サポートと今すぐチャット
サポートとのチャット

Preparing Migration 8.15 - System Requirements and Access Rights

Migration Manager Console Migration to Microsoft Office 365 License Server Migration Manager Database Servers Migration Manager Agent Servers Statistics Portal Server Resource Updating Manager Resource Updating Wizards Processed Platforms Additional Environment Security Configuration Ports Used by General Migration Manager Components Ports Used by Migration Manager for Exchange Components Ports Used by Migration Manager for Active Directory Components Ports Used by Resource Updating Manager Accounts Required for Migration Manager Operation Accounts Used by the Directory Synchronization Agent Source Accounts Used by Migration Manager for Exchange Agents Target Accounts Used by Migration Manager for Exchange Agents Agent Host Account Used by Legacy Migration Manager for Exchange Agents Agent Host Account Used by Migration Agent for Exchange (MAgE) Accounts Used for Migrating to Microsoft Office 365 Accounts Used by RUM Agent Service Accounts Used by RUM Controller Service Account Used by Statistics Collection Agent Service Accounts Used by Statistics Portal Accounts Accounts and Rights Required for Active Directory Migration Tasks Accounts and Rights Required for Exchange Migration Tasks Using the Exchange Processing Wizard with Exchange 2010 or later Appendix. How to Set the Required Permissions for Active Directory Migration

Account Used by Statistics Collection Agent Service

Statistics Collection Agent service account

Description Where Specified Rights and Permissions

Used to start and run the Statistics Collection Agent service on the server where the agent is installed

During Statistics Collection Agent setup

  • Member of the local Administrators group on the server where the agent is installed
  • Log on as a service right enabled on the server on which the agent is installed.

To verify that this right is granted, do the following:

  1. Start the Local Security Settings snap-in.
  2. In the left pane, select User Rights Assignment under the Local Policies node.
  3. Double-click the Log on as a service right in the right pane. Verify that the Statistics Collection Agent service account is in the list of accounts that are granted the right. If it is not, add it.

NOTE: The Statistics Collection Agent service account can be changed on the Server page of the Statistics Collection Agent Properties dialog box.

Accounts Used by Statistics Portal Accounts

The account used to configure the Statistics Portal from the Open Project Wizard must be a member of local Administrators group on the IIS server on which the portal is installed.

Statistics Portal account to connect to ADAM/AD LDS project partition

Description Where Specified Rights and Permissions

Used to connect to ADAM/AD LDS

When you configure Statistics Portal (create a new portal configuration)

Requires Full Control rights in the project.

Statistics Portal account to connect to the SQL configuration database

Description Where Specified Rights and Permissions
Used to connect to the SQL configuration database to read the statistical information When you configure Statistics Portal (create a new portal configuration)

At least the db_datareader role on the configuration database.

Important: Only SQL Server authentication is supported for this operation by the Statistics Portal Server. AD-integrated authentication (Windows authentication) is not supported.

IMPORTANT: To see statistical information on a particular directory or Exchange synchronization job or on a resource processing task, a user must be delegated at least the Reader role at the Migration Project, Directory Migration, or domain pair node in the migration project, regardless of whether a delegated migration task for that user has been created. For more information on Migration Manager delegation model, refer to the Delegating Migration Tasks section of the Migration Manager for Active Directory User Guide.

Accounts and Rights Required for Active Directory Migration Tasks

Migration Manager for Active Directory requires administrative access for the source and target domains, processed servers, and workstations.

Migration Manager for Active Directory allows you to use different administrative accounts to access domains and computers involved in migration. For directory migration and synchronization Migration Manager uses the source and the target Active Directory accounts to access the source and the target domains, respectively.

The table below shows what privileges each account must have. To learn how to set these permissions, please see Appendix. How to Set the Required Permissions for Active Directory Migration and Exchange environment preparation documents.

Directory migration

Accounts Involved Requirements How To Grant

Source and target Active Directory accounts

Administrative access to each source and target domain involved in Active Directory migration

We recommend that you to create a new user account for the migration activities in each source and target domain instead of using an existing one. Add these accounts to the domain’s local Administrators group in the corresponding domains. For details, see Appendix. How to Set the Required Permissions for Active Directory Migrationand dedicated Exchange environment preparation documents..

Note: If you have established two-way trusts between each source and target domain or forest trust, you can grant this single account administrative access to each source and target domain.

Important: This powerful account must be maintained closely and should be deleted after the project is complete. It is recommended that this account be owned by one individual and one backup individual (or as few individuals as possible).

Distributed resource update

Accounts Involved Requirements
The account used to update a computer

Member of the computer’s local Administrators group

Migration Manager RUM Controller Service account
  • Member of the local Administrators group on the computer running the Resource Updating Manager
  • Full Admin access rights on the ADAM/AD LDS database access rights on the ADAM/AD LDS database

Exchange update

Full Exchange Administrator role for the Exchange organization

Intraforest mailbox reconnection

Accounts Involved Requirements
The account that the DSA uses to connect to the source domain Full Control for the Exchange store where the reconnected mailboxes reside

SMS update

Accounts Involved Requirements
The account used to process the SMS server Administrative rights to all SMS classes

SQL update

Accounts Involved Requirements
Account used to process SQL server Member of the sysadmin role

SharePoint permissions processing

Accounts Involved Requirements How To Grant
The account used to reassign SharePoint permissions after migration

For SharePoint versions prior to 2010:

  • Member of the SharePoint administration group on SharePoint server
  • Member of the local Administrators group on the computer running the SharePoint permissions processing

For SharePoint 2010:

  • Member of the Farm Administrators group on SharePoint server
  • Full Control permission on User Profile Service Application
  • Member of the local Administrators group on the computer running the SharePoint permissions processing

How to specify the SharePoint administration group:

  1. On the server that is running SharePoint Products, click Start, point to Administrative Tools, and then click SharePoint Central Administration.
  2. Under Security Configuration, click Set SharePoint administration group.
  3. In the Group account name box, type the domain group you want to allow to administer.
  4. Click OK.

For more information about Central Administrator group for SharePoint, see the following Microsoft KB article: Managing the SharePoint Administration Group.

How to add user account to the Farm Administrators group:

  1. On the server that is running SharePoint Products, click Start, point to Administrative Tools, and then click SharePoint Central Administration.
  2. Under Security click Manage the farm administrators group.
  3. Expand the New menu, and then click Add Users.
  4. On the Add Users page, in the Add Users section, specify user accounts which should be added to the Farm Administrators group.
  5. Click OK.

How to grant user account the Full Control permission on User Profile Service Application:

  1. On the server that is running SharePoint Products, click Start, point to Administrative Tools, and then click SharePoint Central Administration.
  2. Click Application Management.
  3. Then click Manage service applications.
  4. Select User Profile Service Application.
  5. Click Permission and grant the Full Control permission to desired user account.
  6. After that, click Administrators and grant the Full Control permission to the user account.

Accounts and Rights Required for Exchange Migration Tasks

This section lists the tasks that will be performed during Exchange migration, and names the required accounts.

Migration Manager for Exchange agents work with different servers on the network. They create and modify Exchange and Active Directory objects and work with mailboxes and public folders. To accomplish all these tasks, the agents must have the appropriate permissions.

Migration Manager for Exchange allows you to use different administrative accounts for different purposes. Exchange data is migrated by the Exchange agents, which use the Exchange and Active Directory accounts.

Enumerate source and target Exchange organizations (added to the migration project)

Accounts Involved Requirements How To Grant

Account intended to enumerate organizations (specified while adding source and target organizations to migration project; see the Registering Source and Target Organizations section of the Migration Manager for Exchange User Guide for details)

Note: This account will be set by default as the Exchange account, Active Directory account and Agent Host account for all the Exchange servers in the registered organization for subsequent migration. If you do not want to change the Exchange account after the organization is registered for each server, grant this account the permissions required for Exchange migration.

Read access to Active Directory (sufficient to read the Exchange configuration)

To grant an account this permission, complete the following steps:

  1. In the Active Directory Users and Computers snap-in, right-click the domain name, and then click Properties on the shortcut menu.
  2. On the Security tab, click Add and select the account to which you wish to assign permissions.
  3. Select the account name, and then enable Allow option for the Read permission in the Permissions box.
  4. Click the Advanced button. In the Advanced Security Settings dialog, select the account you specified in step 2 and click Edit.
  5. In the Permissions Entry dialog, select This object and all child (descendant) objects from the Apply onto drop-down list, and click OK.
  6. Close the dialog boxes by clicking OK.

Migrate Exchange data (using Migration Manager for Exchange agents)

Accounts Involved Requirements How To Grant
Exchange and Active Directory accounts (source and target) Rights and permissions sufficient to create and modify Exchange and Active Directory objects, to work with mailboxes and public folders, etc. You can create a single administrative account that has all the required permissions. For step-by-step instructions on creating such an account, please see dedicated Exchange environment preparation documents.
関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択