
Migration Manager for AD 8.14 - Resource Processing Guide


Option 1 (Cluster Server Migration)

  1. In the Resource Updating Manager console, add all cluster nodes to a new collection. Make sure you select only the actual nodes and not the virtual servers.

  2. Right-click on the collection and choose Create Task | Processing. In the Create Processing Task wizard, specify the processing settings. This task will process all resources except the cluster shares, cluster database, and cluster printers.

  3. Click on the Tasks tab in the right pane.

  4. Right-click on the newly created task and select Export Settings to File.

  5. Save the INI file in the desired location.

  6. Open the INI file in Notepad and verify that the settings are accurate and the file contains the desired objects only.

  7. Run the following command remotely from the console machine against each virtual server. Run it from the location where the Vmover.exe and Vmover.ini files reside:
    Vmover.exe /c /system=<Virtual_Server_Name> /ini=Vmover.ini
  8. Using Resource Updating Manager, move the nodes to the target domain (without rebooting). After a couple of minutes all nodes and the virtual server will appear in the target domain.

    NOTE: Always move all cluster nodes to the new domain simultaneously. Do not move a virtual server to the new domain. The Cluster Service account is not changed when a cluster server is moved to another domain.

  9. Reboot the passive node. Verify that the Cluster Service account on this node is changed to the target account.
  10. Restart the Cluster Service on the active node. Verify that the Cluster Service account on this node is changed to the target account.

    NOTE: During the restart of the service the resources will not be available.

  11. After a successful start of the Cluster Service on the active node, start the cluster service on the passive node.
  12. Move the resources to the passive node and reboot the active node.
  13. After the node restarts move the resources back.

Option 2 (Cluster Server Migration)

Follow steps 1–8 above. Then, instead of taking steps 9–13, reboot both nodes at the same time.

Whether you choose Option 1 or Option 2, the resources will be unavailable for a period of time, because the cluster service cannot run using two accounts (source and target). Both of the nodes should be running using the same account (either source or target), as Microsoft documentation states:

"The Cluster service on all nodes must be stopped and restarted during this procedure (changing the account under which the Cluster service runs). The Cluster service must use the same account and password at all times on all nodes within the cluster."

Refer to knowledge article 13599 on the Quest Support site for more details.

NOTE: Please pay attention when specifying the name of a cluster. Use the virtual cluster name, not the name of a node; otherwise, Vmover cannot verify that the computer is part of a cluster and will not process it.

Command-Line Resource Update

The command-line tool Vmover.exe, located in the %ProgramFiles(x86)%\Common Files\Aelita Shared\Migration Tools\Resource Updating\Agent folder (on 64-bit Windows) or %ProgramFiles%\Common Files\Aelita Shared\Migration Tools\Resource Updating\Agent folder (on 32-bit Windows) by default, can be used to update resources without installing an agent. The update can be performed directly from the command-line interface or via a logon script.

NOTE: On 64-bit Windows, an additional native 64-bit version of Vmover.exe is located in the %ProgramFiles(x86)%\Common Files\Aelita Shared\Migration Tools\Resource Updating\Agent\x64 folder.

Among the main applications of Vmover are the following tasks:

  • Updating remote resources
  • Processing roaming profiles
  • Processing file system permissions on non-Windows systems with Common Internet File System (CIFS)

To perform the updates, Vmover retrieves the source-target account pairs from the INI file or target accounts’ SIDHistory. The INI file also contains the required parameters. Some parameters can be set from the command line.

Processed Rights and Resources

This section describes which resources or rights can be processed by Vmover.

Parameters that define processing options for Vmover are specified under the [Options] section of the Vmover INI file. For an example of a Vmover INI file, see the What do the parameters and data stored in the vmover.ini mean KB article.

TIP: For more details on using Vmover, see the Command-Line Resource Update article.

The following table lists resources and rights that can be processed by Vmover on local and remote computers:

Parameter in Vmover INI          Processed rights/resources
LocalGroups=Yes/No               Local group membership
UserPrivileges=Yes/No            User rights
Services=Yes/No                  Service accounts
ScheduledTasks=Yes/No            Scheduled tasks
Profiles=Yes/No                  Local profiles
RoamingProfiles=Yes/No           Roaming profiles
Registry=Yes/No                  Registry
FileSystem=Yes/No                File system
ProcessFileSystemOwner=Yes/No    File ownership
Shares=Yes/No                    Shares
Printers=Yes/No                  Printers
COMPlus=Yes/No                   COM+
DCOM=Yes/No                      DCOM
IIS=Yes/No                       IIS

Local group membership

Vmover adds target accounts to the local groups that contain the corresponding source accounts.

User rights

Vmover assigns target accounts exactly the same user rights as the corresponding source accounts have.

Service accounts

For each Windows service Vmover updates the account that the service uses to log on. For example, if a service runs under SOURCE\User1 and User1 is migrated to the target domain, the account will be changed to TARGET\User1.

NOTE:

  • Account passwords are not updated in the service’s properties. Therefore, if source and target passwords of a service account are not the same, the corresponding service may not start after resource update.
  • If the service being processed at the moment is running under a source account while a user logs on under a new corresponding target account, duplicate profiles can be created.
  • The source account is replaced with the corresponding target account in the service’s properties whether or not the Leave source accounts' permissions option is turned on.

Scheduled tasks

Vmover processes scheduled task accounts and permissions. For example, if a task runs as SOURCE\User1 and User1 is migrated to the target domain, the task account will be changed to TARGET\User1.

Objects processed

For each scheduled task Vmover performs the following:

  • Updates scheduled task account (account under which task runs)
  • Duplicates the entry for the updated scheduled task account in the Credential Manager if the original account is present there
  • Processes accounts specified in the task’s triggers (if any)
  • Updates the permissions for the task file

NOTE:

  • If a scheduled task is running under a source account while a user logs in under a new corresponding target account, duplicate profiles can be created.
  • Source scheduled task accounts are replaced with the corresponding target accounts in the task’s properties whether or not the Leave source accounts' permissions option is turned on.

Local profiles

Vmover processes local profiles of source users.

Objects processed

For each local profile, Vmover performs the following steps:

  1. Vmover creates a new user profile for the corresponding target user that is linked to the same local profile file as the source user.

    NOTE: The paths to user profile files are stored in the ProfileImagePath values of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList sub-keys.

  2. Vmover processes the registry hive from each local profile file (ntuser.dat or ntuser.man) and also the registry hive from the UsrClass.dat file. For details on objects processed, see the Registry section.

Roaming profiles

Vmover updates roaming user profiles.

Objects processed

For each roaming profile found on a computer, Vmover performs the following steps:

  1. Vmover processes the registry hive from the roaming user profile file (ntuser.dat or ntuser.man) and also the registry hive from the UsrClass.dat file. For details on objects processed, see the Registry section.
  2. Vmover processes permissions for ntuser.dat and ntuser.man files. For details on permissions processed, see the File system and File ownership sections.

Registry

Vmover processes permissions for all keys in the HKEY_LOCAL_MACHINE subtree of the Windows Registry. If the processed computer is not a Windows cluster, keys from the HKEY_USERS subtree are processed as well.

Objects processed

Vmover grants target account exactly the same permissions as the corresponding source account has. The following properties are updated:

  • Discretionary Access Control List (DACL)
  • System Access Control List (SACL)
  • Owner
  • Primary group

NOTE: Owner and primary group are replaced whether or not the Leave source accounts' permissions option is turned on.

File system

Vmover updates permissions for files and folders located on local hard disk drives with NTFS or ReFS format.

Objects processed

Vmover grants target account exactly the same permissions on files and folders as the corresponding source account has. The following properties are updated for files and folders:

  • Discretionary Access Control List (DACL)
  • System Access Control List (SACL)
  • Primary group

NOTE:

  • Files and folders on CD/DVD disks, USB flash drives, RAM disks, network drives and so on are not processed.
  • The recycler, $recycle.bin, and System Volume Information folders are skipped during processing.
  • The drives of Windows clusters are supported.
  • Primary group is replaced whether or not the Leave source accounts' permissions option is turned on.

File ownership

The ownership of the files and folders in the file system is changed from the source account to the corresponding target account. For example, if a file owner is SOURCE\User1 and User1 is migrated to the target domain, the file owner will be changed to TARGET\User1.

The file owner is specified on the Owner tab of Advanced Security Settings dialog in the file or folder Properties.

NOTE: File ownership is replaced whether or not the Leave source accounts' permissions option is turned on.

Shares

Vmover updates share permissions.

NOTE: Local file system permissions for shares are not processed.

Printers

Vmover processes permissions for local printers and for network printer connections.

Objects processed

Vmover grants target account exactly the same permissions as the corresponding source account has.

The following properties are updated:

  • Discretionary Access Control List (DACL)
  • System Access Control List (SACL)
  • Owner
  • Primary group

NOTE:

  • Owner and primary group are replaced whether or not the Leave source accounts' permissions option is turned on.
  • Network printer connections permissions are processed only on computers running Windows Vista or later, and Windows Server 2008 or later.
  • Network printer connections permissions are not processed for clusters.

COM+

Vmover processes settings for all COM+ applications installed on a computer.

Objects Processed

For each installed COM+ application the following items are processed:

  • Account under which the application runs
  • Accounts assigned to roles

NOTE: Account under which the application runs is replaced in the application properties whether or not the Leave source accounts' permissions option is turned on.

DCOM

Vmover processes the DCOM security settings.

Objects Processed

The following computer-wide settings are processed:

  • Launch and Activation Permissions (both Limits and Defaults)
  • Access Permissions (both Limits and Defaults)

The following settings are processed for each DCOM application:

  • Launch and Activation Permissions
  • Access Permissions
  • Configuration Permissions
  • User account that is used to run the application

Corresponding registry entries processed by Vmover are:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole registry values:
    1. DefaultAccessPermission
    2. DefaultLaunchPermission
    3. MachineAccessRestriction
    4. MachineLaunchRestriction
  • For each sub-key in HKEY_CLASSES_ROOT\AppId:
    1. Key security (see Registry section for details)
    2. RunAs value
    3. AccessPermission value
    4. LaunchPermission value
    5. AccessPermissions value
    6. LaunchPermissions value

NOTE: User account (RunAs registry value) is replaced whether or not the Leave source accounts' permissions option is turned on.

IIS

Vmover processes IIS 6.0 metabase properties and IIS 7.x/8.x/10.0 settings.

Objects processed

IIS 6.0 metabase properties

The following IIS metabase properties are processed:

  • AdminAcl
  • AnonymousUserName
  • WAMUserName
  • UNCUserName
  • All properties that are explicitly specified in the Vmover INI file under [IIS Identifiers] (see product documentation for details).

NOTE: All properties except AdminAcl are replaced whether or not the Leave source accounts' permissions option is turned on.

IIS 7 or higher settings

For IIS version 7.0 or higher the following settings are updated:

  • Site or server settings:
    • ASP.NET–.Net Authorization Rules
    • ASP.NET–Providers (user name in connection strings)
    • ASP.NET–Session State (user name in connection strings)
    • ASP.NET–SMTP E-Mail
    • FTP–FTP Authentication
      • Anonymous Authentication (user name)
      • Basic Authentication (domain)
    • FTP–FTP Authorization Rules
    • FTP–FTP User Isolation (IIS 8 and higher)
    • IIS–Authentication
      • Anonymous Authentication (user name)
      • ASP.NET Impersonation (user name)
      • Basic Authentication (domain)
    • IIS–Authorization Rules
    • IIS–Logging–ODBC Logging
    • IIS–WebDAV Authoring Rules
    • Site Basic Settings (user name in Connect As)
    • Site Advanced Settings (user name in Physical Path Credentials)
  • Application pool settings:
    • Identity
    • Application Pools Default Identity
  • Management
    • IIS Manager Permissions
    • Shared Configuration
    • Centralized Certificates
IMPORTANT: If the IIS Metabase Compatibility component is installed for IIS 7 or higher, properties listed in the IIS 6.0 metabase properties above will be processed as well.

NOTE: All settings except rules (such as .Net Authorization Rules, etc.) are replaced whether or not the Leave source accounts' permissions option is turned on.
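
The [Options] parameters in the table and the per-category NOTEs above can be combined into a pre-flight check of an exported INI file before Vmover is run against it. The following Python script is an added example, not part of the Quest documentation or tooling: the sample INI text is constructed, the names audit_options, REPLACED_REGARDLESS and OTHER are hypothetical, and it assumes the [Options] section uses plain Key=Yes/No lines as shown in the table.

```python
import configparser

# Replaced even when "Leave source accounts' permissions" is on (per the NOTEs in this guide).
REPLACED_REGARDLESS = {
    "Services": "service logon account (password is not updated)",
    "ScheduledTasks": "scheduled task account",
    "Registry": "key owner and primary group",
    "FileSystem": "primary group",
    "ProcessFileSystemOwner": "file and folder owner",
    "Printers": "owner and primary group",
    "COMPlus": "account the COM+ application runs under",
    "DCOM": "RunAs account",
    "IIS": "all settings except AdminAcl and rules",
}
# Remaining parameters from the table; the guide has no such note for them.
OTHER = ["LocalGroups", "UserPrivileges", "Profiles", "RoamingProfiles", "Shares"]

# Constructed sample, not a real exported file.
SAMPLE_INI = """\
[Options]
LocalGroups=Yes
services=YES
ScheduledTasks=No
FileSystem=Yes
Sharez=Yes
"""

def audit_options(ini_text):
    """Return (enabled, flagged, unknown) for the [Options] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # keep key spelling as written, for reporting
    cp.read_string(ini_text)
    if not cp.has_section("Options"):
        raise ValueError("no [Options] section found")
    known = {k.lower(): k for k in list(REPLACED_REGARDLESS) + OTHER}
    enabled, unknown = [], []
    for key, value in cp.items("Options"):
        name = known.get(key.lower())
        if name is None:
            unknown.append(key)  # not one of the parameters in this guide's table
        elif (value or "").strip().lower() == "yes":
            enabled.append(name)
    # Enabled categories where source account references do not survive the update.
    flagged = {n: REPLACED_REGARDLESS[n] for n in enabled if n in REPLACED_REGARDLESS}
    return enabled, flagged, unknown

if __name__ == "__main__":
    for item in audit_options(SAMPLE_INI):
        print(item)
```

Flagged categories are the ones to review before the run: for Services in particular, the guide notes that passwords are not carried over, so a service may not start if the source and target passwords differ.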
