Prior to any migration of an Active Directory computer, there are a few Power365 Directory Sync requirements for inventorying your devices (computers). The first is your local on-premises environments or endpoints. To gain access to your devices from your on-premises Active Directory, you must create and securely connect your Environments.
For complete details on how to add an environment, click here.
The next required configuration for Power365 Directory Sync is to create a workflow that will inventory (read) your local on-premises Active Directory computers.
The final component required is to deploy at least one (1) Directory Sync agent, which will be used to securely communicate with and execute jobs (such as a read or write) against your local Active Directory.
For complete details on how to install an agent, click here.
By default, each computer being migrated will require outbound access to the public Internet to securely communicate with the Power365 services.
Important Tip: If your organization requires computers to communicate externally through a web proxy, see our web proxy configuration requirements.
Each computer being migrated will require the Power365 Migration for Active Directory device agent. This agent communicates with the Power365 services outbound over the following ports:
Active Directory migrations also require a variety of Microsoft defined ports for communication between domain controllers. For a complete list of required ports, click here.
Important Tip: For complete port information, review the Service overview and network port requirements for Windows documentation from Microsoft Support.
The following is required for any Active Directory Computer(s) (devices) that will be migrated.
Each Active Directory Computer that will be migrated must have an agent installed on the workstation to orchestrate local jobs that must occur to prepare and execute the workstation’s domain move.
All computers or servers being migrated to the new domain must run one of the following operating systems:
- Windows 7 SP1
- Windows 10
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- All client operating systems must have at least PowerShell 2.0 installed.
- All Devices must have .NET Framework 4.5.2 or newer installed. This will appear as ".NET 4.5.2 Extended" in the add/remove programs list.
- If not present, an appropriate version of .NET Framework will be installed during agent installation if an internet connection is available.
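The following added pre-flight script (not Quest's code) checks the device requirements listed above on a candidate workstation: supported operating system (including the SP1 condition for Windows 7), PowerShell 2.0 or later, and .NET Framework 4.5.2 or newer. The .NET check reads the documented `Release` value of the `NDP\v4\Full` registry key; 379893 is Microsoft's published value for 4.5.2. It uses only PowerShell 2.0 compatible constructs so it can run on the minimum supported version.

```powershell
# Added example, not part of the Power365 product. Run locally on the device being assessed.
$SupportedOS = @('Windows 7', 'Windows 10', 'Windows Server 2012', 'Windows Server 2016', 'Windows Server 2019')
$MinNetRelease = 379893   # "Release" registry value for .NET Framework 4.5.2 (Microsoft documented)

function Test-DeviceMigrationPrereqs {
    # Get-WmiObject rather than Get-CimInstance so this works on PowerShell 2.0
    $os = Get-WmiObject -Class Win32_OperatingSystem

    $osOk = $false
    foreach ($name in $SupportedOS) {
        # "Windows Server 2012" also matches "Windows Server 2012 R2"
        if ($os.Caption -like "*$name*") { $osOk = $true }
    }
    # Windows 7 is only supported at SP1; CSDVersion carries the service pack string
    if ($os.Caption -like '*Windows 7*' -and $os.CSDVersion -notlike '*Service Pack 1*') { $osOk = $false }

    $psOk = $PSVersionTable.PSVersion.Major -ge 2

    # .NET 4.5+ versions are all recorded under the v4\Full key; absent key means no 4.x Full profile
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $netRelease = $null
    if ($ndp -ne $null) { $netRelease = $ndp.Release }
    $netOk = ($netRelease -ne $null) -and ($netRelease -ge $MinNetRelease)

    # The agent installer can add .NET itself only if the device has Internet access,
    # so a failed .NET check on an isolated device must be remediated beforehand.
    New-Object PSObject -Property @{
        OperatingSystem = $os.Caption
        OSSupported     = $osOk
        PowerShell      = $PSVersionTable.PSVersion.ToString()
        PowerShellOk    = $psOk
        DotNetRelease   = $netRelease
        DotNetOk        = $netOk
        Ready           = ($osOk -and $psOk -and $netOk)
    }
}

Test-DeviceMigrationPrereqs | Format-List
```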
To successfully migrate a remote employee's device using the Offline Domain Join (ODJ) feature, the Cache Credential action must be run to collect the user's target credentials so that you can later cut over the device while it is disconnected from the network.
The following is required:
- A one-way external trust must be configured from the source domain to the target domain when the Cache Credential activity is processed. For more information about AD trusts, check out this MS Press article about configuring trusts.
- Network connectivity to both the source and target environments (Active Directory Domain Controllers) when the Cache Credential activity is processed.
Important Tip: Offline domain join files must be created prior to running the Offline Domain Join process. A full explanation of Microsoft’s Djoin.exe utility and how to create these files can be found here.
For complete details on how to set up ODJ, click here.
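Because the Cache Credential step silently depends on the trust and on reaching a domain controller in both domains, this added readiness check (not Quest's code) verifies both before the action is scheduled. It assumes the RSAT ActiveDirectory module on the admin workstation running it; the domain names are placeholders. It reports the trust's direction and type for you to confirm against the one-way external trust requirement rather than deciding that for you.

```powershell
# Added example, not part of the Power365 product. Requires the ActiveDirectory RSAT module.
function Test-CacheCredentialReadiness {
    param(
        [Parameter(Mandatory = $true)][string]$SourceDomain,   # placeholder, e.g. source.example.com
        [Parameter(Mandatory = $true)][string]$TargetDomain    # placeholder, e.g. target.example.com
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # 1. The source domain must hold a trust object naming the target domain.
    #    IntraForest trusts do not satisfy the "external trust" requirement.
    $trust = Get-ADTrust -Server $SourceDomain -Filter { Name -eq $TargetDomain }
    $trustOk = ($null -ne $trust) -and (-not $trust.IntraForest)

    # 2. A domain controller in each domain must be discoverable from this host,
    #    which is what the Cache Credential activity needs at processing time.
    $srcDc = $null
    $tgtDc = $null
    try { $srcDc = Get-ADDomainController -DomainName $SourceDomain -Discover -ErrorAction Stop } catch { }
    try { $tgtDc = Get-ADDomainController -DomainName $TargetDomain -Discover -ErrorAction Stop } catch { }

    [pscustomobject]@{
        TrustFound     = $trustOk
        TrustDirection = if ($trust) { $trust.Direction } else { $null }   # confirm this is the required one-way direction
        TrustType      = if ($trust) { $trust.TrustType } else { $null }   # expected: External
        SourceDC       = if ($srcDc) { "$($srcDc.HostName)" } else { $null }
        TargetDC       = if ($tgtDc) { "$($tgtDc.HostName)" } else { $null }
        Ready          = ($trustOk -and ($null -ne $srcDc) -and ($null -ne $tgtDc))
    }
}

Test-CacheCredentialReadiness -SourceDomain 'source.example.com' -TargetDomain 'target.example.com'
```

Run it from the same network location the Cache Credential activity will run from, since DC reachability is what is being tested.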
Some organizations require all computers that communicate externally to direct their traffic through a web proxy in order to centralize communications. Power365 Migration for Active Directory agents can be configured to use a web proxy for communication with the Power365 cloud services.
- At least one (1) standard web proxy that supports HTTP/TCP traffic.
- The associated web proxy URL must be defined during configuration of the device agent.
- If accessing the web proxy requires a separate username and password, these will be required during configuration of the device agent.
All agents configured to use a web proxy will utilize the following outbound TCP ports:
Important Tip: Additional bandwidth overhead may occur when a web proxy is utilized to centralize all traffic.
The following three Device Actions, when used, will require a defined storage share accessible from the source and target AD Forests/Domains:
- Upload Logs
- Device Download
- Offline Domain Join
For complete details on how to configure repositories, click here.
To begin set up of Power365 Migration for Active Directory you must first configure an environment. Environments are managed in Power365 Directory Sync.
Please visit the Environments topic for more information.
Important Tip: There are two key settings which pertain to Device objects that you must enable when configuring Source and Target Environments for Device migrations.
Define Scope: Under the Environment Settings, Organizational Units section, be sure you have included the OUs which contain the Device (computer) Objects you want discovered for migration.
Include Devices: Under the Environment Settings, in the Filters section be sure to check the checkbox next to Devices under the Include Objects header.
Please Note: Only Local Environment Device (computer) migrations are supported with Power365 Migration for Active Directory.
A workflow is a series of steps that ultimately lead to the migration of objects. Workflows are managed in Power365 Directory Sync. Please see the Workflows topic for more information.
For Power365 Directory Sync Workflows that will be used for Device migrations in Power365 Migration for Active Directory, most of the settings will be similar to the settings for other kinds of migrations. There are two key settings which pertain to Device objects that you must enable when configuring for Device migrations: Workflow steps and Template Object settings.
For a Device migration to be successful, the users and groups which have permissions to files on that machine must be in the Power365 Directory Sync database and have matching objects defined in the target. Otherwise, the Device ReACL process will not be able to correctly update the file access permissions on the device in preparation for moving to the new domain. It is not necessary to include User or Group objects in the same Workflow as Devices. Users and Groups will require the Read In, Match, Stage Data, and Write Out Workflow steps. Device objects themselves require, at minimum, only the Read In and Match steps.
A key part of Workflow settings which will apply to Device migrations are the Objects settings for the Template you use. In the Devices section of those Template Objects settings you can configure options to control how creation and updates of objects are handled.