Chatee ahora con Soporte
Chat con el soporte

On Demand Migration Current - Entra ID for Devices User Guide

Additional Info

Architecture

The first step towards success on a project using Entra ID for Devices is to understand the product architecture and how this architecture will operate in your environment.

Entra ID for Devices consists of the following components:

  • A directory synchronization engine

  • A REST based web service

  • A management interface

  • A lightweight agent for workstations and member servers

The directory synchronization engine, the web service, and the management interface will all access the same SQL database. In most scenarios, these components will be installed on the same system. In larger or more complex network environments, the components can be distributed across multiple systems.

User workstations, member servers and computers are collectively referred to as Devices in Entra ID for Devices. Computers communicate with the Entra ID for Devices web service using the Active Directory Agent. The Active Directory Agent is a lightweight application that installs as a service on Windows computers.

To ensure that no firewall exceptions are required, the web service does not “call” the Devices to be migrated. Instead, the Active Directory Agents contact the web service at defined polling intervals, using standard HTTPS or HTTP requests to collect jobs. Jobs include key tasks such as system discovery, updating the operating system, file system, and user profile permissions, and migrating the computer to the new domain.

 

Standard Configuration  

In the Standard Configuration for Entra ID for Devices, the Agent is deployed to each Device to be migrated. Those Agents communicate outbound to the Active Directory webserver in Azure over ports 80/443 every 4 hours, when a job is available, or when initially registering. They also communicate outbound to the Active Directory Agent job availability cache in Azure over UDP on port 3030 every 2 minutes.

Standard Configuration

 

Web Proxy Configuration  

In the Web Proxy Configuration for Entra ID for Devices, the Agent is deployed to each Device to be migrated and use of a web proxy is enabled. Those Agents communicate outbound through the defined proxy port to the Active Directory webserver in Azure over port 443 every 4 hours, when a job is available, or when initially registering. They also communicate outbound through the defined proxy port to the Active Directory Agent job availability cache in Azure on port 80 every 2 minutes.

Web Proxy Configuration

Troubleshooting

  • Problem: A workstation that has been successfully cutover no longer responds to any additional jobs, such as Cleanup.  

    Solution: If a workstation that has been successfully cutover now fails to respond to any additional jobs, such as Cleanup, check the Application event log. If you see a "The remote name could not be resolved" error, this most likely means that the SRV record for the Entra ID for Devices Server can no longer be resolved due to a DNS lookup failure.

    If you cannot "Ping" the Entra ID for Devices server from any other machines in the target domain, then you will need to remedy this on a more global scale, such as creating a conditional forwarder on the target machines' current DNS server pointing to the appropriate location.

    If you are able to "Ping" the Entra ID for Devices server, then check the Network Profile that was used during the Cutover to verify that the DNS settings were correct in that profile.

Cutover Job Result Codes

Result Code Error Rollback Possible
1 Unidentified Error - PowerShell Command Error No
2 Source Domain could not be contacted No
4 Bad Source Credentials No
8 Target Domain could not be contacted No
16 Bad Target Credentials No
32 Target DNS Server could not be contacted or could not resolve the target DNS domain No
64 Change Obtain DNS by DHCP  
128 Set DNS Server IPs  
256 Set WINS Servers  
512 Register NIC with DNS  
1024 Clear DNS Suffix Search List / Set to use NIC  
2048 Set Alternate DNS Suffix List  
4096 Enable Dynamic DNS Registration  
8192 Set NIC Specific DNS Suffix  
16384 Domain Disjoin Failed  
32768 Domain Join Failed  
65536 Source domain name does not match the system's domain No
131072 Computer Reboot failed  
262144 Target Domain Name could not be resolved via existing DNS, and new DNS Servers were not provided No

Note: An odd numbered result code represents an error running the Cutover PowerShell script. The most common cause of an odd numbered result code during Cutover is that the computer either has no network card with a default gateway or more than one network card with a default gateway.

Note: Result codes are additive. There are likely multiple errors if the result code is not represented in the table.

Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación