지금 지원 담당자와 채팅
지원 담당자와 채팅

Migrator Pro for Active Directory 20.11.2 - User Guide

User Management

The User Management page allows you to enable role-based access control. When using role-based access control, users can be assigned a role to limit actions and access to information in the application.

 

The User Management page can be accessed by selecting Manage Roles under Settings in the action menu. This page is visible to all users if no Global Administrators have been defined and only to Global Administrators when one or more have been defined.

 

User Roles

Global Administrator

  • Allows creation of new profiles
  • Allows modification of configuration in the application/database for all profiles
  • Allows creation or modification of Cutover activities and custom actions for all profiles
  • Can submit migration events, including ReACL and Cutover actions for workstations, as well as user Cutover actions (enable/disable) for all profiles
  • All configuration pages can be accessed

 

Profile Administrator

  • Cannot create of new profiles
  • Can submit migration events, including ReACL and Cutover actions for workstations, as well as user cutover actions (enable/disable)
  • All configuration pages can be accessed
  • Allow modification of configuration in the application/database
  • Allow creation or modification of Cutover activities and custom actions

 

Migration Operator

  • Can submit migration events, including ReACL and Cutover actions for workstations, as well as user cutover actions (enable/disable)
  • Configuration pages cannot be accessed
  • Cannot modify configuration in the application/database
  • Cannot create or modify Cutover activities and custom actions

 

Read Only User

  • Can view directory synchronization results and logs
  • Can view Active Directory Cutover status
  • Configuration pages cannot be accessed
  • Cannot modify configuration in the application/database
  • Cannot create or modify Cutover activities and custom actions

Troubleshooting

  • Problem: What do you do when a user tries to use a network printer post ReACL process and/or Cutover and receives an access denied error?

    Solution: Synchronize the SID History for that User to resolve the problem.

  • Problem: ASP.NET will sometimes not register properly with IIS, which can cause errors when the Migrator Pro for Active Directory Agent tries to communicate with the Web Service. How do I address this?

    Solution: During installation, the installer needs to enable the IIS feature for the Server if the feature was not enabled so that web-service can be installed and configured. To address this problem, you should manually re-register the ASP.NET with IIS. To do this, run the below command on the server under C:\Windows\Microsoft.NET\Framework\v4.8:

    aspnet_regiis -i

  • Problem: What do I do if the Agent_<datetime>.log shows an Error: Login failed for user 'IIS APPPOOL\ADM AppPool' in System.Data.SqlClient.SqlException?

    Solution: To fix this:

    1. Open SQL Management Studio where Directory Sync Pro for Active Directory databases were setup
    2. Go to SQL Server Security -> Logins
    3. New Login
    4. User name: IIS APPPOOL\ADM AppPool

    5. Click on User Mappings

    6. Select BTCodex for the database

    7. Select db_datareader and db_datawriter for Roles

    8. Click OK

    9. Restart the Agent on the workstation or wait for the next polling interval

  • Problem: Observed Access Denied error when trying to ReACL a Windows NAS Shared Drive.

    Solution: To fix this:

    1. Add the user credential in the NAS Profile screen in the Migrator Pro for Active Directory Console. This user should be installed on a workstation with Local Admin Rights
    2. After the Agent is installed on the workstation, change the Migrator Pro for Active Directory Agent Service account from Local System to the user credential specified in step 1. This user should also be logged in on the workstation as well
    3. Turn off UAC on the workstation
    4. ReACL the Windows NAS Shared Drive
  • Problem: Users are getting an error message that their Recycle Bin has been corrupted once their computer has been migrated.

    Solution: This is a common issue with Domain Migrations and is caused when the Recycle Bin is not empty. This is happening because the name of the Recycle Bin is the user’s SID and the Recycle Bin cannot be ReACL’d. After the workstation has been ReACL’d and migrated when the user logs on, if the existing Recycle Bin is not empty the user cannot access it. But if the existing Recycle Bin is empty a new one is created and the Target user’s SID is the name of the Recycle Bin.

    Resolution: Empty the Recycle Bin as part of the Cutover process

  • Problem: Directory Sync Pro for Active Directory does not start if SQL Authentication method is used with Windows Authentication.

    Solution: Manually add the computer account to the SQL server and grant it the sysadmin role. To accomplish this, perform the following steps.

    1. Via the SQL Management Studio, open a new query window and enter the below script
    2. CREATE LOGIN [Domain\machine_name$] FROM WINDOWS
    3. Via the Security and Logins, locate the newly created Computer Name
    4. Grant this user with sysadmin role
  • Problem: A workstation that has been successfully cutover no longer responds to any additional jobs, such as Cleanup.

    Solution: If a workstation that has been successfully cutover now fails to respond to any additional jobs, such as Cleanup, check the Application event log. If you see a "The remote name could not be resolved" error, this most likely means that the SRV record for the Migrator Pro for Active Directory Server can no longer be resolved due to a DNS lookup failure.

    If you cannot "Ping" the Migrator Pro for Active Directory server from any other machines in the target domain, then you will need to remedy this on a more global scale, such as creating a conditional forwarder on the target machines' current DNS server pointing to the appropriate location.

    If you are able to "Ping" the Migrator Pro for Active Directory server, then check the Network Profile that was used during the Cutover to verify that the DNS settings were correct in that profile.

Password Sync Troubleshooting

  • Problem: If you encounter "Access is denied" errors when syncing passwords with Directory Sync Pro for Active Directory.

    Solution: This is most likely because the utility (psexec.exe) used for remote calls to the Global Catalog is failing. Some things you can try are:

    1. Try the GC server's IP address, FQDN and Shortname. IP address often works when others do not.
    2. From the Directory Sync Pro for Active Directory machine browse to \\[GC]\admin$ with the admin username\password
    3. Run the Directory Sync Pro for Active Directory service with credentials that have access to the GC instead of as LocalSystem
    4. Firewalls\Anti-Virus software should not be a problem but turning them off may help

Migrator Pro for Active Directory Agent Installation Troubleshooting

  • Problem:The Computer registers, but does not get discovered (Discovery Status remains blank in the Migrator Pro for Active Directory console).

    Solution: Install PowerShell 2.0 or higher on the client. Operating systems earlier than Windows 7 do not natively include PowerShell.

  • Problem: During manual installation, a "wizard interrupted" error appears.

    Solution: Install .NET 4.5.2 or higher on the client and run the installer again.

  • Problem: After a successful manual install, an "Unable to register" error appears in the Event Viewer.

    Solution: Verify the path to the Migrator Pro for Active Directory server is correct and complete.

  • Problem: After a successful manual install, an "Unable to auto-discover" error appears in the Event Viewer.

    Problem: The SRV records are missing, incorrect, or unreachable. Verify SRV records are set up properly.

Migrator Pro for Active Directory BITS Troubleshooting

  • Problem: The Migrator Pro for Active Directory UI issued the ‘Upload Logs’ command to the Agent for a device, but nothing was uploaded to the web server.

Solutions:

   From the IIS Web Server where Migrator Pro for Active Directory Web Service is installed:

  1. Open IIS Manager.
  2. Verify that Default Web Site > adm > DeviceLogs exists
    1. Verify there is a BITS Uploads option icon in the Feature View (at the bottom)

      If not, use PowerShell to install

      Import-Module ServerManager

      Add-WindowsFeature BITS-IIS-Ext

    2. Verify in the BITS Upload view, that "Allow clients to upload files" is checked

 

  1. Open IIS Manager
  2. Go to Default Web Site -> adm -> DeviceLogs
  3. Click on Basic Settings in the right pane
    1. Verify the Application Pool is set to "ADM AppPool"
  4. Click on Edit Permissions -> Security tab
    1. Verify the IUSR account is in the list and has the following permissions: Modify, Ready & execute, List folder contents, Read, Write

   On the Device where the ‘Upload Logs’ command was issued:

  1. Navigate to C:\Program Files (x86)\Binary Tree\ADPro Agent\Files
  2. Open the agent_<date>.log in Notepad
    1. Verify the URI for the server /api and /devicelogs location is correct

 

  1. Navigate to C:\Program Files (x86)\Binary Tree\ADPro Agent\Files
  2. Open the PowerShell-<date>-<time>-BT-UploadLogs.log file
    1. Check for problems or errors

 

  1. Go to Start -> Run -> services.msc
  2. Verify the Background Intelligent Transfer Service is started

Additional Information

Cutover Job Result Codes

Result Code Error Rollback Possible
1 Unidentified Error - PowerShell Command Error No
2 Source Domain could not be contacted No
4 Bad Source Credentials No
8 Target Domain could not be contacted No
16 Bad Target Credentials No
32 Target DNS Server could not be contacted or could not resolve the target DNS domain No
64 Change Obtain DNS by DHCP  
128 Set DNS Server IPs  
256 Set WINS Servers  
512 Register NIC with DNS  

1024

Clear DNS Suffix Search List / Set to use NIC  
2048 Set Alternate DNS Suffix List  
4096 Enable Dynamic DNS Registration  
8192 Set NIC Specific DNS Suffix  
16384 Domain Disjoin Failed  
32768 Domain Join Failed  
65536 Source domain name does not match the system's domain No
131072 Computer Reboot failed  
262144 Target Domain Name could not be resolved via existing DNS, and new DNS Servers were not provided No

An odd numbered result code represents an error running the Cutover PowerShell script. The most common cause of an odd numbered result code during Cutover is that the computer either has no network card with a default gateway or more than one network card with a default gateway.

Result codes are additive. There are likely multiple errors if the result code is not represented in the table.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택