Since the Migration Manager agents are installed and updated from the console over RPC and the agents transfer data directly between source and target servers over RPC as well, RPC traffic must be allowed over the routers separating the subnets.
Make sure that the following ports are open on workstations, servers, routers, and firewalls: 135 and 137–139.
For the comprehensive list of port requirements for most of the Migration Manager components, refer to the Migration Manager Required Ports document.
NOTES
- For more detailed information on what ports and protocols Microsoft operating systems and programs require for network connectivity, refer to Microsoft Knowledge Base article 832017: Service overview and network port requirements for the Windows Server system.
- You can use the DCDiag and NetDiag utilities from Windows Support Tools to test network connectivity. To install Windows Support Tools, run Setup.exe from the \SUPPORT\TOOLS folder of the Windows distribution CD. For more information about the utilities, refer to their online help and other documentation.
In Windows XP Service Pack 2, Microsoft introduced the Security Center, which includes a client-side firewall application. The firewall is turned on by default and configured to filter packets sent to ports 137–139 and 445. These ports are used by the File and Printer Sharing service, which must be installed and running on the computer to be updated.
IMPORTANT: In order to successfully update Windows XP Service Pack 2 and Windows Vista computers from Resource Updating Manager, the File and Printer Sharing service must be added to the firewall Exceptions list and ports 137–139 and 445 must be unblocked.
For more information on resource processing requirements, refer to Migration Manager for Active Directory Resource Processing Guide.
When granting the required permissions to the administrative accounts in Active Directory, you should also make sure that permissions inherited from the parent are not blocked at any level in your Active Directory.
If the "Domain controller: LDAP server signing requirements" policy is set to "Require signing" on your Active Directory domain controllers, you must make sure the client "Network security: LDAP client signing requirements" policy is set to "Negotiate signing", which is the default, or "Require signing". This policy must never be set to "None" for the client, as this would result in loss of connection with the server.
This requirement is applicable for the following components:
- Migration Manager Console
- Migration Manager for Active Directory (Microsoft Office 365) Console
- Directory Synchronization Agent Server
- Directory Migration Agent Server
- Standalone Resource Updating Manager Console
- Active Directory Processing Wizard
- Exchange Processing Wizard
- Migration Manager for Exchange Console
- Statistics Collection Agent Server
- Exchange Migration Agents Server (Legacy and MAgE)
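
The following preflight script is an added example, not part of the vendor documentation. It checks the LDAP client signing level on the local machine and the TCP ports named above against one server. It assumes the host name `dc01.example.test` (a placeholder), that the policy is backed by the `LDAPClientIntegrity` registry value, and that the `Test-NetConnection` cmdlet is available.

```powershell
# Added example (not vendor code): preflight for a machine that will run a
# Migration Manager component. 'dc01.example.test' is a placeholder host name.
param([string]$DomainController = 'dc01.example.test')

# Registry value behind "Network security: LDAP client signing requirements".
$ldapKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
$ldapValue = 'LDAPClientIntegrity'
$levels    = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' }

function Get-LdapClientSigningLevel {
    $item = Get-ItemProperty -Path $ldapKey -Name $ldapValue -ErrorAction SilentlyContinue
    # Assumption: a missing value means the policy default, Negotiate signing.
    if ($null -eq $item) { return 1 }
    return [int]$item.$ldapValue
}

function Test-RequiredTcpPorts {
    param([string]$ComputerName, [int[]]$Ports)
    foreach ($port in $Ports) {
        $r = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; Open = $r.TcpTestSucceeded }
    }
}

$level = Get-LdapClientSigningLevel
$label = if ($levels.ContainsKey($level)) { $levels[$level] } else { 'Unknown ({0})' -f $level }
if ($level -eq 0) {
    Write-Warning ('LDAP client signing is "{0}": connections to a DC that requires signing will fail.' -f $label)
} else {
    Write-Output ('LDAP client signing is "{0}".' -f $label)
}

# TCP only: 135 (RPC endpoint mapper), 139 (NetBIOS session), 445 (SMB).
# 137 and 138 are UDP NetBIOS ports and are not tested by Test-NetConnection.
$results = Test-RequiredTcpPorts -ComputerName $DomainController -Ports 135, 139, 445
$results | Format-Table -AutoSize
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning ('Blocked TCP ports on {0}: {1}' -f $DomainController, ($blocked.Port -join ', '))
}
```
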
RC4 encryption (Rivest Cipher 4, or RC4-HMAC) is an element of Microsoft Kerberos authentication that Quest migration products require to sync Active Directory passwords between source and target environments. Disabling RC4 makes password syncing between environments impossible.
Beginning on November 8, 2022, Microsoft recommended that an out-of-band (OOB) patch be employed to set AES as the default encryption type. Enabling or disabling the RC4 encryption protocol has potential impact beyond password syncing by Quest migration tooling and should be considered carefully.