When migrating with Quest Migration Manager, what functional level do the source and target domains need to be set to?
The behaviour described below is by design in Microsoft NT and AD directories. Careful consideration is needed when migrating from native mode to mixed mode domains. Please see the details below.
There are no specific requirements for the functional level of the source or target domain when migrating; however, the following limitations of mixed mode need to be taken into consideration:
1. According to Microsoft KB Article ID Q322970: http://support.microsoft.com/kb/322970/en-us.
"The sIDHistory is a multivalued attribute of security principals in the Active Directory that may hold up to 850 values. To provide backward-compatibility with domain controllers that are running earlier versions of Windows, the sIDHistory attribute is only available in domains that are operating at the functional level of Windows 2000 Native mode or later."
2. If the source domain is running in native mode or later and the target domain is in mixed mode, the following limitation with regard to the "Nesting groups" functionality needs to be considered:
http://technet2.microsoft.com/windowsserver/en/library/3fbe961d-1124-4a56-9d95-4be9e0dc59951033.mspx?mfr=true
For example:
a. Source local group LG1 has local group LG2 as a member, which is possible in a native mode domain. When both LG1 and LG2 are migrated to a target domain running in mixed mode, "Unresolved Link" is reported for the "member" attribute of group LG1. LG2 will not become a member of LG1 in the target domain because this is not supported in a mixed mode domain environment.
b. A similar issue occurs in the GG1-GG2 global group scenario, because a global group cannot contain another global group as a member in a mixed mode domain.
c. Migration of universal groups will not be possible and the following error will be reported:
Error 0xe3000007. Cannot create universal security group or change the group type to universal because the target domain is in mixed mode.
3. When migrating file system resources whose access control is set for Domain Local Groups on the source, and going from a source domain in native mode to a target domain in mixed mode, target users will not get access to the resources via membership in these Local Groups. This behaviour is by design and is described in the following Microsoft KB article 260534:
http://support.microsoft.com/kb/260534/en-us
"This behavior can occur because the Windows 2000 domain is running in Mixed mode, and in Mixed Mode local groups cannot grant permissions on computers that they do not reside on. Note that in Mixed mode local groups behave the same in both Microsoft Windows NT and Windows 2000. There is an exception for domain local groups created on a domain controller. The replication between domain controllers causes domain local groups to be shared between the domain controllers."
Please also see these Microsoft KB articles:
http://support.microsoft.com/kb/259392/en-us
"If a Windows 2000 domain is operating in mixed mode, the scope of a Domain Local Group is within the set of domain controllers only. The domain controllers include Windows 2000 domain controllers as well as Windows NT 4.0 BDCs. The Windows 2000 Domain Local Group Scope behaves similarly to the Windows NT Local Group in mixed mode. If the Windows 2000 domain is operating in native mode, the scope of a Domain Local Group is within all the members of the domain."
http://support.microsoft.com/kb/101471/
"User Manager represents local groups with a graphic of two faces imposed over a computer. A local group is local to the security system in which it is created. A local group created on a Windows NT work group workstation is available only on the workstation on which it is created. A local group created on a Domain Controller is available on all Domain Controllers."
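The limitations in items 2 and 3 can be checked against a group inventory before migrating to a mixed mode target. The following is an added example, not Quest or Microsoft code; the inventory layout, the group, user and host names, and the finding labels are all constructed for illustration.

```python
# Pre-migration check for a mixed mode target domain (added example).
# The data below is constructed; a real inventory would come from an export.
# scope: "local" (domain local), "global" or "universal"
GROUPS = {
    "LG1": {"scope": "local", "security": True, "members": ["LG2", "GG1", "alice"]},
    "LG2": {"scope": "local", "security": True, "members": ["bob"]},
    "GG1": {"scope": "global", "security": True, "members": ["GG2", "alice"]},
    "GG2": {"scope": "global", "security": True, "members": ["carol"]},
    "UG1": {"scope": "universal", "security": True, "members": ["GG1"]},
}

# ACL entries on file resources to be migrated: (host, host_is_dc, trustee)
ACLS = [("FS01", False, "LG1"), ("DC01", True, "LG2"), ("FS01", False, "GG1")]


def mixed_mode_findings(groups, acls):
    """Return (kind, group, detail) tuples for objects affected by mixed mode."""
    findings = []
    for name, group in sorted(groups.items()):
        # Item 2c: error 0xe3000007 names universal security groups.
        if group["scope"] == "universal" and group["security"]:
            findings.append(("universal-group", name, None))
            continue
        for member_name in group["members"]:
            member = groups.get(member_name)
            if member is None:
                continue  # not a group in the inventory (e.g. a user)
            # Items 2a/2b: local-in-local and global-in-global nesting
            # ends up as an "Unresolved Link" on the parent's member attribute.
            if group["scope"] in ("local", "global") and member["scope"] == group["scope"]:
                findings.append(("unresolved-link", name, member_name))
    for host, host_is_dc, trustee in acls:
        group = groups.get(trustee)
        # Item 3: in mixed mode a domain local group only has scope on
        # domain controllers, so ACEs on other hosts grant nothing.
        if group and group["scope"] == "local" and not host_is_dc:
            findings.append(("local-group-acl", trustee, host))
    return findings


if __name__ == "__main__":
    for finding in mixed_mode_findings(GROUPS, ACLS):
        print(finding)
```
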