
On Demand Migration Current - Active Directory User Guide

Devices and Servers

What is the Devices + Servers page used for?  

The Devices + Servers screen allows the administrator to register devices and servers, set the ReACL profile, upload migration logs, and manage the device Discovery, ReACL, Cutover, and Cleanup processes.

Select the gear icon above the "Ready Devices" list to select the columns to display for the current session.

 

What is the difference between a "Ready Device" and a "Not Ready Device?"  

"Ready Devices" are devices that have the necessary agent installed, are communicating, and are ready for actions to be scheduled. "Not Ready Devices" are devices that do not yet have an agent installed and communicating.

Note: Initial agent registration is uniformly distributed over a four-hour interval from agent start time.

 

What actions can be performed on Devices and Servers?  

The following actions can be performed on devices by selecting the devices in the list, selecting an action from the drop-down list, and then clicking the Apply Action button.

  • Discovery

    The Discovery process gathers properties (OS versions, network properties, and so on) from the device to allow additional future functionality. The first discovery process begins for a device when the device becomes registered with Power365 which will automatically occur after the Device Agent has been installed, as long as the environment is properly configured.

    To select when the process will begin check Do not start before and then enter or select a date and time. If using the Do not start before option, the Discovery Status will be displayed as Queued in the Devices table and the "Do Not Start Before" column in the Device Jobs table will be populated with the selected date.

  • Set Target Environment

    The Set Target Environment action provides the ability to specify the target environment for the selected devices. The ReACL, Cache Credential, Offline Domain Join, Cutover, Cleanup, Rollback, and ReACL Rollback actions cannot be started for the selected devices if the target environment is not set.

    To set to the target environment, select a target environment for the selected devices from the list and click Save. The target environment can be cleared by selecting None from the list.

  • ReACL

    The ReACL process updates the Device’s domain user security ACL with the matching target user ObjectSID. User Profiles are only processed during Device Cutover, which is triggered automatically when running the Cutover Actions.

    Note: During device cutover, ReACL also processes the device’s domain user profiles for use by the matching target user after cutover.

    Note: It is recommended to remove or disable anti-virus software immediately prior to the ReACL process and only after a recent clean scan has been completed.

    Before ReACL can occur, the target Users and Groups which have permissions set on the Device must be migrated to the target.

    To select when the process will begin check Do not start before and then enter or select a date and time. If using the Do not start before option, the ReACL Status will be displayed as Queued in the Devices table and the "Do Not Start Before" column in the Device Jobs table will be populated with the selected date.

    Note: Two checks are performed at the start of the ReACL process. The first check is for invalid Source Profiles, which are logged as a WARNING and skipped. The second check is for invalid Target Profiles, where a user may have created a profile with the target account before their machine is ReACL’d and cut over. By default, this is logged as a FATAL ERROR and halts the ReACL process. It can be changed to a WARNING by editing the command in SQL to pass the -t switch.

    The ReACL Agent will automatically create two files on the device being ReACL’d, map.usr and map.gg. These files are used to find the source permissions and add the appropriate target permissions during the ReACL process. System groups, such as Domain\Domain Admins and Domain\Domain Users are included in the map.gg file for updating the group permissions during the ReACL process. If the Active Directory environment is non-English, the values in the sAMAccountName column of the BT_SystemGroup table in the SQL database will need to be changed after Directory Sync is installed to have the appropriate non-English values.

    If the Mapped Network Drive is being mapped via GPO or using an integrated credential such as the current Windows logon session, ReACL will create a warning entry in the log “…WARNING: The UserName value for drive U was empty and could not be mapped to the target user.” This warning does not mean that the mapped drive cannot be accessed after Cutover.

    Note: The user profile ReACL process is decoupled from actions against files and folders.

    ReACL will update all file and folder entries found on the machine except for the user profile folders, ntuser.dat, and usrclass.dat, even if the user profiles option is selected in the ReACL profile.

    Remaining ReACL activities against user profiles and registry are processed by a separate ReACL task when a cutover operation is performed.

  • Cache Credential

    The Cache Credentials process assigns a Cache Credentials job to workstation(s). See the Credential Cache and Offline Domain Join topic for more information.

  • Offline Domain Join

    The Offline Domain Join process is similar to the Cutover process for machines that are directly connected to the network. See the Credential Cache and Offline Domain Join topic for more information.

    Warning: Do not perform the Cutover process on Offline Domain Join workstations. The Offline Domain Join process takes the place of Cutover for workstations connecting via VPN.

  • Cutover

    The Cutover process moves a Device from the source domain to the new target domain.

    Check Ignore ReACL Status to cutover the device regardless of the ReACL status (otherwise the cutover process will not proceed if there is an error with ReACL process).

    Check Do not start before and then enter or select a date and time when the process will begin. If using the Do not start before option, the Cutover Status will be displayed as Queued in the devices table and the "Do Not Start Before" column in the Device Jobs table will be populated with the selected date. The Cutover process will begin as soon as possible if not using this option.

    Note: Devices should not be ReACL'd once they have been cutover to the Target. This is not a best practice and is not supported as this can cause problems with the registry and user profiles.

    Note: Certificates are not migrated with Device Cutover.

  • Microsoft Entra ID Cutover

    The Microsoft Entra ID Cutover process moves a Device from the source domain to an Azure target environment.

    Check Ignore ReACL Status to cutover the device regardless of the ReACL status (otherwise the cutover process will not proceed if there is an error with ReACL process).

    Check Do not start before and then enter or select a date and time when the process will begin. If using the Do not start before option, the Cutover Status will be displayed as Queued in the devices table and the "Do Not Start Before" column in the Device Jobs table will be populated with the selected date. The Cutover process will begin as soon as possible if not using this option.

    Note: Devices should not be ReACL'd once they have been cutover to the target. This is not a best practice and is not supported as this can cause problems with the registry and user profiles.

    Note: If the Entra ID Join profile has the Auto-Pilot Cleanup option selected, the Autopilot remove status must be completed before the Microsoft Entra ID Cutover action can be used.

  • AutoPilot Cleanup

    The AutoPilot Cleanup action clears existing Auto-Pilot provisioning information from the device. This must be done before the cutover if the source Entra ID Joined device is Autopilot-provisioned and the Entra ID Join Profile has the Auto-Pilot Cleanup option selected.

  • Set Intune Primary User

    The Set Intune Primary User action is used after the Device Cutover is completed to set the primary user.

  • Cleanup

    The Cleanup process removes the Source SIDs after the Cutover process completes.

    Note: Cleanup should be done when the migration project is completed. If a trust is in place, it can be broken before running the Cleanup process to test whether any application permissions break.

    In the Job Options window, click Apply to begin the Cleanup process as soon as possible. To select when the process will begin check Do not start before and then enter or select a date and time. If using the Do not start before option, the Cleanup Status will be displayed as Queued in the Devices table and the "Do Not Start Before" column in the Device Jobs table will be populated with the selected date.

  • Upload Logs

    Log files from the Active Directory Agent can be uploaded to the Active Directory Web Server using Microsoft BITS. To enable this functionality, the installer enables BITS Server Extensions for IIS and creates a virtual directory called DeviceLogs where all uploaded files will be stored.

    In the Job Options window, click Apply to begin the Upload Logs process as soon as possible. To select when the process will begin check Do not start before and then enter or select a date and time. If using the Do not start before option, the Do Not Start Before column in the Device Jobs table will be populated with the selected date.

    The logs will be stored in the configured Agent Logs Repository.

    The device logs will be zipped, and the file names will be in the following format with a unique file name: SMART-WIN7X86-1_201573111235.zip

  • Rollback

    The Rollback process moves a Device back to the original source domain and restores any modified network settings. The Device must have attempted Cutover for this explicit Rollback process to work.

    In the Job Options window, click Apply to begin the Rollback process as soon as possible. To select when the process will begin check Do not start before and then enter or select a date and time. If using the Do not start before option, the "Do Not Start Before" column in the Device Jobs table will be populated with the selected date.

    Note: Rollback is not supported for Entra ID Device Cutover.

  • ReACL Rollback

    The ReACL Rollback process rolls back all changes made by the ReACL process. ReACL Rollback can be performed on Devices that have completed the ReACL process.

    In the Job Options window, click Apply to begin the ReACL Rollback process as soon as possible. To select when the process will begin, check Do not start before and then enter or select a date and time. If using the Do not start before option, the "Do Not Start Before" column in the Device Jobs table will be populated with the selected date.

  • Status Resets

    Use the Status Resets action to reset the statuses of the selected devices.

  • Set Device ReACL Profile

    Use the Set Device ReACL Profile action to assign a Device ReACL profile to the selected devices.

  • Set Migration Wave

    Use the Set Migration Wave action to set a migration wave to the selected devices.

  • View Jobs

    Use the View Jobs action to view the device jobs of the selected devices.

    Note: Jobs can be canceled when the Status or Rollback Status is either Queued, Scheduled, Started, or In Progress.

  • View Profiles

    Use the View Profiles action to view the profiles of the selected devices.

  • View Properties

    After the Discovery process has been completed for a Device, you can view the properties of that Device.

    Click the Export All button to export the content of the window in Excel, text, CSV, or HTML format.

  • Custom Actions

    If any Custom Actions have been created for Devices, they will appear in the Actions menu.

    In the Job Options window, check Do not start before and enter a date if you do not want the job to begin immediately. Select the Admin Agent and the Agent Admin Credentials to use from the drop-down lists. The Cutover options will also appear if the selected Admin Agent action includes the Cutover action.
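As an added example (not code from the Quest documentation or product), the following PowerShell script is run on a device before the ReACL action is scheduled and reports the two profile conditions the ReACL process checks at start-up, as described under the ReACL action above: profiles that belong to target-domain accounts (logged as FATAL ERROR and halting ReACL unless the -t switch is applied) and source profiles that can no longer be resolved or whose folder is missing (logged as WARNING and skipped). The target domain SID parameter is an assumption you supply, and treating an unresolvable SID or missing folder as an "invalid Source Profile" is this example's interpretation, not a statement from the guide.

```powershell
# Added example, not part of the Quest documentation or product: a pre-flight
# check for the two profile conditions ReACL tests when it starts. Run it on the
# device (elevated) before scheduling the ReACL action.
# Assumption: $TargetDomainSid is the SID of the target domain (the DomainSID
# property returned by Get-ADDomain against the target forest); the default
# below is a placeholder.
param(
    [string] $TargetDomainSid = 'S-1-5-21-0-0-0'   # placeholder, replace with the real target domain SID
)

$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

$report = foreach ($key in Get-ChildItem -Path $profileListKey) {
    $sid = $key.PSChildName
    # Well-known service profiles (SYSTEM, LOCAL SERVICE, NETWORK SERVICE) are not domain user profiles
    if ($sid -notlike 'S-1-5-21-*') { continue }

    $path = (Get-ItemProperty -Path $key.PSPath -Name ProfileImagePath -ErrorAction SilentlyContinue).ProfileImagePath

    # Resolve the SID to an account; failure usually means the source account is gone
    # or its domain cannot be reached from this device
    $account = $null
    try {
        $account = ([System.Security.Principal.SecurityIdentifier] $sid).Translate([System.Security.Principal.NTAccount]).Value
    } catch { }

    $state = if ($sid.StartsWith("$TargetDomainSid-")) {
        'TARGET-PROFILE'    # ReACL logs this as FATAL ERROR and halts unless the -t switch is applied
    } elseif (-not $account -or -not $path -or -not (Test-Path -LiteralPath $path)) {
        'INVALID-SOURCE'    # assumption: the condition ReACL logs as WARNING and skips
    } else {
        'OK'
    }

    [pscustomobject]@{ Sid = $sid; Account = $account; ProfilePath = $path; State = $state }
}

$report | Sort-Object State, Account | Format-Table -AutoSize

if (@($report | Where-Object State -eq 'TARGET-PROFILE').Count -gt 0) {
    Write-Warning 'A profile for a target-domain account already exists on this device; ReACL will halt with a FATAL ERROR unless the -t switch is passed.'
}
```

Local accounts also carry an S-1-5-21 SID (the machine's own) and resolve to COMPUTERNAME\user, so they appear as OK; ReACL does not touch them. Running the check across a migration wave before scheduling ReACL lets you remove or rename a stray target profile, or decide deliberately to pass -t, instead of discovering the halt in the ReACL log.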

File Shares and Network Storage

What is the File Shares + Network Storage page used for?  

The File Shares + Network Storage screen allows you to ReACL File Share and Network Storage devices via a network share.

 

How is a File Share or Network Storage device added?  

To add a File Share or a Network Storage device:

  1. Select the Add icon. The File Share window appears.

  2. Enter values in the following fields:

    • UNC Path - the UNC path that will be the starting location for ReACL on the File Share computer
    • Device - The name of the Computer used to access the File Share computer. This computer must be local (same network, region, and so on) to the File Share device. This is a sAMAccountName, not an FQDN.
    • Username - The username to access the File Share device. UserPrincipalName values (user@domain.dom) or domain\username format are supported.
    • Password - the password used to access the File Share computer
  3. Click OK. The File Share device is added to the list.

 

What actions can be performed on File Shares and Network Storage devices?  

The following actions can be performed on File Shares and Network Storage devices by selecting the devices in the list, selecting an action from the drop-down list, and then clicking the Apply Action button.

  • ReACL

    The ReACL process updates the File Share’s domain user profiles for use by the matching target user after cutover.

    In the Job Options window, click Apply to begin the ReACL process as soon as possible. To select when the process will begin check Do not start before and then enter or select a date and time. If using the Do not start before option, the ReACL Status will be displayed as Queued in the File Share table and the "Do Not Start Before" column in the File Share Computer Jobs table will be populated with the selected date.

  • Cleanup

    The Cleanup process removes the Source SIDs after the Cutover process completes.

    In the Job Options window, click Apply to begin the Cleanup process as soon as possible. To select when the process will begin check Do not start before and then enter or select a date and time. If using the Do not start before option, the Cleanup Status will be displayed as Queued in the File Share table and the "Do Not Start Before" column in the File Share Computer Jobs table will be populated with the selected date.

  • ReACL Rollback

    The ReACL Rollback process rolls back all changes made by the ReACL process. ReACL Rollback can be performed on File Share computers that have completed the ReACL process.

    In the Job Options window, click Apply to begin the ReACL Rollback process as soon as possible. Check Do not start before and then enter or select a date and time when the process will begin. If using the Do not start before option, the Do Not Start Before column in the File Share Computer Jobs table will be populated with the selected date.

  • Set Share ReACL Profile

    Use the Set Share ReACL Profile action to assign a File Share ReACL profile to the selected devices.

  • View Jobs

    Use the View Jobs action to view the device jobs of the selected devices.

  • Custom Actions

    If any Custom Actions have been created for File Share, they will appear in the Actions menu.

How-To

Offline Domain Join (ODJ)

Normally, right after a Device is Cutover to a new domain, VPN users can’t log in to their workstation because Windows must be able to contact the target domain to authenticate against a domain controller for that very first login. Typically, a remote user not on the VPN would need to log in to their machine first and then establish a VPN connection.

Active Directory answers this problem by building on Microsoft’s Offline Domain Join (ODJ) process to allow a workstation to join a domain without contacting a Domain Controller. This solution is achieved by first creating an ODJ file for each workstation and then taking advantage of Windows’ ability to cache credentials. If users have logged in to the target domain previously, Windows can log them in again even if they can no longer reach a domain controller by using cached credentials.

Active Directory’s ODJ process has users pre-login to the new domain before the computer needs to be Cutover so the target credentials can be cached and used for the first post-Cutover login without the need to contact a domain controller first. Then when the administrator is ready to Cutover workstations using the ODJ Action, Active Directory allows the workstation to join the new domain without having the user connect to the corporate VPN and manually join their workstation to the new domain.

The computers that the ODJ process is being run on must have network connectivity to BOTH the source and target environments at the same time, at some point before cutover, in order for the Cache Credentials function to work properly.

Additionally, computers will be unable to save the cached credentials unless the source environment trusts the target environment. The AD Offline Domain Join Credential Cache Quick Start Guide provides guidance on configuring an AD trust to enable Offline Domain Join functionality.

1. CREATING ODJ FILES FOR EACH WORKSTATION  

The first step in the ODJ process is for an administrator to use Microsoft’s DJOIN utility to create a provisioning file. Only the provisioning part of the DJOIN process is needed. Complete information on DJOIN can be found here.

The Provision, Domain, Machine, and Savefile parameters are required at a minimum. There is the option to control where the target machine will be created using the MachineOU parameter as in the sample shown here.

DJOIN.EXE /Provision /Domain BTADLAB.com /Machine Sales220 /Savefile "\\server\odj-share\Sales220.txt" /MACHINEOU OU=SalesComputers,OU=Sales,DC=BTADLAB,DC=COM

The file must be saved in the ODJ folder in the Repositories path that was configured in the UI.

Generating these files can be completed for all in scope workstations early in the migration process.

WARNING: Be sure to name each text file with the exact matching machine name.
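The provisioning step above is usually repeated for every in-scope workstation, so as an added example (not code from the Quest documentation or product) here is a PowerShell script that runs the same DJOIN provisioning command for each machine in a list, saves every file as exactly <MachineName>.txt in the ODJ folder, and reports which provisioning calls failed. The CSV file, the repository path and the OU are placeholders you replace; the domain and OU values repeat the guide's sample command; djoin.exe and its /Provision, /Domain, /Machine, /MachineOU and /Savefile parameters are Microsoft's, as used in the sample above.

```powershell
# Added example, not part of the Quest documentation or product: generates one
# ODJ provisioning file per workstation with djoin.exe, named exactly
# <MachineName>.txt, in the ODJ folder under the configured Repositories path.
# Assumptions: the CSV path, repository path and OU are placeholders to replace;
# the domain and OU values repeat the guide's sample command. Run this as an
# account permitted to create computer objects in the target OU.
$Domain         = 'BTADLAB.com'
$MachineOU      = 'OU=SalesComputers,OU=Sales,DC=BTADLAB,DC=COM'
$OdjFolder      = '\\server\repositories\ODJ'   # placeholder: <Repositories path>\ODJ as configured in the UI
$MachineListCsv = '.\workstations.csv'          # constructed input with a single column: MachineName

if (-not (Test-Path -LiteralPath $OdjFolder)) {
    throw "ODJ folder '$OdjFolder' is not reachable; check the Repositories path configured in the UI."
}

$results = foreach ($row in Import-Csv -Path $MachineListCsv) {
    $machine = $row.MachineName.Trim()

    # A NetBIOS computer name is 1-15 characters and cannot contain \ / : * ? " < > | or whitespace
    if ($machine -notmatch '^[^\\/:*?"<>|\s]{1,15}$') {
        [pscustomobject]@{ Machine = $machine; Result = 'SKIPPED: invalid computer name' }
        continue
    }

    # The guide requires the file name to match the machine name exactly
    $saveFile = Join-Path -Path $OdjFolder -ChildPath "$machine.txt"
    if (Test-Path -LiteralPath $saveFile) {
        [pscustomobject]@{ Machine = $machine; Result = 'SKIPPED: provisioning file already exists' }
        continue
    }

    # Only the provisioning half of DJOIN is needed; the agent consumes the file at ODJ time
    $output = & djoin.exe /Provision /Domain $Domain /Machine $machine /MachineOU $MachineOU /Savefile $saveFile 2>&1
    $ok = ($LASTEXITCODE -eq 0) -and (Test-Path -LiteralPath $saveFile)

    if ($ok) {
        $result = 'Provisioned'
    } else {
        $result = "FAILED (exit $LASTEXITCODE): $($output -join ' ')"
    }
    [pscustomobject]@{ Machine = $machine; Result = $result }
}

$results | Format-Table -AutoSize -Wrap
```

A provisioning file contains the credentials of the computer account it creates, so the ODJ folder should be readable only by the migration service and the administrators who generate the files. If a computer object for a name already exists in the target domain, djoin.exe refuses to provision it unless the /REUSE parameter is added; the script surfaces that as a FAILED row rather than silently overwriting anything.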

 

2. CONFIGURING THE CREDENTIAL CACHE PROFILE  

The next step is to configure the existing Default Credential Cache profile with the IP address of a Target domain controller, or to create a new profile for this setting.

From the Profiles page select Credential Cache Profiles. Click on Add to create a new profile, or Edit to modify an existing profile. If you choose to use the Default profile, you must edit it to include a Target DC IP address.

  • The Target Domain Controller Ping Interval setting determines how long the script will sleep before pinging the DC again.
  • The Timeout Before Job Failure setting determines the Credential Cache app timeout value that will be used for the job once downloaded to the agent managed machine.
  • The Timeout For User Credential setting determines how long the user is presented with a dialog box to enter their target domain credentials.

 

3. CACHE CREDENTIALS JOBS  

Now that a profile has been configured with a target DC IP address, we can assign a Cache Credentials job to each in scope workstation.

In the Devices list, select one or more Computers. Select Cache Credentials from the Actions dropdown menu and click the Apply Action button. The Credential Cache Options box appears.

Select a Credential Cache Profile.

A date and time for the Cache Credentials job can be chosen to run the job at a later time. This date/time combination represents the earliest time that this job could run.

If a date/time is not chosen, this job will run on the workstation the next time the agent checks for jobs.

The Devices list will reflect a status of "Queued". When the job is collected by the agent the status will change to "In Progress", and then finally it will transition to a status of "Completed" or "Failed".

On the workstation side, when the Cache Credentials Job is received, the user will be prompted to enter their target credentials. Below is an example of what the user will see when the Cache Credential job runs:

Figure 1: Enter Cutover Credentials

 

4. REACL  

Following Cache Credentials, the next recommended step is the ReACL process. The ReACL process can be run repeatedly as needed before ODJ, but it is recommended to run it at least once right after the Cache Credentials process is run.

In the Devices list, select one or more Computers. Select ReACL from the Actions dropdown menu and click the Apply Action button.

The Job Options box appears. A specific date/time combination can be chosen for when to run the job, or just click Apply Action to have this job received by the workstations during their next check for jobs.

 

5. OFFLINE DOMAIN JOIN JOB  

The final step is the actual Offline Domain Join job itself. This is similar to the Cutover process used for machines that are directly connected to the network.

WARNING: Do not perform the Cutover process on Offline Domain Join workstations. The Offline Domain Join process takes the place of Cutover for workstations connecting via VPN.

In the Devices list, select one or more Computers. Select Offline Domain Join from the Actions dropdown menu and click the Apply Action button.

The Job Options box appears. A specific date/time combination can be chosen for when to run the job, or just click Apply Action to have this job received by the workstations during their next check for jobs.

WARNING: The Offline Domain Join (Job Scheduling Options dialog box) start date and time must be set AFTER the Cache Credentials job (Cache Credential Options dialog box) start date and time.

The Offline Domain Join process does not support rollback.
