
Preparing Migration 8.15 - Installation Guide

Preparing the Source and Target Environments for Active Directory Migration

The suggested preparation steps are as follows:

Establishing Trusts

Trusts between the source and target domains are not required for Active Directory or Exchange migration with Migration Manager. However, we recommend that you establish two-way trusts between each source and target domain that will participate in migration.

If the forest functional level in both source and target forests is set to Windows 2003 or higher, you can establish a forest trust between the forest root domains.

Trusts make it possible to resolve objects’ security identifiers (SIDs), which in turn helps to distinguish objects and check that everything is going right. Trusts also help provide co-existence of two environments, including uninterrupted access to the resources for both switched users and users not yet switched.

For more information about the restrictions that apply and possible migration scenarios without having trusts established, refer to the Migration Manager Best Practices document.

Configuring SID Filtering

SID filtering is set on all trusts to prevent malicious users who have domain or enterprise administrator level access in a trusted forest from granting (to themselves or other user accounts in their forest) elevated user rights to a trusting forest.

SID filtering should be turned off only if you want target accounts to obtain all privileges of the source accounts for the period between account migration and resource processing. Otherwise, if you do not plan to use target accounts until resource processing is completed, turning off SID filtering is not required.

Important: Note that only domain administrators or enterprise administrators can modify SID filtering settings.

Disabling SID Filter Quarantining on External Trusts

To disable SID filter quarantining for the trusting domain, type a command using the following syntax at a command prompt:

Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /usero:domainadministratorAcct /passwordo:domainadminpwd

To re-enable SID filtering, set the /quarantine: command-line option to Yes.

Allowing SID History to Traverse Forest Trusts

The default SID filtering applied to forest trusts prevents user resource access requests from traversing the trusts with the credentials of the original domain. If you want to enable users to use the credentials that were migrated from their original domain, you can allow SID history to traverse forest trusts by using the Netdom command.

To allow SID history credentials to traverse a trust relationship between two forests, type a command using the following syntax at a command prompt:

Netdom trust TrustingDomainName /domain:TrustedDomainName /enablesidhistory:Yes /usero:domainadministratorAcct /passwordo:domainadminpwd

To re-enable the default SID filtering setting across forest trusts, set the /enablesidhistory: command-line option to No.

For more information about configuring SID filtering, refer to the Microsoft article available at https://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx.
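
To confirm which trusts currently have SID filtering relaxed (for example, to verify that the defaults were restored once resource processing is complete), the following PowerShell sketch decodes the trustAttributes bitmask of each trust. It is an added example, not part of the product documentation; the function name Get-SidFilteringState and the sample records are constructed for illustration, and the flag values are those defined for trustAttributes in MS-ADTS.

```powershell
# trustAttributes bit flags (MS-ADTS, trustedDomain object)
$QUARANTINED_DOMAIN = 0x04   # SID filter quarantining is on (netdom /quarantine:Yes)
$FOREST_TRANSITIVE  = 0x08   # the trust is a forest trust
$WITHIN_FOREST      = 0x20   # trust between domains of the same forest
$TREAT_AS_EXTERNAL  = 0x40   # SID history may traverse (netdom /enablesidhistory:Yes)

# Hypothetical helper: maps one trust to the netdom setting it currently reflects.
function Get-SidFilteringState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Name,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][int]$TrustAttributes
    )
    process {
        if ($TrustAttributes -band $WITHIN_FOREST) {
            # Intra-forest trusts are outside the two settings described above.
            $type = 'IntraForest'; $relaxed = $false; $setting = 'n/a'
        }
        elseif ($TrustAttributes -band $FOREST_TRANSITIVE) {
            $type    = 'Forest'
            $relaxed = [bool]($TrustAttributes -band $TREAT_AS_EXTERNAL)
            $setting = '/enablesidhistory:' + $(if ($relaxed) { 'Yes' } else { 'No' })
        }
        else {
            $type    = 'External'
            $relaxed = -not ($TrustAttributes -band $QUARANTINED_DOMAIN)
            $setting = '/quarantine:' + $(if ($relaxed) { 'No' } else { 'Yes' })
        }
        [pscustomobject]@{
            Trust = $Name; Type = $type; NetdomSetting = $setting; FilteringRelaxed = $relaxed
        }
    }
}

# Constructed sample records so the example runs offline. In a domain, pipe real data:
#   Get-ADTrust -Filter * | Get-SidFilteringState   (requires the ActiveDirectory module)
$sample = @(
    [pscustomobject]@{ Name = 'source.example'; TrustAttributes = 0x04 }  # external, quarantined
    [pscustomobject]@{ Name = 'legacy.example'; TrustAttributes = 0x00 }  # external, quarantine off
    [pscustomobject]@{ Name = 'corp.example';   TrustAttributes = 0x08 }  # forest, default filtering
    [pscustomobject]@{ Name = 'acq.example';    TrustAttributes = 0x48 }  # forest, SID history allowed
)

$sample | Get-SidFilteringState | Format-Table -AutoSize

# Trusts that are still relaxed and should be reviewed after resource processing:
$sample | Get-SidFilteringState | Where-Object FilteringRelaxed
```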

Checking Host Name Resolution

DNS Name Resolution

Make sure that DNS is configured and functioning properly in your environment.

The following computers' DNS names must be successfully resolved to IP addresses from the servers running the Directory Synchronization Agents and Migration Manager console:

  • Source and target servers
  • Server on which the AD LDS or ADAM project partition is located
  • Server hosting the SQL configuration database

NetBIOS Name Resolution

Since the agents installed on agent hosts communicate with Exchange servers and with each other, agent hosts and Exchange servers must be able to resolve each other’s NetBIOS names to IPv4 addresses. In other words, each server must be able to “see” the other servers by NetBIOS.

Windows Internet Naming Service (WINS) is usually used to resolve servers’ NetBIOS names to IP addresses. If WINS is not configured in your environment, host files can be used instead.

Check the host NetBIOS name resolution and make sure that the servers’ NetBIOS names can be resolved from the console as well.
