Converse agora com nosso suporte
Chat com o suporte

Preparing Migration 8.15 - System Requirements and Access Rights

Migration Manager Console Migration to Microsoft Office 365 License Server Migration Manager Database Servers Migration Manager Agent Servers Statistics Portal Server Resource Updating Manager Resource Updating Wizards Processed Platforms Additional Environment Security Configuration Ports Used by General Migration Manager Components Ports Used by Migration Manager for Exchange Components Ports Used by Migration Manager for Active Directory Components Ports Used by Resource Updating Manager Accounts Required for Migration Manager Operation Accounts Used by the Directory Synchronization Agent Source Accounts Used by Migration Manager for Exchange Agents Target Accounts Used by Migration Manager for Exchange Agents Agent Host Account Used by Legacy Migration Manager for Exchange Agents Agent Host Account Used by Migration Agent for Exchange (MAgE) Accounts Used for Migrating to Microsoft Office 365 Accounts Used by RUM Agent Service Accounts Used by RUM Controller Service Account Used by Statistics Collection Agent Service Accounts Used by Statistics Portal Accounts Accounts and Rights Required for Active Directory Migration Tasks Accounts and Rights Required for Exchange Migration Tasks Using the Exchange Processing Wizard with Exchange 2010 or later Appendix. How to Set the Required Permissions for Active Directory Migration

Accounts Used by RUM Controller Service

Migration Manager RUM Controller service account

Used To (By) Where Specified Rights and Permissions
  • Run the Migration Manager RUM Controller Service on the console computer
  • Access a computer to install or uninstall the Resource Updating Agent (only if no other account is explicitly specified for domain using the Project | Manage Domains Credentials option in the Resource Updating Manager console menu)
Project | Manage Controller Credentials option in the Resource Updating Manager console menu.
  • Must be a member of the local Administrators group on the computer running the Resource Updating Manager.
  • Must have Full Admin access rights on ADAM/AD LDS database.

Local account

Used To (By) Where Specified Rights and Permissions
This account must be created only if computer running Migration Manager RUM Controller Service (in fact, computer running Migration Manager console) and computers running Migration Manager RUM Agent Service (workstations and servers to be processed) are located in different domains of different forests without trusts established between them.

On computer running Migration Manager RUM Controller Service.

Create local account with the same name and password as Migration Manager RUM Agent service account has.

 Must be a member of the local Administrators group on the computer running the Resource Updating Manager.

Account Used by Statistics Collection Agent Service

Statistics Collection Agent service account

Description Where Specified Rights and Permissions

Used to start and run the Statistics Collection Agent service on the server where the agent is installed

During Statistics Collection Agent setup
  • Member of the local Administrators group on the server where the agent is installed
  • Log on as a service right enabled on the server on which the agent is installed.

To verify that this right is granted, do the following:

  1. Start the Local Security Settings snap-in.
  2. In the left pane, select User Rights Assignment under the Local Policies node.
  3. Double-click the Log on as a service right in the right pane. Verify that the Statistics Collection Agent service account is in the list of accounts that are granted the right. If it is not, add it.

NOTE: The Statistics Collection Agent service account can be changed on the Server page of the Statistics Collection Agent Properties dialog box.

Accounts Used by Statistics Portal Accounts

The account used to configure the Statistics Portal from the Open Project Wizard must be a member of local Administrators group on the IIS server on which the portal is installed.

Statistics Portal account to connect to ADAM/AD LDS project partition

Description Where Specified Rights and Permissions

Used to connect to ADAM/AD LDS

 When you configure Statistics Portal (create a new portal configuration)

Requires Full Control rights in the project.

Statistics Portal account to connect to the SQL configuration database

Description Where Specified Rights and Permissions
Used to connect to the SQL configuration database to read the statistical information When you configure Statistics Portal (create a new portal configuration)

At least the db_datareader role on the configuration database.

Important: Only SQL Server authentication is supported for this operation by the Statistics Portal Server. AD-integrated authentication (Windows authentication) is not supported.

IMPORTANT: To see statistical information on a particular directory or Exchange synchronization job or on a resource processing task, a user must be delegated at least the Reader role at the Migration Project, Directory Migration, or domain pair node in the migration project, regardless of whether a delegated migration task for that user has been created. For more information on Migration Manager delegation model, refer to the Delegating Migration Tasks section of the Migration Manager for Active Directory User Guide.

Accounts and Rights Required for Active Directory Migration Tasks

Migration Manager for Active Directory requires administrative access for the source and target domains, processed servers, and workstations.

Migration Manager for Active Directory allows you to use different administrative accounts to access domains and computers involved in migration. For directory migration and synchronization Migration Manager uses the source and the target Active Directory accounts to access the source and the target domains, respectively.

The table below shows what privileges each account must have. To learn how to set these permissions, please see Appendix. How to Set the Required Permissions for Active Directory Migration and Exchange environment preparation documents.

Directory migration

Accounts Involved Requirements How To Grant

Source and target Active Directory accounts

 Administrative access to each source and target domain involved in Active Directory migration

We recommend that you to create a new user account for the migration activities in each source and target domain instead of using an existing one. Add these accounts to the domain’s local Administrators group in the corresponding domains. For details, see Appendix. How to Set the Required Permissions for Active Directory Migrationand dedicated Exchange environment preparation documents..

Note: If you have established two-way trusts between each source and target domain or forest trust, you can grant this single account administrative access to each source and target domain.

Important: This powerful account must be maintained closely and should be deleted after the project is complete. It is recommended that this account be owned by one individual and one backup individual (or as few individuals as possible).

Distributed resource update

Accounts Involved Requirements
The account used to update a computer

Member of the computer’s local Administrators group

Migration Manager RUM Controller Service account
  • Member of the local Administrators group on the computer running the Resource Updating Manager
  • Full Admin access rights on the ADAM/AD LDS database access rights on the ADAM/AD LDS database

Exchange update

Full Exchange Administrator role for the Exchange organization

Intraforest mailbox reconnection

Accounts Involved Requirements
The account that the DSA uses to connect to the source domain Full Control for the Exchange store where the reconnected mailboxes reside

SMS update

Accounts Involved Requirements
The account used to process the SMS server Administrative rights to all SMS classes

SQL update

Accounts Involved Requirements
Account used to process SQL server Member of the sysadmin role

SharePoint permissions processing

Accounts Involved Requirements How To Grant
The account used to reassign SharePoint permissions after migration

For SharePoint versions prior to 2010:

  • Member of the SharePoint administration group on SharePoint server
  • Member of the local Administrators group on the computer running the SharePoint permissions processing

For SharePoint 2010:

  • Member of the Farm Administrators group on SharePoint server
  • Full Control permission on User Profile Service Application
  • Member of the local Administrators group on the computer running the SharePoint permissions processing

How to specify the SharePoint administration group:

  1. On the server that is running SharePoint Products, click Start, point to Administrative Tools, and then click SharePoint Central Administration.
  2. Under Security Configuration, click Set SharePoint administration group.
  3. In the Group account name box, type the domain group you want to allow to administer.
  4. Click OK.

For more information about Central Administrator group for SharePoint, see the following Microsoft KB article: Managing the SharePoint Administration Group.

How to add user account to the Farm Administrators group:

  1. On the server that is running SharePoint Products, click Start, point to Administrative Tools, and then click SharePoint Central Administration.
  2. Under Security click Manage the farm administrators group.
  3. Expand the New menu, and then click Add Users.
  4. On the Add Users page, in the Add Users section, specify user accounts which should be added to the Farm Administrators group.
  5. Click OK.

How to grant user account the Full Control permission on User Profile Service Application:

  1. On the server that is running SharePoint Products, click Start, point to Administrative Tools, and then click SharePoint Central Administration.
  2. Click Application Management.
  3. Then click Manage service applications.
  4. Select User Profile Service Application.
  5. Click Permission and grant the Full Control permission to desired user account.
  6. After that, click Administrators and grant the Full Control permission to the user account.
Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação