy.

If you select the Random password option, users will be assigned random passwords based on the criteria you specify in the Tools | Options | Random passwords dialog box. The generated passwords are stored in the password log file, also specified in the Options dialog box.

Selecting Strong password will make the generated passwords comply with the password requirements from Microsoft knowledge base article Q

The requirements are:
1. Passwords must be at least six (6) characters long.
2. Passwords must contain characters from at least three (3) of the following four (4) classes:
   - English upper case letters (A, B, C,... Z)
   - English lower case letters (a, b, c,... z)
   - Westernized Arabic numerals (0, 1, 2,... 9)
   - Non-alphanumeric ("special characters") such as punctuation symbols
3. Passwords may not contain your user name or any part of your full name.

The User must change password at next logon check box, if selected, will force users to change their passwords at next logon. If this check box is unavailable, the current setting defined in User Manager for Domains or Active Directory Users and Computers MMC snap-in will remain intact. If the check box is cleared, the requirement will be turned off.

Copy passwords from Target domain. The selected users' passwords will be copied from the target domain, overwriting the current passwords in the source. In effect, the currently selected migrated accounts in the source domain will be assigned the passwords of the corresponding target users. This option is useful when you want to revert to using the original source domain accounts, but the target users' passwords have already been changed.

Users: Manage Accounts | Target Accounts

Reset Selected Users' Passwords. The currently selected migrated accounts in the target domain will be assigned new passwords, depending on the options you specify in the Reset Password dialog box.

Copy passwords from Source domain. The currently selected migrated accounts in the target domain will be assigned the passwords of the corresponding source users.
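The three Strong password requirements listed above can be checked before a user-defined password is applied to many accounts at once. The following is an added example, not part of Domain Migration Wizard. The function name is hypothetical, and the way "any part of your full name" is interpreted (splitting on common delimiters and ignoring parts shorter than three characters) is an assumption.

```python
"""Added example: check a candidate password against the three rules above."""
import re
import string

# Assumption: the full name is split into parts on these delimiters, and
# parts shorter than MIN_NAME_PART characters are ignored.
NAME_DELIMITERS = r"[,.\-_ #\t]+"
MIN_NAME_PART = 3


def strong_password_problems(password, user_name, full_name):
    """Return a list of rule violations; an empty list means compliant."""
    problems = []

    # Rule 1: at least six characters.
    if len(password) < 6:
        problems.append("shorter than six characters")

    # Rule 2: characters from at least three of the four classes.
    classes = {
        "upper": any(c in string.ascii_uppercase for c in password),
        "lower": any(c in string.ascii_lowercase for c in password),
        "digit": any(c in string.digits for c in password),
        "special": any(not c.isalnum() for c in password),
    }
    if sum(classes.values()) < 3:
        present = ", ".join(k for k, v in classes.items() if v) or "none"
        problems.append(f"fewer than three character classes (found: {present})")

    # Rule 3: must not contain the user name or a part of the full name.
    lowered = password.lower()
    seen = set()
    for part in [user_name] + re.split(NAME_DELIMITERS, full_name):
        key = part.lower()
        if len(key) >= MIN_NAME_PART and key not in seen and key in lowered:
            seen.add(key)
            problems.append(f"contains name part {part!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample account and candidate passwords.
    for candidate in ["Ab1", "password", "Smith#2005", "Tr4il-mix"]:
        print(candidate, strong_password_problems(candidate, "jsmith", "John Smith"))
```

A single user-defined password assigned to every selected account should pass this check for each account's own user name and full name, not just for one of them.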

Exporting INI Files for Resource Updating

Project Manager can create settings (INI) files that can later be used for automatic resource processing by Domain Migration Wizard Agent Manager, the Vmover utility, Exchange 5.5 Processing Wizard, or Exchange 2000 Processing Wizard.

An INI file contains all the settings needed for the migration and mapping information for all the objects (users, local and global groups) that were selected in Project Manager when the file was created.

To create an INI file:
1. Select one or more migrated objects (users and groups) that you want to be affected.
2. On the File menu, click Export INI File.
3. Depending on the purpose of the file, select the processing options. See the corresponding options description in the Resource Updating, Exchange 5.5 Processing Wizard, and Exchange 2000 Processing Wizard sections of this guide.
4. Type the file path and name.

The options you should select depend on the purpose of the INI file.

Creating INI Files for Agent Manager

INI files for Agent Manager should be named Vmover.in_. They can be either compressed or uncompressed. INI files for Agent Manager should be placed in the installation folder of Agent Manager, and the tool should be run for the intended resource updating.

It is recommended that you use the compressed format because INI files are sent across the network during distributed resource updating.

Creating INI Files for Vmover

By default, the Vmover utility searches its folder for the Vmover.in_ (compressed) file, and then, if the file is not found, for the Vmover.ini (uncompressed) file. You can use Vmover's /ini parameter to specify an alternative INI file name and location. In this case Vmover will again first search for the file's compressed version. For example, if you specify File.txt, Vmover will first attempt to locate File.tx_, and then File.txt.

Thus, if you specify the uncompressed INI file to be created, but there is a compressed file with the same name in Vmover's folder, Vmover will use the compressed file instead of the specified one.

For more information on using an exported INI file for processing resources with the Vmover.exe utility, refer to Appendix C: Command Line Resource Updating of this Guide.

Creating INI Files for Exchange 5.5 Processing Wizard

INI files for Exchange 5.5 Processing Wizard (EPW) should be named Exchange.ini and should not be compressed. INI files for Exchange 5.5 Processing Wizard should be placed in the wizard's installation folder, and the tool should be run for the intended Exchange updating.

Exchange 5.5 Processing Wizard takes into account only Processing options. Account management, Permissions management, and Error handling options do not affect an Exchange migration.
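Because a leftover compressed file silently takes precedence over a newly exported uncompressed one, it is worth checking which file the Vmover search order described above would pick before a run. The following is an added example, not Vmover code. It models only the lookup order stated in this guide; the function names and the staleness warning are hypothetical additions.

```python
"""Added example: which INI file would the documented search order select?"""
import os
import tempfile
from pathlib import Path
from typing import Optional


def compressed_name(path: Path) -> Path:
    """Vmover.ini -> Vmover.in_, File.txt -> File.tx_ (pairs given in the guide)."""
    suffix = path.suffix
    if len(suffix) < 2:
        # Assumption: a name without an extension has no compressed variant.
        return path
    return path.with_suffix(suffix[:-1] + "_")


def resolve_ini(folder: Path, requested: Optional[str] = None) -> dict:
    """Model the lookup: compressed variant first, then the uncompressed file.

    folder    -- Vmover's own folder
    requested -- value that would be passed to /ini, or None for the default
    """
    plain = Path(requested) if requested else Path("Vmover.ini")
    if not plain.is_absolute():
        plain = Path(folder) / plain
    packed = compressed_name(plain)

    selected, warnings = None, []
    if packed != plain and packed.is_file():
        selected = packed
        if plain.is_file():
            warnings.append(f"{packed.name} takes precedence over {plain.name}")
            if packed.stat().st_mtime < plain.stat().st_mtime:
                warnings.append(
                    f"{packed.name} is older than {plain.name}: "
                    "the mapping data used may be out of date"
                )
    elif plain.is_file():
        selected = plain
    else:
        warnings.append("no INI file found")
    return {"selected": selected, "warnings": warnings}


def demo() -> dict:
    """Constructed scenario: a fresh File.txt next to a leftover File.tx_."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "File.txt").write_text("constructed: fresh export\n")
        (folder / "File.tx_").write_text("constructed: earlier export\n")
        # Make the compressed file clearly older than the fresh export.
        os.utime(folder / "File.tx_", (1_000_000_000, 1_000_000_000))
        result = resolve_ini(folder, "File.txt")
        return {"selected": result["selected"].name, "warnings": result["warnings"]}


if __name__ == "__main__":
    print(demo())
```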

Creating INI Files for Exchange 2000 Processing Wizard

INI files for Exchange 2000 Processing Wizard (E2KPW) should be named 'Exchange2k.ini' and should not be compressed. INI files should be placed in the Program Files\Common Files\Aelita Shared\Migration Tools folder, and the tool should be run for the intended Exchange updating.

E2KPW takes into account only Processing options. Account management, Permissions management, and Error handling options do not affect an Exchange migration.

Project Manager Scripting

Besides standard account management options (enable, disable, delete, copy/mirror group memberships, etc.), Project Manager lets you execute user-defined scripts for selected accounts. This capability enables you to perform a wide variety of custom migration tasks. Such tasks include Active Directory population from an external database, bulk-modifying account attributes, and many others.

A Domain Migration Wizard Project Manager script is a user-written script program (written in VBScript or JScript provided by Microsoft, or any other Active Scripting engine from another vendor) that:
- Can be run from the Project Manager interface. All scripts are shown as Project Manager menu commands.
- Has access to the properties of the objects currently selected in Project Manager, as well as access to such Domain Migration Wizard components as Domain Migration Wizard sessions and the Project Manager log file.

See the Domain Migration Wizard Scripting Reference for details.


6 Centralized Account Migration

Step I: Select Domains
Step II: Preprocess Users and Groups
Step III: Migrate Users and Groups
Step IV: Document Migration

The account migration is the basis of the whole migration process. This step is performed by the key component of the suite, Domain Migration Wizard.

There are two ways to start Domain Migration Wizard:
- For previously started sessions, double-click the session name in the Sessions branch of the Project Manager window. Domain Migration Wizard will resume from the step where the current session was interrupted.
- To start a new session, click Tools | Migration | Migrate Directory | New Account Migration Session. Domain Migration Wizard will start from the first step.

Domain Migration Wizard can be run in automated mode. This may be useful when performing delegated migration or continuous synchronization tasks. In this mode, Domain Migration Wizard runs from the command line, reading all migration options from the Project.ini file. See the Domain Migration Wizard Scripting Reference for details.

Step I: Select Domains

In the first window you are given the option of adding comments to the migration session you are about to begin. Additional follow-up session comments can later be added in Domain Migration Wizard Project Manager.

Select Source and Target Domains Window

Domain Migration Wizard displays a list of all the domains in your network. From this list you can select the source and target domains.

By default, both the source and target domain lists are empty, because for large networks domain enumeration may take significant time. You can type the source and target domain names, or click the Refresh button and select the domains from the lists when enumeration is over. You can also type a domain name directly in the space provided.

If the source PDC is located over a low-speed link but you have good connectivity to a Backup Domain Controller, you can specify a BDC as the location of the domain Security Account Management database (SAM) by typing \\BDC_NAME in the space provided. Before using this method, make sure you have forced accounts database synchronization with the PDC immediately before the migration.

When migrating to a Windows 2000 domain, you can specify a target Active Directory domain controller with which connectivity is faster and more reliable.

Domain Migration Wizard does not require a trust relationship between the source and target domains to perform a migration. However, if a trust relationship is required (for example, for preserving Local Group Membership), you can establish the necessary trust relationships with the Trust Migration Wizard. Refer to the Trust Migration Wizard section for more details.

For a successful domain migration, domain controllers should be reachable on the network and you must have administrative rights over the domains involved in the migration process.

You can use the ping command to test connectivity to a domain controller. For example: ping pdc-target2000.

To verify that you have administrative rights, try to enter the administrative share (c$) of the domain controller. To get the rights, make an account a member of the domain local Administrators group or run the net use \\DC_NAME\c$ /u:d_name\administrator "password" command. For example: net use \\bdc-source\c$ /u:source\administrator "". Also, you should be a member of the local Administrators group on the computer on which Domain Migration Wizard is installed.

However, these methods are effective only in the case of the NT domain migration. For Active Directory domains, you need to log in to the target domain under an administrative account. If you manage the migration from a computer which is not in the target Active Directory domain, you can still run the migration tools under the appropriate administrative account by using the runas command. In this case, you can use the following scenario:
1. Start Windows command prompt (cmd).
2. Use the runas command to start another command prompt under the account which has the required administrative privileges: runas /netonly /u:targetdomain\adminaccount cmd
3. Type the account's password.
4. In the new command prompt, gain control over the source domain by mapping an administrative share: net use \\SourceDC\c$ /u:sourcedomain\adminaccount "password"
5. From the command prompt, start Project Manager (for example, by dragging the shortcut from the start menu).

If you cannot get administrative rights over the domains (because of the enterprise security policy, for example), Domain Migration Wizard will let you perform the migration, but with some restrictions.

If you are not in the local Administrators group of the source domain, not all account properties will be available to you: Domain Migration Wizard will not be able to get the passwords and privileges of the source users. The Add SIDHistory operation may not work either. However, the rest of the properties should be migrated properly.

As for the target domain controller, it is enough to have Full Control rights of only the target OU to migrate accounts. However, you need to be an administrator of the target domain (member of the local Administrators group of the target domain) to add SIDHistory.

Click the Reports button to see Domain Migration Wizard reports during this or any other step. Click Refresh to update the list of domains. Click Next to go to the Preprocess Users and Groups step. Click Back to return to the previous step.

You also have the ability to set up the migration session defaults in Project Manager. In this case all migration options you specified earlier in Project Manager will be pre-selected in each session you perform. See the Session Defaults section of this User's Guide for details.

When you click Next, the wizard starts collecting information on the users and groups in the source and target domains, displaying the progress of this operation. Thanks to specially optimized directory data parsing algorithms, this operation should take less than five minutes, even on very large NT domains.

Step II: Preprocess Users and Groups

During this step, Domain Migration Wizard allows you to choose which users and groups you want to migrate, analyzes the names of the groups and user accounts, informs you about any name duplications, and provides you with various methods for handling duplicate names.

All operations during this step are performed within the Domain Migration Wizard session database. In this step, Domain Migration Wizard does not require access to the real network. By clicking the Back button, you can undo all changes made previously.

Select Users and Groups in Source Domain Window

This window prompts you to choose which users and groups in the source domain will be transferred to the target domain. The transfer of users includes the migration of user accounts, privileges, encrypted passwords, and account policies. The transfer of groups includes the migration of groups and group memberships. Local groups will not appear in the list if the Migrate Global Groups only check box is selected.

Domain Migration Wizard does not delete any users or groups in the source domain. The words transfer and migrate simply mean that Domain Migration Wizard creates new users and groups in the target domain with the same properties as the corresponding users and groups in the source domain. Later, you will be able to disable or delete these accounts using Domain Migration Wizard Project Manager.

59 Centralized Account Migration You can select particular users and groups to transfer from the source to the target domain. Select a user or group by selecting the check box next to the name of the user or group. Only the selected users and groups will be processed during the migration. All newly created users will become members of the Domain Users group in the target domain, whether or not they were members of this group in the source domain. The Skip Migrated Accounts check box, if selected, will exclude the accounts already migrated during previous migration project sessions from the available source users and groups lists. If you do not want to migrate disabled source user accounts, select the Skip Disabled Accounts check box. The Advanced button provides some extra capabilities for account migration. When migrating to the Windows Server 2003 domain, you can change the class of all user accounts to inetorgperson class by selecting the Convert All Users to InetOrgPersons option. This option is available only if the forest to which the target domain belongs has the functional level Windows Server Also, when migrating global security groups to Active Directory, you might want to change the scope of these groups to universal. This can be done with the help of the Convert All Global Groups to Universal Groups option and will allow you to use these groups for assigning common permissions to the users throughout your environment by making users from other domains into members of these groups. This option is available only if the target domain is in native mode. By right-clicking a user and selecting the appropriate shortcut menu command, you can select/deselect the local and global groups to which the user belongs. 57

By right-clicking a group and selecting the appropriate shortcut menu command, you can select/deselect all users belonging to the group. By clicking the Select button and then selecting the appropriate command, you can select users and groups for the currently selected groups and users.

In this step, you can also change a user or group name by clicking it and editing it directly in the dialog box. To change multiple user and/or group names at one time, select the users whose names you want to change, then select the Change names check box and specify a prefix or suffix to be added to the names of security principals. Click the Apply changes button to apply changes to the users and groups according to the selections made.

Clicking the Apply previous button renames users and groups according to the settings that were made during the previous migration session. Clear the Skip migrated accounts check box, select the users that were migrated during the previous session, and click Apply previous; the accounts will be renamed the way they were renamed during the last migration session.

The Restore original button rolls back to the original settings. This operation will only change the names under which users and/or groups migrate to the target and which are stored in the Domain Migration Wizard session database. It will not change the users' original names in the source domain.

The Select Users by Properties button opens a datasheet with user properties. The datasheet presents sorting and filtering options to facilitate user selection.

The Import button lets you automate the process of selecting or deselecting users and groups. You can use an external list file to select the accounts to be migrated. This is useful if you have already prepared a list of accounts as an Excel spreadsheet or a plain text file.

Clicking the Import button and selecting Groups or Users will open the import dialog box. You will be able to select an external text file with a list of names. The Import options dialog box will appear, letting you use the external list to select (the Select option button) or deselect (the Clear selection option button) users or groups.

Note that if you select the Show Full Names check box on the previous screen, the names in the imported list must also contain full user names.

The Preserve selections check box in the Import options dialog box affects the way your selections made prior to import will be dealt with. See the table below for more details.

Preserve selections: Selected
  The Select option: Users and groups from the external table will be selected, in addition to those selected previously.
  The Clear selection option: Users and groups from the external table will be deselected, while those deselected previously will remain intact.

Preserve selections: Cleared
  The Select option: Only users and groups from the external table will be selected.
  The Clear selection option: Users and groups from the external table will be deselected, while all others will be selected.

Mass Account Renaming

External files can also be used for mass account renaming. To rename a user or group, each line with an existing name should also contain a new name, separated by a tab character. For example, importing the following file (names on a line are separated by a tab character):

  OldName1    NewName1
  OldName2
  OldName3    NewName3

will select (or, depending on your options, clear selection for) the accounts OldName1, OldName2, and OldName3, and then rename OldName1 and OldName3 to NewName1 and NewName3.
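The import rules above (the Select and Clear selection options, the Preserve selections check box, and tab-separated renames) can be previewed offline before a list is loaded into the wizard. The following Python script is an added example, not part of the product or of this guide; the account names are constructed, case-insensitive name matching is an assumption, and the length check uses the 20-character User Manager limit that this guide cites.

```python
"""Preview which accounts an import list would select and rename.

Added illustration of the import rules described in this guide; it is not
Domain Migration Wizard code and does not contact any domain.
"""

MAX_NAME_LEN = 20  # assumption: the User Manager name limit this guide cites


def parse_import_list(text):
    """Parse 'OldName[<TAB>NewName]' lines into (names, renames)."""
    names, renames = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue  # skip blank lines
        fields = [f.strip() for f in raw.split("\t")]
        if len(fields) > 2 or not fields[0]:
            raise ValueError(f"line {lineno}: expected OldName[<TAB>NewName]")
        names.append(fields[0])
        if len(fields) == 2 and fields[1]:
            renames[fields[0]] = fields[1]
    return names, renames


def apply_import(all_accounts, selected, imported, mode, preserve):
    """Return the resulting selection for Select/Clear x Preserve selections."""
    known = {a.casefold(): a for a in all_accounts}
    hits = {known[n.casefold()] for n in imported if n.casefold() in known}
    current = set(selected)
    if mode == "select":
        return (current | hits) if preserve else hits
    if mode == "clear":
        return (current - hits) if preserve else (set(all_accounts) - hits)
    raise ValueError("mode must be 'select' or 'clear'")


def unmatched(all_accounts, imported):
    """Names in the list that match no source account (typos, stale entries)."""
    known = {a.casefold() for a in all_accounts}
    return [n for n in imported if n.casefold() not in known]


def check_target_names(selection, renames, target_existing=()):
    """Return (account, target_name, problem) tuples for the selection."""
    rename_cf = {k.casefold(): v for k, v in renames.items()}
    existing = {n.casefold() for n in target_existing}
    problems, seen = [], {}
    for account in sorted(selection):
        new = rename_cf.get(account.casefold(), account)
        key = new.casefold()
        if len(new) > MAX_NAME_LEN:
            problems.append((account, new, f"longer than {MAX_NAME_LEN} characters"))
        if key in seen:
            problems.append((account, new, f"same target name as {seen[key]}"))
        else:
            seen[key] = account
        if key in existing:
            problems.append((account, new, "duplicate of an existing target account"))
    return problems


# Constructed sample data (not taken from any real domain).
SAMPLE_LIST = (
    "jsmith\tj.smith\n"
    "mbrown\n"
    "\n"
    "svc_backup\tsvc_backup_legacy_source\n"
    "adavis\tJ.Smith\n"
    "ghost\n"
)
SOURCE = ["jsmith", "mbrown", "svc_backup", "adavis", "tlee", "kwong"]
PREVIOUS = ["tlee", "mbrown"]   # selection made before the import
TARGET_EXISTING = ["mbrown"]    # account names already in the target domain

if __name__ == "__main__":
    names, renames = parse_import_list(SAMPLE_LIST)
    print("not found in source:", unmatched(SOURCE, names))
    for mode in ("select", "clear"):
        for preserve in (True, False):
            result = apply_import(SOURCE, PREVIOUS, names, mode, preserve)
            print(f"{mode:6} preserve={preserve}: {sorted(result)}")
    chosen = apply_import(SOURCE, PREVIOUS, names, "select", False)
    for account, new, problem in check_target_names(chosen, renames, TARGET_EXISTING):
        print(f"{account} -> {new}: {problem}")
```

Names reported as duplicates of existing target accounts are the ones the wizard will later present in the Handle Duplicate User Names window.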

Handle Duplicate User Names Window

If there are any duplicate user names, Domain Migration Wizard will give you various options for modifying user names in the source and target domains within the Domain Migration Wizard database. However, even after applying the changes made within the Domain Migration Wizard database to the network, no changes are ever made to the source domain.

If you migrate users and/or groups to a Windows 2000 Active Directory domain, you will not be able to change names in the target domain in this Domain Migration Wizard dialog box.

If a user in the source domain has the same name as a user in the target domain, Domain Migration Wizard places the user names of both users in a special table. Domain Migration Wizard puts the user name from the source domain in the left column and the user name from the target domain in the right column. Here you can see and modify the contents of the table. For instance, you can apply a suffix or prefix to all duplicate user names in the source or target domain, or you can edit these user names individually.

Domain Migration Wizard automatically resolves name conflicts by applying the Suggested schema to all duplicate names from the source domain (that is, adds the suffix _ (the underscore character) to the initial account names of the source users). You can accept the changes by clicking the Next button or use other options as explained below.

The list in the left column contains the names of users being transferred from the source domain. The list in the right column contains the names of users in the target domain. The following options are available in this dialog box:

Prefix: add a prefix to all usernames displayed in the selected column.
Suffix: add a suffix to all usernames displayed in the selected column.
Apply to names in Target domain option button: apply the specified suffix and/or prefix to users from the target domain displayed in the right column.
Apply to names in Source domain: apply the specified suffix and/or prefix to users from the source domain displayed in the left column. The names from the source SAM database will not be affected. Instead, Domain Migration Wizard stores in its database the changed names under which the source users are migrated.
Apply Changes: clicking this button causes Domain Migration Wizard to update the user names in the table. The changes will be reflected in the window immediately.

You can also change names by clicking a user name and typing the name you want. You can apply changes as many times as you want, or you can roll back to the original user names or recommended user names at any time by clicking one of the following buttons:

Suggested: This is the default option. Clicking this button adds the suffix _ (the underscore character) to the initial account names of the source users.
Original: Clicking this button undoes any changes you have made. The result will be shown in the window immediately. You can also restore an original user name by clearing the check box next to the name.

When changing names using a prefix and/or suffix, keep in mind that the resulting user or group name should not exceed the maximum allowed length.

You have the option of merging or replacing users with duplicate user names or not processing identical names at all:

Replace: If you have duplicate user names after this step, users in the target domain will be replaced by the corresponding users from the source domain. As a result, the target users are assigned new Security Identifiers (SIDs), while inheriting all the properties of the source users. You can modify these properties at a later stage of the migration.
Merge: If you have duplicate user names after this step, users in the target domain will retain their SIDs and be merged with the appropriate users from the source domain. This way, the target users will keep their group memberships, along with their access permissions.
Skip duplicate accounts: Skip processing identical names of users and groups. All identical accounts are recorded in a special Domain Migration Wizard report.

Example: Merging or Replacing Users

If SOURCE\User00 is a member of LocalGroup0, and TARGET\User00 is a member of LocalGroup1, and these users are merged, after migration the resulting user TARGET\User00 will be a member of both groups. In sum, TARGET\User00 acquires all the properties of SOURCE\User00, while retaining access to all resources previously available to TARGET\User00.

If the users are replaced, the initial TARGET\User00 will be deleted and the newly created TARGET\User00 will, as a clone of SOURCE\User00, only be a member of LocalGroup0.

If SOURCE\User00 is merged with TARGET\User00, the resulting user will have the profile and password of SOURCE\User00.

Domain Migration Wizard will generate a report on all name changes. When you click Next, Domain Migration Wizard lets you know if you still have any duplicate user names and displays the list of duplicate accounts.

Domain Migration Wizard will not let you proceed if you make any changes prohibited by Windows NT/2000. For example, if you try to create two users with the same names in the same domain, Domain Migration Wizard will tell you that this operation is illegal under Windows NT/2000 and cannot be performed.

It should be noted that Windows NT User Manager does not allow you to create users and groups with names longer than 20 characters. However, limitations such as this one can be overcome via an API, and Domain Migration Wizard will correctly process and let you edit such forbidden names.

The changes displayed in this window will be applied to the users stored in the session database.

Note that built-in accounts, such as Administrator and Guest, cannot be replaced. You cannot replace built-in accounts because the operating system will not allow you to delete these accounts from the target domain.

Users in the source domain are not renamed or altered in any way, unless you choose to disable or delete them later with Domain Migration Wizard Project Manager. The user and group structures in the source domain remain exactly the same as they were before the migration. Domain Migration Wizard is a nondestructive tool. Renaming users in the source domain simply means that users newly created in the target domain will have user names different from the names of the corresponding users in the source domain.

During this step, all operations are performed in the Domain Migration Wizard session database and none are performed on the source or target domain. Simply click Back to correct your changes.

Handle Duplicate Group Names Window

In the Handle Duplicate Group Names window, you can modify the duplicate group names in the source and target domains. Domain Migration Wizard automatically resolves name conflicts by applying the Suggested schema (that is, it merges the groups with the same names). If the groups took part in previous migrations, Domain Migration Wizard applies the options that were selected for them last time (that is, it renames a group if it was renamed, merges a group if it was merged, and so on).

You can accept the changes by clicking the Next button or use other options as explained below.

If you migrate users and/or groups to a Windows 2000 Active Directory domain, you will not be able to change names in the target domain in this Domain Migration Wizard dialog box. Also, you will not be able to replace the target groups with source ones as this can cause security threats. Therefore, the Replace option is unavailable in this step.

The controls in this window work the same way as the controls in the Handle Duplicate User Names window, with one exception: the default Suggested renaming rule is empty, so groups with the same names will be merged. If some group accounts have already been migrated and renamed during a previous migration, their last assigned name will be the suggested value.

For example, if you want administrators from the source domain to become administrators in the target domain, you can choose to leave the source Domain Admins group name as is and merge it with its counterpart in the target domain.

We strongly recommend merging the Domain Users global groups.

User Properties

This window prompts you to specify parameters for the users affected by the current migration session. For example, you can force the migrated users to change their passwords at next login to eliminate weak passwords that may have been the result of using other options in this dialog box.

An unavailable check box will leave the current settings intact. In most cases, we recommend leaving the settings as they are. This ensures that the original settings will be copied to the target domain unchanged. Change these settings only if you know exactly what you are doing.

Generally, by copying users' passwords you can make a migration virtually unnoticeable to the user community. However, you can also choose to assign new passwords formed from a username and a prefix or suffix. In this case, to avoid uncertainty, you are given the option of specifying whether usernames are set to lowercase letters, uppercase letters, or left unchanged.

If you decide to set a common password for the migrated users, make sure the password complies with the target domain's Account policy regarding password length.

Select the Set logon script to check box to specify the logon script for the target user. If you leave this check box cleared, the source user logon script will be copied to the target user.

Validation Scripts

The Run Script button lets you run your custom scripts before the migration data is actually applied to the target domain. The scripts have access to the Domain Migration Wizard database, so you can validate the data, see if it complies with your human resources database or other criteria, and then make the corresponding changes to the data before it is applied. See the Domain Migration Wizard Scripting Reference for details.

Advanced

Click Advanced, then Advanced Edit, to set options for individual user accounts. A table is displayed letting you set options for each user individually. Most of the properties can be edited directly in the table cells. Complex properties, marked with <Edit>, require that you double-click them to open a special dialog box in which you can edit the properties.

If options set for individual users in the Advanced Edit dialog box contradict those set for all users in User Properties, the latter are used. That is, individual settings are overwritten by general settings.

When you merge accounts, the options you set are applied to the target account. However, some of the options do not affect the target domain Administrator. No matter which options you set, the Administrator's account and password never expire, and the account cannot be disabled.

Domain Migration Wizard also lets you select which properties of the source accounts are applied to the target accounts. This gives you additional flexibility during the account migration and lets you selectively merge the account properties.

Clicking Advanced, then Properties to Migrate, opens a dialog box with a list of properties letting you define user properties you want to be migrated. By default, all the properties are selected. You can clear the ones you do not want to be migrated. This feature is available for merged and replaced users only. The Password check box is effective only if the Copy password option is selected.

Active Directory Options

If you are migrating accounts to a Windows 2000 domain, Domain Migration Wizard lets you specify Active Directory migration options for all the objects migrated. You can select the target Organizational Units for user accounts and global and local groups (you can also opt to move merged objects into the specified Organizational Units by selecting the Move merged objects check box).

You can also specify the CN for the created user accounts. The Default option, if selected, sets up a default common name. It can be the user's Full Name, if present, or otherwise the user's Username.

The Evaluate expression check box lets you specify a Visual Basic expression, according to which the CN name will be set up. You can use the following variables:

NAME: Specifies the name of the target user account.
OLDNAME: Specifies the name of the source user account.
PRIV: Specifies a value that indicates the level of privilege assigned to the %NAME% member. This member can be one of the following values: Guest, User and Administrator.
HOMEDIR: Specifies the path of the home directory of the user specified by the %NAME% member.
COMMENT: Contains a comment associated with the user account.
FLAGS: Specifies a value that determines several features describing the account type and others.
SCRIPTPATH: Specifies the path for the user's logon script file. The script file can be a .cmd file, an .exe file, or a .bat file.
FULLNAME: Contains the full name of the user.
WORKSTATIONS: Contains the names of workstations from which the user can log on.
ACCTEXPIRES: Specifies a value that indicates when the account expires. This value is stored as the number of seconds elapsed since 00:00:00, January 1, 1970, GMT.
MAXSTORAGE: Specifies a value that indicates the maximum amount of disk space the user can use.
COUNTRYCODE: Specifies a value that contains the country/region code for the user's language of choice.
CODEPAGE: Specifies a value that contains the code page for the user's language of choice.
USERID: Specifies a value that contains the relative ID (RID) of the user. The RID is determined by the Security Account Manager (SAM) when the user is created.
PRIMARYGROUP: Specifies a value that contains the RID of the Primary Global Group for the user.
PROFILE: Specifies a path to the user's profile.
HOMEDIRDRIVE: Specifies the drive letter assigned to the user's home directory for logon purposes.
PASSWORDEXPIRED: Specifies a value that contains password expiration information.

Each variable in this expression must be surrounded by the % character. For example:

  IIf(Len(%FULLNAME%) = 0, %NAME%, IIf(InStr(%FULLNAME%, ",") <> 0, %FULLNAME%, IIf(InStr(%FULLNAME%, " ") = 0, %FULLNAME%, Trim$(Mid$(%FULLNAME%, InStr(%FULLNAME%, " ") + 1))) & IIf(InStr(%FULLNAME%, " ") = 0, "", ", ") & Trim$(Left$(%FULLNAME%, IIf(InStr(%FULLNAME%, " ") = 0, 0, InStr(%FULLNAME%, " ") - 1)))))

The result of this expression:

  NAME    FULLNAME       CN
  John    (empty)        John
  John    JohnSmith      JohnSmith
  John    Smith, John    Smith, John
  John    John Smith     Smith, John

This expression requires Microsoft Office SR1a.

By selecting the Change CN for merged users check box, you can also opt to change the CN for merged users the same way you specified the CN for created users.

To select whether to add SIDHistory to preserve access to resources for the source accounts during the transition period, use the Add SIDHistory check box.

The Add SIDHistory option requires administrator privileges in the source and destination domains. Specifically, you must be a member of the Domain Administrators group in the destination domain. A hard-coded check for this membership is performed. Also, you must be a member of either the Administrators or Domain Administrators group in the source domain.

Processing Options

If a significant period of time has passed since the time the migration started, you can force Domain Migration Wizard to Recollect passwords before apply so that you can be sure the tool has valid passwords for all user accounts.

Selecting Skip deleted accounts will make Domain Migration Wizard check each account when migrating the accounts and skip those no longer present in the source domain. The Skip expired accounts option functions in a similar way but only for those accounts that have expired before the Collect Source and Target Directory Data step.

If the migration session was started, stopped, and then resumed, the user accounts that have expired after this step was configured are not skipped. You should return to this step to collect the new data.

In addition, you can make Domain Migration Wizard Disable source accounts (this will not affect the Administrator account). Note that you can choose to either disable the accounts in the source domain in this dialog box or perform this task as a part of post-migration maintenance activities with Domain Migration Wizard Project Manager.

The Copy Local Group Membership check box, if selected, allows you to copy the local group memberships of the migrated groups on the source PDC to the target PDC. In this case, all members regardless of their locations or participation in the migration will be copied to the corresponding local groups on the target domain computers.

The Copy User Rights check box, if selected, allows you to copy the user rights of the migrated users on the source domain computers to the target domain computers.

You can also specify the domain controllers to be used in the source and target domains. By default, Domain Migration Wizard will work with the domains' Primary Domain Controllers (PDC).

In Windows 2000 domains, any domain controller can be used for domain reconfiguration, while in Windows NT domains, only the PDC can be used. This means that only the PDC can be used for Windows NT target domains. The same applies to source domains if you choose to Disable source accounts.

ADC Options

ADC Integration

The Domain Migration Wizard integrates with the Microsoft Active Directory Connector (ADC). The following scenarios can be used to integrate with the ADC:

Domain Migration Wizard is used after ADC
ADC is used after Domain Migration Wizard

These scenarios are described below.

Domain Migration Wizard Used After ADC

Domain Migration Wizard can now recognize accounts created by ADC. When you perform a domain migration after ADC was used to migrate Exchange 5.5 mailboxes, Domain Migration Wizard can identify and merge the twin accounts. See the Import ADC Mapping Wizard section in the Domain Migration Wizard Resource Kit User's Guide.

ADC Used After Domain Migration Wizard

During the domain migration, Domain Migration Wizard marks the migrated accounts in a way that allows ADC to automatically recognize them. This lets you enjoy the migration capabilities offered by Domain Migration Wizard to migrate the accounts, and then set up their continuous synchronization with ADC, without running the risk that an account is migrated twice. See the ADC Options step of the Centralized Account Migration section for details.

Setting ADC Options

This step lets you specify the Exchange servers to which Domain Migration Wizard will connect to set ADC mapping attributes to all target accounts whose source accounts have a mailbox on these servers.

If you want the target accounts to be recognized by ADC, select the Set ADC mapping for the new accounts check box and specify the Exchange servers on which the source accounts have their mailboxes. To add an Exchange server to the list, click Add and the Add Exchange Server dialog box will appear. Specify the server name, the number of the port that will process requests to the server, and the credentials.

You can remove the Exchange servers from the list and arrange them in arbitrary order by moving them up (Move up) and down (Move down).

Step III: Migrate Users and Groups

Before the changes are applied to the network, you are offered the opportunity to back up the session database. This will require additional disk space, but will keep the account selection information and the options you have specified. (The session database will be copied to a file with the same name as the session database and a BAK extension.) When you undo a migration session that has a session backup, you can restart the session and modify the account selections and options you had initially specified, instead of starting the session from scratch.

In this step, all user and group information stored in the session database (user accounts, passwords, privileges, account policies, groups, and group memberships) is transferred to the target domain.

All operations during this step change the data on the target domain. After this step, you can undo all changes by clicking the Undo button. Changes made during the migration session can be reverted at any time later on by opening the completed session from Project Manager and clicking the Return and then Undo buttons in Domain Migration Wizard.

If the primary group is migrated for the first time and its members are merged or replaced during migration, or if the group is manually set as a Primary after migration, it cannot be deleted from the target during the rollback operation.

After you click Next, a confirmation window will appear and Domain Migration Wizard will launch its engine to transfer all user and group information from the Domain Migration Wizard session database to the target domain.

With the exception of the changes made during Step II, Domain Migration Wizard adds the same user and group structure that was in the source domain to the target domain. All the activity takes place in the target domain. Domain Migration Wizard itself does not delete or modify users in the source or Resource domains.

If account management operations in your target domain are audited, you can disable auditing for the short period of reconfiguration to improve the target domain controller's performance. This will in no way compromise the security and integrity of the target domain because Domain Migration Wizard offers complete, detailed, and easily accessible reports on every migration operation, including several reports on the accounts added to the target domain.

Upon completion of this step you will be able to view reports on new users and groups in the target domain, renamed, merged, and replaced users, and merged groups. You can also view these reports later at any time.

After the migration session, Domain Migration Wizard writes an event to the Windows Application Log. The status of the event is equal to the status of the session (success, warning, or error). The event description contains the session summary:

Source: Domain Migration Wizard
Category: none
Type: Information / Error / Warning (depending on session results)
EventID: 01 / 02 / 03
Description: DMW session has finished successfully (/with warnings / failed)
  Project Path: %1
  Session ID: %2
  Retry path: %3 (if the session was scheduled, see above. Otherwise empty)
  Session statistics:
  Successes: %4 from %5
  Warnings: %6 from %5 (for warnings and errors only)
  Failures: %7 from %5 (for errors only)
  Total Session Time: %8

Step IV: Document Migration

The migration session is now complete. During this final step, you will be given the opportunity to view the reports generated by Domain Migration Wizard during the migration. You can view the reports during any step by clicking the Reports button. This way you will be able to check for any errors that might have occurred during the migration.

Domain Migration Reports Window

During the final step you can view and print all the reports generated by Domain Migration Wizard during the migration. Click Preview to see the selected report and save it to disk, if desired.

In addition, the Domain Migration Wizard log documents the migration, including any errors or warnings. The Domain Migration Wizard log includes information about the changes made to users and groups during the migration. The log file is stored in the project folder. Click DMW Log to see the log file.


7 Server Consolidation

Consolidation of legacy resource domains and file servers is a viable option for organizations that have recently invested in new, more powerful server hardware. Such consolidation provides a way to significantly reduce management costs, because resources that used to be scattered and managed across several systems can be housed and managed centrally on a single, more powerful system.

The accounts database consolidations are performed in a manner similar to the domain reconfiguration process covered earlier in this guide. The key is that local (not necessarily domain) accounts databases can be used as source or target domains, and a domain name is specified as \\SERVERNAME. Therefore, all instructions, procedures, and limitations hold true for server consolidation projects as well.

The source and/or target server can be any Windows NT computer. Technically, Windows NT Workstation or Windows 2000 Professional computers also qualify to be source or target domains.

In the server consolidation scenario, the following tasks are performed:

- Specifying the source domain/server and the target domain/server
- Selecting the users and local groups from the source domain/server to migrate to the target domain/server
- Pre-processing directory data (such as resolving duplicate names and handling user passwords)
- Migrating accounts from the source domain/server to the target computer (domain local groups and users are migrated from domains; machine local groups and local users are migrated from servers)
- Moving files, folders, and shares to target servers
- Updating file system access permissions, ownership, and auditing

Specifying a source domain and target server for consolidation.

If you select a domain (not a stand-alone server or workstation) as a source domain for migration, only accounts from domain controllers of that domain will migrate to the target server's accounts database. To migrate accounts from all domain computers into the target server's accounts database, run several consolidation sessions, choosing a different source computer each time.

To actually move files, folders, and shares, Quest Consolidator should be used. Quest Consolidator can also perform an on-the-fly updating of file, folder, and share security descriptors to reflect the accounts migration sessions. Refer to the Quest Consolidator documentation for details.


8 Resource Updating

- Agent Manager
- Before You Update Resources
- Resource Updating Steps
- Updating User Profiles
- Moving Computers to a Target Domain
- Post-Migration Operations
- Batch Processing
- Delegating the Resource Updating Tasks

Resource processing is among the most challenging tasks of a migration. While directory data is usually centralized, the resources (servers and end-user workstations) may be spread over domains, sites, buildings, offices and countries. Agent Manager, a Domain Migration Wizard companion application, lets you automate the updating of various resources in your network. In highly distributed networks, resource updating can be delegated to designated site administrators to minimize migration risks and ensure no interruption of the usual business operations.

Agent Manager

Agent Manager facilitates resource updating by automating the following tasks:

- Processing of all the computers involved in parallel
- Updating permissions, ownership information and auditing on registries, shares, folders, and printers
- Updating local group memberships
- Updating user rights and privileges
- Updating local and roaming user profiles
- Updating services and scheduled tasks
- Updating IIS, COM+ and DCOM objects
- Restoring to a previous state with advanced undo and clean up
- Moving computer accounts to the target domain without rebooting them
- Expanding processing with your own custom tasks using any extra commands or executables; for example, you can rename computers with the Netdom utility on the fly

To handle large, geographically dispersed networks, Domain Migration Wizard Agent Manager can optionally distribute agents to all computers involved as a pre-migration step. This results in less network overhead during the resource migration, because only compressed mapping files travel over the network during the updating of resources.

One of the main features of Domain Migration Wizard Agent Manager is parallel processing during resource migration. All the selected computers are updated simultaneously. The time required to update 1000 resource servers is the same as the time required to update 10 servers. This is achieved by performing the actual resource updating locally on the migrated computers.

Domain Migration Wizard Agent Manager greatly facilitates gradual migration scenarios, the preferred way to consolidate domains comprised of thousands of computers. To ensure reliable and robust performance on such configurations, Domain Migration Wizard Agent Manager capitalizes on the following strengths and features:

- Excellent speed: the processing of distributed resources is performed in parallel at a rate of over 100 objects per second.
- Processing all objects: there are no inaccessible files and, hence, no Access Denied errors, irrespective of an object's permissions or ownership.
- Completeness of processing: nothing is missed, from NTFS, share, registry, and printer permissions to group memberships, user rights, scheduled tasks and local profiles.
- Detailed live statistics: you can select the computer(s) where agents are performing resource updates and track the progress of operations, broken down by such factors as the type of object and the action performed.

Before You Update Resources

Before you start resource update, you may need to complete the tasks described below.

Obtaining Administrative Rights

To update resources, you need to have administrative rights on all computers involved. Agent Manager can create a command file that will automate the process of obtaining administrative rights on the computers. To create the command file, on the Tools menu, click Create Connect.CMD.

The Apply to selected items only check box, if selected, applies the settings only to the items you select. If you leave it cleared, the credentials will be set for all computers in the list. After you click OK, the CMD file that is generated will be saved to your desktop.

Preinstalling and Removing Domain Migration Wizard Agents

To speed up the processing of resources and decrease the overhead traffic during the actual migration, you can preinstall Domain Migration Wizard Agents on the computers involved in the migration. With the agents already in place, only the compressed .ini files will consume network bandwidth.

To preinstall agents:

1. Select the computers where you want Domain Migration Wizard agents installed.
2. Click Install Agents on the Actions menu.

To uninstall Domain Migration Wizard agents from the remote computers after completing resource updating, select the Remove agents after update check box in the Processing options area. To remove agents immediately, click Uninstall Agents on the Actions menu.

Preinstalling Domain Migration Wizard Agents is optional. You can perform resource updating without preinstalling Agents, but in this case it will take more time and network bandwidth.

Managing Computer List

To start resource updating, select the computers to update from the list in the main window. You can add computers to the list manually or refresh the entire network by clicking the Refresh Computer List button on the taskbar (Refresh Unknown Computers to refresh unknown computers).

To add a computer to the list manually, click Add on the Edit menu and specify the computer name. Click Add to add a computer. Click Close after all computers are added.

To delete a computer from the list, click Delete on the same menu.

To sort computers in the Agent Manager window, click the appropriate column's title.

Before selecting the computers, you can reduce the number of computers in the list by choosing the domains and types of computers to display in the View Filters dialog box.

You can import a computer list from a text list file with one computer name per line by clicking the Import selection item on the File menu. All computers from this file will be automatically selected. You can also export a selection to a text list file by clicking the Export selection item on the File menu.

To invert the selection, use the Invert selection command on the shortcut menu in the Agent Manager window.

You can also specify other network options on the Options | Network tab. In particular, you can opt to Automatically refresh unknown computer information after refreshing network and after importing computer list or adding new computers manually by selecting the appropriate check boxes.

In addition, you can use the option to Let user select domains to be refreshed if the number of domains exceeds the specified limit. If the number of domains exceeds this limit, the Too many domains window will be displayed after you click the Refresh Computer List button, and you will be able to select the domains to be refreshed.

Scheduling Resource Update

There are situations when immediate resource updating is undesirable or cannot be performed. For example, some of the computers to be processed might be offline, or you might not want to perform this operation during normal work hours when constant access to most of the resources is required. In these cases you can schedule Agent Manager to run at a specified time, such as at night, or you can set Agent Manager to retry the process at specified intervals. The update will then be performed at a time when no one needs access to resources, or when a computer that was shut down is running again.

After you click the Start button on the tab, the Confirm Run Action window will be displayed. You can opt to start the resource updating immediately or specify the starting date and time.

To specify the period (in hours) after which Agent Manager will retry to process the turned off computers, select the Retry for turned off computers every.. hours check box. Click OK to start processing.

You can schedule the batch processing and moving computers to another domain as well.

Resource Updating Steps

Domain consolidation in a large multi-domain network is often performed gradually: directory data and resources are migrated in stages with a pilot number of accounts. After migrating the Windows NT/2000 directory data of the selected users, you must update resources in Agent Manager for the new users to have the same permissions as the corresponding users have in the source domain.

For successful resource updating you must have administrative rights over the computers involved in the process. See the Obtaining Administrative Rights section for details.

Start Processing

Follow these steps to process the resources in Agent Manager:

1. Perform a directory migration of a group of users by using Domain Migration Wizard. You can select the required accounts by importing a text list file in the Select Users and Groups in Source domain dialog box.
2. In Project Manager, select the objects to be involved. Go to Tools Migration Update Resource Distributed Resource Updating to start Domain Migration Wizard Agent Manager, which will focus on the selected objects.

Agent Manager is also accessible from the Windows Start menu. In this case, however, its functionality is locked (that is, options are grayed out), and only the Process as specified in the exported INI settings file option is available. This is because all other operations are performed on the migrated objects, which must be selected in Project Manager to make Agent Manager focus on them. The Process as specified in the exported INI settings file option can also be used by local administrators to perform delegated processing tasks, and therefore it is available in stand-alone mode. The corresponding message is displayed when running Agent Manager from the Start menu. See the Delegating the Resource Processing Tasks section of this chapter for details on delegated resource update.

When updating resources on a source server that has not yet been moved to the target domain and is still a member of the source domain, make sure before starting Agent Manager that all local groups, if any were migrated, are cleared in Project Manager. Otherwise, the source domain local group SIDs in object ACLs will be replaced with the target domain local group SIDs, and members of the source domain local groups will lose access to resources.

3. Select the computers on which you want the resources to be processed.
4. Open the Resources tab on the Tasks panel.
5. Choose the action to be performed and the desired types of objects to process. Possible actions and options are explained in the following sections.
6. Click the Start button to start the updating of resources. The Confirm Run Action window will be displayed. Specify the scheduling options and click OK to start processing. Scheduling options are explained in the Scheduling Resource Update section.

While the resource updating is underway, you can safely quit Agent Manager, because the tasks are performed on the remote, distributed computers. As soon as all the agents have finished performing the specified tasks, Agent Manager will collect the logs from the computers.

Clicking Start causes Agent Manager to execute only the tasks specified on the currently selected tab (Resources, Computers, or Batch), not the tasks on the other tabs. To execute other tasks, change tabs and click Start there.

Before starting resource updating, if you have ever created the Vmover.in_ file in the Domain Migration Wizard installation folder using Project Manager, make sure that you do not need to back it up or rename it first. The Vmover.in_ file in the Domain Migration Wizard installation folder is overwritten when a task is started in Agent Manager (except when the Process as specified in the exported INI settings file option is used).

Actions to Perform

- Reassign local group membership, user rights, and object permissions to Target users. This option, if selected, will update resources to conform to the domain reconfiguration.
- Leave Source accounts permissions. This check box allows you to add newly created users and groups from the target domain to object ACLs and SACLs, rather than replace the entries with the current source account SIDs.
- Clean up legacy local group membership, user rights, and object permissions of migrated users. You can remove references to the original source accounts after migration by selecting this option. See the Resource and Directory Cleanup section for details.
- Revert to the original local group membership, user rights, and object permissions. Should you for some reason decide to undo the updating, select the Revert to the original local group membership, user rights, and object permissions option button, select the types of objects for which you want to undo the updating, and click Start.
- Process as specified in the exported INI settings file. This option will cause Agent Manager to perform all the actions predefined in the VMover.in_ file (whether the file is compressed or not) located in the Domain Migration Wizard and Agent Manager installation folder. This settings file can be created in Project Manager (File | Export INI File). The updating will occur on the objects selected in Project Manager at the moment of the creation of the .ini file.

If the Process as specified in the exported INI settings file option is selected, you will not have an opportunity to specify any of the Account management options or Permissions management options. Settings stored in the .ini file will be used for resource updating. This option can be used by local admins to perform delegated processing tasks. See the Delegating The Resource Processing Tasks section of this chapter for details.

Objects to Update

You can select what permissions and rights to update and the objects whose permissions to update. Use the Accounts management options and Permissions management options on the Resources tab.

Accounts management options. These options control the account-related parameters to be updated.

- Local Group Membership. Adds target accounts to the local groups that contained the corresponding source accounts. If the Leave source accounts' permissions check box is not selected, the source accounts will be removed from the groups.
- User Rights. Grants target accounts the user rights which belonged to the corresponding source accounts. If the Leave source accounts' permissions check box is not selected, the source accounts will be denied the rights they had.
- Services and Scheduled Tasks. The Services and Scheduled Tasks check boxes allow you to update service and scheduled task accounts and permissions affected by the migration. For example, if a service or a task runs as SOURCE\User1 and User1 is moved to the target domain, the service (task) account credentials will be changed to those of TARGET\User1.

Service and scheduled task accounts are replaced whether the Leave source accounts' permissions option was selected or not.

If the service or scheduled task being processed is running under a source account while a user logs in under the new corresponding target account, duplicate profiles can be created. To prevent this problem, select the Fix profile check box in the Processing options area. See the Fix profile check box description below for details.

Agent Manager cannot process services and scheduled tasks if the account under which you are logged in is specified in the UPN format.

Permissions management options. These options let you define how Agent Manager handles specific resources. To specify permissions of objects that should be re-assigned to target users, select the corresponding check boxes.

If you select the IIS check box, Agent Manager will update the permissions of the Internet Information Services (IIS) if it is installed on the selected computers. The following IIS properties are processed by default:

- Microsoft Windows discretionary access control list (DACL) (AdminACL property)
- Name of the registered local user that is used for anonymous users (AnonymousUserName property)

To process any other IIS property, include its name in the [IIS Identifiers] section of the Vmover.ini file as follows:

    [IIS Identifiers]
    UNCUserName=yes,1

The number at the end of the string specifies the property type: 0 = Security Descriptor, 1 = username, 2 = domain name. If the property type is not specified, the property will be skipped during processing.

Fix profile. The target user accounts must use the same profiles as the corresponding source accounts. This check box in the Processing options area lets you prevent the duplication of profiles after processing. Duplication can happen if any service or scheduled task is running under the source account while the user is logging in under the new corresponding target account. The profile is already processed, but the computer is not restarted. The service or task maintains access to the source user profile, and after a user logs off and logs back in under the new target account, the source user profile is still loaded by the source user account, instead of by the target account. A duplicate profile will be created in this case.

To avoid restoring profiles manually, select this check box and Agent Manager will start a service that will automatically restore them after reboot on all the computers on which profiles were processed.

The profile can be restored only if the source profile was saved, that is, only when Agent Manager is run with the Reassign local group membership, user rights, and object permissions to Target users option and the Leave Source accounts permissions check box selected. In any other case the profile cannot be restored and the new duplicate profile will be used.

Viewing Statistics

You have the opportunity to view the current statistics of the resource updating process. To view the live statistics, right-click the selected computer and click the View progress command on the shortcut menu.

The Processing progress window will appear. To select the refresh rate of the window, which can be from one second to one minute, use the Refresh every box.

Viewing Log Files and Database

Agent Manager stores all information about its functions in its log file and database. The log file is called Vmtotal.log and is stored in the Domain Migration Wizard project folder. If Agent Manager is not started for a particular project, then the file is placed in the Agent Manager install folder. To view the log file, click the View Consolidated Log command on the File menu.

As soon as all the agents have finished performing the specified tasks, Agent Manager will collect the logs from the computers. To collect the logs manually, click the Collect Log Files item on the Actions menu.

To set logging options, select the Logging tab of the Tools | Options dialog box. Here you can opt to Log errors to NT event log and enable Extended logging. In the latter case, Agent Manager will log each operation it performs.

You can also set the errors logging limit by selecting the Limit log errors to check box in the Processing options area of the Resources tab.

The Agent Manager database is called Amlog.mdb and is stored in the Agent Manager installation folder. Use Microsoft Access to view the database. You can use the database for migration analysis and to produce your own custom reports.

Processing Algorithm

Objects are processed according to the following algorithm:

- If a source account is the current owner, ownership is transferred to the target account.
- If there is no reference to the source account in the Access Control List, then permissions and auditing are left unchanged.
- If Source\User1 or Source\Group1 is found in the corresponding ACL, then:
  a) All entries of Target\User1 are removed, and
  b) The ACE is cloned and assigned to Target\User1 or Target\Group1.
- If you choose to process local profiles, user profiles will be shared between source and target user. No copying of profiles ever occurs.

The processing of Access Control Lists is comprehensive: not only permissions, but also ownership and auditing are processed, which ensures the completeness of updating. A relevant example would be Mac volumes that use ownership to control client access. These volumes are handled correctly by Agent Manager.

Another Agent Manager feature also deserves mention here: Agent Manager will traverse and process all child directories and files, regardless of the ownership and permissions of the parent directory.
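The processing algorithm above, together with the Leave Source accounts permissions and Clean up actions, modelled in Python as an added example (this is not Quest's code). Account names stand in for SIDs and all sample data is constructed; it is assumed that ownership is always transferred and that step (a) still applies when source entries are kept. The model is useful for reviewing which trustees gain or lose access before a real update is run.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Set


@dataclass(frozen=True)
class Ace:
    trustee: str  # account name standing in for its SID
    kind: str     # "allow", "deny" or "audit" (an auditing entry)
    rights: str   # opaque rights string such as "RW"


@dataclass(frozen=True)
class SecurityDescriptor:
    owner: str
    acl: List[Ace]  # permission and auditing entries in one ordered list


def reassign(sd: SecurityDescriptor, mapping: Dict[str, str],
             leave_source: bool = False) -> SecurityDescriptor:
    """Apply the documented algorithm; mapping is source account -> target."""
    # A source owner is replaced by its target account (assumed unconditional).
    owner = mapping.get(sd.owner, sd.owner)
    found = {a.trustee for a in sd.acl if a.trustee in mapping}
    if not found:
        # No reference to a source account: permissions and auditing unchanged.
        return SecurityDescriptor(owner, list(sd.acl))
    targets = {mapping[s] for s in found}
    out: List[Ace] = []
    for ace in sd.acl:
        if ace.trustee in targets:
            continue  # (a) existing entries of the target account are removed
        if ace.trustee in found:
            if leave_source:
                out.append(ace)  # "Leave Source accounts permissions"
            out.append(replace(ace, trustee=mapping[ace.trustee]))  # (b) clone
        else:
            out.append(ace)
    return SecurityDescriptor(owner, out)


def cleanup(sd: SecurityDescriptor, mapping: Dict[str, str]) -> SecurityDescriptor:
    """Model of the Clean up action: drop entries that name source accounts."""
    return SecurityDescriptor(sd.owner,
                              [a for a in sd.acl if a.trustee not in mapping])


def access_changes(before: SecurityDescriptor,
                   after: SecurityDescriptor) -> Dict[str, Set[str]]:
    """Trustees whose allow or deny entries appeared or vanished."""
    def who(sd: SecurityDescriptor, kind: str) -> Set[str]:
        return {a.trustee for a in sd.acl if a.kind == kind}
    return {
        "lost_allow": who(before, "allow") - who(after, "allow"),
        "gained_allow": who(after, "allow") - who(before, "allow"),
        "dropped_deny": who(before, "deny") - who(after, "deny"),
    }


# Constructed sample: a migrated user, a migrated local group, and a
# pre-existing deny entry for the target user on the same object.
MAPPING = {
    "SOURCE\\User1": "TARGET\\User1",
    "SOURCE\\LocalGroup1": "TARGET\\LocalGroup1",
}
SAMPLE = SecurityDescriptor(
    owner="SOURCE\\User1",
    acl=[
        Ace("SOURCE\\User1", "allow", "RW"),
        Ace("TARGET\\User1", "deny", "W"),
        Ace("SOURCE\\LocalGroup1", "allow", "R"),
        Ace("BUILTIN\\Administrators", "allow", "F"),
        Ace("SOURCE\\User1", "audit", "W"),
    ],
)

if __name__ == "__main__":
    for leave in (False, True):
        result = reassign(SAMPLE, MAPPING, leave_source=leave)
        print("leave_source =", leave, "owner =", result.owner)
        for name, trustees in access_changes(SAMPLE, result).items():
            print("  ", name, sorted(trustees))
```

In the replace case the model reports SOURCE\LocalGroup1 under lost_allow, which is the loss of access the guide warns about for a server still joined to the source domain, and it reports the pre-existing TARGET\User1 deny entry as dropped by step (a).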

Updating User Profiles

To ensure zero user impact and help desk involvement when user accounts are migrated, the target user accounts must have the same profiles as the corresponding source accounts. For this to occur, two tasks need to be accomplished:

- The target accounts must gain access to the source profiles (both to the corresponding files and registry keys).
- The target accounts' settings must be pointed to the same profiles that the source accounts used.

Domain Migration Wizard manages these tasks for both local and roaming profiles, and ensures that at any migration phase users have access to their personal profiles and settings.

User Profiles Basics

A user profile consists of two parts: the key in the system registry and the folder on a hard disk which contains user-specific data and desktop settings. A user profile can be either local or roaming:

- If user data is stored on a local hard disk, the user profile is local.
- If user data is stored centrally on a server, the user profile is roaming.

When migrating accounts from one Active Directory domain to another, you can use the Add SIDHistory option to specify that the new accounts should automatically gain all privileges of the source accounts, so no resource updating is required for users to start using their new accounts. When the transition period is over, you can process all resources, granting the target accounts explicit access, and then clean up SIDHistory and remove the source accounts.

However, adding SIDHistory does not cause the target accounts to use the source profiles. This task requires registry changes, which can be accomplished by Agent Manager or Resource Kit utilities.

How User Profiles Work

When a user logs on to a workstation the first time, a local profile is created on that workstation in the Documents and Settings folder. When a user connects to a server with Terminal Services Client the first time, a local profile is created on that server in the Documents and Settings folder as well.

If a user is configured to use a roaming profile (that is, the settings in either the Profile or Terminal Services Profile tab in the user account properties contain valid paths to centrally stored profiles), user data stored in the central profile folder are copied to the local profile folder on the workstation (if the user is logged on locally) or server (if the user is connected to the server with Terminal Services Client). All changes made to the profile during a session are saved in the local profile folder and uploaded into the central profile folder at the end of the session.

When a user logs on to a workstation, the following logic determines which user profile is used:

- If there is a profile path specified on the Profile tab, then that profile is loaded.
- If there is no profile path specified on the Profile tab, then the local profile is loaded.

When a user initiates a new terminal session to a server, the following logic determines which user profile is used:

- If there is a profile path specified on the Terminal Services Profile tab, then that profile is loaded, whether or not a profile is specified on the Profile tab.
- If no profile path is specified on the Terminal Services Profile tab but a profile path is specified on the Profile tab, then that profile is loaded.
- If no profile path is specified on either the Terminal Services Profile tab or the Profile tab, then the local profile is loaded.

If a computer has both local and roaming profiles, you should perform all actions described in the Local Profiles Update section below first and then perform the additional actions described in the Roaming Profiles Update section.

Local Profile Update

Local profiles are updated when you start processing from Resource Updating Manager with the Local Profiles and File System check boxes selected on the Process Resources pane. This will process profiles registry keys and profile folders permissions for local profiles. After the processing is complete, the same profile is shared for the source and target user.

If you want users from the target domain to be able to use the profiles before the computers are updated by Agent Manager, you can use ExportProfile and ChangeProfile utilities to migrate the user profiles. Refer to the Domain Migration Wizard Resource Kit User's Guide for details.

Roaming Profile Update

Roaming profiles stored on a computer are updated when you start processing from Resource Updating Manager with the Roaming Profiles and File System check boxes selected on the Process Resources pane. This will process profiles registry keys and profile folders permissions for roaming profiles.

When Domain Migration Wizard creates target accounts, it copies the roaming profiles paths, so the new accounts will have the same profiles as the old accounts.

If your migration procedure includes moving roaming profiles to another server, profile paths specified on Profile and Terminal Services Profile tabs in user account properties need to be updated as well.

Enabling the Cross-Forest User Policy and Roaming User Profiles Policy

If the server where roaming user profiles are stored is running Windows 2000 SP4 or higher, you should enable the Allow Cross-Forest User Policy and Roaming User Profiles policy to allow users from trusted domains to use roaming profiles on that server. You can configure this policy either locally on the server or by using a domain or organizational unit-based Group Policy object (GPO).

To do this locally on a server:

1. Log on to the computer as a user with administrator rights.
2. Click Start, click Run, type gpedit.msc, and then click OK.
3. Double-click Computer Configuration, double-click Administrative Templates, double-click System, and then click Group Policy.

4. In the right pane, double-click Allow Cross-Forest User Policy and Roaming User Profiles.
5. Click Enabled, click Apply, and then click OK.
6. Quit the Group Policy tool.
7. Allow sufficient time for the computer policy to be automatically updated, or update it yourself by running the following command in the command line:

    secedit /refreshpolicy machine_policy

In Windows 2003, use the gpupdate command.

Refer to Microsoft Knowledge Base article for more details on user policies:

Preventing Profile Duplication

The target user accounts must use the same profiles as the corresponding source accounts. However, in some cases a duplicate profile can be created for the target user after processing. This section explains why duplicate profiles are created and describes how to prevent the duplication of profiles after processing.

If a service or scheduled task is running under the source account on a computer, this service or scheduled task maintains access to the source user profile. If the profile is already processed but the computer is not restarted, after a user logs off and logs on again with the new target account, the source user profile is still loaded by the source user account, instead of by the target account. A new profile is created in this case for the target user.

To avoid restoring profiles manually, select the Update profile on next restart if failed check box in the Error handling options area. Agent Manager will start a service that will automatically restore the profiles after reboot on all the computers on which profiles were processed.

A profile can be restored only if the source profile was saved (that is, only when Agent Manager is run with the Reassign local group membership, user rights, and object permissions to target users option and the Leave source accounts permissions check box selected). In any other case (for example, if reverting changes back or if the Update profile on next restart if failed check box is left clear), the profile cannot be restored and the new duplicate profile will be used. To avoid this, reboot the computer immediately after resource updating.

The User Profile Hive Cleanup Service (UPHClean) by Microsoft is intended to help in troubleshooting the issues with profiles being locked by any service during processing. For more information about the UPHClean, refer to Microsoft Knowledge Base article Troubleshooting profile unload issues at: and UPHClean readme file at: To download the UPHClean, follow the link:

Moving Computers to a Target Domain

Having completed the migration of users and groups, you can choose to move the source computers to the target domain.

To move computers to a target domain in Agent Manager:

1. Click the Computers tab on the Tasks panel.
2. Select the target domain from the drop-down list.

In addition:

- To ensure that valid accounts are available for logon in case of problems, you can select the Preserve computer accounts in Source domain check box.
- Selecting the Restart computers after moving check box is not necessary, because Domain Migration Wizard Agent Manager automatically re-establishes a secure communication channel with the target PDC.
- If there are any printers installed on the Windows 2000 computer being moved to the Windows 2000 domain, you can publish them in the target Active Directory by selecting the List printers in target directory check box.
- To fine-tune administrative access, you can add specific users and groups to the Administrators group on migrated computers. Select the Add accounts to the Administrators group check box and type the accounts to be added.
- For later reference and management, select the Create session check box for a computer migration session, and then type comments for the session in the text box provided.

Agent Manager also allows you to move a cluster server with all nodes being member servers of some domain to a different domain. See the Cluster Migration Server section of this User's Guide for details.

Agent Manager cannot move domain controllers between the domains.

Post-Migration Operations

After successful resource processing, you can remove any references to the source accounts and then disable or delete the source accounts.

Resource and Directory Cleanup

Now that your users have started to log on under their new accounts in the target domain and are not experiencing any problems with access to resources, you may want to remove unnecessary references to the original source accounts in groups, user rights, and object security descriptors.

1. With one or more sessions selected in Project Manager, start Agent Manager and click the Resources tab on the Tasks panel.
2. Select the Clean up legacy local group membership, user rights, and object permissions of the migrated users option button and select the required items and settings to process in the Accounts and Permissions management areas. Note that the Leave Source accounts permissions check box will have no effect on this operation.
3. Click the Start button. The Confirm Run Action window will be displayed. Specify the scheduling options and click OK to start processing.

While the resource updating is underway, you can safely quit Agent Manager, because the tasks are performed on the remote, distributed computers. As soon as all the agents have finished performing the specified tasks, Agent Manager will collect the logs from the computers. To collect the logs manually, click the Collect Log Files item on the Actions menu.

Clicking Start causes Agent Manager to execute only the tasks specified on the currently selected tab (Resources, Computers, or Batch), not the tasks on the other tabs. To execute other tasks, change tabs and click Start there.

Accounts Management with Project Manager

Once you are sure that the migration was indeed carried out smoothly, the access to resources has been preserved, and your help desk is not experiencing a sharp increase in the number of calls, it may be time to disable the source accounts. This will prohibit user logons under the old accounts.

1. Open the Users branch in the Project Manager tree.
2. Select the user accounts to disable, either manually or by importing a text list file.
3. Select the Disable Selected Accounts command.

Later, the old source accounts can be deleted altogether in a similar way by selecting Manage Accounts -> Source Accounts -> Delete Selected Accounts.

Eventually, when all users are working comfortably under their new identities in the target domains, you will be able to decommission the source domains. See the Project Manager section of this User's Guide for details.

Batch Processing

If you need to execute any program from the command line, select the Batch Processing tab on the Tasks panel. Type the command in the Command line provided, using the Computer Name (%COMPUTER%), Computer Type (%TYPE%) and Domain Name (%DOMAIN%) variables on the Expression shortcut menu.

Each variable in the command line will be replaced by all the objects selected. This means that the specified command will be executed for all the selected computers. The specified command will be executed on the local computer using the specified variables as parameters. That is, if you select several computers and type net send %COMPUTER% Hello, for example, Resource Updating Manager will execute the command for each computer selected and each computer will display the message Hello.

Select the Check if the computer is accessible option if you want to check whether you have access to the computer involved in the command execution.

The Launch interactive check box lets you watch the command executing in the console window. This is useful if the command produces output to the console. If you want to leave the console window open after the command completes, select the Do not close console window after command execution check box.

Delegating the Resource Updating Tasks

In a distributed migration project management model, Domain Migration Wizard can greatly facilitate resource updating at a site or in resource domains where you cannot get administrative access to computers. Another good reason to decentralize resource updating is a situation where the computers to be updated are located across a slow WAN connection, so sending multiple agents, no matter how small, would consume too much of the available bandwidth.

In these scenarios, you would delegate the resource updating tasks to the remote site or to other domain administrators who have the required level of access and are located within an area of good connectivity to the computers to be updated:

1. The reconfigured site takes part in the directory migration phase, a snapshot of which is documented in a migration session mapping .ssn file and stored in the Domain Migration Wizard project folder. The .SSN file is necessary and sufficient for the processing of resources.
2. Only the small session .ssn files from the project folder are replicated over slow WAN links to the Domain Migration Wizard project folders at the other network sites for subsequent resource updating by a local administrator who has only Project Manager and Agent Manager installed on his or her computer. The replication can easily be performed with any file replication tool, such as the Robust File Copy Utility ROBOCOPY included in the Windows NT 4.0 and Windows 2000 Resource Kits.
3. The .SSN session files, if necessary, are replicated back to the centralized project management console.

This approach solves several problems that are bound to occur if you employ conventional solutions, in particular:

- Excessive traffic over WAN links
- The managerial complexity involved in power escalation (granting local administrator status solely for the resource updating tasks)

You can distribute Agent Manager to second-tier migration administrators and create a self-contained export INI file with the resource processing settings. The local admins will then have to select the computers that house the resources (the computers to be updated) and run Agent Manager with the Process as specified in the exported INI settings file option selected. In this case, the local administrators do not even need the full Domain Migration Wizard installed on their computers. Agent Manager can be installed in a stand-alone mode, and only this option will be available. See the Exporting INI Files For Resource Updating section of this guide for details on creating the INI settings file.

Domain Migration Wizard Agent Manager can easily handle resource processing on this type of network layout.

In addition to the session files that only contain the information for resource updating, the Domain Migration Wizard project folder contains larger session database .sdb files that store the information required to undo a session and generate the comprehensive session reports. If you want this functionality to be available at remote sites, you can replicate these files as well.


Chapter 9 Directory Processing Wizard

- Directory Processing Options
- Directory Processing and Migration
- Directory Processing Tasks

Many domain restructuring projects are initiated as parts of a broader Windows 2000 migration and deployment strategy. In addition to Domain Migration Wizard, a companion application, called Directory Processing Wizard, provides advanced capabilities for Active Directory processing.

Domain Migration Wizard supports domain reconfiguration scenarios whereby down-level NT domain security principals, along with all their properties, are moved to organizational units of Windows 2000 Active Directory domains. The current resource access, ownership, and auditing parameters are also preserved; this is accomplished with Directory Processing Wizard.

Directory Processing Options

If you specified a Windows 2000 domain as the target domain, Directory Processing Wizard will give you the following options for dealing with migrated security principals:

- Move accounts to an organizational unit of your choice; you can also create an OU directly from within the wizard
- Add SIDHistory entries to the migrated user and group accounts in the Active Directory database
- Clean up SIDHistory entries from the accounts' properties in the Active Directory database. This option is unique to Directory Processing Wizard; it cannot be accomplished with Domain Migration Wizard.

The first two tasks (moving accounts to an OU and adding SIDHistory) are normally executed by Domain Migration Wizard during the account migration. Very rarely will you use Directory Processing Wizard to perform these tasks. Cleaning up SIDHistory is the main purpose of this wizard. How these AD processing options fit into the overall migration framework is explained in the following sections.

Directory Processing and Migration

The domain restructuring scenario, whereby down-level NT security principals are migrated to a Windows 2000 Active Directory domain, will often develop according to the following plan:

Quest Domain Migration Wizard creates clones of a source NT domain's users and groups in a target AD domain. The source NT domain is usually a resource domain or one of multiple master domains. The target Win2K AD domain will either be a pristine structure or a former master domain that has previously been upgraded, holding the bulk of your user and group accounts.

The directory migration phase will, as a rule, be performed in stages, starting with a pilot batch of accounts. Each migration session will be thoroughly documented with Domain Migration Wizard reports and saved as a session database in the project folder.

Now that all the required portions of the source SAM database are transferred to the target Windows 2000 Active Directory domain, you must ensure that users and groups do not lose access to resources while you are transitioning to Windows 2000. The easiest way to accomplish this is to add the corresponding SIDHistory entries to the newly created target accounts.

At this stage, you can start organizing your target AD domain by grouping the migrated security principals into an OU structure that you have designed. Again, there are two options: place the migrated accounts into OUs after each session of your incremental migration, or consolidate mapping data from all sessions and perform a one-time processing.

To eliminate the dependence on the SIDHistory attributes of the migrated accounts for access authorizations, you will perform an updating of security descriptors on the distributed resources with Agent Manager, using the mapping file(s) from the corresponding migration sessions. First, new SIDs are appended to ACLs and SACLs. When and if the source accounts are no longer used, you can disable/delete them and remove their SIDs from object security descriptors.

All Active Directory operations listed above can also be performed from Domain Migration Wizard, but Directory Processing Wizard allows much more flexibility.

As a last but also important step, you will remove the remaining trails of the directory migration: the added SIDHistory values. This will enable you to perform access auditing in an efficient manner and eliminate a potentially perilous state of network security with multiple means of user impersonation. In addition, Active Directory and network performance will improve, because there will be no need to constantly resolve source SIDs and carry access tokens with SIDHistory that can become quite unwieldy.

Directory Processing Tasks

Directory Processing Steps

Start Directory Processing Wizard from Project Manager with the desired objects selected. Select the sessions you want to be affected, right-click the selection, and click the appropriate shortcut menu command to select/clear all objects involved in the sessions.

The Welcome window shows the available operations:

You cannot select objects with different pairs of source and target domains for Active Directory processing.

After you click Next, the Select the Operation Type window prompts you to specify one of the processing options.

Moving Accounts to an OU

The first option in the wizard allows you to move a particular type of security principal listed in the currently active sessions to a new Active Directory container.

Now you can choose an Active Directory organizational unit to which you would like to move the accounts. Specify an existing OU or create a new OU in the following dialog box:

When you click Next, a confirmation dialog box, followed by the processing progress indicator, will appear. After the processing is complete, the operation results log will be shown. You can print the log or save it as a text file.

Adding SIDHistory

The Add SIDHistory operation is not performed for the built-in account SIDs (that is, local Administrators or Users) because this would violate network security.

When you click Next, a processing progress indicator will appear, followed by the operation results log. You can print the log or save it as a text file.

Cleaning up SIDHistory

This operation actually removes SIDs from the SIDHistory attribute of the accounts' properties in the Active Directory database. Therefore, it should be performed only after resource updating in Domain Migration Wizard Agent Manager.

The only system affected during the SIDHistory cleanup is the target Windows 2000 domain controller.

The steps you go through during the Clean up SIDHistory operation are similar to those of the Add SIDHistory operation.
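An added example, not part of the guide or of Quest's software: a small Python model of why SIDHistory cleanup comes after resource updating, plus a pre-cleanup check for ACLs that still depend on SIDHistory. ACLs are simplified to sets of allowed SIDs, and the account name, resource name and SIDs are constructed for illustration.

```python
"""Toy model of SIDHistory ordering during a domain migration (illustrative only)."""
from dataclasses import dataclass, field

# Constructed sample SIDs; S-1-5-32-544 is the well-known built-in Administrators SID.
SRC_ALICE = "S-1-5-21-1111-1111-1111-1104"   # account in the source domain
TGT_ALICE = "S-1-5-21-2222-2222-2222-2108"   # its clone in the target domain
BUILTIN_ADMINS = "S-1-5-32-544"


@dataclass
class Account:
    name: str
    sid: str
    sid_history: set = field(default_factory=set)

    def token_sids(self):
        # The logon token carries the account SID plus every SIDHistory value.
        return {self.sid} | self.sid_history


def has_access(account, acl):
    """Simplified check: an ACL is a set of allowed trustee SIDs."""
    return bool(account.token_sids() & acl)


def append_target_sids(acl, mapping):
    """Resource updating: add the target SID beside each mapped source SID."""
    return acl | {mapping[sid] for sid in acl if sid in mapping}


def remove_source_sids(acl, mapping):
    """Resource cleanup: drop source SIDs once the source accounts are retired."""
    return {sid for sid in acl if sid not in mapping}


def cleanup_blockers(accounts, resources):
    """List (resource, account, sid) where access still rests on SIDHistory alone."""
    blockers = []
    for res_name in sorted(resources):
        acl = resources[res_name]
        for acct in accounts:
            if acct.sid in acl:
                continue  # already authorized by its own (target) SID
            for old_sid in sorted(acct.sid_history & acl):
                blockers.append((res_name, acct.name, old_sid))
    return blockers


def simulate(cleanup_sidhistory_first):
    """Return [(step, alice_has_access)] for one of the two possible orderings."""
    mapping = {SRC_ALICE: TGT_ALICE}
    alice = Account("alice", TGT_ALICE, {SRC_ALICE})
    acl = {SRC_ALICE, BUILTIN_ADMINS}        # resource ACL still names the source SID
    log = [("migrated with SIDHistory", has_access(alice, acl))]
    if cleanup_sidhistory_first:
        alice.sid_history.clear()
        log.append(("SIDHistory cleaned up", has_access(alice, acl)))
        acl = append_target_sids(acl, mapping)
        log.append(("target SIDs appended", has_access(alice, acl)))
    else:
        acl = append_target_sids(acl, mapping)
        log.append(("target SIDs appended", has_access(alice, acl)))
        acl = remove_source_sids(acl, mapping)
        log.append(("source SIDs removed", has_access(alice, acl)))
        alice.sid_history.clear()
        log.append(("SIDHistory cleaned up", has_access(alice, acl)))
    return log


if __name__ == "__main__":
    for first in (False, True):
        print("SIDHistory cleanup first:", first)
        for step, ok in simulate(first):
            print(f"  {step:26} access={ok}")
```

An empty result from `cleanup_blockers` is the condition to look for before running the Clean up SIDHistory operation.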

Chapter 10 Exchange 5.5 Processing Wizard

- Starting Exchange Update
- Adding Servers
- Selecting Objects to Process
- Setting Site Processing Options
- Setting Re-permissioning Options
- Processing
- Completing the Wizard

Exchange 5.5 Processing Wizard is a companion application to Domain Migration Wizard, letting you update your Microsoft Exchange 5.x permissions and owners for the selected Exchange objects (such as mailboxes and organizations) to reflect the domain migration changes. Microsoft Exchange 2000 permissions are updated using Exchange 2000 Processing Wizard described in the next chapter.

For a successful Exchange 5.5 directory update, you must have the Modify Admin Attributes and Modify Permissions privileges assigned to you (Permissions Admin and Service Account Admin roles possess these privileges) for the Organizations, Sites, Site Configurations, and all Servers involved in the update process.

A trust relationship between the domain in which the Exchange 5.5 Server resides and the target domain is required for successful processing. The Exchange 5.5 domain must trust the target domain to authenticate users.

An Exchange 5.5 update also requires ADSI 2.5 or later.

After migrating the Windows NT directory data of the selected users, you may opt to perform a Microsoft Exchange 5.5 Server update in Exchange 5.5 Processing Wizard. Follow these steps to process resources in Exchange 5.5 Processing Wizard:

Starting Exchange Update

There are three ways you can start Exchange 5.5 Processing Wizard. Select the one that best suits your situation.

Project Manager

This is the most straightforward way to start your Exchange 5.5 update.

1. In Domain Migration Wizard Project Manager select one or more migrated objects (users and groups) for which you want to change Exchange permissions. To select/deselect all objects from one or more migration sessions, select the sessions, right-click the selection and click the Select Involved Objects->Select All/Clear All shortcut menu item.
2. On the Tools menu, point to Migration Update Resource, and then click Exchange 5.5 Updating to start Exchange 5.5 Processing Wizard.

Export INI File

INI files let you perform an Exchange 5.5 update when only Exchange 5.5 Processing Wizard is installed on the computer of the remote administrator who is responsible solely for updating one or more Exchange sites.

1. In Domain Migration Wizard Project Manager select one or more migrated objects (users and groups) for which you want to change Exchange permissions. To select/deselect all objects from one or more migration sessions, select the sessions, right-click the selection and click the Select Involved Objects->Select All/Clear All shortcut menu item.
2. On the File menu, click Export INI File.
3. If performing the Exchange 5.5 update from a different computer, transfer the Exchange.ini file to the computer's Domain Migration Wizard installation folder (for example, send the file by e-mail and save it to the Domain Migration Wizard installation folder).
4. Run Exchange 5.5 Processing Wizard from the Start menu.

Command Prompt

Using command-prompt parameters, you can start Exchange 5.5 Processing Wizard for all selected objects from a particular Domain Migration Wizard project.

1. On the taskbar, click the Start button, and then click Run.
2. Type

   C:\Program Files\Quest Software\Domain Migration Wizard\EPW.exe /project: C:\Program Files\Quest Software\Domain Migration Wizard\Project\

When running without command-line parameters, Exchange 5.5 Processing Wizard will use the INI file exported from Project Manager. See the Export INI File section above.

Adding Servers

The first thing you will need to do is add a server for each Exchange 5.5 Org. When you run Exchange 5.5 Processing Wizard for the first time, it automatically displays the Add Exchange Server dialog box before letting you select the Exchange objects to be processed. If you are not running Exchange 5.5 Processing Wizard for the first time, it displays the Exchange organizations added previously. To open the dialog box, click Add Server in the Select Migrated Objects step of the wizard.

If you select the Add all servers of an organization check box, all servers of the organizations to which the servers you enter belong will be added. If you clear the check box, only the selected servers will be added.

If the port used by an Exchange 5.5 server for the LDAP protocol is not 389, you can explicitly supply the port number, for example EXCHANGE:7775

To add several organizations, type the server names separated by semicolons, one server per organization.

Exchange 5.5 Processing Wizard processes multiple sites by processing one server per site. The changes are replicated to all remaining site servers later by native Microsoft Exchange replication. It is recommended that Exchange 5.5 Processing Wizard process the site server closest to you. To specify the site server to be processed and the logon credentials for a particular server, use the Site Properties dialog box. See the Set Site Processing Options section for details.

The Exchange 5.5 Processing Wizard does not support Microsoft Exchange 2000, so you can add only servers running Microsoft Exchange 5.x. If you select to add all servers of the mixed-mode organization, you will get an error message when adding servers running Microsoft Exchange 2000. Microsoft Exchange 2000 permissions are updated using Exchange 2000 Processing Wizard described in the next chapter.

Selecting Objects to Process

Once you add a server running an organization's site, the wizard displays all the sites in this organization. In the Select Objects step, Exchange 5.5 Processing Wizard shows the Exchange directory hierarchy. However, it is different from the view found in Microsoft Exchange Administrator. The major differences are:

- Exchange 5.5 Processing Wizard shows only the objects whose permissions and ownership can be changed. For example, it does not show the Schema objects.
- Mailboxes, Distribution Lists, and Custom Recipients nodes cannot be expanded. By selecting such nodes, all corresponding Exchange directory objects, such as mailboxes, are processed.

Exchange 5.5 Processing Wizard displays one object tree per Exchange site. The name of a tree consists of the organization name, followed by the site name and the processing server name in brackets.

Each object in the hierarchy has two check boxes by its name. Select the left check box to process the object's properties. Select the right check box to process all of the object's subitems.

The table below lists all possible states of the check boxes.

- The item and all of its subitems will be processed.
- The item will be processed, as well as some of its subitems.
- The item will be processed, but none of its subitems will be processed.
- The item will not be processed, but all of its subitems will be processed.
- The item will not be processed, though some of its subitems will be processed.
- Neither the item nor its subitems will be processed.

Right-clicking an object in the hierarchy displays a shortcut menu with the following commands:

- Refresh: reconnects to the server, updates the corresponding object hierarchy, and clears all check boxes for the branch.
- Delete: removes the selected site from the list. The command is available for sites only.
- Properties: displays the Site Properties dialog box. See the Set Site Processing Options section below for details.

Setting Site Processing Options

For each site you want to process, the closest and fastest server should be selected as the processing server. All re-permissioning will be performed on this server, and then all other servers belonging to the site will be automatically updated by the Exchange replication mechanism.

You can explicitly specify the credentials under which you will connect to these servers. If you leave the Connect to the server as check box cleared, the account under which you are logged in will be used.

For a successful Exchange 5.5 directory update, you must have the Modify Admin Attributes and Modify Permissions privileges assigned to you (Permissions Admin and Service Account Admin roles possess these privileges) for the Organization, Site, Configuration, and all Servers involved in the update process.

If the account you specify does not have enough privileges to modify some of the Exchange objects, they will remain unchanged. No error or warning messages will be displayed.

Setting Re-permissioning Options

The next step lets you select the way the selected Exchange 5.5 objects will be processed and set the logging options.

To change the permissions and ownership of all the selected objects to the new (target) user accounts, choose the first option button. You may want to also select the Leave source accounts permissions check box to allow access for both the source and target user accounts. This way you will be able to make the update smoother, granting both accounts the same privileges for the transition period.

If the target user (ACE) already exists (i.e. the Mailbox Security Descriptor contains the target user's SID) you can grant the source account's permissions to the existing target account by selecting the Replace existing target accounts permissions check box. In this case that ACE will be cancelled. Leaving this check box cleared will keep the target account's permissions. In this case the ACE will be left intact, but the target user will have permissions different from those of the source user.

As soon as the transition period is over, you can run the Exchange 5.5 Processing Wizard again and select the Clean up legacy object permissions of migrated users option to disable the rights for the legacy accounts.

The Revert to the original object ownership and permissions option button lets you undo re-permissioning, removing target users from the access lists and returning all rights to the migrated accounts.

Finally, you can select Process as specified in the exported INI settings file to get processing options from the INI file. This settings file can be created in Project Manager (File -> Export INI File).

The Logging options let you select which messages will be written to the log file. The log's name is EPW.log, and it is stored in the project folder. You will be able to print out the log and save it to a different location in the last step of the Exchange 5.5 Processing Wizard.

Click Process to start the update.

Processing

The wizard displays the progress of the Microsoft Exchange server update. Now Exchange 5.5 Processing Wizard starts processing the selected Exchange 5.5 objects and their attributes. All sites are processed in parallel, each on its processing server.

The Exchange update process can be fully customized to fit your specific needs. See the Domain Migration Wizard Scripting Reference for details.

For each selected Exchange server, the wizard displays the current progress.

- Scanned: Number of objects on the server processed so far.
- SDs Modified: Number of security descriptors modified (permissions changed).
- Owners Modified: Number of primary mailbox accounts changed.
- Warnings: Number of warning messages.
- Errors: Number of error messages.

As soon as the update is over, the Next button becomes active.

Completing the Wizard

The last step displays the update log. You can print out the information or save it to your hard disk (the log is stored in the EPW.log file in the project folder; click Save As to save the data to a different location).

Click Back to rerun the wizard with different options.

Chapter 11 Exchange 2000 Processing Wizard

- Prerequisites
- Starting Exchange Update
- Setting Re-permissioning Options
- Adding Servers
- Processing
- Interrupting the Process
- Completing the Wizard

Exchange is one of the most widespread enterprise messaging systems. When user accounts are migrated, the messaging system needs to be updated to comply with these changes. Exchange 2000 Processing Wizard updates Exchange 2000 Server permissions to grant the migrated accounts in the target domain the permissions assigned to the source accounts.

Exchange 2000 Processing Wizard updates client and administrative permissions on mailboxes, public folders and all other Exchange 2000 objects. Client permissions are automatically granted to the target users when they log into their old mailbox.

Exchange 2000 Processing Wizard cannot update administrative permissions on some system folders.

Exchange 2000 directory permissions are processed by Active Directory Processing Wizard (shipped with Quest Domain Migration Wizard). See the Active Directory Processing Wizard section for more details.

Note that for Exchange 2000, after the update the target accounts get all the source accounts' rights, but the mailboxes still continue to belong to the source accounts. The mailboxes need to be reassigned to the target accounts before the source accounts are decommissioned. This task is performed by Mailbox Re-Homing Wizard (shipped with EMM). See the EMM documentation for details.

Prerequisites

For a successful Exchange 2000 directory update, you must use an account with the Full Exchange Administrator role for the Exchange 2000 organization.

For a successful Exchange 2000 Server update, Integrated Windows authentication must be enabled on Exchange virtual servers and folders.

No additional trust relationships are required for successful processing if the Exchange 2000 Server resides in the same forest as the target domain.

An Exchange 2000 Server update requires Exchange 2000 Server Service Pack 1 or later. It is recommended to use the latest Exchange 2000 Server service pack (current service pack is Service Pack 3).

Starting Exchange Update

There are three ways you can start Exchange 2000 Processing Wizard. Select the one that best suits your situation.

Project Manager

This is the most straightforward way to start your Exchange update.

1. In Project Manager select one or more migrated objects (users, contacts, groups, and computers) for which you want to change Exchange 2000 permissions. To select/clear all objects from one or more migration sessions, select the sessions, right-click the selection, and click the Select/Clear Involved Objects->Select All/Clear All shortcut menu item.
2. On the Tools menu, point to Migration Update Resource, and then click Exchange 2000 Updating to start Exchange 2000 Processing Wizard.

Export INI File

INI files let you perform an Exchange update when only E2KPW is installed on the computer of the remote administrator who is responsible solely for updating one or more Exchange sites.

1. In Project Manager select one or more migrated objects (users, contacts, groups, and computers) for which you want to change Exchange permissions.
2. On the File menu, click Export INI File.
3. If performing the Exchange update from a different computer, transfer the Exchange2k.ini file to the computer's Program Files\Common Files\Aelita Shared\Migration Tools folder (for example, send the file by e-mail and save it to this folder).
4. Run Exchange 2000 Processing Wizard from the Start menu.

Command Prompt

Using command-prompt parameters, you can start E2KPW for all selected objects from a particular DMW project.

1. On the taskbar, click the Start button, and then click Run.
2. Type:

   C:\Program Files\Common Files\Aelita Shared\Migration Tools\E2kPW.exe -product:dmw -project: C:\Program Files\Quest Software\Domain Migration Wizard\Project\

When running without command-line parameters, E2KPW will use the INI file exported from Project Manager.

Setting Re-permissioning Options

This step lets you select the way the selected Exchange objects will be processed.

To change the permissions and ownership of all the selected objects to the new (target) user accounts, choose the first option. You may want to also select the Leave source accounts' permissions check box to allow access for both the source and target user accounts. This will make the update smoother, granting both accounts the same privileges for the transition period.

135 Exchange 2000 Processing Wizard If permissions for the target user are already set (that is, the object Security Descriptor contains the target user s SID), you can grant the source account s permissions to the existing target account by selecting the Replace existing target accounts permissions check box. In this case, the target account s permissions will be cancelled. Leaving this check box cleared will keep the target account s permissions. In this case they will be left intact, but the target user will have permissions different from those of the source user. If this option is left cleared, the target user s permissions are merged with the source user s permissions. As soon as the transition period is over, you can run the wizard again and select the Clean up legacy object ownership and permissions of migrated users option to disable the rights for the legacy accounts. The Revert to the original object ownership and permissions option lets you undo re-permissioning, removing target users from the access lists and returning all rights to the source accounts. If two source users were merged to the one target user during migration, and if only one of the source users had permissions on some objects, then, after Exchange update and reverting permissions back, both users would have permissions on these objects (that is, users would have common permissions). Finally, you can select Process as specified in the exported INI settings file to get processing options from the INI file. This settings file can be created in Project Manager (File Export INI File). Click Next. The wizard cannot update permissions on a mailbox that has never been used before. The Exchange store does not actually create the mailbox until the first time the user opens it, at which time Exchange creates the security descriptor in the store. Before processing a newly created mailbox activate it by logging into it. Otherwise, the wizard will not process the mailbox permissions. 
SIDs that are not resolved in the domain where Exchange 2000 Server is installed cannot be added to the client permissions security descriptor. To safeguard security, E2KPW does not process a security descriptor if at least one of its SIDs cannot be resolved. If this occurs, correct the SID resolution problem and re-run the wizard for the objects that were not processed the first time.

Adding Servers

You need to add a server for each Exchange organization. When you run the wizard for the first time, it automatically displays the Add Exchange Servers dialog box before letting you select the Exchange 2000 objects to be processed. If you are not running the wizard for the first time, it displays the Exchange organizations added previously. In this case, to open the dialog box, click Add Exchange server in the Select Exchange Servers step of the wizard.

Specify the Exchange 2000 server name and the credentials to be used to connect to the server. To add several organizations, type the server names separated by semicolons, one server per organization.

E2KPW also provides the ability to secure the connection to the Exchange server being added. Use the Use SSL check box in the Add Exchange Servers window if you want to connect to the server using the secured connection. In this case, the Web server installed on the computer running Exchange server must be configured to support SSL. See the Web server and Exchange server documentation for details.

At this stage, you also select the Global Catalog server (GC). The GC stores information about all mailboxes in the organization and is used for mailbox enumeration. If you select the Autodetect option, the nearest GC is used. To select a specific catalog server, select the Custom option and specify the server name. This is advisable if the organization contains a large number of mailboxes, because it allows you to specify a GC that serves fewer queries and is less likely to become overloaded.

The wizard displays the object tree with all servers you have added. The name of a tree consists of the organization name, followed by the site name and the processing server name.

After adding the specified servers, you may want to Add all servers from Exchange organization for the Exchange organization to which the added server belongs. Click the corresponding button on the toolbar and the Select servers dialog box will be displayed, giving you the opportunity to select which servers from an organization you want to add and to specify the credentials for each of them.

Selecting Servers to Process

To select the server to be processed, select its check box. If you select the check box of a higher level, all the nodes of the lower levels will be selected. Thus, to select all servers in the Exchange organization, select the organization node. To exclude some servers of the organization from processing, clear the check boxes near the servers you don't want to process.

You must select at least one check box of the lowest level. If there is no server selected, you cannot proceed.

Setting Server Processing Options

The wizard processes multiple sites by processing one server per site. The changes are replicated to all remaining site servers later by native Microsoft Exchange replication.

To specify the logon credentials for a particular server, right-click the server and select Properties. Specify the logon credentials in the Server Properties dialog box.

You can explicitly specify the credentials under which you will connect to the server, the Global Catalog server to be used and whether the connection to the server should be secured.

If the account you specify does not have enough privileges to modify some of the Exchange objects, they will remain unchanged. No error or warning messages will be displayed; all messages will be written to the log file. See the Prerequisites section above for details.

Selecting Objects to Process

The Select Objects step lets you specify the objects for processing. During Exchange 2000 update, you can opt either to update client and/or administrative permissions on all Exchange objects or to specify which objects should be processed granularly.

If you select Process selected objects only and then click Select objects, the Select Objects to Process window will be displayed showing the Exchange directory hierarchy.

The wizard shows the servers you have specified for processing. These objects are selected and unavailable because you have already selected them on the previous step. The lower levels present the organization hierarchy for each server in the organization. You can select/clear only the objects of the lower levels.

When you expand an object, objects in the next level down get the selection status of the parent object. For example, if you select an object and then expand it, the objects immediately below it will also be selected.

Select the objects you want to process, close the window, and move to the next step.

Processing

Now the wizard starts processing the selected Exchange objects. All servers are processed in parallel. For each selected Exchange server, the wizard displays the current progress.

Interrupting the Process

If you interrupt the process by clicking Cancel, or re-permissioning is stopped due to an error, the wizard acts as follows:

- If you click Cancel during permissions update, further re-permissioning will be stopped. Objects already processed by that moment will have new (target) permissions. Objects not yet processed will keep old permissions. If you want to completely restore the Exchange directory state, run the wizard with the Revert to the original object ownership and permissions option.
- If you click Cancel while reverting changes back, further re-permissioning will be stopped. Objects already processed by that moment will have source permissions. Objects not yet processed will keep target permissions. If you want to restore the Exchange directory state, run the wizard with the Reassign object ownership and permissions to target users option.
- If you click Cancel during cleaning permissions up, further processing will be stopped. Permissions of the objects already processed by that moment will be cleaned up. Objects not yet processed will be left intact.

Completing the Wizard

The last step displays the update log. You can print out the information or save it to your hard disk.

The E2KPW log is stored in the E2KPW.log file in the project folder, except when the wizard runs with the Process as specified in the exported INI settings file option; in that case the log is stored in the Program Files\Common Files\Aelita Shared\Migration Tools folder. Click Save As to save the data to a different location.

When processing folders that are replicated on several servers, do not process another server until replication is finished (by default, replication occurs every 15 minutes). Otherwise, replication conflicts can arise.

12 SQL Processing Wizard

SQL Objects Processed
Prerequisites
Starting the Wizard
Selecting SQL Servers
Selecting Processing Options
Processing
Completing the Wizard

SQL Processing Wizard is a companion application to Domain Migration Wizard that allows you to update your Microsoft SQL Servers to reflect the domain migration changes that were made by using Domain Migration Wizard. The SQL update should be performed after Domain Migration Wizard has been used to migrate accounts to a new domain.

SQL Processing Wizard retrieves the account migration information from the Domain Migration Wizard database and substitutes the old accounts it locates on the processed SQL Server with the corresponding new accounts (throughout this document these will be called the source logins and target logins). The wizard automatically detects the SQL Server version (versions 7.0 and 2000 are supported) and performs the updates in accordance with the server's structure.

The wizard has the ability to merge logins. That is, if a target login name or security identifier (SID) is already used on the SQL Server, or several source logins have the same target login, the resulting target login will have its own privileges and the privileges of all the source logins as well.

If you decide to roll back a migration, SQL Processing Wizard can also be used to revert the changes it has previously made to the SQL Server.

If the accounts were merged during the update process, the wizard will not be able to separate them during the rollback. In this case, it is recommended that you restore the server from a backup if required.

SQL Objects Processed

SQL Processing Wizard replaces all occurrences of the selected migrated accounts with the corresponding target accounts.

The following objects are updated on Microsoft SQL Server 2000 servers:

- Security Logins
- Database Users
- Object Owners
- User Defined Data Types
- User Defined Functions
- Database Owners
- Replication Publications:
- Login Names in Publication Access Lists
- FTP Logins for Snapshot Locations
- Destination Owners
- Database Maintenance Plan Owners
- Job Owners for SQL Server Agents and Accounts Under which the Job is Started
- Data Transformation Services:
- Linked Servers:
- Local Package Owners
- Local Logins
- Remote Users
- Default Remote Logins
- Remote Servers:
- Aliases
- Remote Logins for login mapping

SQL Processing Wizard updates the following objects on Microsoft SQL Server 7.0 servers:

- Security Logins
- Database Users
- Object Owners
- User Defined Data Types
- Database Owners
- Replication Publications:
- Login Names in Publication Access Lists
- FTP Logins for Snapshot Delivery
- Destination Owners
- Database Maintenance Plan Owners
- Job Owners for SQL Server Agents and Accounts Under which the Job is Started
- Data Transformation Services:
- Linked Servers:
- Local Package Owners
- Local Logins
- Remote Users
- Default Remote Logins
- Remote Servers:
- Aliases
- Remote Logins for login mapping

The target account always has preference over the source account during updating. For instance, SQL Server does not allow you to merge aliases, so if the logins are merged and the target login already has an alias, it is left intact, and the source login's alias is not used.

If the accounts were merged during the update process and at least one of these accounts had a deny attribute, the target account would also have a deny attribute.

The SQL Server Agent Proxy Account's password is not updated during processing. For proper SQL Server functioning you should set the password for the Agent Proxy Account after processing.

Also, the wizard changes ownership for database objects such as tables, views, stored procedures, extended stored procedures, rules, defaults, user data types and user defined functions, and processes Statement permissions and Object permissions of the database user.

If any of the source accounts were renamed after the account migration but before the SQL Server update, some SQL objects might have old names, but they will preserve their privileges to certain actions. It is not recommended to rename the migrated accounts before processing the SQL Server.
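The merge rules described above (the target login receives the privileges of every login merged into it, a deny attribute on any merged account carries over, and merged logins cannot be separated on rollback) can be checked against an account mapping before the wizard is run. The following is an added example, not Quest code: it models privileges as fixed server roles only, and the names Login, MergePlan and plan_sql_update, as well as the sample logins, are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    """A login as it exists on the SQL Server before the update (simplified)."""
    name: str
    roles: frozenset = frozenset()   # fixed server roles held by the login
    deny: bool = False               # login carries the deny attribute


@dataclass
class MergePlan:
    target: str
    members: list        # names of every login folded into the target
    roles: frozenset     # union of the members' roles
    deny: bool           # True if any member had the deny attribute
    findings: list       # items to review before the run


def plan_sql_update(mapping, server_logins):
    """Predict the target logins produced by a source -> target mapping.

    mapping:       {source login name: target login name}
    server_logins: {login name: Login} for logins present on the server
    Names are compared exactly as given (assumption: consistent casing).
    """
    by_target = defaultdict(list)
    for source, target in mapping.items():
        if source in server_logins:      # absent sources: nothing to substitute
            by_target[target].append(server_logins[source])

    plans = []
    for target in sorted(by_target):
        members = list(by_target[target])
        if target in server_logins:      # target name already in use: also a merge
            members.append(server_logins[target])
        roles = frozenset().union(*(m.roles for m in members))
        deny = any(m.deny for m in members)

        findings = []
        if len(members) > 1:
            findings.append("merge: rollback cannot separate these logins")
        if deny and not all(m.deny for m in members):
            carriers = ", ".join(sorted(m.name for m in members if m.deny))
            findings.append(f"deny attribute inherited from {carriers}")
        for m in members:
            gained = sorted(roles - m.roles)
            if gained:
                findings.append(f"{m.name} gains {', '.join(gained)}")
        plans.append(MergePlan(target, [m.name for m in members],
                               roles, deny, findings))
    return plans


# Constructed sample data: domains, logins and role assignments are invented.
SAMPLE_LOGINS = {
    login.name: login for login in [
        Login(r"OLD\alice", frozenset({"dbcreator"})),
        Login(r"OLD\bob", frozenset({"sysadmin"})),
        Login(r"OLD\carol", deny=True),
        Login(r"OLD\dave", frozenset({"dbcreator"})),
        Login(r"NEW\dave", frozenset({"securityadmin"})),
    ]
}
SAMPLE_MAPPING = {
    r"OLD\alice": r"NEW\alice",   # one-to-one, no existing target
    r"OLD\bob": r"NEW\dba",       # two sources share one target
    r"OLD\carol": r"NEW\dba",
    r"OLD\dave": r"NEW\dave",     # target login already exists on the server
    r"OLD\erin": r"NEW\erin",     # source not present on this server
}

if __name__ == "__main__":
    for plan in plan_sql_update(SAMPLE_MAPPING, SAMPLE_LOGINS):
        state = "DENY" if plan.deny else "allow"
        print(f"{plan.target} <- {plan.members} "
              f"roles={sorted(plan.roles)} {state}")
        for finding in plan.findings:
            print(f"    review: {finding}")
```

Any target with a "merge" finding is one where the guide's advice to take a backup applies, because the revert option cannot restore the separate logins.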

Prerequisites

The following requirements must be met for a successful SQL Server update:

- The names of all the databases to be processed must conform to the standard Microsoft SQL naming requirements. Please see the Microsoft SQL Server Books Online article Rules for Regular Identifiers for details.
- Processing errors will appear if the database to be processed is:
  - In Single User mode and there is already a connection to the database
  - In Read-only mode
- To preserve the consistency of the SQL Server, the wizard will not update the server if any of the databases on the server are in Suspend or Offline mode.
- The login used to process the SQL Server must be a member of the sysadmin Microsoft SQL Server role.

In case of error, all changes applied to the SQL Server are rolled back to maintain the server's integrity.

If the "Operation failed. Failed to migrate User1 to User2" error message appears, it is recommended to increase the [HKEY_LOCAL_MACHINE\SOFTWARE\Aelita\Domain Migration Wizard\Current Version\SQL Processing Wizard]\LongCommandTimeout key value.

Starting the Wizard

SQL Processing Wizard updates SQL Servers to reflect a Domain Migration Wizard account migration.

It is recommended that you run Domain Migration Wizard Agent Manager before using SQL Processing Wizard. Otherwise, the wizard will not be able to update rights granted via membership in local groups. It is also recommended that you create a backup of the SQL Server before starting SQL Processing Wizard.

1. Before starting the wizard, run Project Manager and select the accounts you want to be processed. Select both the groups and the user accounts that need to be updated. Selecting just the groups of which the users are members is not enough for the update.
2. On Project Manager's Tools menu, point to Migration Update Resource, and then click SQL Server Updating. Please see the Project Manager section of this guide for details.

Selecting SQL Servers

Please import a text file with the names of the SQL servers to be updated. The file should contain a list of SQL 7.0 and SQL 2000 servers to be processed. This should be a text file with one server name per line. The names can be specified in NetBIOS, FQDN, or IP-address format. You can also use instance names.

The login used to process the SQL Server must be a member of the sysadmin Microsoft SQL Server role.

Selecting Processing Options

In this step the wizard prompts you to select whether to update the SQL Server to conform to the account migration.

Migrate source accounts - Update the Microsoft SQL Servers to reflect the domain migration changes that were previously made by using Domain Migration Wizard. Please note that the wizard does not offer coexistence. All source accounts are going to lose their access, and target accounts are going to get the permissions.

Revert changes - The following two situations are possible. If user A was migrated to user B, selecting this option will revert the changes made by SQL Processing Wizard. If user A and user B were merged to user C, the source users cannot be separated. In this case this option, if selected, will revert permissions to one of the source users. You can select one of the source users to which you want permissions to be reverted in Project Manager.

If the accounts were merged during the update process, the wizard will not be able to separate them during the rollback. In this case, it is recommended that you restore the server from a backup, if required.

Processing

Now SQL Processing Wizard starts updating the servers from the supplied list. The wizard displays the current progress.

All error messages will be written to the log file. The log's name is SQLWis.log, and it is stored in the project folder. As soon as the processing is over, the log file will be displayed automatically.

If the SQL Server Agent is not running while updating the SQL Server, a warning message will be displayed. If this message appears in the case of a running Agent, then some tasks may not work properly. It is recommended to restart the SQL Server Agent.

In case of error, SQL Processing Wizard halts the processing of the server. All changes applied to the SQL Server are rolled back to maintain the server's integrity.

Completing the Wizard

When the processing is finished, SQL Processing Wizard displays the results. The log displayed in the last step of the wizard contains statistics and information on all errors and warnings encountered. To see the log file at a later time, open the SQLWis.log file in the project folder. Click Finish to quit.

If you access SQL Server as a member of a local group, for example, BUILTIN\Administrators, you should process the local groups on the source domain controller with Agent Manager to make the newly created accounts members of these groups. In that case the local groups must be deselected in Project Manager before processing them by SQL Processing Wizard.

13 SMS Processing Wizard

Selecting SMS Server
Setting Re-Permissioning Options
Processing
Completing the Wizard

The Quest SMS Processing Wizard is a tool for updating Microsoft Systems Management Server 2.0 permissions for the selected objects to reflect the domain migration changes after a domain reconfiguration with the Quest Domain Migration Wizard.

For a successful SMS update, it is recommended to have all the attributes for all SMS Server classes assigned to you for the server involved in the process. If the account you specify does not have enough privileges to modify the server, it will remain unchanged. No error or warning messages will be displayed. Therefore, if some objects were processed incorrectly, make sure that your account has sufficient rights.

After migrating the Windows NT directory data of the selected users, you may opt to perform a Microsoft Systems Management Server 2.0 update in the SMS Processing Wizard.

Selecting SMS Server

The first thing you will need to do is select a server for updating. To select a server, type the server name into the text box. You may also use the Browse button to select the server from the list.

To specify the credentials under which you will connect to the server, select the Connect to the server as check box. You may either type the username and the password in the text boxes or use the Browse button to select the username. If you leave this check box cleared, the account under which you are logged in will be used.

Setting Re-Permissioning Options

This step lets you select the way the selected SMS server will be processed. Select the options you need and click the Process button to start updating.

To change the permissions of the source accounts on the selected server to the new (target) user accounts, select the Reassign source accounts' permissions to target users option. Only accounts that were selected in Project Manager will be updated. You may want to also select the Leave source accounts' permissions check box to allow access for both the source and the target user accounts. This way you will be able to make the migration smoother, granting both accounts the same privileges for the transition period.

If User A and User B have been merged to User C during the account migration session, the target user will get the permissions of one of the source users.

If the target account already possesses SMS Server permissions, these permissions will be replaced by the source account's permissions.

As soon as the transition period is over, you can run the SMS Processing Wizard again and select the Clean up legacy accounts' permissions of migrated users option to revoke the rights for the legacy accounts.

The last option lets you undo re-permissioning, removing target users from the access lists and returning all rights to the migrated accounts.

Processing

Now the SMS Processing Wizard starts processing the selected SMS server. The object permissions will be imported, analyzed and saved to the target user accounts.

All error messages will be written to the log file. The log's name is SMSWizard.log, and it is stored in the project folder.

Completing the Wizard

After the wizard has completed re-permissioning, the last step displays the result of the processing (whether it was successful or not) and the log file. To see the log file at a later time, open the SMSWizard.log file in the project folder. Click Finish to quit the wizard.

If some members of the local groups BUILTIN\Administrators and SMSAdmins on the source were processed by the SMS Processing Wizard, you should process these groups on the source domain controller with Agent Manager to make these accounts members of the corresponding groups.

14 Trust Migration Wizard

Trust Migration Wizard is a companion application to Domain Migration Wizard that allows you to transfer trust relationships from one domain to another. This ensures uninterrupted resource access for migrated users.

The wizard is started from Project Manager's Migration Migrate Directory list. No matter what objects and sessions are selected when you start Trust Migration Wizard, it will allow you to copy trust relationships from/to all domains in the network.

In this step you select the domains to be processed. The drop-down lists for specifying the source and target domains contain all domains that could be found in the network. Select the domain whose trust relationships you want to be copied as the Source domain. Select the domain to which you want to transfer trust relationships as the Target domain.

Select the Verify existing trusts check box to make the wizard test all existing trust relationships of the source domain to see if they are functioning.

When the wizard finishes inspecting the source domain, it displays all trust relationships found, except for trusts between the source and target domains. An arrow from a domain in the list designates a trusting domain, while an arrow to the domain denotes a trusted domain. If in the previous step you have selected to verify trusts, the wizard also shows the trust status. A dashed arrow indicates a broken (non-functional) trust, while an arrow with a question mark denotes a trust whose state could not be determined.

Select the check boxes to the left of the trusts you want to copy. By default, all functional trusts (except for those already functioning on the target) are selected. Click Process to instruct the wizard to establish the selected trusts for the target domain.

15 Cluster Server Migration

Domain Migration Wizard is capable of re-permissioning a Microsoft Cluster. However, it requires a more involved procedure than what is required by nonclustered servers. This section describes the detailed steps for a successful cluster migration.

The procedure involves three major steps:

1. Processing physical nodes with Agent Manager
2. Processing virtual servers with Vmover.exe (remotely)
3. Joining physical nodes to target domain

There are two variations on the steps that can be taken. See below for the two available options.

Option 1

1. Select all nodes in Agent Manager. Make sure you select only the actual nodes and not the virtual servers.
2. Specify the processing settings and process the nodes as typical computers.
3. In Project Manager, from the File menu, select Export INI File. The Export INI File dialog box will appear.
4. In the Export INI File dialog box, specify the required options for processing and click OK.
5. Run the following command remotely from the console machine against each virtual server, and run it from the location where the vmover.exe file and the vmover.ini files reside:

    Vmover.exe /c /system=<virtual_server_name> /ini=vmover.ini

6. Move the nodes using the Agent Manager to the target domain (without rebooting). After a couple of minutes all nodes and the virtual server will appear in the target domain.

   Always move all cluster nodes to the new domain simultaneously. Do not move a virtual server to the new domain. The Cluster Service account is not changed when moving a cluster server to another domain.

7. Reboot the passive node. Verify that the Cluster Service account on this node is changed to the target account.

8. Restart the Cluster Service on the active node. Verify that the Cluster Service account on this node is changed to the target account.

   During the restart of the service the resources will not be available.

9. After a successful start of the Cluster Service on the active node, start the cluster service on the passive node.
10. Move the resources to the passive node and reboot the active node.
11. After the node restarts, move the resources back.

Option 2

Follow steps 1-6 above and, instead of taking the last steps 7-11, reboot both nodes at the same time.

In either case the resources will be unavailable at a certain time, because the cluster service cannot run using two accounts (source/target). Both of the nodes should be running using the same account (either source or target), as Microsoft documentation states:

"The Cluster service on all nodes must be stopped and restarted during this procedure (changing the account under which the Cluster service runs). The Cluster service must use the same account and password at all times on all nodes within the cluster."

Refer to the following articles for more details:

For Windows 2000: windows2000/en/advanced/help/cluad_pr_58.htm
For Windows 2003: rverhelp/ec513ba0-08a6-493b-889f-6403f974657f.mspx

Vmover will not process the computer if it cannot verify whether it is a cluster server or a virtual cluster server. If the cluster node alias is specified as a computer name, Vmover cannot verify if it is a cluster. In all other cases the cluster will be uniquely verified.


Appendix A: Troubleshooting

This section contains a list of possible difficulties you may encounter while using Quest Domain Migration Wizard and its component applications.

In most cases, the difficulties one experiences in using the tools are related to insufficient privileges granted to the account under which the tools are being used. Please check the Domain Migration Wizard User's Guide for the System Requirements of the components you are running, and make sure you have the required permissions.

Exchange 5.5 Processing Wizard

Server Computer Is Not Responding

Symptoms

When adding sites to the Exchange directory tree, the following error message appears:

    A connection could not be made to the Microsoft Exchange Server server name. The Microsoft Exchange Server computer is not responding.

At the same time, the server is functioning and can be accessed via Microsoft Exchange Administrator.

Cause

Another service is using the same LDAP port as the Exchange server.

Resolution

Check the following:

1. Port number:
   a) Run Microsoft Exchange Administrator.
   b) Check the port settings for Site/Configuration/Protocols/LDAP and Site/Servers/Server/Protocols/LDAP.
   c) If the port is not 389, it should be explicitly specified in Exchange 5.5 Processing Wizard. When adding a server in the Add Server dialog box, type server:port_number (e.g. Exchange:1000).
2. Detect port conflict:
   a) Using the command prompt, type netstat -a -n. The command will display all connections and listening ports, so you can locate the conflict.

Cannot Add Exchange Organization

Symptoms

An Exchange Organization is not shown by the wizard after the organization's server is added in the Add Server dialog box. The Exchange 5.5 Processing Wizard log contains the following errors:

    Error An invalid Active Directory pathname was passed. Cannot bind to object LDAP://SERVER:389. (ADsGetObject, query interface IDirectorySearch)
    Error The requested authentication method is not supported by the server. Cannot bind to object LDAP://SERVER:389, user domain\username. (ADsOpenObject, query interface IDirectorySearch)

Cause

The Windows NT Challenge/Response LDAP authentication method is not allowed for the server.

Resolution

1. Start the Microsoft Exchange Administrator.
2. Select LDAP protocol settings (Organization\Site\Configuration\Protocols\LDAP or Organization\Site\Servers\Server\Protocols\LDAP).
3. On the Authentication tab, select the Windows NT Challenge/Response check box.
4. Restart the Microsoft Exchange System Attendant service.

Trust Migration Wizard

A Normal Trust Is Displayed as Unknown

Symptoms

When verifying trusts, Trust Migration Wizard marks a trust you know is functioning as unknown.

Cause

To successfully verify a trust, Trust Migration Wizard should have access to the domain controllers of the domains involved (both trusted and trusting). If the connection fails, the trust is considered unknown.

Resolution

Make sure the computer running Trust Migration Wizard has access to the domain controllers of both domains involved in the trust relationship.

Appendix B: Alternative Network Configurations

You can use Domain Migration Wizard in virtually any domain configuration. The possible solutions can be divided into three groups:

1. Domain migration is conducted under an account that is a member of the local Administrators group on all computers involved in the migration (ALL-POWERFUL ACCOUNT SOLUTION). Clearly, this configuration will ensure the smoothest migration possible. However, the managerial effort required to achieve this configuration will often be beyond all practicality.

2. The Domain Reconfiguration Console (DRC) is not a member of any domain on the network (NO TRUST SOLUTION). The DRC is a member of a workgroup not authenticated by any of the network domain controllers:

   Step 1. Directory Migration
   Map hidden administrative shares (e.g. C$ or Admin$) to acquire administrative rights in the source and target domains.
   In the case of NT4 to Windows 2000 directory migration, drive mapping is not sufficient. To get the administrative rights, you need to log in under the administrative account in the target domain.
   Perform the Directory Migration phase.

   Step 2. Resource Migration
   Create and run a Connect batch file.
   Perform the Resource Updating phase.

   Step 3. Complete the migration

3. Any combination of Solutions I and II. This configuration would comprise some of the settings of the previous solutions. A specific situation would involve, for example, unrestricted administrative access to the source domain, while at the same time, accessing the target domain by mapping administrative shares via a Connect batch file.

Solutions II and III can be very convenient for a consulting company performing domain reconfiguration on a client's network. In this case, consultants can simply install Quest Domain Migration Wizard on a notebook, bring the notebook to the client's company, and use this notebook as the DRC.
It is also possible for the consultant to reconfigure the client's network remotely.

Appendix C: Command Line Resource Updating

The command-line tool VMover.exe, located in the Domain Migration Wizard installation folder, can be used to update resources without installing an agent. The updating can be performed directly from the command-line interface or via a logon script.

Among the main applications of VMover are the following tasks:

- Updating remote resources
- Processing roaming profiles
- Processing file system permissions on NT-compatible non-NT systems

To perform the updates, VMover retrieves the source-target account pairs from the INI file or the target accounts' SIDHistory. The INI file also contains the required parameters. Some parameters can be set from the command line.

Command-Line Parameters

VMover should be run using the following command-line syntax:

    VMOVER.EXE /c [/ini=inifile] [/roaming=userdatpath] [/volume=path] [/system=computer]

Explanation:

/c
Mandatory parameter for command-line usage.

/ini
Optional parameter. Name of the INI file that contains the parameters for the update.

By default, the Vmover utility searches its folder for the Vmover.in_ (compressed) file, and then, if the file is not found, for the Vmover.ini (uncompressed) file. You can use Vmover's /ini parameter to specify an alternative INI file name and location. In this case Vmover will also first search for the file's compressed version. For example, if you specify File.txt, Vmover will first attempt to locate File.tx_, and then File.txt.

For more information on creating INI files for processing resources, refer to the Project Manager section of this guide.

/roaming
    Processes roaming profiles. If you specify the /volume or /roaming parameters, VMover won't process any other options in the INI file (such as group membership or user rights). This is done to simplify the updating of roaming profiles with these keys. For information on using VMover to update profiles, refer to the Updating Profiles section of this document.

/volume
    Processes file system permissions in the specified location. If you specify the /volume or /roaming parameters, VMover won't process any other options in the INI file (such as group membership or user rights). This is done to simplify the updating of roaming profiles with these keys.

/system
    Specifies the computer name. By default, the local computer is updated.

Creating INI Files

When the /roaming and /volume parameters are not specified, VMover uses an INI file to retrieve its parameters. This file can be created by clicking Export INI File on the File menu of Domain Migration Wizard Project Manager. The file will contain all the options you select in the Export INI File dialog box and a list of the accounts which were selected in Project Manager when the file was created. When using the INI file, VMover will perform the updates for the selected accounts. For more information on creating INI files for processing resources, refer to the Project Manager section of this guide.

Updating Roaming Profiles

One of the main VMover tasks is the updating of remote profiles. To use a profile, an account must gain access to both the corresponding files and registry keys. VMover deals with both of these tasks by providing the /roaming and /volume keys. To process both file system permissions for profile files and registry permissions, run:

    vmover /c /roaming=roamingprofilepath /volume=roamingprofilepath

This should be run for each profile. If several profiles are located in subfolders of one folder, you can facilitate the task by processing file system permissions for several profiles at one time:

    vmover /c /roaming=roamingprofile1_path
    vmover /c /roaming=roamingprofile2_path
    vmover /c /roaming=roamingprofile3_path
    vmover /c /volume=allprofiles_path

RoamingProfilePath and AllProfiles_Path can be both UNC and local paths to the profile. In this case you can also use the following batch file (note that the FOR command in the example below searches only for ntuser.dat in the first-level subfolders of AllProfiles_Path):

    FOR /d %%i IN ("AllProfiles_Path\*") DO vmover.exe /c /roaming="%%~fi"
    vmover /c /volume=allprofiles_path

Updating permissions on remote profiles is just one subtask of the profile migration process. For more information, please see the Updating User Profiles section of this guide.

Remote Update

By default, VMover applies the changes specified in the INI file on the local computer. You can use the /system command-line parameter or add the System=TargetComputerName key to the INI file to make VMover update a remote computer. For example:

    vmover /c /system=mars

When VMover is updating a remote computer, it locates all the system shares of the computer (such as c$, d$) and updates all the files and folders located in the shares. Alternatively, you can use the /volume command-line parameter to update a specific share of the computer. In this case, no other shares will be affected. For example:

    vmover /c /volume=\\mars\demos

If you use the /volume parameter, VMover won't process any other options in the INI file (such as group membership or user rights). Only file system permissions of the specified share will be processed.

For a successful remote update, the account under which VMover is started must have the following privileges on the remote computer (granted explicitly or by establishing a net use connection):

- Restore
- Backup
- Take Ownership
- Security
- Change/Notify

For successful IIS permissions processing on the remote computer, IIS must also be installed on the computer on which VMover is running, and the account under which VMover is started should be a local administrator on the computer being processed.

SIDHistory Mapping

By default, VMover's INI file contains source-target account pairs which were selected in Project Manager when the file was generated. Alternatively, VMover can automatically locate the pairs by analyzing the SIDHistory of the accounts in the target domain. This lets you use the tool even if the account migration was performed not by Domain Migration Wizard, but by another tool capable of adding SIDHistory. To use the SIDHistory mapping, the following parameters need to be added to the [options] section:

sidhistory=yes/no
    Set this parameter to Yes to enable the SIDHistory matching.

hostname=host_name:port_Number
    Specify the target Domain Controller and the port number to be used for LDAP queries.

ldapuser=username
    The username to be used for LDAP requests.

ldapdomain=userdomain
    The name of the target domain.

ldappsw=password
    The password for the ldapuser user account.

The source domains are specified in a separate section [SourceDomains]. Each line of the section should contain a source domain name and its SID, separated by a semicolon character (;). Below is an example of an ini-file with SIDHistory mapping:

    [dmw4]
    [Options]
    FileSystem=No
    Shares=Yes
    LocalGroups=No
    UserPrivileges=No
    Printers=No
    Registry=No
    Profiles=No
    InstallProfilesAgent=Yes
    Services=No
    ScheduledTasks=No
    Clone=Yes
    CleanUp=No
    Undo=No
    AutoRemove=No
    MaxErrors=10
    LogMask=-1
    LogFile=VMover.log
    StateFile=VMover.txt
    Version=400
    MaxCriticalErrors=10
    MaxRegUsage=95
    ProcessRegGroupOwner=No
    UpdateStateSec=1
    SetArchiveBit=No
    sidhistory=yes
    hostname=pdc-target2000:389
    ldapuser=administrator
    ldapdomain=target2000
    ldappsw='adminpswd'
    [SourceDomains]
    TRUST;S

If SIDHistory mapping is used but the source-target pairs are also listed, both SIDHistory pairs and the explicitly set pairs are used.
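The SIDHistory settings described above can be checked before an INI file is handed to VMover. The following Python code is an added example, not part of the Quest guide or the product: it parses an INI file of the shape shown, verifies the [Options] keys and [SourceDomains] lines that the text requires, and reports when ldappsw places the LDAP account's password in the file. The function names, finding codes and the sample SID are assumptions constructed for illustration.

```python
import re

# Constructed sample in the shape of the guide's example.
# The SID below is a made-up value, not one taken from the guide.
SAMPLE_INI = """\
[dmw4]
[Options]
Shares=Yes
sidhistory=yes
hostname=pdc-target2000:389
ldapuser=administrator
ldapdomain=target2000
ldappsw='adminpswd'
[SourceDomains]
TRUST;S-1-5-21-1111111111-2222222222-3333333333
"""

# Textual SID form: S-1-<authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")

# Keys the guide lists alongside sidhistory=yes.
REQUIRED = ("hostname", "ldapuser", "ldapdomain", "ldappsw")


def parse_vmover_ini(text):
    """Return (options, source_lines) from VMover-style INI text.

    options      -- dict of lower-cased key -> value from [Options]
    source_lines -- raw, stripped lines of [SourceDomains]
    """
    options, source_lines, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "options" and "=" in line:
            key, value = line.split("=", 1)
            options[key.strip().lower()] = value.strip()
        elif section == "sourcedomains":
            source_lines.append(line)
    return options, source_lines


def check_sidhistory_config(text):
    """Return a list of finding codes; an empty list means nothing to report."""
    options, source_lines = parse_vmover_ini(text)
    findings = []

    # The password sits in the file whenever ldappsw has a value,
    # whether or not SIDHistory mapping is switched on.
    if options.get("ldappsw"):
        findings.append("CREDENTIAL_IN_FILE")

    if options.get("sidhistory", "no").lower() != "yes":
        return findings  # mapping disabled, remaining checks do not apply

    for key in REQUIRED:
        if not options.get(key):
            findings.append("MISSING:" + key)

    # hostname must be host_name:port_Number
    hostname = options.get("hostname", "")
    host, sep, port = hostname.rpartition(":")
    if hostname and not (sep and host and port.isdigit() and 0 < int(port) < 65536):
        findings.append("BAD_HOSTNAME")

    # Each [SourceDomains] line: domain name and its SID, separated by ';'
    if not source_lines:
        findings.append("NO_SOURCE_DOMAINS")
    for line in source_lines:
        name, sep, sid = line.partition(";")
        if not (sep and name.strip() and SID_RE.match(sid.strip())):
            findings.append("BAD_SOURCE_DOMAIN:" + line)
    return findings


if __name__ == "__main__":
    for finding in check_sidhistory_config(SAMPLE_INI):
        print(finding)
```

A CREDENTIAL_IN_FILE finding means the INI file, and any copy of it in a project folder, logon-script share or support bundle, needs the same access restrictions as the ldapuser account itself.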

Appendix D: Post Migration Maintenance

The key advantage of Domain Migration Wizard is its database-centric approach to migration. Many post-migration tasks can be performed using the data collected in the database during migration.

Backup User Profiles on All Computers

During the Resource Updating step of a migration, right-click the network tree. Select Export computer list on the shortcut menu. Export all the selected computers to a file called computers.txt.

Create two batch files:

.cmd

    rem file.cmd
    if (%1) == () goto help
    rem *****************************************************
    rem backup all user profiles
    rem *****************************************************
    echo \\%1
    echo \\%1>>details.log
    md Profiles\%1
    rem you can use scopy utility from the NT Resource Kit
    rem to also save permissions
    xcopy "\\%1\Admin$\Profiles\*.*" "Profiles\%1\*.*" /s>>details.log
    goto exit
    :help
    echo Usage: %0 COMPUTERNAME
    :exit

    @echo off
    rem SrvcCng.cmd
    echo. time>details.log
    echo.>>details.log
    FOR /F %%I IN (computers.txt) DO call.cmd %%I
    echo.>>details.log
    echo. time>>details.log
    echo.>>details.log

Now run the file Profiles.cmd and check the details.log output log file for any errors.

Other Tasks

Other tasks that can be performed in a similar way include:

- The fine-tuning and updating of resources by using the Domain Migration Wizard agent VMover.exe
- The mass copying of such items as user profiles and logon scripts
- The mass backup of selected directories from all computers (e.g. the backup of user profiles before the migration).

Appendix E: Support Information

This section of the document is intended to help customers who experience issues with Quest Domain Migration Wizard. The document describes how to solve the most common issues and what information should be sent to Quest Technical Support to determine the cause of the issue. For more information about Quest Technical Support, please see the About Quest Software section below or refer to

Before You Call Support

You can solve most of the common problems without calling Quest Technical Support. When you run into a problem with any of the Domain Migration Wizard components, you should first do the following:

- Check if the affected servers are available.
- Check if the affected servers meet the system requirements.
- Check if the account used has appropriate permissions.

Each of these steps is described below.

Check if the Affected Servers Are Available

In many cases the Domain Migration Wizard components cannot connect to a server because either it is inaccessible or some of the services are not started on the server. Make sure that there are no network problems and the services are running on the affected servers.

Check if the Affected Servers Meet the System Requirements

Please see the System Requirements section. Make sure that the source, target, and console servers meet all the requirements listed in this document.

Check if the Account Used Has Appropriate Permissions

Please make sure that the account under which the component is running has all the required permissions. The Network Configuration subsection of the System Requirements section and the component descriptions in this user's guide will help you to set any of the missing permissions.

Information Required for Support

If none of the steps described above helps you to solve the issues, please provide the following information to Quest Technical Support:

- Detailed description of the problem, including affected server, account names and what exactly is going wrong.
- Configuration of the servers affected by the problem (i.e., the source, target, Domain Migration Wizard console servers). Please provide information about the software and service pack versions installed.
- The logs, INI files and the databases of the problem component and the screenshot of the error. Make sure you send the log that contains the error message.

The table below shows the folders in which the components store their auxiliary files.

COMPONENT'S FULL NAME | SHORT NAME | LOG FILE LOCATION | FILE NAMES
Project Manager | PM | Project folder (Program Files\Quest Software\Domain Migration Wizard\Project by default) | DmwPm.log, Project.PDW
Trust Migration Wizard | TMW | Program Files\Quest Software\Domain Migration Wizard | TMW.log
Domain Migration Wizard | DMW | Project folder | SessionName.SSN, SessionName.SDB, SessionName.LOG
Agent Manager | AM | Project folder | VMover.log, VMover.ini, VMTotal.log
Directory Processing Wizard | DPW | Project folder | DmwAD.log
Exchange 5.5 Processing Wizard | EPW | Project folder | EPW.log
Exchange 2000 Processing Wizard | E2KPW | Program Files\Common Files\Aelita Shared\Migration Tools (or project folder when the wizard runs with the Process as specified in the exported INI settings file option) | E2KPW.log
SMS Processing Wizard | SMSPW | Project folder | SMSWisard.log
SQL Processing Wizard | SQLPW | Project folder | SQLWis.log

This information will help Quest Technical Support to find the cause of the problem and suggest an appropriate resolution for it. Some of the required information can be retrieved with the help of the Quest Support Wizard.

Quest Support Wizard

The Quest Support Wizard helps to collect information about your system configuration and installed software. To start the wizard, run the AelitaSupport.exe file in the Program Files\Common Files\Aelita Shared\Support Wizard folder. The collected information will be used only for the purposes of Quest products troubleshooting and support.

To collect the system information with the help of the Quest Support Wizard:

1. Browse to the file where the collected data will be stored. The default path is Program Files\Common Files\Aelita Shared\Support Wizard\result.ini.

2. Specify a SQL Server and the database name from which you wish to retrieve the information. If you do not use a Trusted connection, you should also specify credentials that will be used to connect to the specified SQL server.

3. Wait while the wizard collects the information. When the wizard finishes collecting information, click Finish to close the wizard dialog box.

The Quest Support Wizard collects information such as the following into the result.ini file:

- DB information
- System information
- Operating system information
- SQL Server information
- OLAP information
- Time zone information
- Versions of .ocx, .dll, .exe, .ini, .fll and .cpl files retrieved from WINNT\System32, Program Files\Common Files\Aelita Shared and other folders
- JScript, VBScript information and other data


More information

Enterprise Single Sign-On 8.0.3 Installation and Configuration Guide

Enterprise Single Sign-On 8.0.3 Installation and Configuration Guide Enterprise Single Sign-On 8.0.3 Installation and Configuration Guide Dedicated Directory Replication Copyright 1998-2009 Quest Software and/or its Licensors ALL RIGHTS RESERVED. This publication contains

More information

VMware Mirage Web Manager Guide

VMware Mirage Web Manager Guide Mirage 5.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,

More information

VERITAS NetBackup 6.0 for Microsoft Exchange Server

VERITAS NetBackup 6.0 for Microsoft Exchange Server VERITAS NetBackup 6.0 for Microsoft Exchange Server System Administrator s Guide for Windows N152688 September 2005 Disclaimer The information contained in this publication is subject to change without

More information

Dell Spotlight on Active Directory 6.8.4. Deployment Guide

Dell Spotlight on Active Directory 6.8.4. Deployment Guide Dell Spotlight on Active Directory 6.8.4 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under

More information

Administration Guide. Novell Storage Manager 3.1.1 for Active Directory. Novell Storage Manager 3.1.1 for Active Directory Administration Guide

Administration Guide. Novell Storage Manager 3.1.1 for Active Directory. Novell Storage Manager 3.1.1 for Active Directory Administration Guide Novell Storage Manager 3.1.1 for Active Directory Administration Guide www.novell.com/documentation Administration Guide Novell Storage Manager 3.1.1 for Active Directory October 17, 2013 Legal Notices

More information

Universal Management Service 2015

Universal Management Service 2015 Universal Management Service 2015 UMS 2015 Help All rights reserved. No parts of this work may be reproduced in any form or by any means - graphic, electronic, or mechanical, including photocopying, recording,

More information

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide Copyright and Trademark Statements 2014 ViewSonic Computer Corp. All rights reserved. This document contains proprietary information that

More information

Quest Collaboration Services 3.6.1. How it Works Guide

Quest Collaboration Services 3.6.1. How it Works Guide Quest Collaboration Services 3.6.1 How it Works Guide 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

GFI LANguard 9.0 ReportPack. Manual. By GFI Software Ltd.

GFI LANguard 9.0 ReportPack. Manual. By GFI Software Ltd. GFI LANguard 9.0 ReportPack Manual By GFI Software Ltd. http://www.gfi.com E-mail: info@gfi.com Information in this document is subject to change without notice. Companies, names, and data used in examples

More information

Citrix Systems, Inc.

Citrix Systems, Inc. Citrix Password Manager Quick Deployment Guide Install and Use Password Manager on Presentation Server in Under Two Hours Citrix Systems, Inc. Notice The information in this publication is subject to change

More information

Dell Spotlight on Active Directory 6.8.3. Server Health Wizard Configuration Guide

Dell Spotlight on Active Directory 6.8.3. Server Health Wizard Configuration Guide Dell Spotlight on Active Directory 6.8.3 Server Health Wizard Configuration Guide 2013 Dell Software Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software

More information

User Document. Adobe Acrobat 7.0 for Microsoft Windows Group Policy Objects and Active Directory

User Document. Adobe Acrobat 7.0 for Microsoft Windows Group Policy Objects and Active Directory Adobe Acrobat 7.0 for Microsoft Windows Group Policy Objects and Active Directory Copyright 2005 Adobe Systems Incorporated. All rights reserved. NOTICE: All information contained herein is the property

More information

Symantec Backup Exec 2010 R2. Quick Installation Guide

Symantec Backup Exec 2010 R2. Quick Installation Guide Symantec Backup Exec 2010 R2 Quick Installation Guide 20047221 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

More information

GFI LANguard 9.0 ReportPack. Manual. By GFI Software Ltd.

GFI LANguard 9.0 ReportPack. Manual. By GFI Software Ltd. GFI LANguard 9.0 ReportPack Manual By GFI Software Ltd. http://www.gfi.com E-mail: info@gfi.com Information in this document is subject to change without notice. Companies, names, and data used in examples

More information

Project management integrated into Outlook

Project management integrated into Outlook Project management integrated into Outlook InLoox PM 7.x off-line operation An InLoox Whitepaper Published: October 2011 Copyright: 2011 InLoox GmbH. You can find up-to-date information at http://www.inloox.com

More information

Troubleshooting Guide 5.1. Quest Workspace ChangeBASE

Troubleshooting Guide 5.1. Quest Workspace ChangeBASE Troubleshooting Guide 5.1 Quest Workspace ChangeBASE [Type text] 2012 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

bv-control User Guide for Active Directory v8.00 BindView Corporation 5151 San Felipe, Suite 2500 Houston, TX 77056

bv-control User Guide for Active Directory v8.00 BindView Corporation 5151 San Felipe, Suite 2500 Houston, TX 77056 bv-control for Active Directory v8.00 User Guide BindView Corporation 5151 San Felipe, Suite 2500 Houston, TX 77056 COPYRIGHT Copyright 2002 2004 BindView Corporation. All rights reserved. BindView Corporation

More information

File Shares to SharePoint: 8 Keys to a Successful Migration

File Shares to SharePoint: 8 Keys to a Successful Migration File Shares to SharePoint: 8 Keys to a Successful Migration Written by Doug Davis Director, SharePoint Product Management Quest Software, Inc. White Paper Copyright Quest Software, Inc. 2008. All rights

More information

Outpost Network Security

Outpost Network Security Administrator Guide Reference Outpost Network Security Office Firewall Software from Agnitum Abstract This document provides information on deploying Outpost Network Security in a corporate network. It

More information

2011 Quest Software, Inc. ALL RIGHTS RESERVED. TRADEMARKS DISCLAIMER

2011 Quest Software, Inc. ALL RIGHTS RESERVED. TRADEMARKS DISCLAIMER 8.8 Upgrade Guide 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. The software described in this document is furnished under a software

More information

Big Brother Professional Edition Windows Client Getting Started Guide. Version 4.60

Big Brother Professional Edition Windows Client Getting Started Guide. Version 4.60 Big Brother Professional Edition Windows Client Getting Started Guide Version 4.60 Copyright Quest Software, Inc. 2002 2011. All rights reserved. This guide contains proprietary information, which is protected

More information

Dell InTrust 11.0. Auditing and Monitoring Microsoft Windows

Dell InTrust 11.0. Auditing and Monitoring Microsoft Windows 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement.

More information

Dell NetVault Backup Plug-in for SharePoint 1.3. User s Guide

Dell NetVault Backup Plug-in for SharePoint 1.3. User s Guide Dell NetVault Backup Plug-in for 1.3 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software

More information

formerly Help Desk Authority 9.1.2 Quest Free Network Tools User Manual

formerly Help Desk Authority 9.1.2 Quest Free Network Tools User Manual formerly Help Desk Authority 9.1.2 Quest Free Network Tools User Manual 2 Contacting Quest Software Email: Mail: Web site: info@quest.com Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo,

More information

CA ARCserve Backup for Windows

CA ARCserve Backup for Windows CA ARCserve Backup for Windows Agent for Microsoft SharePoint Server Guide r15 This documentation and any related computer software help programs (hereinafter referred to as the "Documentation") are for

More information

NETWRIX FILE SERVER CHANGE REPORTER

NETWRIX FILE SERVER CHANGE REPORTER NETWRIX FILE SERVER CHANGE REPORTER ADMINISTRATOR S GUIDE Product Version: 3.3 April/2012. Legal Notice The information in this publication is furnished for information use only, and does not constitute

More information

Microsoft Dynamics CRM Adapter for Microsoft Dynamics GP

Microsoft Dynamics CRM Adapter for Microsoft Dynamics GP Microsoft Dynamics Microsoft Dynamics CRM Adapter for Microsoft Dynamics GP May 2010 Find updates to this documentation at the following location. http://go.microsoft.com/fwlink/?linkid=162558&clcid=0x409

More information

Netwrix Auditor for Exchange

Netwrix Auditor for Exchange Netwrix Auditor for Exchange Quick-Start Guide Version: 8.0 4/22/2016 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment from Netwrix

More information

Installation Manual UC for Business Unified Messaging for Exchange 2010

Installation Manual UC for Business Unified Messaging for Exchange 2010 Installation Manual UC for Business Unified Messaging for Exchange 2010 NEC Corporation nec.com Unified Messaging for Exchange Installation Manual - Exchange 2010 Edition Table of Contents About this Manual...

More information

Microsoft Dynamics GP. Engineering Data Management Integration Administrator s Guide

Microsoft Dynamics GP. Engineering Data Management Integration Administrator s Guide Microsoft Dynamics GP Engineering Data Management Integration Administrator s Guide Copyright Copyright 2007 Microsoft Corporation. All rights reserved. Complying with all applicable copyright laws is

More information

Foglight. Foglight for Virtualization, Free Edition 6.5.2. Installation and Configuration Guide

Foglight. Foglight for Virtualization, Free Edition 6.5.2. Installation and Configuration Guide Foglight Foglight for Virtualization, Free Edition 6.5.2 Installation and Configuration Guide 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright.

More information

Desktop Authority vs. Group Policy Preferences

Desktop Authority vs. Group Policy Preferences Desktop Authority vs. Group Policy Preferences A Comparison of Desktop Lifecycle Management Features Introduction Group Policy Preferences In Windows Server 2008 and Windows Vista Service Pack 1, Microsoft

More information

Quest Collaboration Services 3.5. How it Works Guide

Quest Collaboration Services 3.5. How it Works Guide Quest Collaboration Services 3.5 How it Works Guide 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

Legal Notes. Regarding Trademarks. 2012 KYOCERA Document Solutions Inc.

Legal Notes. Regarding Trademarks. 2012 KYOCERA Document Solutions Inc. Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for any problems arising from

More information

Unicenter Patch Management

Unicenter Patch Management Unicenter Patch Management Best Practices for Managing Security Updates R11 This documentation (the Documentation ) and related computer software program (the Software ) (hereinafter collectively referred

More information