SMART Active Directory Migrator. Desired End State and Project Prerequisites


Table of Contents

- Introduction
  - Purpose
  - About SMART Active Directory Migrator
  - Components of SMART AD Migrator
- Defining the Desired End-State
  - Domain Structure
  - Organizational Units Structure
  - Duplicate Accounts
  - Migration Cutover Process
  - Interaction with External Domains
  - Policies and Standards
  - Domain Controllers - Data Migration Options
  - Source Domain Account Dependencies
- SMART AD Migrator Project Prerequisites
  - Requirements Prior to AD Migrator Installation
  - Post AD Migrator Installation
  - Known Installation Issues
- Post Active Directory Migration Tasks
  - Prerequisites
  - Post Migration Issues and Resolutions
  - Other Known Issues to Check and Confirm
- Appendix 1: Group Policy to Disable Windows Firewall
- About Binary Tree

Introduction

Purpose

The purpose of this document is to provide the prerequisites that must be in place prior to starting an Active Directory migration project, along with some post-installation steps.

About SMART Active Directory Migrator

Whether your company is performing an Active Directory migration as a result of an acquisition, merger, or divestiture, or simply as part of rebuilding an existing Active Directory structure to meet technical or organizational needs, SMART Active Directory Migrator dramatically reduces the risks, complexity, time, and costs associated with such significant corporate infrastructure changes.

SMART Active Directory Migrator:

- Is a project-based, comprehensive solution to seamlessly migrate all Active Directory objects, settings and properties.
- Provides complete control of the migration, ensuring the security and reliability of the project.
- Provides complete migration of all relevant objects and properties, even those not accessible by conventional means; Active Directory objects are migrated even if the source and target servers are not connected. The following Active Directory components are migrated:
  - OUs, domain users, passwords, user properties, extended Active Directory properties, Terminal Server settings, security groups, distribution groups, group properties and members, contacts, workstations and servers;
  - Processing of Access Control Lists is comprehensive and includes owners and auditing, as well as permissions;
  - Comprehensive migration including NTFS, security, shares, local users, profiles, passwords and local groups.
- Allows you to restructure your Active Directory during business hours with no adverse effect on user productivity:
  - End users can continue working, totally unaware of the migration project;
  - Administrators can perform all migration-related tasks during business hours, reducing the administrator's workload;
  - Maintains transparent interoperability during the migration;
  - Environments are continuously synchronized to ensure integrity of data;
  - Users have access to all network resources regardless of the migration status.
- Is able to reverse each step in the migration process; this guarantees that the system can be restored to its original status after any step, safely and reliably.
- Can be used for any migration scenario, from consolidation to a complete restructuring of Active Directory.
- Can be customized to meet the unique requirements of any organization.

Key Features and Functions

- Complete migration
- No downtime or interruptions
- Full coexistence
- Total safety and reversibility
- Flexible migration
- Highly customizable
- Can migrate with or without SID history

Components of SMART AD Migrator

The following main components of SMART Active Directory Migrator are installed:

- SMART Active Directory Reporter
- SMART Active Directory Migrator
- SMART Active Directory Password Copy

Note: SMART Windows Server Migrator is a separate product.

Defining the Desired End-State

It is important to understand the desired end-state of an Active Directory migration, and to prepare the domain migration team to understand all the challenges that need to be considered prior to beginning the migration process. The following information should be gathered:

- SOURCE Domain NetBIOS Name:
- SOURCE Domain DNS Name:
- TARGET Domain NetBIOS Name:
- TARGET Domain DNS Name:

Domain Structure

Is this migration a:

- Migration to an empty new Active Directory domain?
- Migration to an existing Active Directory domain?
- Partial source domain migration to an empty new Active Directory domain?
- Partial source domain migration to an existing Active Directory domain?
- Multiple source domains to an empty new Active Directory domain?
- Multiple source domains to an existing Active Directory domain?

Will all source objects be migrated to the same target domain?

Organizational Units Structure

- Will the source Organizational Units (OUs) be migrated to the root domain?
- Will the source Organizational Units (OUs) be migrated to a sub-OU in the target domain?
- Will the objects be migrated to the same OU in the target domain?

Duplicate Accounts

- Will duplicate user accounts be merged with the existing accounts that have the same sAMAccountName?
- Will duplicate user accounts be renamed in the source domain with a prefix?
- Will duplicate user accounts be renamed in the source domain with a suffix?
- Will duplicate user accounts be renamed in the source domain individually?
- Will duplicate groups be merged with the existing groups that have the same sAMAccountName?
- Will duplicate groups be renamed in the source domain with a prefix?
- Will duplicate groups be renamed in the source domain with a suffix?
- Will duplicate groups be renamed in the source domain individually?

Migration Cutover Process

- Will this be a one-time-only cutover to the target domain?
- Will this be an incremental cutover to the target domain?

Interaction with External Domains

- Will domain objects need to be remapped in domains besides the source and target domains?
- Will servers need to be remapped in domains besides the source and target domains?
- Will computer objects be migrated to the same domain as accounts?

Policies and Standards

- Will passwords be migrated to the target accounts?
- Will logon scripts be moved to the target domains?
- Are logon scripts referenced in user properties?
- Are logon scripts referenced in group policies?
- Will group policies be migrated to the target domain?

Domain Controllers - Data Migration Options

- Do the source domain controllers contain shares or data?
- Will shares or data on domain controllers need to be migrated?

Source Domain Account Dependencies

- Is an Exchange migration part of this project?
- Are there SQL servers in the source domain?
- Is SharePoint part of the source domain migration?
- Are there any in-house applications that rely on domain accounts in this migration?

SMART AD Migrator Project Prerequisites

Before beginning an Active Directory migration, a number of mandatory requirements need to be in place in order to complete the migration successfully. These requirements cover both the requirements of a Microsoft Windows migration and those of the Binary Tree SMART Active Directory Migrator. Throughout this document, the term source domain means the domain from which the objects are being migrated, and target domain means the destination domain to which the objects are being migrated.

Requirements Prior to AD Migrator Installation

Windows Trust Requirements

- Establish a two-way trust relationship between the source domain and target domain.
- Verify the trust relationship. To verify, check that you are able to list accounts from each domain in each domain.
- Add the source domain's Domain Admins group to the target domain's Administrators group.
- Add the target domain's Domain Admins group to the source domain's Administrators group.

Windows Password Migration Requirements

- In the target domain, check and verify that the domain Password Policy is equal to or less restrictive than the source domain's password policy.
- In both the source domain and target domain, enable Account Management auditing for success and failure at both the domain level and the domain controller level. You must reboot the PDC emulator for the policy to take effect.
- Verify that account auditing is working in each domain: create a test user and delete the user, then check that each event has been recorded in the security logs.
- In the source domain, create a domain local group with the NetBIOS name of the domain followed by three dollar signs, with no members. Example: DOMAINNAME$$$
- In the target domain, create a domain local group with the NetBIOS name of the domain followed by three dollar signs, with no members. Example: DOMAINNAME$$$
- In the source domain and the target domain, verify or add the Everyone group as a member of the Pre-Windows 2000 Compatible Access group.

NetBIOS Name Resolution Requirements

- Install a WINS server on the target domain PDC Emulator (still required for Windows 2008 domains).
- In the TCP/IP Advanced Network Card Properties of the source and target domain controllers, add the IP address of the target domain controller under the WINS server tab.
- Enable NetBIOS over IP for both the source and target domain's PDC Emulator.
- Verify that all domain controllers, both source and target, have Enable LMHOSTS Lookup enabled.
- Open firewall ports between the source and target servers and primary domain controllers:
  - 389 LDAP
  - 53 DNS
  - 137-139 NetBIOS
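The trust, password-policy, DOMAINNAME$$$ group, Pre-Windows 2000 Compatible Access and port requirements above can be verified before the tool is installed. The script below is an added example and not Binary Tree's code; it is read-only and assumes the RSAT ActiveDirectory module and an account that can read both domains. The domain names are placeholders, and the port test covers TCP only (137/138 are UDP, which a TCP connect cannot exercise).

```powershell
# Added example (not Binary Tree's code): read-only prerequisite checks for the
# Windows trust, password-migration and firewall-port requirements listed above.
Import-Module ActiveDirectory

$SourceDomain = 'source.example.com'   # placeholder
$TargetDomain = 'target.example.com'   # placeholder

function Test-TwoWayTrust {
    param([string]$Domain, [string]$Partner)
    # A two-way trust stored in $Domain has Direction = BiDirectional.
    $t = Get-ADTrust -Filter "Target -eq '$Partner'" -Server $Domain -ErrorAction SilentlyContinue
    if (-not $t) { return "MISSING: no trust with $Partner defined in $Domain" }
    if ($t.Direction -ne 'BiDirectional') { return "WARN: trust $Domain <-> $Partner is $($t.Direction), not two-way" }
    return "OK: two-way trust $Domain <-> $Partner"
}

function Test-PasswordPolicyCompatible {
    param([string]$Source, [string]$Target)
    # The target policy must be equal to or less restrictive than the source policy,
    # otherwise copied passwords can be rejected.
    $s = Get-ADDefaultDomainPasswordPolicy -Identity $Source -Server $Source
    $t = Get-ADDefaultDomainPasswordPolicy -Identity $Target -Server $Target
    $problems = @()
    if ($t.MinPasswordLength -gt $s.MinPasswordLength) {
        $problems += "MinPasswordLength $($t.MinPasswordLength) > $($s.MinPasswordLength)"
    }
    if ($t.PasswordHistoryCount -gt $s.PasswordHistoryCount) {
        $problems += "PasswordHistoryCount $($t.PasswordHistoryCount) > $($s.PasswordHistoryCount)"
    }
    if ($t.ComplexityEnabled -and -not $s.ComplexityEnabled) {
        $problems += 'target requires complexity, source does not'
    }
    if ($problems.Count) { return 'FAIL: target policy is more restrictive: ' + ($problems -join '; ') }
    return 'OK: target password policy is equal to or less restrictive than source'
}

function Test-DollarGroup {
    param([string]$Domain)
    # NETBIOSNAME$$$ must exist, be a domain local group and have no members.
    $nb = (Get-ADDomain -Server $Domain).NetBIOSName
    $name = $nb + '$$$'
    $g = Get-ADGroup -LDAPFilter "(&(objectClass=group)(sAMAccountName=$name))" -Server $Domain -Properties member
    if (-not $g) { return "MISSING: group $name in $Domain" }
    if ($g.GroupScope -ne 'DomainLocal') { return "WARN: $name exists but its scope is $($g.GroupScope)" }
    if (@($g.member).Count -gt 0) { return "WARN: $name must have no members (has $(@($g.member).Count))" }
    return "OK: $name is an empty domain local group in $Domain"
}

function Test-PreWin2000Everyone {
    param([string]$Domain)
    # Everyone (S-1-1-0) is stored in the member attribute as a foreign security principal DN.
    $g = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Server $Domain -Properties member
    if ($g.member -match '^CN=S-1-1-0,') { return "OK: Everyone is in Pre-Windows 2000 Compatible Access in $Domain" }
    return "MISSING: Everyone is not in Pre-Windows 2000 Compatible Access in $Domain"
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Run every check and print one line per result.
$results = @(
    (Test-TwoWayTrust -Domain $SourceDomain -Partner $TargetDomain),
    (Test-TwoWayTrust -Domain $TargetDomain -Partner $SourceDomain),
    (Test-PasswordPolicyCompatible -Source $SourceDomain -Target $TargetDomain)
)
foreach ($d in $SourceDomain, $TargetDomain) {
    $results += Test-DollarGroup -Domain $d
    $results += Test-PreWin2000Everyone -Domain $d
    # TCP reachability of the listed ports from this host to each PDC emulator.
    $pdc = (Get-ADDomain -Server $d).PDCEmulator
    foreach ($p in 389, 53, 139) {
        $status = if (Test-TcpPort -ComputerName $pdc -Port $p) { 'OK' } else { 'BLOCKED' }
        $results += '{0}: TCP {1} on {2}' -f $status, $p, $pdc
    }
}
$results
```

Run it from the migration computer with an account that is a member of both Domain Admins groups (or at least can read both domains); anything reported as MISSING, WARN, FAIL or BLOCKED corresponds to one of the requirements above and should be fixed before installing AD Migrator.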

DNS Name Resolution Requirements

- In the TCP/IP DNS advanced settings of both the source and target domain controllers, verify that the DNS servers of both domains are entered, with the first entry being the DNS server of the domain that the domain controller belongs to.
- Append the domain suffix list to include the DNS name of both domains, with the first entry being the domain name that the domain controller belongs to.
- Enter the domain name as the DNS suffix for this connection.
- Check Register this connection's addresses in DNS.

Group Policy Requirements

- Create a domain Group Policy to disable Windows Firewall in both the source and target domain (see Appendix 1).
- Verify that IP filtering is disabled for both the source and target domain controllers in the Advanced TCP/IP Options (setting: Permit All).
- For Windows 2008 domain controllers, disable User Account Control (UAC).
- Log on to the migration computer in the target domain as a member of the target domain's Domain Admins group and install AD Migrator.

Workstation Virus Scanning Software

- Exclude l18.exe, remap2.exe and copypwd.dll, for both the 32-bit and 64-bit versions.

Remote Registry

- Remote Registry connectivity must be enabled on the workstations and servers to be migrated.

Post AD Migrator Installation

Once AD Migrator is installed, updated to the latest build, and the domain migration options have been set, verify that all the pre-migration internal checks have a green check mark beside each prerequisite.

- Verify that Clonepr.dll is located in the C:\Windows directory of the target domain controller. If not, copy drive:\binarytree\btadmigrator\admigrator\clonepr.dll to the C:\Windows\System32 directory of the target domain controller.
- Register Clonepr.dll on the target domain controller by running Regsvr32 C:\Windows\System32\Clonepr.dll. This is required for both SID history and computer migration.
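The DNS client settings required above (DNS server order, suffix search list, connection-specific suffix and address registration) are easy to get wrong on one adapter of one domain controller. The following script is an added example, not Binary Tree's code; it reports those settings per domain controller using the DnsClient module over a CIM session, which assumes Windows Server 2012 or later on the DCs (older DCs must be checked in the adapter properties dialog). DC and domain names are placeholders.

```powershell
# Added example (not Binary Tree's code): per-DC report of the DNS client settings
# required for cross-domain name resolution. Assumes the DnsClient module (Server 2012+).
$Dcs = @(
    @{ Name = 'dc1.source.example.com'; Domain = 'source.example.com' },  # placeholder
    @{ Name = 'dc1.target.example.com'; Domain = 'target.example.com' }   # placeholder
)
$AllDomains = @('source.example.com', 'target.example.com')

function Get-DcDnsClientReport {
    param([string]$Dc, [string]$OwnDomain, [string[]]$AllDomains)
    $findings = @()
    # Resolve each domain's A records once; a DC's first DNS server should be one of its
    # own domain's addresses, and a server of the other domain should also be listed.
    $domainIps = @{}
    foreach ($d in $AllDomains) {
        $domainIps[$d] = @(Resolve-DnsName -Name $d -Type A -ErrorAction SilentlyContinue |
            ForEach-Object { $_.IPAddress })
    }
    $cim = New-CimSession -ComputerName $Dc
    try {
        # Suffix search list: both domains present, own domain first.
        $suffixes = @((Get-DnsClientGlobalSetting -CimSession $cim).SuffixSearchList)
        foreach ($d in $AllDomains) {
            if ($suffixes -notcontains $d) { $findings += "suffix search list lacks $d" }
        }
        if ($suffixes.Count -eq 0 -or $suffixes[0] -ne $OwnDomain) { $findings += "first suffix is not $OwnDomain" }

        # Per-adapter settings, skipping loopback and tunnel adapters.
        $adapters = Get-DnsClient -CimSession $cim |
            Where-Object { $_.InterfaceAlias -notmatch '^(Loopback|isatap|Teredo)' }
        foreach ($a in $adapters) {
            $alias = $a.InterfaceAlias
            if ($a.ConnectionSpecificSuffix -ne $OwnDomain) {
                $findings += "${alias}: connection suffix is '$($a.ConnectionSpecificSuffix)', expected $OwnDomain"
            }
            if (-not $a.RegisterThisConnectionsAddress) {
                $findings += "${alias}: 'Register this connection's addresses in DNS' is off"
            }
            $servers = @((Get-DnsClientServerAddress -CimSession $cim -InterfaceIndex $a.InterfaceIndex `
                -AddressFamily IPv4).ServerAddresses)
            if ($servers.Count -eq 0 -or $domainIps[$OwnDomain] -notcontains $servers[0]) {
                $findings += "${alias}: first DNS server '$($servers[0])' is not a $OwnDomain DNS server"
            }
            foreach ($d in ($AllDomains | Where-Object { $_ -ne $OwnDomain })) {
                if (-not ($servers | Where-Object { $domainIps[$d] -contains $_ })) {
                    $findings += "${alias}: no DNS server of $d configured"
                }
            }
        }
    } finally { Remove-CimSession -CimSession $cim }
    [pscustomobject]@{ DomainController = $Dc; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

foreach ($dc in $Dcs) {
    Get-DcDnsClientReport -Dc $dc.Name -OwnDomain $dc.Domain -AllDomains $AllDomains
}
```

A domain controller is reported as Compliant only when every adapter passes; the Findings list names the adapter and the setting to change, so the report can be handed to whoever maintains the DCs without re-running the check.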

Known Installation Issues

Windows 64-bit Domain Controller (PDC Emulator)

In order for the account password copy to process accounts involving Windows 2003, 2008, 2008 R2 64-bit or 2012 domain controllers acting as the PDC emulator in either the source or target domain, the following registry entries must be in place. Check and verify the registry entries in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Lsa. The entries should match the screen capture above. Pay special attention to the Security Packages REG_MULTI_SZ list; it must be exactly as shown. Remove any additional packages and reboot the server for the changes to take effect.

The BINARYTREE SMART Scheduling service is not running

This is a common issue at the first installation. To remedy it, connect to the domain controller(s) that display the error, start the Services MMC and navigate to the BinaryTree Schedule service or FSTScheduler. Click on the Log On option, re-enter the service account name and password and click Apply. If the service is running, stop and restart the service.

Unable to verify PDC Emulator of the source or target domain

This issue arises when the target domain controller is unable to resolve NetBIOS names. Launch the BinaryTree SMART LMHCreator to create an lmhosts file. Add the IP address and name of the source domain controller; add the IP address and name of the target domain controller; add the IP address of the source domain controller and the source domain name; and add the IP address of the target domain controller and the target domain name. Save the new lmhosts file. Register the lmhosts file to the cache and verify in the cache table that all 4 entries are in the cache.
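The lmhosts fix above can be done without the LMHCreator tool using the standard lmhosts file and nbtstat. The script below is an added example, not Binary Tree's code: it writes the four entries (host name and NetBIOS domain name for each DC, preloaded with #PRE and tagged with #DOM), reloads the NetBIOS name cache and verifies that all four names are cached; it also reads the Lsa Security Packages list for the 64-bit PDC emulator check, using the standard location of that value, HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Run it as an administrator on the DC that cannot resolve names. Host names, NetBIOS domain names and addresses are placeholders.

```powershell
# Added example (not Binary Tree's LMHCreator): lmhosts entries for both DCs, cache
# reload and verification, plus a read of the Lsa 'Security Packages' list.
$Dcs = @(
    @{ Ip = '10.0.1.10'; Host = 'SRCDC01'; Domain = 'SOURCE' },  # placeholder source DC
    @{ Ip = '10.0.2.10'; Host = 'TGTDC01'; Domain = 'TARGET' }   # placeholder target DC
)

function New-LmhostsEntries {
    param([hashtable[]]$Dcs)
    # One line for the host name and one for the NetBIOS domain name per DC.
    # #PRE preloads the entry into the cache; #DOM:name tags it as a DC of that domain.
    foreach ($d in $Dcs) {
        '{0} {1} #PRE #DOM:{2}' -f $d.Ip, $d.Host, $d.Domain
        '{0} {1} #PRE #DOM:{1}' -f $d.Ip, $d.Domain
    }
}

function Install-LmhostsEntries {
    param([string[]]$Entries)
    $path = Join-Path $env:SystemRoot 'System32\drivers\etc\lmhosts'
    if (Test-Path $path) { Copy-Item -Path $path -Destination "$path.bak" -Force }  # keep the current file
    $existing = if (Test-Path $path) { @(Get-Content -Path $path) } else { @() }
    $new = @($Entries | Where-Object { $existing -notcontains $_ })
    if ($new.Count) { Add-Content -Path $path -Value $new -Encoding Ascii }
    nbtstat -R | Out-Null   # purge the name cache and reload the #PRE entries from lmhosts
}

function Test-NbtCache {
    param([string[]]$Names)
    # nbtstat -c prints cached names as '<name>  <xx>  UNIQUE|GROUP  <ip>  <life>'.
    # Returns the names that are NOT in the cache.
    $cache = nbtstat -c | Out-String
    @($Names | Where-Object { $cache -notmatch ('(?im)^\s*' + [regex]::Escape($_) + '\s+<') })
}

function Get-LsaSecurityPackages {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Reads the REG_MULTI_SZ list to compare against the documented set of packages.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $lsa.GetValue('Security Packages')
    } finally { $hklm.Close() }
}

$entries = New-LmhostsEntries -Dcs $Dcs
Install-LmhostsEntries -Entries $entries
$missing = Test-NbtCache -Names (@($Dcs.Host) + @($Dcs.Domain))
if ($missing.Count) { Write-Warning "Not in NetBIOS cache: $($missing -join ', ')" }
else { 'All 4 lmhosts entries are cached' }
'Security Packages on ' + $env:COMPUTERNAME + ': ' + ((Get-LsaSecurityPackages) -join ', ')
```

Enable LMHOSTS Lookup must be on for the adapter (see the NetBIOS requirements earlier) or nbtstat -R will not preload anything, which is exactly the condition Test-NbtCache reports.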

Administrator Account Password Containing Special Characters

A known LDAP issue exists if the first character of the Administrator's password is a special character. This issue will prevent migrating computers from the source domain to the target domain, because LDAP translation will drop the first character of the password, the password will become incorrect and the operation will fail. To remedy this issue, change the source or target domain's Administrator password so that it begins with an alphanumeric character.

Anti-Virus Software False Trojan Quarantine

Most anti-virus software will trap the 32-bit version of copypwd.dll as a Trojan. Copypwd.dll is required to extract and set password hashes and is required to copy passwords. Disable scanning of, or allow, copypwd.dll so that it is not quarantined on the BINARYTREE SMART console and the source and target PDC Emulators.

- Console location: drive:\binarytree\btadmigrator\admigrator and drive:\windows\
- PDC Emulator location: drive:\BinaryTree\BTADMigrator\ADMigrator\ADM\ and drive:\windows\

Post Active Directory Migration Tasks

Prerequisites:

- Help desk personnel must have administrative rights to migrated user accounts, groups and workstations.
- A network share has been created for the ADUMMTA tools folder.
- Help desk personnel have access to the shared ADUMMTA folder.
- Help desk personnel have the SID of both the source and target domains for reference.

Post Migration Issues and Resolutions

User password is incorrect, or user must change password at next logon

Verify that the user password property "User must change password at next logon" does not contain a check mark. By default domain policy, "User must change password at next logon" may be enforced when the user account password is copied from the source domain. Unselect this option. Can the user now log on? If the user still cannot log on with their password, ask the migration team to recopy the user's password.

User is unable to access network shares that they were able to access with their source account

Check that the server share permissions and the folder NTFS permissions contain two sets of permissions: source\domain and target\domain groups and accounts. If they correctly match, then check the user's group membership and compare the source group memberships with the target group memberships. If the share and NTFS permissions do not contain an identical set of source and target domain accounts, the server must be re-ACLed (Remap). Ask the migration team to ReACL the server with the access issues.

Once the migrated user logs into the new domain, the user receives a new blank default profile

In order to troubleshoot profile issues, the help desk person must be aware of both the SID of the source domain and the SID of the target domain. Check to see if there is a folder called C:\ADUMMTA on the workstation.

- If the folder does not exist, the workstation was not remapped. This may occur frequently with laptop users who may have been away during the migration process.
- If the C:\ADUMMTA folder exists, then check to see if a file called LxxReport.txt exists. If the file or folder does not exist, then the workstation was not remapped.

To correct a failed profile

- Log into the workstation as an administrator.
- Delete the newly created profile:
  - In Windows XP, navigate to the C:\Documents and Settings folder and find the user account folder with the .xxx extension (for example, userid.new). Delete this folder and all subfolders and files.
  - For Windows 7 or Vista, navigate to the C:\Users folder and find the user account folder with the .xxx extension (for example, userid.new). Delete this folder and all subfolders and files.
- Next, run regedit.exe (from the Start button, Run, Regedit.exe). Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList and delete all subkeys that contain the target domain SID. On 64-bit Windows computers you must perform this at HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProfileList as well.
- Navigate to C:\ADUMMTA and double-click Lxx.exe, where xx is a number from 15 or higher; if there are multiples, use the highest number. Wait about 3 minutes for the remap process to stop running. If C:\ADUMMTA does not exist, copy the ADUMMTA folder to the C: drive of the workstation.
- Log off the workstation and ask the user to log back into the target domain.

Other Known Issues to Check and Confirm:

- Did the user get all their mapped drives? If not, then check logon scripts.
- Can the user access their email? If not, then check with the Exchange team.
- Can the user access SQL? If not, then check with the Database team.
- Can the user access in-house apps? If not, then check with the appropriate team.
- Can the user print? If not, then check printer permissions and the printer.
- Does the user have access to their home drive? If not, then check permissions and account properties.
- Is the user's desktop layout the same as before? If not, then the workstation needs to be remapped.
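Two of the help desk procedures above lend themselves to scripting: the network-share check (does every source-domain ACE have a matching target-domain ACE?) and the failed-profile cleanup. The block below is an added example, not Binary Tree's code. Get-UnmatchedSourceAces reads a folder's NTFS ACL and lists the source-domain entries that have no identical target-domain counterpart, assuming accounts keep the same name in the target domain. Repair-MigratedProfile performs the profile steps with -WhatIf support so the help desk can preview what would be deleted before deleting it; it must run locally on the workstation as an administrator and needs PowerShell 3 or later. The domain NetBIOS names, the target domain SID and the user name are placeholders.

```powershell
# Added example (not Binary Tree's code): help desk checks for the share-access and
# blank-profile issues described above.

function Get-UnmatchedSourceAces {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$SourceNetBios = 'SOURCE',   # placeholder
        [string]$TargetNetBios = 'TARGET'    # placeholder
    )
    # Explicit ACEs only; inherited ones are compared where they are defined.
    $aces   = (Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited }
    $source = $aces | Where-Object { $_.IdentityReference.Value -like "$SourceNetBios\*" }
    $target = $aces | Where-Object { $_.IdentityReference.Value -like "$TargetNetBios\*" }
    foreach ($s in $source) {
        $name  = $s.IdentityReference.Value.Split('\')[1]
        $match = $target | Where-Object {
            $_.IdentityReference.Value.Split('\')[1] -eq $name -and
            $_.FileSystemRights   -eq $s.FileSystemRights   -and
            $_.AccessControlType  -eq $s.AccessControlType  -and
            $_.InheritanceFlags   -eq $s.InheritanceFlags   -and
            $_.PropagationFlags   -eq $s.PropagationFlags
        }
        if (-not $match) {
            # Anything returned means the server needs to be re-ACLed (Remap).
            [pscustomobject]@{ Path = $Path; Identity = $s.IdentityReference.Value
                               Rights = $s.FileSystemRights; Type = $s.AccessControlType }
        }
    }
}

function Repair-MigratedProfile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$UserId,           # sAMAccountName of the migrated user
        [Parameter(Mandatory)][string]$TargetDomainSid,  # e.g. 'S-1-5-21-...' (placeholder)
        [string]$ToolsPath = 'C:\ADUMMTA'
    )
    # 1. Was the workstation remapped? Both the folder and an LxxReport.txt must exist.
    $report = Get-ChildItem -Path $ToolsPath -Filter 'L*Report.txt' -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $report) { Write-Warning "$ToolsPath or LxxReport.txt is missing: workstation was not remapped" }

    # 2. Delete the newly created profile folder, userid.xxx (e.g. userid.new).
    $profileRoot = if (Test-Path 'C:\Users') { 'C:\Users' } else { 'C:\Documents and Settings' }
    Get-ChildItem -Path $profileRoot -Directory -Filter "$UserId.*" | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.FullName, 'Remove new profile folder')) {
            Remove-Item -Path $_.FullName -Recurse -Force
        }
    }

    # 3. Remove ProfileList subkeys for the target domain SID; the guide says to do this
    #    under the Wow6432Node path as well on 64-bit Windows, so both are covered.
    $keys = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProfileList')
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        Get-ChildItem -Path $k | Where-Object { $_.PSChildName -like "$TargetDomainSid-*" } | ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.PSPath, 'Remove ProfileList subkey')) {
                Remove-Item -Path $_.PSPath -Recurse
            }
        }
    }

    # 4. Run the highest-numbered Lxx.exe (xx >= 15) from the tools folder and wait for it.
    $tool = Get-ChildItem -Path $ToolsPath -Filter 'L*.exe' -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^L(\d+)$' -and [int]$Matches[1] -ge 15 } |
        Sort-Object { [int]($_.BaseName -replace '^L', '') } -Descending |
        Select-Object -First 1
    if (-not $tool) { Write-Warning "No Lxx.exe (xx >= 15) found in $ToolsPath; copy the ADUMMTA folder first"; return }
    if ($PSCmdlet.ShouldProcess($tool.FullName, 'Run remap tool')) {
        Start-Process -FilePath $tool.FullName -Wait
    }
}

# Usage (placeholders):
# Get-UnmatchedSourceAces -Path '\\fileserver\share\Finance'
# Repair-MigratedProfile -UserId 'jdoe' -TargetDomainSid 'S-1-5-21-1111-2222-3333' -WhatIf
```

Run Repair-MigratedProfile with -WhatIf first; it prints the profile folder and every ProfileList subkey it would remove, and only a second run without -WhatIf changes anything. After it finishes, log the user off so they can log back into the target domain, as the procedure states.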

Appendix 1: Group Policy to Disable Windows Firewall

1. Create a new Group Policy object, and give the object a descriptive name (for example, ITS-Turn off Windows Firewall).
2. Select the newly created group policy. Right-click the newly created policy and select Edit.
3. Expand the Computer Configuration folder, then the Administrative Templates folder.
4. Expand the Network folder, then the Network Connections folder, then the Windows Firewall folder.
5. Select the Standard Profile folder. Double-click the Windows Firewall: Protect all network connections option. Select Disabled, and then click OK.
6. Select the Domain Profile folder. Double-click the Windows Firewall: Protect all network connections option. Select Disabled, and then click OK.
7. Close the Group Policy dialog box.
8. In the Security Filtering section, click Add. Search for the objects that this group policy will be applied to, then click OK.
9. Close the Group Policy editor.
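The same Group Policy object can be created with the GroupPolicy module instead of the editor. The script below is an added example, not Binary Tree's code. The two "Protect all network connections" settings correspond to the EnableFirewall value under the WindowsFirewall policy key for the Domain and Standard profiles, and the security filtering step is done with Set-GPPermission, which here grants the apply right only to the group named in $ApplyToGroup (a placeholder) while leaving Authenticated Users with read access. The GPO is created but not linked, matching the appendix. Requires RSAT with the GroupPolicy module (Windows Server 2008 R2 or later).

```powershell
# Added example (not Binary Tree's code): Appendix 1 as a script.
Import-Module GroupPolicy

function New-FirewallDisableGpo {
    param(
        [string]$Name = 'ITS-Turn off Windows Firewall',
        [string]$ApplyToGroup = 'AD-Migration-Computers'   # placeholder security group
    )
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment 'Disables Windows Firewall during the AD migration (Appendix 1)'
    }

    # "Windows Firewall: Protect all network connections" = Disabled for both profiles.
    foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
        Set-GPRegistryValue -Name $Name `
            -Key "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\$fwProfile" `
            -ValueName 'EnableFirewall' -Type DWord -Value 0 | Out-Null
    }

    # Security filtering: Authenticated Users keep Read only (still needed to process the
    # GPO); only members of $ApplyToGroup get the Apply right.
    Set-GPPermission -Name $Name -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $Name -TargetName $ApplyToGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    Get-GPO -Name $Name
}

# Usage: New-FirewallDisableGpo -ApplyToGroup 'AD-Migration-Computers'
# Verify the two values afterwards with:
#   Get-GPRegistryValue -Name 'ITS-Turn off Windows Firewall' -Key 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
```

Get-GPRegistryValue shows the EnableFirewall value for each profile key; Get-GPPermission -Name 'ITS-Turn off Windows Firewall' -All lists who has the Apply right, so the filtering can be confirmed before the GPO is linked to the domain controllers' OU.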

About Binary Tree

Binary Tree is a leading provider of software for migrating enterprise messaging users and applications to on-premises and cloud-based versions of the Microsoft platform. Since 1993, Binary Tree and its business partners have helped over 6,000 customers around the world to migrate more than 25 million email users. Binary Tree's suite of software provides solutions for migrating from Exchange 2003/2007 and Lotus Notes to on-premises and online versions of Exchange and SharePoint. Binary Tree is represented by business partners worldwide who provide specialized services and a proven methodology for guiding customers through complex transitions. Binary Tree is a Microsoft Gold ISV Partner, an IBM Premier Business Partner, and is Microsoft's preferred vendor for migrating to Microsoft Office 365. Binary Tree is headquartered in the New York metropolitan area with international offices in London, Paris, Stockholm, Singapore, and Sydney. For more information, please visit us online at www.binarytree.com.

Copyright 2013, Binary Tree, Inc. All rights reserved. Binary Tree, the Binary Tree logo, and any references to Binary Tree's CMT software products, are trademarks of Binary Tree, Inc. All other trademarks are the trademarks or registered trademarks of their respective rights holders.