
Migration Manager for AD 8.15 - Cached Credentials Utility Administrator Guide

Overview

One of the main goals for Migration Manager for Active Directory is to provide a seamless migration for your company while allowing employees (hereafter referred to as users) to maintain uninterrupted access to all their resources, regardless of whether the resources are being processed. The resource processing is performed to grant users migrated to the target domain the same privileges as they had in the source domain. For the vast majority of users, all the steps required to process resources properly are described in the Migration Manager for Active Directory – Resource Processing Guide.

However, for users who rarely work in the company's office, you may need to alter the traditional migration process. Such remote users connect to the enterprise network through VPN from their laptops (or personal computers). The biggest challenge is to update and change the domain membership of remote users' computers while maintaining access to the enterprise network.

The Cached Credentials Utility (CCU) addresses this challenge. The utility captures the users' credentials for the target domain, caches them while the user is logged on to the source domain, and makes those credentials available once the user's computer changes domain membership. The steps required to configure the utility, deploy it, and instruct end users how to use it are described in this guide.

Additionally, the CCU launches the Vmover utility, which is part of Migration Manager for Active Directory, to perform re-permissioning. This happens right before a laptop is moved to the target domain.

Terminology

Throughout this guide, the following terms are used:

Remote user is a user that usually works outside the company's office.

Remote computer is a personal computer or a laptop the remote user uses to connect to the enterprise network through VPN.

Administrator is a person who configures the CCU installation package, deploys it to remote computers and instructs remote users how to use the utility.

Getting Started

The CCU files are located on the Migration Manager installation CD in the \QMMAD\Cached Credentials Utility subfolder.

The following files reside at that location:

  • CachedCredsSetupTemplate.msi — Template used to generate Setup.msi (the CCU installation package) with the update_msi.cmd command file.
  • cachecredconf.exe — Utility that encrypts credentials of the account that will be used to move computers to the target domain.
  • update_msi.cmd — Command file that is used to generate the configured Setup.msi installation package. The update_msi.cmd parameters should be edited according to your enterprise configuration. For details on adjustable parameters, see Technical Reference: Utility Configuration Parameters.
  • update_msi.js — Auxiliary script used by update_msi.cmd.
  • remove_sign.ps1 — Auxiliary script used by update_msi.cmd.
  • cachecred.text.ini — File containing localized message and caption descriptions that CCU will use. For details, see Providing Multilanguage Support.

The main part of CCU is a service that is meant to be installed on remote users' computers. The configured setup.msi installation package for this service should be deployed to remote users' computers.

Supported Operating Systems

The Cached Credentials Utility is designed to be used in conjunction with Resource Updating Manager and is compatible with all operating systems listed in the Resource Updating Manager Processed Platforms.

How It Works

Problem Description

Remote users who work outside the enterprise office have to log on to their laptops or personal computers before they can connect to the enterprise network using VPN. To log the user on, the user's credentials from the local cache are used. Once the user's laptop or computer is moved to the target domain, he or she cannot log on to the laptop, because the user's credentials in the target domain haven't been cached on the computer yet.

Solution

The Cached Credentials Utility (CCU) provides a solution for that problem by caching the user credentials for the target domain while the user is logged on to the source domain via VPN. The main part of the CCU is a service that is deployed to the remote users' computers. It is installed from a specifically pre-configured CCU installation package.

The general workflow for using the CCU is as follows:

  1. The administrator (you, in this case) configures the CCU installation package according to the enterprise environment specifics and sets the date when processing of the remote computers must be started. After configuration is completed, a CCU installation package with all specified settings is generated.
  2. The administrator then deploys the CCU installation package to remote users' computers and provides instructions on how to use the utility.
  3. The CCU service starts on a remote computer on the date specified in step 1. If the currently logged-on user is found in the specified Migration Manager for Active Directory migration mapping file (the vmover.ini file), he or she is asked to enter the password of the corresponding target user.
  4. The utility checks whether the password is correct and, if so, the service caches the target credentials in the registry of the corresponding remote computer.
  5. After that, the utility launches the Vmover utility to process resources using the specified vmover.ini file.
  6. In the last step, the remote computer is moved to the target domain by the Vmover utility.

Caution: Due to the specifics of working with cached credentials, the user's remote computer will need to be restarted twice after the utility finishes processing. After that, CCU will be automatically removed, except for its log file.

Configuring CCU Installation Package

In this section you will adjust the Cached Credentials Utility settings according to your enterprise configuration and generate the corresponding CCU installation package that later will be deployed to remote users' computers.

For that, take the following steps:

1. From the command prompt, run the cachecredconf.exe utility with the -encrypt key to encrypt the credentials of the account to be used to move remote computers to the target domain:

cachecredconf.exe -encrypt "Domain\Username;Password"

Important: This account must have sufficient privileges to move computers to the target domain.

Copy the output of this command to the JOIN_CRED field in step 2.

2. Using a text editor of your choice, open the update_msi.cmd file and change the following fields according to your needs:

  • MOVE_DATE — The date, in the YYYY-MM-DD format, that defines when to move the remote users' computers to the target domain.
  • TRG_DOMAIN — NETBIOS name of the target domain.
  • TRG_DOMAIN_DNS — FQDN of the target domain.
  • MAP_FILE — Full path to the network share, with read-only access for Everyone, where the vmover.ini and vmover.exe files are located. For details, see Preparing Vmover Files.
  • JOIN_CRED — Hash string obtained in step 1 that contains encrypted credentials of the account that will be used to move computers to the target domain.
  • DELETE_TARGET_PROFILE — Determines whether the solution must delete the target user profile (if it exists). If the target profile is not present, the Vmover utility will bind the source user profile to the target user. By default, the profile is deleted (parameter value is 1).

Caution: Using CCU and RUM to process the same user's computer or server is not recommended. If CCU is run on a machine after RUM has processed the user profile, the profile (which will have been redirected to the target user by RUM) will be deleted, resulting in data loss. If CCU might run after RUM processing, change the value of DELETE_TARGET_PROFILE to 0, or revert the RUM processing prior to running CCU.

TIP: To get descriptions of all adjustable parameters in the update_msi.cmd file, see Technical Reference: Utility Configuration Parameters.

3. Once you have finished editing the file, save the changes and double-click it to generate the setup.msi file. When generation completes, follow the instructions provided in Deploying the Utility.

Preparing Vmover Files

The utility uses the Vmover utility and its configuration file vmover.ini to perform resource processing. The vmover.ini file contains instructions for the Vmover utility and all the user and group mappings between source and target domains.

The vmover.exe and vmover.ini files must be placed on the network share with Everyone having Read access rights. The path to this share is specified in the MAP_FILE parameter during configuration of the CCU installation package.

Caution: Do not grant Write permissions on the network share where Vmover files will be located to anyone except for administrators responsible for performing migration.
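One way to check the caution above before deployment, as an added example that is not part of the vendor guide or the product: the function name Get-VmoverShareWriteAce, the allow-list of well-known SIDs (S-1-5-32-544 for BUILTIN\Administrators, S-1-5-18 for SYSTEM) and the scratch folder used for the demo are assumptions.

```powershell
# Added example, not vendor code. Lists Allow ACEs under the Vmover share folder
# that grant write-capable NTFS rights to anyone outside an approved SID list.
function Get-VmoverShareWriteAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: only local Administrators and SYSTEM may write. Add the SID
        # of your migration administrators group here.
        [string[]] $AllowedSid = @('S-1-5-32-544', 'S-1-5-18')
    )
    $r = [System.Security.AccessControl.FileSystemRights]
    # Rights that allow replacing vmover.exe / vmover.ini or rewriting the ACL,
    # plus the raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
    $writeMask = [int]($r::WriteData -bor $r::AppendData -bor $r::Delete -bor
        $r::DeleteSubdirectoriesAndFiles -bor $r::ChangePermissions -bor
        $r::TakeOwnership) -bor 0x40000000 -bor 0x10000000

    # Check the folder itself and everything below it (x64\vmover.exe included).
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            try {
                # Compare by SID so localized account names do not matter.
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { $sid = $ace.IdentityReference.Value }  # unresolvable account
            if ($AllowedSid -contains $sid) { continue }
            [pscustomobject]@{
                Item      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Constructed demo: a scratch folder stands in for the MAP_FILE share.
$demo = Join-Path $env:TEMP 'vmover-share-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Get-VmoverShareWriteAce -Path $demo | Format-Table -AutoSize
```

Run it against the MAP_FILE path; an empty result means no unexpected writers at the NTFS level. Share-level permissions are separate and can be reviewed on the file server with Get-SmbShareAccess.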

If you want to process both 32-bit and 64-bit computers, you will also need to create a vmover.cmd command file and place it on that network share.

Locating the vmover.exe

The vmover.exe file is part of Migration Manager for Active Directory. You can find the vmover.exe file on a computer where Migration Manager is installed, in the %ProgramFiles%\Common Files\Aelita Shared\Migration Tools\Resource Updating\Agent folder.

Note: If the computer runs 64-bit version of Windows, replace %ProgramFiles% with %ProgramFiles(x86)%.

Copy the vmover.exe file to the network share specified above. Also create the x64 folder on that share and copy the 64-bit version of vmover.exe located in the x64 subfolder there.

Exporting the vmover.ini

To export a new vmover.ini file from the Resource Updating Manager console and copy it to the network share, take the following steps:

  1. In the Resource Updating Manager console, add all remote computers to a new collection.
  2. Right-click on the collection and choose Create Task | Processing.
  3. In the Create Processing Task wizard, specify the processing settings. Do not start the task.
  4. Click on the Tasks tab in the right pane.
  5. Right-click on the newly created task and select Export Settings to File.
  6. Save the INI file in the desired location as vmover.ini.
  7. Open the INI file in any text editor and verify that the settings are accurate and the file contains the desired objects only.
  8. Finally, copy the vmover.ini file to the network share specified above.

Caution: If new users or groups are migrated after the file is exported, the vmover.ini file needs to be re-exported so that it contains the new users or groups.

Creating the vmover.cmd

If you want to process both 32-bit and 64-bit computers, create a file named vmover.cmd on the same network share where the vmover.ini, vmover.exe and x64\vmover.exe files reside.

The vmover.cmd file should have the following content:

if "%ProgramFiles(x86)%"=="" goto execute

copy /y \\server\share\x64\vmover.exe %0\..\vmover.exe

:execute

%0\..\vmover.exe /c /ini=%1 /statefile=%2 /log=%2\..\vmover.log

del %0

Here, \\server\share should be replaced with the actual full path to the network share with the Vmover files.
