
On Demand Migration Current - Active Directory Offline Domain Join Credential Cache Quick Start Guide

Trust Creation

  1. From a Source Forest Domain Controller, launch Server Manager and, from the Tools drop-down menu, select Active Directory Domains and Trusts.


  2. In Active Directory Domains and Trusts, right-click the domain and choose Properties.

  3. On the domain properties sheet, click on the Trusts tab.
  4. Click New Trust, then on the Welcome to the New Trust Wizard page click Next.

  5. On the Trust Name page, enter the name of the forest you want to establish the trust with, click Next.

  6. On the Trust Type page click on External trust, click Next.

  7. On the Direction of Trust page choose One-way: outgoing, click Next.

  8. On the Sides of Trust page, setting the trust up for both domains at once requires administrative privileges in both domains, or the administrator account and password for both. In this example I will choose This Domain Only, then click Next.


  9. On the Outgoing Trust Authentication Level page, choose Selective authentication, click Next.

  10. On the Trust Password page, enter a password that the administrators from both forests have agreed upon as the trust password, click Next.


  11. On the Trust Selections Complete page click Next.
  12. On the Trust Creation Complete page click Next.
  13. On the Confirm Outgoing Trust page and the Confirm Incoming Trust page click Next. You will not be able to confirm the trust until the target side has been completed, unless you are creating both relationships at the same time.
  14. On the Completing the New Trust Wizard page click Finish.
  15. On the Domain Properties page, click Apply.

  16. Once the Forest Trust has been created, an administrator for the Target Forest must complete the same process, but for a one-way: incoming trust, using the password agreed upon when setting up the source side of the trust relationship.
  17. Once both sides have been set up, you can validate the relationship from the Source Forest Active Directory Domains and Trusts Properties view for the outgoing trust.

Configuring Authentication Permissions

With our Active Directory Trust configured and validated we can now move to setting up selective permissions for Cache Credentials to work with Offline Domain Join.

Configure Access Group

To limit which target accounts can use cached credentials, we will create a Domain Local group in the Source Environment and add the target accounts to it. Membership in this group controls which target user accounts can authenticate to source workstations.

  1. In Active Directory Users and Computers, create a Domain Local group.

  2. Open the group and add the target user accounts for all migrating source users. In the example below I am adding the target account for Alissa Loftis, who is a migrating user from the Source Forest.

  3. Once everyone's target user accounts have been added to the source domain local group, assign that group the right to authenticate on every OU containing workstations being migrated.
  4. Once you have found the OUs that need the permissions, right-click each OU and choose Properties.

  5. Click on the Security tab and choose Advanced.

  6. On the Advanced Security Settings screen click Add.

  7. Click Select a Principal and find the domain local group you created previously. Ensure the Type is set to Allow and Applies to is set to Descendant Computer Objects. Once the permissions have loaded, find and check the permission Allowed to authenticate. You may have to scroll down the list of available permissions to find it. Click OK once completed.

  8. Back on the Advanced Security Settings screen, click Apply and close both menus.
  9. Repeat this process for every OU that contains migrating workstations, so that each workstation allows the domain local group to authenticate and we can pre-cache their credentials prior to cutover.
  10. Once all the steps have been completed you should be able to successfully run the Cache Credentials action without error. If you are getting the below error for a workstation, ensure that the domain local group has been assigned the permission to authenticate to it.

Post Migration Cleanup

Once migrations have completed you can safely tear down the trust relationship and remove any assigned permissions for the domain local group.
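
To verify the OU permissions from Configure Access Group, and to confirm after cleanup that none remain, the following PowerShell audit lists every OU where the domain local group holds Allowed to authenticate. It is an added example, not part of the original guide; the group name and search base are hypothetical placeholders, and it assumes the ActiveDirectory RSAT module is installed.

```powershell
# Added example (not from the original guide): audit "Allowed to authenticate" ACEs on OUs.
Import-Module ActiveDirectory

# Assumptions: hypothetical values, replace with your own.
$GroupName  = 'SOURCE\ODM-CacheCred-Access'            # domain local group as NETBIOS\name
$SearchBase = 'OU=Workstations,DC=source,DC=example'   # root of the OUs holding migrating workstations

# Well-known directory GUIDs.
$AllowedToAuth = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'  # Allowed-To-Authenticate extended right
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class

function Get-AllowedToAuthAce {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $Identity
    )
    # Read the OU's DACL through the AD: drive and keep only Allow ACEs that
    # grant the Allowed-To-Authenticate extended right to the given identity.
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $AllowedToAuth
    }
}

# Walk every OU under the search base and report matching ACEs.
$report = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | ForEach-Object {
    $ou = $_.DistinguishedName
    foreach ($ace in Get-AllowedToAuthAce -DistinguishedName $ou -Identity $GroupName) {
        [pscustomobject]@{
            OU                = $ou
            Identity          = $ace.IdentityReference.Value
            AppliesTo         = $ace.InheritanceType                  # 'Descendents' for the setting in step 7
            ScopedToComputers = ($ace.InheritedObjectType -eq $ComputerClass)
            Inherited         = $ace.IsInherited
        }
    }
}

if ($report) { $report | Format-Table -AutoSize }
else { Write-Output "No 'Allowed to authenticate' ACEs found for $GroupName under $SearchBase." }
```

Before cutover, every OU with migrating workstations should appear with ScopedToComputers set to True; after cleanup, the report should be empty.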
