One of the main goals for Migration Manager for Active Directory is to provide a seamless migration for your company while allowing employees (hereafter referred to as users) to maintain uninterrupted access to all their resources, regardless of whether the resources are being processed. The resource processing is performed to grant users migrated to the target domain the same privileges as they had in the source domain. For the vast majority of users, all the steps required to process resources properly are described in the Migration Manager for Active Directory – Resource Processing Guide.
However, for users who rarely work in the company's office, you may need to alter the traditional migration process. Such remote users connect to the enterprise network through VPN from their laptops (or personal computers). The biggest challenge is to update and change the domain membership of remote users' computers while maintaining access to the enterprise network.
The Cached Credentials Utility (CCU) addresses this challenge. The utility captures the users' credentials for the target domain, caches them while the user is logged on to the source domain, and makes those credentials available once the user's computer changes domain membership. The steps required to configure the utility, deploy it, and instruct end users how to use it are described in this guide.
Additionally, the CCU launches the Vmover utility, which is a part of Migration Manager for Active Directory, to perform re-permissioning. This happens right before a laptop is moved to the target domain.
Throughout this guide, the following terms are used:
Remote user is a user that usually works outside the company's office.
Remote computer is a personal computer or a laptop the remote user uses to connect to the enterprise network through VPN.
Administrator is a person who configures the CCU installation package, deploys it to remote computers and instructs remote users how to use the utility.
The CCU files are located on the Migration Manager installation CD in the \QMMAD\Cached Credentials Utility subfolder.
The following files reside at that location:
cachecredconf.exe — Utility that encrypts credentials of the account that will be used to move computers to the target domain.
update_msi.js — Auxiliary script used by update_msi.cmd.
cachecred.text.ini — File containing localized message and caption descriptions that CCU will use. For details, see Providing Multilanguage Support.
The main part of the CCU is a service that is meant to be installed on remote users' computers. The configured setup.msi installation package for this service should be deployed to remote users' computers.
The Cached Credentials Utility is designed to be used in conjunction with Resource Updating Manager and is compatible with all operating systems listed in the Resource Updating Manager Processed Platforms.
Problem Description
Remote users who work outside the enterprise office have to log on to their laptops or personal computers before they can connect to the enterprise network using VPN. To log the user on, the user's credentials from the local cache are used. Once the user's laptop or computer is moved to the target domain, he or she cannot log on to it, because the user's credentials in the target domain have not been cached on the computer yet.
Solution
The Cached Credentials Utility (CCU) solves that problem by caching the user's credentials for the target domain while the user is logged on to the source domain via VPN. The main part of the CCU is a service that is deployed to the remote users' computers. It is installed from a specifically pre-configured CCU installation package.
The general workflow for using the CCU is as follows:
Caution: Due to the specifics of working with cached credentials, the user's remote computer will need to be restarted twice after the utility finishes processing. After that, the CCU will be removed automatically, except for its log file.
In this section you will adjust the Cached Credentials Utility settings according to your enterprise configuration and generate the corresponding CCU installation package that later will be deployed to remote users' computers.
For that, take the following steps:
1. From the command prompt, run the cachecredconf.exe utility with the -encrypt key to encrypt the credentials of the account that will be used to move remote computers to the target domain:
cachecredconf.exe -encrypt "Domain\Username;Password"
Important: This account must have sufficient privileges to move computers to the target domain.
Copy the value that the command outputs to the JOIN_CRED field in step 2.
2. Using a text editor of your choice, open the update_msi.cmd file and change the following fields according to your needs:
Caution: Using CCU and RUM to process the same user's computer or server is not recommended. If CCU is run on a machine after RUM has processed the user profile, the profile (which will have been redirected to the target user by RUM) will be deleted, resulting in data loss. If CCU might run after RUM processing, change the value of DELETE_TARGET_PROFILE to 0, or revert the RUM processing prior to running CCU.
TIP: To get descriptions of all adjustable parameters in the update_msi.cmd file, see Technical Reference: Utility Configuration Parameters.
3. When you have finished editing the file, save the changes and double-click the file to generate the setup.msi file. When generation completes, follow the instructions provided in Deploying the Utility.
The CCU uses the Vmover utility and its configuration file vmover.ini to perform resource processing. The vmover.ini file contains instructions for the Vmover utility and all the user and group mappings between source and target domains.
The vmover.exe and vmover.ini files must be placed on a network share on which Everyone has Read access rights. The path to this share is specified in the MAP_FILE parameter during configuration of the CCU installation package.
Caution: Do not grant Write permissions on the network share where Vmover files will be located to anyone except for administrators responsible for performing migration.
If you want to process both 32-bit and 64-bit computers, you will also need to create a vmover.cmd command file and place it on that network share.
Locating the vmover.exe
The vmover.exe file is part of Migration Manager for Active Directory. You can find the vmover.exe file on a computer where Migration Manager is installed, in the %ProgramFiles%\Common Files\Aelita Shared\Migration Tools\Resource Updating\Agent folder.
Note: If the computer runs a 64-bit version of Windows, replace %ProgramFiles% with %ProgramFiles(x86)%.
Copy the vmover.exe file to the network share specified above. Also create the x64 folder on that share and copy the 64-bit version of vmover.exe, located in the x64 subfolder, into it.
Exporting the vmover.ini
To export a new vmover.ini file from the Resource Updating Manager console and copy it to the network share, take the following steps:
Caution: If new users or groups are migrated after the file is exported, the vmover.ini file must be re-exported so that it contains the new users or groups.
Creating the vmover.cmd
If you want to process both 32-bit and 64-bit computers, create a file named vmover.cmd on the same network share where the vmover.ini, vmover.exe and x64\vmover.exe files reside.
The vmover.cmd file should have the following content:
if "%ProgramFiles(x86)%"=="" goto execute
copy /y \\server\share\x64\vmover.exe %0\..\vmover.exe
:execute
%0\..\vmover.exe /c /ini=%1 /statefile=%2 /log=%2\..\vmover.log
del %0
Here, replace \\server\share with the actual full path to the network share that holds the Vmover files.
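A check for the Caution in this section about Write permissions on the Vmover network share, as an added PowerShell example that is not part of the product documentation: it lists access entries that let anyone outside an allow-list alter the files, and records SHA-256 hashes of the files for later comparison. The share path and the allow-list of writers are assumptions to replace with your own values.

```powershell
# Added example (not vendor code): audit the Vmover share for principals that can
# alter its files, then record SHA-256 hashes of the files remote computers will run.
# $SharePath and $AllowedWriters are assumptions; set them for your environment.
param(
    [string]$SharePath = '\\server\share',
    [string[]]$AllowedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

# Bits that allow replacing or altering a file: the specific write, delete and
# ACL-change rights, plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000),
# which can appear unmapped on inherit-only entries.
$writeMask = ([int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x50000000

# The share root plus every file below it (vmover.exe, vmover.ini, vmover.cmd, x64\vmover.exe).
$items = @($SharePath) + @(Get-ChildItem -LiteralPath $SharePath -Recurse -File |
    ForEach-Object { $_.FullName })

# This reads the NTFS ACLs; share-level permissions are set separately on the file server.
$findings = foreach ($item in $items) {
    foreach ($ace in (Get-Acl -LiteralPath $item).Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($AllowedWriters -contains $who)     { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Path      = $item
                Identity  = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    Write-Warning "Principals outside the allow-list can modify files on $SharePath"
    $findings | Format-Table -AutoSize | Out-Host
} else {
    Write-Output "No unexpected write-capable entries found on $SharePath"
}

# Hash baseline: keep it with the migration records and compare on later runs.
Get-ChildItem -LiteralPath $SharePath -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash
```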