Migration Manager for AD 8.14 - Resource Processing Guide

Sorting Computers

This step is not required, but before you start resource processing you may want to revise your collections, depending on the statistics collected during computer discovery.

Create new collections if necessary, as described in the Specifying the Processing Scope topic, and use drag-and-drop to reorganize computers.

Processing Resources

After migrating the Active Directory data of the selected users and groups, you must update resources in Resource Updating Manager for the new users and groups so that they have the same permissions as the corresponding users and groups in the source domain.

NOTE: For a successful resource update you must have administrative rights over the computers involved in the process. See Obtaining Administrative Rights over the Computers for details.

In Resource Updating Manager, updates usually involve the following steps:

  1. Process the security settings.
  2. Move the computer to the target domain.
  3. Remove the old security settings.

This is done by applying tasks to computer collections. Tasks can be either scheduled or queued directly one after another. If you want to run an uninterrupted series of tasks on a collection, create these tasks for it in the order you want them to run, and use the Start now option as the schedule for each task. Alternatively, schedule these tasks in the correct order with very short intervals between them. This will queue the tasks individually for each computer in the collection.

Caution: There is a separate task queue for each instance of Resource Updating Manager. Your Resource Updating Manager console displays tasks created in other console instances, but cannot queue additional tasks after them.

Note that a queued task will wait for the preceding task to end, but if one of the tasks fails, then subsequent queued tasks will be cancelled.

Start Processing

Follow these steps to process the resources in Resource Updating Manager:

  1. In the Resource Updating Manager console management tree, right-click the node of the collection you want to process.
  2. Select Create Task | Processing in the shortcut menu. The Create Processing Task wizard starts.
  3. On the Task Action step, select the action you want to perform.
  4. On the Handling Rights and Resources step, select the types of rights and resources to process.
  5. On the Advanced Options step, you can use the Perform the task remotely (without agents) option to specify whether you want to use Resource Updating Manager agents for this task. Selecting this option will make sure that agents are not used on the computers where they are installed; instead, the task will be performed directly from the computer where this instance of Resource Updating Manager is installed. If the option is cleared, agents will be used; they will be installed on computers that do not have them.
    If you use agents, you also have the option of running custom scripts locally on the computers before and after the task.
    On the same step, the Show processing progress for individual computers option lets you enable the display of basic task progress information next to each computer list entry. Note that enabling this option increases network traffic, so using it for a large number of computers may be undesirable.
  6. On the next step you can specify when the task starts. You can start the task immediately by selecting the Start now option or select the Start at option to specify the date and time to start the operation.

    NOTE: If you are not using agents (the Perform the task remotely (without agents) option is selected on the Advanced Options step), the same step lets you specify the pending timeout for the task operation in case some computers are not accessible at the task start time (some computers may be turned off or behind a firewall, or you may be deploying an agent to the host via Group Policy, Systems Management Server or manually). If the task is not able to start before the deadline you set, Resource Updating Manager will cancel this task and all subsequent queued tasks for the inaccessible computers.

  7. On the Task Description step you can specify an optional task description.
  8. Click Finish to start processing.

You can review and edit the schedule and other settings for any task that has not started. To do so, right-click the task and select Edit Properties. In addition, you can run any task immediately, regardless of its schedule (see the Running Tasks Immediately topic).

For more details, see Configure Processing Settings.

While the resource update is in progress, you can safely quit Resource Updating Manager, because the tasks are performed on the remote computers. As soon as all the agents have finished performing the specified tasks, Resource Updating Manager will collect the logs from the processed computers.

Specifying Objects for Processing

By default, Resource Updating Manager will perform the updates for accounts (also referred to as security principals or objects) that were migrated by Migration Manager for Active Directory.

However, you can manually define the accounts you want to update the resources for. There are two ways to do that:

  • Manually select the accounts from the list of all migrated accounts
  • Specify an external file that contains a list of accounts

Selecting Accounts Manually

To manually select accounts to process resources for, right-click the collection or category node in the console management tree and click Operate with Selected Accounts. After that select the specific set of accounts to process.

Specifying Accounts from File

To specify an account matching file with accounts to process resources for, right-click the collection or category node in the console management tree and click Operate with Accounts from File. In the opened dialog box click Browse and select an account matching file.

The account matching file must contain a list of migration pairs in the following format, one pair per line:

SourceNetBIOSDomainName\SourceUserName,SourceUserSID,SourceUPN,SourceDomainDNSName,TargetNetBIOSDomainName\TargetUserName,TargetUserSID,TargetUPN,TargetDomainDNSName

The following is an example of a possible account matching file:

SOURCE1\user1.name,S-1-5-21-sourceUser1SID,user1@source1.principal.name,source1.com,TARGET1\user1.name,S-1-5-21-targetUser1SID,user1@target1.principal.name,target1.com
SOURCE2\user2.name,S-1-5-21-sourceUser2SID,user2@source2.principal.name,source2.local,TARGET2\user2.name,S-1-5-21-targetUser2SID,user2@target2.principal.name,target2.local
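
A pre-flight check for an account matching file in the format above, as an added example that is not part of the product or its documentation. It flags lines that do not have eight fields, malformed SIDs, a source SID paired with more than one target, and targets that are built-in principals; the built-in check and all sample domains, names and SIDs are assumptions constructed for this example.

```python
import re
from collections import defaultdict

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
ACCOUNT_RE = re.compile(r"^[^\\,]+\\[^\\,]+$")  # NetBIOSDomainName\UserName

def validate_matching_file(text):
    """Return (line_number, message) findings; line 0 marks a whole-file finding."""
    findings = []
    targets_by_source = defaultdict(set)  # source SID -> target SIDs it is paired with
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 8:
            findings.append((n, f"expected 8 fields, found {len(parts)}"))
            continue
        src_acct, src_sid, _, _, tgt_acct, tgt_sid, _, _ = parts
        for side, acct in (("source", src_acct), ("target", tgt_acct)):
            if not ACCOUNT_RE.match(acct):
                findings.append((n, f"{side} account is not DOMAIN\\UserName"))
        bad = [s for s in (src_sid, tgt_sid) if not SID_RE.match(s)]
        if bad:
            findings.append((n, f"malformed SID: {bad[0]}"))
            continue
        if src_sid == tgt_sid:
            findings.append((n, "source and target SID are identical"))
        # Added check: RIDs below 1000 are built-in principals; review such targets.
        if int(tgt_sid.rsplit("-", 1)[1]) < 1000:
            findings.append((n, f"target {tgt_sid} is a built-in principal"))
        targets_by_source[src_sid].add(tgt_sid)
    for sid, targets in sorted(targets_by_source.items()):
        if len(targets) > 1:
            findings.append((0, f"{sid} is paired with {len(targets)} different targets"))
    return findings

# Constructed sample data (domains, names and SIDs are made up for this example).
SRC, TGT = "S-1-5-21-1111-2222-3333", "S-1-5-21-4444-5555-6666"
SAMPLE = "\n".join([
    rf"SOURCE1\alice,{SRC}-1104,alice@source1.com,source1.com,TARGET1\alice,{TGT}-2104,alice@target1.com,target1.com",
    rf"SOURCE1\alice,{SRC}-1104,alice@source1.com,source1.com,TARGET1\bob,{TGT}-2105,bob@target1.com,target1.com",
    rf"SOURCE1\carol,{SRC}-1106,carol@source1.com,TARGET1\carol,{TGT}-2106,carol@target1.com,target1.com",
    rf"SOURCE1\dave,{SRC}-1107,dave@source1.com,source1.com,TARGET1\Administrator,{TGT}-500,admin@target1.com,target1.com",
    rf"SOURCE1\erin,S-1-5-21-sourceUserSID,erin@source1.com,source1.com,TARGET1\erin,{TGT}-2108,erin@target1.com,target1.com",
])

if __name__ == "__main__":
    for line_no, message in validate_matching_file(SAMPLE):
        print(f"line {line_no}: {message}")
```

Several source accounts paired with one target are not reported, because merging source users into a single target user is a supported case.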

NOTE: To update resources for all accounts migrated by Migration Manager for Active Directory, right-click the collection or category node in the console management tree and click Update for All Migrated Accounts. Note that the current account selection will be lost.

Configure Processing Settings

You can configure the following using the Create Processing Task wizard:

Task Action

On the Task Action step, select the action you want to perform:

  • Reassign local group membership, user rights, and object permissions to target users
    This will update resources to conform to the domain reconfiguration.

    NOTE: The Leave source accounts' permissions check box allows you to add newly created users and groups from the target domain to object DACLs and SACLs, rather than replace the entries with the current source account SIDs.

  • Clean up legacy local group membership, user rights, and permissions of migrated users
    Remove references to the original source accounts after migration. See the Resource Cleanup topic.
  • Revert to the original local group membership, user rights, and object permissions
    Select this option to undo the update.

    NOTE: If two source users were merged to one target user, and if only one of them had permissions on some objects, then, after resource update and reverting the permissions, both users would have common permissions on these objects.

If you select the Reassign local group membership, user rights, and object permissions to target users option, the next step will be Account Matching. On this step, you have the following options:

  • Use only the matching information from the project configuration
  • Match accounts by analyzing the SID history in the target domain in addition to existing matches

If you choose to match accounts by SID history data, the Vmover.exe utility will be used automatically for that. You only need to specify the target domain in which to examine SID history data.

For access to the domain, the utility will use the credentials configured for the project (Project | Manage Domain Credentials in the main menu) or for the particular collection or category (the Manage Domain Credentials button in the toolbar when the collection or category is selected). Make sure that valid credentials are specified.

Notes: If you use the Create Processing Task wizard for this purpose, SID history matching behaves as follows:

  • After resource processing, the “clean up” and “revert” actions are possible only for those accounts that have been migrated by Migration Manager.
  • The domain credentials must be specified before you run the Create Processing Task wizard.

If you need different behavior, consider using Vmover.exe manually, as described in SIDHistory Mapping.

Also note that the password for domain access is stored in plain text in the ldapPsw parameter of the configuration file for Vmover.exe. Because of this, it is recommended that you run the task remotely, that is, with the Perform the task remotely (without agents) option enabled on the Advanced Options step.

Handling Rights and Resources

On the Handling Rights and Resources step, select what accounts should be updated:

  • Local Group Membership
    Adds target accounts to the local groups that contained the corresponding source accounts. If the Leave source accounts' permissions check box is not selected, the source accounts will be removed from the groups.
  • User Rights
    Grants target accounts the user rights which belonged to the corresponding source accounts. If the Leave source accounts' permissions check box is not selected, the source accounts will be denied the rights they had.
  • Service Accounts
    The Service Accounts check box allows you to update service accounts and permissions affected by the migration. For example, if a service runs as SOURCE\User1 and User1 is moved to the target domain, the service account credentials will be changed to those of TARGET\User1.

    NOTE:

      • Service accounts are replaced whether or not the Leave source accounts' permissions option was selected.
      • If the processing service is running under a source account while a user logs in under a new corresponding target account, duplicate profiles can be created.

  • Scheduled Tasks
    The Scheduled Tasks check box allows you to update scheduled task accounts and permissions affected by the migration. For example, if a task runs as SOURCE\User1 and User1 is moved to the target domain, the task account credentials will be changed to those of TARGET\User1.

    NOTE:

      • Scheduled task accounts are replaced whether or not the Leave source accounts' permissions option was selected.
      • For a successful scheduled task update, the account should have the Read and Write permissions on the scheduled task file.
      • If the scheduled task is running under a source account while a user logs in under a new corresponding target account, duplicate profiles can be created.

Then select the check boxes next to the objects whose permissions should be re-assigned to target users. Permissions on the following objects can be updated:

  • Registry
  • Local profiles
  • Roaming profiles
  • Shares
  • Printers
  • File system
  • IIS
  • DCOM
  • COM+
  • File ownership

If you select the IIS check box, Resource Updating Manager will update the permissions of the Internet Information Services (IIS) if it is installed on the selected computers. The following IIS properties are processed by default:

  • Microsoft Windows discretionary access control list (DACL) (the AdminACL property)
  • Name of the registered local user that is used for anonymous users (the AnonymousUserName property)

For the full list of processed IIS properties, see the IIS section of Vmover Processing Options.

NOTE: To process any other IIS properties, you need to use the Vmover utility in manual mode. First, prepare the configuration file, Vmover.ini. The properties you need should be included in the [IIS Identifiers] section of the file as follows:

[IIS Identifiers]

UNCUserName=yes;1

The number at the end of the string specifies the property type:

  • 0—security descriptor
  • 1—user name
  • 2—domain name

If the property type is not specified, the property will be skipped during processing.

Next, run Vmover remotely on the IIS servers you need to process using the edited configuration file, as follows:

  • Vmover.exe /c /system=<IIS_server_name> /ini=<updated_INI_file>
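
A check to run on an edited Vmover.ini before it is used, as an added example that is not part of the product. It covers the [IIS Identifiers] rule above (a property without a type is skipped) and the plain-text ldapPsw parameter noted in the account matching section, and can mask that value before the file is shared. The section name [ExampleSection] and the password are constructed placeholders; the page does not say which section holds ldapPsw, so every section is searched.

```python
import configparser
import re

# Property types documented for the [IIS Identifiers] section.
IIS_TYPES = {"0": "security descriptor", "1": "user name", "2": "domain name"}
LDAPPSW_RE = re.compile(r"(?im)^([ \t]*ldapPsw[ \t]*=[ \t]*)\S[^\r\n]*")

def lint_vmover_ini(text):
    """Return findings: IIS properties that will be skipped, and a stored ldapPsw."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # keep property names exactly as written
    cp.read_string(text)
    findings = []
    if cp.has_section("IIS Identifiers"):
        for name, value in cp.items("IIS Identifiers"):
            _, _, ptype = (value or "").partition(";")
            ptype = ptype.strip()
            if not ptype:
                findings.append(f"{name}: no property type, will be skipped")
            elif ptype not in IIS_TYPES:
                findings.append(f"{name}: type {ptype} is not 0, 1 or 2")
    for section in cp.sections():
        for name, value in cp.items(section):
            if name.lower() == "ldappsw" and (value or "").strip():
                findings.append(f"[{section}] {name}: password stored in plain text")
    return findings

def redact_ldap_password(text):
    """Mask the ldapPsw value before the file is copied into a ticket or log."""
    return LDAPPSW_RE.sub(r"\1<redacted>", text)

# Constructed sample file. [ExampleSection] is a placeholder section name and the
# password is made up; the three property names are the ones the page mentions.
SAMPLE_INI = """\
[ExampleSection]
ldapPsw=Constructed-Passw0rd

[IIS Identifiers]

UNCUserName=yes;1
AnonymousUserName=yes
AdminACL=yes;7
"""

if __name__ == "__main__":
    print("\n".join(lint_vmover_ini(SAMPLE_INI)))
    print(redact_ldap_password(SAMPLE_INI))
```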

 

Caution: After processing printers, if some of them were processed via the registry (this can be verified by scanning the log file), the spooler should be restarted.

Advanced Options

On the Advanced Options step, you can configure additional options for the task:

  • Select the Process resources remotely (without agents) check box to force Resource Processing Manager to process only remote resources.

    NOTE: In this case only several types of objects will be processed, for example, shares. This option is needed for NAS processing.

  • Whether any script should be run on the processed machines before or after processing. Click Browse to specify the script file (the following file types are supported: *.vbs, *.js, *.bat, *.cmd, *.ps1).

    NOTE: Resource Updating Manager agent is a 32-bit application. So, when Resource Updating Manager agent runs scripts on a processed computer running a 64-bit operating system, all scripts will be launched in 32-bit mode.
