Introduction to Resource Update
In Active Directory, permissions are assigned to users via Access Control Lists (ACLs). The list contains references to security identifiers (SIDs) of the accounts to which the rights are granted.
To ensure that resources will still be available to users when they start using their target accounts and when you have cleaned up SIDHistory, permissions granted to source accounts to access the resources must be re-assigned to the target accounts. This means that ACLs of all the resources in the network need to be processed to refer to the new SIDs.
Service accounts and accounts used to run scheduled tasks must also be changed to the corresponding target accounts to ensure that services and scheduled tasks will run correctly after the source accounts are disabled. This is done during the resource update phase.
The resources can be divided in two groups:
- Distributed resources, such as end-user workstations, file and print servers, servers running IIS, scheduled tasks, and other services and applications
- Production servers, such as Exchange server, SQL server, SharePoint server , Systems Management Server (SMS) and System Center Configuration Manager (SCCM).
To make the migration transparent to users, Migration Manager for Active Directory uses a set of tools to provide automated resource processing to reflect the domain reconfiguration. These tools are described in the table below.
| Resource Update Task | Description | Tool Used | Reference |
|---|---|---|---|
| Distributed resource update | Update ACLs for distributed resources, service accounts, user profiles, etc., including those residing on cluster servers | Resource Updating Manager | See the Delegating Resource Update topic. |
| Active Directory update | Update security descriptors for Active Directory objects in selected domains | Active Directory Processing Wizard | See the Active Directory Processing topic. |
| Exchange Server update | Update permissions set on Exchange 2000–2013 servers | Exchange Processing Wizard | See theExchange Server Processing topic. |
| Systems Management Server update | Update permissions on Systems Management Server and System Center Configuration Manager | SMS Processing Wizard | See the SMS Processing topic. |
| SQL Server update | Update permissions on SQL servers | SQL Processing Wizard | See the SQL Server Processing topic. |
| SharePoint permissions update | Reassign SharePoint permissions after your migration | SharePoint Permissions Processing Wizard | See theSharePoint Processing topic. |
Distributed Resource Update
Distributed resource update is the most time-consuming and requires the most planning. It is performed in the Resource Updating Manager console.
The typical scenario for working with Resource Updating Manager is as follows:
- Identify the computers to be processed and install resource processing agents on them.
- Organize the computers into collections for scheduling purposes.
- Schedule the processing and subsequent move operations for the collections.
- After the computers have been moved to the target domain, decommission the resource processing agents installed on them.
For details about using Resource Updating Manager, see the Distributed Updates in Resource Updating Manager topic.
Resource Updating Manager can be used centrally on the Migration Manager Console computer. You can also package and use a standalone Resource Updating Manager console. This lets you delegate the task to other administrators. For details, see the Delegating Resource Update topic.
Production Server Update
Production server-related tasks that do not involve Resource Updating Manager can be performed in two ways:
- Centrally, from the Migration Manager console. You need to create and start a resource processing task of the desired type, for that, refer the table in the Introduction to Resource Update topic. To create the task, in Migration Manager go to the Resource Processing | Tasks node and click the corresponding button in the right pane. For more detail, see the table in the Introduction to Resource Update topic.
- Locally, by delegating resource processing tasks to other persons, for example, to site administrators who are responsible for the resources in their location and already have the appropriate permissions to update them. There are two ways to delegate resource processing tasks:
- Create a setup package for a resource processing task and send it to the person who will update resources. That person installs the package and runs the task.
- Create a self-contained export INI file with the resource processing settings. Resource processing is later performed in stand-alone mode from the resource updating tool (see the table in the Introduction to Resource Update topic) or from the command line by specifying this INI file. Refer to the Delegating Resource Update topic for more details.
For more details, see the related topics:
- Selecting Objects for Processing Explicitly
- Delegating Resource Update
- Resource Update Considerations
- Active Directory Processing
- Exchange Server Processing
- SMS Processing
- SQL Server Processing
- Cluster Server Migration
- Command-Line Resource Update
- SharePoint Processing
Distributed Updates in Resource Updating Manager
Resource update is among the most challenging tasks of a migration. While directory data is usually centralized, the resources (servers and end-user workstations) may be spread over domains, sites, buildings, offices, and countries. Resource Updating Manager is the main tool that lets you automate the update of various resources in your network.
After performing a directory migration, Resource Updating Manager is used to update resources so that the new users have the same permissions in the target domain as the corresponding users have in the source domain.
Resource Updating Manager facilitates resource update by automating the following tasks:
- Processing of all the selected computers in parallel
- Updating permissions, ownership information, and auditing on registries, shares, folders, and printers
- Updating local group membership
- Updating user rights and privileges
- Updating local user profiles
- Updating roaming user profiles
- Updating services and scheduled tasks
- Updating Internet Information Services (IIS) permissions
- Updating DCOM and COM+ objects’ permissions
- Restoring to a previous state with advanced undo and cleanup
- Moving computer accounts to the target domain without rebooting them and changing the last logged-in domain to the target domain
- Processing published resources when moving computers to the target domain
The actual processing is done by Resource Updating Manager agents, which are deployed on the computers you need to process and controlled from the Resource Updating Manager console. To handle large, geographically dispersed networks, the agents can be distributed using Group Policy or SMS. One of the main features of Resource Updating Manager is parallel processing during resource migration: the actual resource processing is performed locally on each migrated computer. Because all the selected computers are updated simultaneously, 1000 resource servers can be updated in the same time required to update 10 servers.
|
|
NOTE: Legacy Components under the COM+ node are processed by Resource Updating Manager only if you select the DCOM option before starting resource processing. |
To start Resource Updating Manager, in Migration Manager console management tree expand the Resource Processing node and click Tasks. In the right pane of the Migration Manager console click Resource Updating Manager. Alternatively, run the application directly from the Start menu.
- セルフ・サービス・ツール
- ナレッジベース
- 通知および警告
- 製品別サポート
- ソフトウェアのダウンロード
- 技術文書
- ユーザーフォーラム
- ビデオチュートリアル
- RSSフィード