Migration Manager for Active Directory provides several options and tools to ensure maximum security, integrity, and performance of your restructured environment. To make sure that resources are accessed properly after restructuring, Migration Manager for Active Directory allows you to delete SIDHistory entries for migrated accounts and remove references to source accounts from ACLs.
Migration Manager for Active Directory also provides options to disable or delete source accounts and clean your network of any unused objects that could affect the security and stability of your environment.
Migration Process Overview
Migration Manager for Active Directory provides tools and features to assist administrators throughout the entire migration process. Migration involves migrating Active Directory objects (such as users, groups and resources) from the source domain to the target domain.
A migration in an enterprise network consists of five major stages:
- Account migration. Selected accounts are copied from selected source domains to the target domains.
- Ongoing directory synchronization. For all or selected migrated accounts, synchronization is established so the account properties (including passwords and group membership) are kept in sync for the coexistence period.
- Resource processing. Access permissions to files, shares, printers, and other securable objects are updated.
- Switching to the new domain. Source accounts are disabled, target accounts are enabled, and users start logging into the new domain.
- Post-migration cleanup. Source accounts are cleaned up and deleted, and SIDHistory is removed for all target accounts to ensure maximum security, integrity, and performance of the target environment.
These steps are described in more detail in the related topics:
Switching to the New Domain
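To confirm the post-migration cleanup stage listed above, a read-only PowerShell check can list the target-domain objects that still carry SIDHistory and show which source domain each historic SID came from. This is an added example, not part of Migration Manager for Active Directory; it assumes the Microsoft ActiveDirectory module is installed, and the domain name, the `$SourceDomainSid` variable and the output file name are placeholders.

```powershell
# Added example: audit the target domain for leftover SIDHistory entries.
# Read-only: it queries Active Directory and writes a CSV, nothing is modified.
Import-Module ActiveDirectory

# Assumptions (placeholders, replace with your own values):
$TargetDomain    = 'target.example.com'  # target domain or a DC in it
$SourceDomainSid = $null                 # string SID of one source domain, or $null for all

# Get-ADObject covers users, groups and computers in one query.
# The LDAP filter matches any object whose sIDHistory attribute is populated.
$findings = @(
    Get-ADObject -Server $TargetDomain -LDAPFilter '(sIDHistory=*)' `
                 -Properties sIDHistory, sAMAccountName |
        ForEach-Object {
            $obj = $_
            # An object can hold several historic SIDs; emit one row per SID.
            foreach ($sid in $obj.sIDHistory) {
                [pscustomobject]@{
                    SamAccountName    = $obj.sAMAccountName
                    ObjectClass       = $obj.ObjectClass
                    DistinguishedName = $obj.DistinguishedName
                    HistoricSid       = $sid.Value
                    # Domain part of the historic SID identifies the source domain.
                    SourceDomainSid   = $sid.AccountDomainSid.Value
                }
            }
        }
)

# Optionally narrow the report to the source domain being decommissioned.
if ($SourceDomainSid) {
    $findings = @($findings | Where-Object SourceDomainSid -eq $SourceDomainSid)
}

# Summary: how many entries remain per source domain and object class.
$findings | Group-Object SourceDomainSid, ObjectClass |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Full list for follow-up; an empty file means no SIDHistory remains.
$findings | Export-Csv -Path .\sidhistory-remaining.csv -NoTypeInformation
```

Run it before and after the cleanup stage: rows that remain afterwards are accounts whose SIDHistory removal still has to be completed.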
1. Account Migration
Account migration is the core step of the migration process. During this step you select a group of accounts (users, groups, and computers) and migrate them to the target domain.
A migration session is basically a group of accounts to be migrated. The following are important features of account migration:
- Migration sessions. Migration Manager for Active Directory makes it easy to set up sessions. You can manually select accounts to migrate within a session, or you can import a list of accounts from a tab-separated text file. You can also change, in bulk, any of the accounts’ attributes by specifying the new attribute values in the import file.
- Directory Synchronization Agents. All migration and synchronization activities are configured through the Migration Manager console, but they are executed by Directory Synchronization Agents (DSAs). One or more Directory Synchronization Agents can be used, depending on the size and complexity of the environment.
- Test mode. A migration session can be executed in test mode. In test mode, Migration Manager for Active Directory does not perform the actual migration of objects; no changes are made to either the source or the target environment. The test enables Migration Manager for Active Directory to detect most of the possible issues in the migration, including lack of permissions, matching conflicts, and missing linked objects (such as group members). This lets you safely experiment and resolve any issues so they do not arise during the actual migration.
Once you resolve the issues, you can re-run the session without test mode to actually migrate the objects. If additional issues arise, you need to resolve them and then re-run the session.
- Delegated migrations. You can limit the migration scope to a certain set of OUs in the source and target domains, and specify the users who have the rights to do the actual migrations within a specified scope.
The delegated administrators will do the actual migration. The results and status information will be added to the project, so no matter how many delegated administrators are involved, you can keep track of the overall project.
Because delegated administrators get access only to the tasks you grant them, you can be sure that they don’t interfere with other tasks.
2. Ongoing Synchronization
Most migration projects last longer than a weekend. This means there is a period when source and target environments have to coexist, and it is important that the environments be kept in sync. For example, a phone number changed in one directory should also change in the other. Synchronization of security-related attributes, such as passwords or group membership, is even more important.
Migration Manager for Active Directory can continuously and efficiently synchronize the source and target accounts and groups. The tool detects all changes in Active Directory that occurred since the objects were last synchronized and brings them over to the other side. Synchronization can be scheduled through Migration Manager for Active Directory; no command prompts or Windows Scheduled Tasks are required.
With this functionality, you don’t need to worry about keeping the environments in sync during the transition period. Coexistence is maintained automatically until you are ready to switch completely to the new directory.
NOTE: During migrations that include Microsoft Exchange, synchronization is normally set to create any objects for which no match can be found. Such objects are created in a specified staging OU and later are moved to the appropriate OU by migration sessions. This allows you to maintain a unified global address list (GAL) for both organizations. See the Migration Manager for Exchange documentation for details.