Migration Manager for AD 8.15 - Resource Processing Guide


Configure Processing Settings

You can configure the following using the Create Processing Task wizard:

Task Action

On the Task Action step, select the action you want to perform:

  • Reassign local group membership, user rights, and object permissions to target users
    This will update resources to conform to the domain reconfiguration.

    NOTE: The Leave source accounts' permissions check box allows you to add newly created users and groups from the target domain to object DACLs and SACLs, rather than replace the entries with the current source account SIDs.

  • Clean up legacy local group membership, user rights, and permissions of migrated users
    Remove references to the original source accounts after migration. See the Resource Cleanup topic.
  • Revert to the original local group membership, user rights, and object permissions
    Select this option to undo the update.

    NOTE: If two source users were merged into one target user, and only one of them had permissions on some objects, then after the resource update and a subsequent revert both source users will hold the same permissions on those objects.

If you select the Reassign local group membership, user rights, and object permissions to target users option, the next step will be Account Matching. On this step, you have the following options:

  • Use only the matching information from the project configuration
  • Match accounts by analyzing the SID history in the target domain in addition to existing matches

If you select to match accounts by SID history data, the Vmover.exe utility is used automatically for that. You only need to specify the target domain in which to examine SID history data.

For access to the domain, the utility will use the credentials configured for the project (Project | Manage Domain Credentials in the main menu) or for the particular collection or category (the Manage Domain Credentials button in the toolbar when the collection or category is selected). Make sure that valid credentials are specified.

Notes: If you use the Create Processing Task wizard for this purpose, SID history matching behaves as follows:

  • After resource processing, the “clean up” and “revert” actions are possible only for those accounts that have been migrated by Migration Manager.
  • The domain credentials must be specified before you run the Create Processing Task wizard.

If you need different behavior, consider using Vmover.exe manually, as described in SIDHistory Mapping.

Also note that the password for domain access is stored in plain text in the ldapPsw parameter of the configuration file for Vmover.exe. Because of this, it is recommended that you run the task remotely, that is, with the Perform the task remotely (without agents) option enabled on the Advanced Options step.
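The cleartext ldapPsw parameter is the kind of residue a defender wants to find after a Vmover-based task has run. The following PowerShell script is an added example (not part of the Quest documentation or the product): it searches for Vmover configuration files that still carry a non-empty ldapPsw value, reports which principals can read each file, and offers a helper to blank the value once the task is finished. The search roots, the `Vmover*.ini` file-name pattern, and the assumption that ldapPsw appears as a standard `ldapPsw=<value>` INI line are this example's assumptions; the guide names the parameter but not its section.

```powershell
# Added example, not Quest's code. Find Vmover configuration files that still hold a
# cleartext ldapPsw value and show who can read them. Assumptions: search roots,
# the "Vmover*.ini" file-name pattern, and the "ldapPsw=<value>" line format.
param(
    [string[]] $SearchRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", $env:TEMP)
)

function Find-ClearTextLdapPsw {
    param([string[]] $Roots)
    foreach ($root in $Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
        Get-ChildItem -LiteralPath $root -Filter 'Vmover*.ini' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file  = $_
            $match = Select-String -LiteralPath $file.FullName -Pattern '^\s*ldapPsw\s*=\s*(\S+)' |
                     Select-Object -First 1
            if ($match -and $match.Matches[0].Groups[1].Value) {
                # Every Allow ACE that grants read access to the file.
                $readRight = [System.Security.AccessControl.FileSystemRights]::ReadData
                $readers = (Get-Acl -LiteralPath $file.FullName).Access |
                    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $readRight) } |
                    ForEach-Object { $_.IdentityReference.Value }
                [pscustomobject]@{
                    File    = $file.FullName
                    Line    = $match.LineNumber
                    Readers = ($readers | Sort-Object -Unique) -join ', '
                }
            }
        }
    }
}

function Clear-LdapPsw {
    # Blank the ldapPsw value in place after the task has completed; the file
    # otherwise keeps the domain password in cleartext.
    param([Parameter(Mandatory)] [string] $Path)
    (Get-Content -LiteralPath $Path) -replace '^(\s*ldapPsw\s*=).*$', '$1' |
        Set-Content -LiteralPath $Path
}

# Report every file that still contains a cleartext password.
Find-ClearTextLdapPsw -Roots $SearchRoots | Format-Table -AutoSize
```

Run the report first; call `Clear-LdapPsw -Path <file>` only for files whose task has finished, because Vmover still needs the value while the task is running.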

Handling Rights and Resources

On the Handling Rights and Resources step, select which rights and resources should be updated:

  • Local Group Membership
    Adds target accounts to the local groups that contained the corresponding source accounts. If the Leave source accounts' permissions check box is not selected, the source accounts will be removed from the groups.
  • User Rights
    Grants target accounts the user rights which belonged to the corresponding source accounts. If the Leave source accounts' permissions check box is not selected, the source accounts will be denied the rights they had.
  • Service Accounts
    The Service Accounts check box allows you to update service accounts and permissions affected by the migration. For example, if a service runs as SOURCE\User1 and User1 is moved to the target domain, the service account credentials will be changed to those of TARGET\User1.

    NOTE:

      • Service accounts are replaced whether or not the Leave source accounts' permissions option was selected.
      • If the processed service is running under a source account while a user logs in under the new corresponding target account, duplicate profiles can be created.

  • Scheduled Tasks
    The Scheduled Tasks check box allows you to update scheduled task accounts and permissions affected by the migration. For example, if a task runs as SOURCE\User1 and User1 is moved to the target domain, the task account credentials will be changed to those of TARGET\User1.

    NOTE:

      • Scheduled task accounts are replaced whether or not the Leave source accounts' permissions option was selected.
      • For a successful scheduled task update, the account should have the Read and Write permissions on the scheduled task file.
      • If the scheduled task is running under a source account while a user logs in under the new corresponding target account, duplicate profiles can be created.

Then select the check boxes next to the objects whose permissions should be re-assigned to target users. Permissions on the following objects can be updated:

  • Registry
  • Local profiles
  • Roaming profiles
  • Shares
  • Printers
  • File system
  • IIS
  • DCOM
  • COM+
  • File ownership

If you select the IIS check box, Resource Updating Manager will update the permissions of the Internet Information Services (IIS) if it is installed on the selected computers. The following IIS properties are processed by default:

  • Microsoft Windows discretionary access control list (DACL) (the AdminACL property)
  • Name of the registered local user that is used for anonymous users (the AnonymousUserName property)

For the full list of processed IIS properties, see the IIS section of Vmover Processing Options.

NOTE: To process any other IIS properties, you need to use the Vmover utility in manual mode. First, prepare the configuration file, Vmover.ini. The properties you need should be included in the [IIS Identifiers] section of the file as follows:

[IIS Identifiers]
UNCUserName=yes;1

The number at the end of the string specifies the property type:

  • 0—security descriptor
  • 1—user name
  • 2—domain name

If the property type is not specified, the property will be skipped during processing.

Next, run Vmover remotely on the IIS servers you need to process using the edited configuration file, as follows:

  • Vmover.exe /c /system=<IIS_server_name> /ini=<updated_INI_file>
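The manual IIS procedure above has two places where a mistake is easy to make: a property listed without its `;<type>` suffix is silently skipped, and an existing `[IIS Identifiers]` section can be clobbered when the file is edited by hand. The following PowerShell script is an added example (not part of the Quest documentation or product) that writes a working copy of Vmover.ini with the wanted IIS properties merged into that section and then runs Vmover.exe remotely against each IIS server using the `/c /system= /ini=` syntax shown above. The property names are the ones this page names (AdminACL, AnonymousUserName, UNCUserName) with the type codes the page defines; the paths and server names are supplied by the operator, and the assumption that Vmover.ini is plain INI text outside the section shown is this example's own.

```powershell
# Added example, not Quest's code. Merge IIS properties into the [IIS Identifiers]
# section of a copy of Vmover.ini, then run Vmover.exe remotely per IIS server.
# Assumptions: Vmover.ini is plain INI text; the section accepts
# "<property>=yes;<type>" lines; paths and server names come from the operator.
param(
    [Parameter(Mandatory)] [string]   $VmoverExe,   # full path to Vmover.exe
    [Parameter(Mandatory)] [string]   $BaseIni,     # Vmover.ini to start from
    [Parameter(Mandatory)] [string[]] $IisServers,  # e.g. 'web01','web02'
    [string] $WorkIni = (Join-Path $env:TEMP 'Vmover-iis.ini')
)

# Property -> type code, using the codes defined in the guide
# (0 = security descriptor, 1 = user name, 2 = domain name).
$iisProperties = [ordered]@{
    'AdminACL'          = 0   # DACL, processed by default
    'AnonymousUserName' = 1   # user name, processed by default
    'UNCUserName'       = 1   # the guide's example of an additional property
}

# Copy every line outside [IIS Identifiers]; collect the section's existing lines.
$out      = New-Object System.Collections.Generic.List[string]
$existing = New-Object System.Collections.Generic.List[string]
$inIis    = $false
foreach ($line in Get-Content -LiteralPath $BaseIni) {
    if ($line -match '^\s*\[(.+)\]\s*$') {
        $inIis = ($Matches[1] -eq 'IIS Identifiers')
        if ($inIis) { continue }          # header is re-emitted below
    }
    if ($inIis) { if ($line.Trim()) { $existing.Add($line.Trim()) } }
    else        { $out.Add($line) }
}

# Add each wanted property unless the base file already lists it. Always emit the
# ";<type>" suffix: a property without a type code is skipped by Vmover.
foreach ($p in $iisProperties.GetEnumerator()) {
    $pattern = '^{0}\s*=' -f [regex]::Escape($p.Key)
    if (-not ($existing | Where-Object { $_ -match $pattern })) {
        $existing.Add(('{0}=yes;{1}' -f $p.Key, $p.Value))
    }
}
$out.Add(''); $out.Add('[IIS Identifiers]'); $out.AddRange($existing)
Set-Content -LiteralPath $WorkIni -Value $out

# Run Vmover remotely against each IIS server and record the exit code.
foreach ($server in $IisServers) {
    & $VmoverExe /c "/system=$server" "/ini=$WorkIni"
    [pscustomobject]@{ Server = $server; ExitCode = $LASTEXITCODE }
}
```

Because the script writes to a separate working file, the original Vmover.ini is left untouched and the exact property list sent to each server is preserved for the change record.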


Caution: After processing printers, if some of them were processed via the registry (this can be verified by scanning the log file), the spooler should be restarted.

Advanced Options

On the Advanced Options step, you can configure additional options for the task:

  • Select the Process resources remotely (without agents) check box to force Resource Processing Manager to process only remote resources.

    NOTE: In this case, only some types of objects (for example, shares) are processed. This option is needed for NAS processing.

  • Whether any script should be run on the processed machines before or after processing. Click Browse to specify the script file (the following file types are supported: *.vbs, *.js, *.bat, *.cmd, *.ps1).

    NOTE: The Resource Updating Manager agent is a 32-bit application, so when it runs scripts on a processed computer with a 64-bit operating system, all scripts are launched in 32-bit mode.

Moving Computers to Another Domain

IMPORTANT: Before you begin:

If you execute Move tasks remotely and the NetBIOS protocol is disabled in your network (see the Working in a Network Configuration with NetBIOS Protocol Disabled section), make sure that the SCMApiConnectionParam value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control registry key has the mask value 0x80000000 combined into it (bitwise OR) on the machine where the Migration Manager or Resource Updating Manager console is installed. Otherwise, changing the RUM agent service account during Move task execution may cause an “Access denied” error (see https://docs.microsoft.com/en-us/windows/win32/services/services-and-rpc-tcp for details). The change takes effect after the QsRUMController service is restarted.
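The registry prerequisite above is easy to get wrong by overwriting the value instead of combining the mask into it. The following PowerShell script is an added example (not part of the Quest documentation or product) to run on the console host: it reads SCMApiConnectionParam, reports whether the 0x80000000 bit is already present, and, only when `-Apply` is given, ORs the mask in and restarts the QsRUMController service so the change takes effect. The `-Apply` switch and the function names are this example's own; the key path, value name, mask and service name are the ones the page states.

```powershell
# Added example, not Quest's code. Check (and optionally set) the 0x80000000 bit in
# SCMApiConnectionParam on the console host, then restart QsRUMController.
param([switch] $Apply)

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$name    = 'SCMApiConnectionParam'
$mask    = [uint32]0x80000000

function Get-ScmApiConnectionParam {
    # Returns the current value as an unsigned 32-bit integer, or $null if unset.
    $item = Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # REG_DWORD comes back as Int32 (negative when the high bit is set);
    # reinterpret the same bits as UInt32 so 0x80000000 reads correctly.
    return [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$item.$name), 0)
}

function Test-ScmApiRpcTcpBit {
    $current = Get-ScmApiConnectionParam
    return ($null -ne $current) -and (($current -band $mask) -eq $mask)
}

$current = Get-ScmApiConnectionParam
$text = if ($null -eq $current) { '<not set>' } else { '0x{0:X8}' -f $current }
Write-Host ("{0} = {1}; 0x80000000 bit present: {2}" -f $name, $text, (Test-ScmApiRpcTcpBit))

if ($Apply -and -not (Test-ScmApiRpcTcpBit)) {
    # OR the mask in rather than overwriting, so any other bits already set survive.
    $new = [uint32]$(if ($null -eq $current) { $mask } else { $current -bor $mask })
    # Store the same bits as a signed Int32, which is what the DWord type expects.
    $signed = [BitConverter]::ToInt32([BitConverter]::GetBytes($new), 0)
    Set-ItemProperty -Path $keyPath -Name $name -Value $signed -Type DWord
    Write-Host ('{0} set to 0x{1:X8}' -f $name, $new)
    # Per the guide, the change takes effect only after QsRUMController restarts.
    Restart-Service -Name 'QsRUMController' -Force
}
```

Run it without `-Apply` first from an elevated prompt to confirm the current state; run it again with `-Apply` only on the console host, since the setting belongs there and not on the computers being moved.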

Once you have completed the migration of users and collections, you can choose to move the source computers to another target domain. Actions that must be performed in these cases are described in the related topics:

Start Moving Computers

Follow these steps to move computers to another domain in Resource Updating Manager:

  1. In the Resource Updating Manager console management tree, right-click the computer you want to move.
  2. Select Create Task | Move in the shortcut menu.
  3. On the Move Options step, specify where and how to move computers. For more details, see Configure Move Computers to Domain Settings.
  4. On the Grant Local Administrator Privileges step, select the accounts that will be added to the local Administrators group on the computers you are going to move.
  5. On the next step, specify when the computer will be restarted to complete the move operation. For more details, see Configure Move Computers to Domain Settings.
  6. On the Advanced Options step, you can use the Perform the task remotely (without agents) option to specify whether you want to use Resource Updating Manager agents for this task. Selecting this option will make sure that agents are not used on the computers where they are installed; instead, the task will be performed directly from the computer where this instance of Resource Updating Manager is installed. If the option is cleared, agents will be used; they will be installed on computers that do not have them.
    If you use agents, you also have the option of running custom scripts locally on the computers before and after the task.
  7. On the next step you can specify when the task starts. You can start the task immediately by selecting the Start now option or select the Start at option to specify the date and time to start the operation.

    NOTE: If you are not using agents (the Perform the task remotely (without agents) option is selected on the Advanced Options step), the same step lets you specify the pending timeout for the task operation in case some computers are not accessible at the task start time (some computers may be turned off or behind a firewall, or you may be deploying an agent to the host via Group Policy, Systems Management Server, or manually). If the task is not able to start before the deadline you set, Resource Updating Manager will cancel this task and all subsequent queued tasks for the inaccessible computers.

  8. On the Task Description step you can specify an optional task description.
  9. Click Finish to start processing.

You can review and edit the schedule and other settings for any task that has not started. For that, right-click the task and select Edit Properties. In addition, you can run any task immediately, regardless of its schedule (see the Running Tasks Immediately topic).

If there are any shared folders or printers published in Active Directory on the computer being moved to the target domain, they should first be migrated to the target domain, along with the computer account they point to, using Migration Manager. This allows Resource Updating Manager to automatically update the resources that reside in the source and target domains after the computer is moved, so that they point to the target computer account.

NOTES:

  • If there are only printers located under the computer account, there is no need to migrate them before moving the computer to the target domain. In this case, the computer account will be created automatically, the spooler will be restarted, and printers will be created pointing to the new account.
  • If a computer account in the source Active Directory has child objects with the Windows BitLocker Drive Encryption recovery information, then identical objects will be created for the corresponding computer account in the target Active Directory.
  • Resource Updating Manager cannot move domain controllers, cluster servers, non-Windows computers, and unknown computers between domains.
  • If you click Cancel during a computer move or stop the service, further processing will be stopped. In this case, and when processing is stopped due to an error, computers that have not been moved by that time will be left intact.
  • See the Moving Exchange Servers to Another Domain topic for information on how to move Exchange Servers.
  • For information on how to move SMS servers to another domain, see the Moving SMS Servers Between Domains technical paper by Microsoft.

Configure Move Computers to Domain Settings

On the Move Options page, select the target domain from the list and the target organizational unit (optional). In addition, you have the following options:

  • Change last logged-in domain to the target domain
    If you want the last logged-in domain in the logon window to be changed to the target domain after moving the computer, select this check box.
  • Preserve computer account in source domain
    To ensure that valid accounts are available for logon in case of problems, select this check box. This option will cause the source accounts to be kept, but disabled.

NOTE: If you move computers that have the Resource Updating Manager agent installed between domains without using the Resource Updating Manager console, consider the following:

  • The Migration Manager RUM Agent service account must be a member of the local Administrators group on the computers running the Migration Manager RUM Agent, both in the source and target domains.
  • The Migration Manager RUM Agent service account must have the Log On As a Service right in the target domain.
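Both prerequisites above can be verified on an agent computer before the move instead of discovering a failure during it. The following PowerShell script is an added example (not part of the Quest documentation or product): it resolves the RUM Agent service account to its SID, checks direct membership in the local Administrators group, and reads the exported local security policy to confirm the account holds SeServiceLogonRight (the "Log on as a service" right). The `-ServiceAccount` parameter and function names are this example's own; it assumes the account name is resolvable from the computer it runs on and checks direct group membership only.

```powershell
# Added example, not Quest's code. On an agent computer, confirm that the RUM Agent
# service account is a local Administrator and holds "Log on as a service".
param([Parameter(Mandatory)] [string] $ServiceAccount)   # e.g. 'TARGET\svc-rumagent' (constructed)

# Resolve to a SID so the checks hold regardless of which domain name form is used.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).
       Translate([System.Security.Principal.SecurityIdentifier]).Value

function Test-LocalAdminMember {
    param([string] $AccountSid)
    # Direct membership only; nested group membership is not expanded here.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    return [bool]($members | Where-Object { $_.SID.Value -eq $AccountSid })
}

function Test-ServiceLogonRight {
    param([string] $AccountSid, [string] $AccountName)
    # secedit exports user rights as "SeServiceLogonRight = *<SID>,*<SID>,..."; names
    # can appear for principals it could not resolve, so both forms are accepted.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -LiteralPath $cfg -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1
    Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    $entries = ($line.Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    return ($entries -contains $AccountSid) -or ($entries -contains $AccountName)
}

[pscustomobject]@{
    Account        = $ServiceAccount
    SID            = $sid
    LocalAdmin     = Test-LocalAdminMember -AccountSid $sid
    LogonAsService = Test-ServiceLogonRight -AccountSid $sid -AccountName $ServiceAccount
}
```

Run it elevated once with the source-domain account name and once with the target-domain name, because the guide requires Administrators membership in both domains and the service right in the target domain.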

On the Computer Restart Options page, the following additional settings are available:

  • The message to show to the currently logged-on user when the computer is about to restart.
  • The delay between the message and the actual restart (that is, how much time users have for saving their work).
  • Whether to forcibly close applications with unsaved data during restart.

If you select not to restart the computers after they join a different domain, you will need to tell the users to restart manually.
