The preinstalled service feature allows you to use Active Directory synchronization accounts that are domain members not included in Administrators group to migrate passwords and/or SID History. The preinstalled service must be also configured for environments where Microsoft Local Security Authority (LSA) protection is used.
To use this feature the following requirements should be met:
Preinstalled service can be disabled when necessary as described in Disabling Preinstalled Service.
|
IMPORTANT: Directory Synchronization Agent assigned for preinstalled service will not try to install binaries that should be installed to source and target DC under standard workflow. In case the existing Directory Synchronization Agent is used for multiple domain pairs, and preinstalled service feature will be used for part of them, Quest recommends to install and configure separate Directory Synchronization Agent assigned for preinstalled service feature usage only. If the source or target Active Directory domain contains more than one DC, the preferred DC/GC must be specified in the Directory Synchronization Agent properties for source and target domains and configured to use preinstalled service feature. For details how to install and configure Directory Synchronization Agent see Agent Manager topic of Quest Migration Manager for AD User Guide. |
To configure source and target DC using AllowAccess.ps1 script
On the computer where Migration Manager is installed:
Copy Preinstalled Service folder located on the Migration Manager installation CD in the \QMM ResKit\Scripts subfolder to the %ProgramFiles%\Quest Software\Migration Manager\Common\BIN\DeployDistr folder.
Copy the following files from %ProgramFiles%\Common Files\Aelita Shared\ to the %ProgramFiles%\Quest Software\Migration Manager\Common\BIN\DeployDistr\Preinstalled Service folder:
The compiled preinstalled service distributive is now available by network in \\QMM_host\DSASetup\.
On source or target DC:
Net Use Z: \\QMM_host\DSASetup
Z:
cd “Preinstalled Service”
.\AllowAccess.ps1 <NetBIOSDomainName> <userName>
Where NetBIOSDomainName and UserName is the account specified for the domain in the domain pair configuration.
|
Remember: The agent installation will not be complete and functional until the domain controller has been rebooted. |
To configure the Directory Synchronization Agent using the EnablePreinstalledMode.ps1 script
Net Use Z: \\QMM_host\DSASetup
Z:
cd “Preinstalled Service”
.\EnablePreinstalledMode.ps1
To disable preinstalled service when necessary perform the following actions:
All these actions should be performed to disable preinstalled service successfully.
To disable preinstalled service on a source and target DC
Net Use Z: \\QMM_host\DSASetup
Z:
cd “Preinstalled Service”
.\DisableAccess.ps1
on computers running 32-bit Microsoft Windows
on computers running 64-bit Microsoft Windows
To disable preinstalled service on a computer where Directory Synchronization Agent is hosted
Net Use Z: \\QMM_host\DSASetup
Z:
cd “Preinstalled Service”
.\DisablePreinstalledMode.ps1
Account under which Active Directory Processing Wizard (ADPW) performs Active Directory processing must have the following permissions:
1. For processing Group membership grant account the Write Members permission on group objects.
2. For processing Linked attributes grant account permissions to Write corresponding linked attributes for processed objects.
3. For processing Active Directory permissions, the following permissions must be granted to the account:
4. For processing Default schema permissions grant account the Write defaultSecurityDescriptor permission on classSchema objects inside schema naming context.
5. For processing Exchange mailbox permissions, the account must have the following permissions:
|
Note: The Administer Information Store permission is required only for Microsoft Exchange 2010 or lower. |
6. For processing the Other Exchange permissions, the following permissions must be granted to the account:
Account under which Exchange Processing Wizard performs Exchange servers processing must have the following permissions:
1. Read All Properties and List content permissions on the Exchange organization. To grant these permissions to the account, use the following script in Exchange Management Shell:
Get-OrganizationConfig | Add-ADPermission -User <ServiceAccount> -AccessRights "ListChildren, ReadProperty"
2. To process client permissions of mailboxes, grant the ApplicationImpersonation management role.
3. To perform public folder processing:
Account must have the ReadItems, EditOwnedItems, EditAllItems, FolderOwner, FolderContact, and FolderVisible on the public folders to be processed.
-OR-
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Nutzungsbedingungen Datenschutz Cookie Preference Center