After accounts are migrated, the ACLs of all resources need to be processed to refer to the new SIDs. Migration Manager provides a set of tools to ensure that the newly created users and groups in the target domain retain their level of access to network resources, such as file system objects, network shares, and shared printers. Additionally, user profiles, service account credentials, and system registries on remote computers are processed to ensure a consistent desktop user experience, network security, and uninterrupted operations.
Migration Manager processes all objects and updates all properties of network resources, regardless of the object’s permissions or ownership. To facilitate resource updating, Migration Manager allows you to automate and schedule updating tasks. You can also view statistics on the progress of resource updates and access log files to view errors and events.
Figure 2. Migration Manager updates all resources in your network.
Resources (such as file system objects, network shares, and shared printers) that are scattered across the network present a challenge during migration. In a large network, the centralized processing of resources from the Migration Manager console would not satisfy scalability requirements.
To address these challenges, Migration Manager can update resources using agents and parallel processing to preserve performance regardless of network size. All selected computers are updated simultaneously. Since resources are updated locally, the time required to update 1,000 resource servers is the same as the time required to update 10 servers.
In highly distributed networks, Migration Manager allows you to delegate resource updating tasks to designated site administrators. This can be either for security reasons (to delegate processing to administrators of the resources) or for performance reasons in large networks (so that resources are updated locally). You can delegate tasks to the remote site or to other domain administrators who have the required level of access and are located within an area of good connectivity to the resource servers to be updated.
Figure 3. Migration Manager efficiently updates resources widely distributed across your network.
Important: For information on supported product versions, refer to Processed Platforms section of the System Requirements and Access Rights document.
When user accounts are migrated, you must update your Exchange messaging system to reflect changes to these accounts.
For Exchange, Migration Manager for Active Directory provides tools that update Exchange permissions to ensure that the permissions assigned to the migrated accounts in the target domain match the permissions assigned to the source accounts.
Migration Manager for Active Directory updates client permissions on public folders and mailbox folders, as well as administrative and directory permissions on mailboxes and all other Exchange objects.
Migration Manager for Active Directory can update Microsoft SQL Server permissions to reflect changes made during migration.
Migration Manager for Active Directory retrieves migration information from its database and substitutes the old accounts on the processed SQL Server with the corresponding new accounts. You should update SQL Servers after migrating accounts to a new domain.
During the distributed resource update, Migration Manager for Active Directory can process permissions set in IIS so that target accounts are assigned the rights previously associated with source accounts.
Migration Manager for Active Directory can update Microsoft SMS and SCCM permissions to reflect changes made during migration.
Migration Manager for Active Directory retrieves account migration information from its database and substitutes the old accounts on the processed SMS/SCCM server with the corresponding new accounts. You should update SMS/SCCM servers after migrating accounts to a new domain.
Migration Manager for Active Directory ensures that target user accounts retain the same local and roaming profiles as the corresponding source accounts. Throughout every phase of the migration, users retain access to their personal profiles and settings. Migration Manager for Active Directory can even update a profile that is locked by a service running under the account.
There are multiple options for updating user profiles to easily fit your migration plan. For example, the Migration Manager Resource Kit provides utilities that can be distributed through user logon scripts and update profiles as appropriate.
After migrating users and groups, source computers can be moved to the target domain. Migration Manager for Active Directory provides tools for moving workstations from the source domain to the target domain without requiring a reboot.
After being migrated, workstations may need additional updates (default domain, computer name, registry settings, etc.). Resource Updating Manager helps update and rename workstations.
Depending on your specific needs or requirements, you might need to perform several activities as part of switching users from the source domain to the target domain. For example, you might need to change the default logon domain for user workstations or transfer mail attributes from source to target users.
During the time between the creation of new accounts and the enabling of those accounts, passwords, group membership, and other properties might be changed. To avoid such conflicts, Migration Manager for Active Directory can perform automated synchronization for all the migrated accounts.
You do not need to re-migrate the accounts to make sure they are in sync.
After user profiles are updated, you need to switch users to their new accounts. Old and new user accounts can exist in parallel, but only one set of accounts should be active at a time. Migration Manager for Active Directory allows users to return to their old accounts at any time, as long as the old accounts have not been deleted.
When the migration process is complete and the network operates properly with the new configuration, the system should be cleared of old, decommissioned elements. These elements could negatively affect security, stability, serviceability, and other aspects of the network.
Migration Manager for Active Directory provides custom options and specialized tools to remove unwanted or unneeded elements.
After users have started to log on under their new accounts in the target domain and are not experiencing any problems with access to resources, Migration Manager for Active Directory can remove references to the original source accounts in groups, user rights, and object security descriptors.
After migration, Migration Manager for Active Directory reassigns permissions for Exchange configuration, mailboxes, and public folders.
If the source and target domains belong to the same forest (that is, intra-forest migration was performed), Exchange mailboxes continue to belong to the accounts from the source domain. These mailboxes need to be reassigned to the target accounts before the source accounts are decommissioned. Migration Manager for Active Directory provides tools that allow you to re-home Exchange mailboxes and reassign them to the target accounts.
Once all resources have been successfully processed, Migration Manager for Active Directory can remove the SIDHistory entries of all directory objects. Removing the SIDHistory entries is important to ensure better performance, as well as the security and integrity of your Active Directory environment.
Once the source accounts are no longer needed, Migration Manager for Active Directory can be used to disable or delete the old accounts. This allows you to decommission the source domain once all the objects have been removed.