
Migration Manager for AD 8.15 - User Guide

Considerations for Migration Sessions

When splitting up domain migration into sessions you should consider the way that linked attributes (such as group membership) get resolved:

  • Linked attributes always get resolved in the scope of the session. For example, if you migrate a group and its members within the same session, the membership will get migrated.
  • Linked attributes are also resolved for previously migrated objects. For example, if you first migrate users and then migrate a group, the group will be migrated with its membership.
  • Backlinks (such as "member of") are not updated across sessions. For example, if you first migrate a group and then in other sessions migrate its members, the newly migrated accounts will not get added to the target group. If you have to migrate a group before its members, you can restore the membership by either re-migrating the group or doing full re-synchronization.

See the Migration Manager Tips and Tricks document for additional considerations and recommendations for setting up migration sessions.
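A planning check for the three rules above, as an added example (not part of the product or the original guide). It models only what the list states; the object names and session plan are constructed sample data.

```python
# Added planning sketch: models the linked-attribute rules stated above.
# MEMBERS_OF and PLAN are constructed sample data, not product output.

def unresolved_memberships(sessions, members_of):
    """sessions: ordered list of sets of object names, one set per session.
    members_of: dict mapping a source group to the set of its members.
    Returns (group, member, group_session, member_session) for each link
    that will be missing on the target after all sessions have run."""
    first_seen, last_seen = {}, {}
    for idx, objs in enumerate(sessions, start=1):
        for obj in objs:
            first_seen.setdefault(obj, idx)   # when the object first exists on target
            last_seen[obj] = idx              # last (re-)migration of the object

    missing = []
    for group, members in sorted(members_of.items()):
        g = last_seen.get(group)
        if g is None:
            continue  # group is never migrated, so there is nothing to resolve
        for member in sorted(members):
            m = first_seen.get(member)
            # Resolved if the member was migrated in the same session as the
            # group or in an earlier one. A member migrated after the group's
            # last migration does not update the backlink.
            if m is not None and m > g:
                missing.append((group, member, g, m))
    return missing

def groups_to_remigrate(sessions, members_of):
    """Groups whose membership has to be restored by re-migrating the group."""
    return sorted({g for g, _, _, _ in unresolved_memberships(sessions, members_of)})

MEMBERS_OF = {"GG-Sales": {"alice", "bob"}, "GG-All": {"GG-Sales", "carol"}}
PLAN = [{"alice", "GG-Sales"}, {"bob", "GG-All"}, {"carol"}]

if __name__ == "__main__":
    for group, member, g, m in unresolved_memberships(PLAN, MEMBERS_OF):
        print(f"{member} (session {m}) will be missing from {group} (session {g})")
    print("re-migrate:", groups_to_remigrate(PLAN, MEMBERS_OF))
```

Appending a final session that re-migrates the listed groups makes the function return an empty list, which matches the re-migration remedy described above.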

Creating a Migration Session

To create a new migration session, right-click the Migration node under the appropriate domain pair and select New Session from the shortcut menu. This will start the Migration Wizard.

Step 1. New Migration Session

Specify a name for the migration session and optionally provide a comment for it.

Step 2. Select Source Objects

This step allows you to select objects for migration. The list of objects contains the objects currently selected for migration.

Click Select to add to or modify the selection. In the Browse Source Domain window, select the containers and/or individual objects you want to migrate.

When you select or clear a container, all its sub-objects are displayed in the right-hand pane and are automatically selected or cleared. If you want to select or clear individual objects, perform the selection in the list of objects in the right-hand pane.

To select or deselect containers, right-click the container and click Select or Deselect. Depending on your selection, the checkboxes will be marked as follows:

  • A blue check mark indicates that the container and all objects and sub-containers within the container will be migrated.
  • A white check mark indicates that the container will be created on the target and some objects and sub-containers within the container will be migrated as well.
  • A grey check box without any check mark indicates that the container will not be created on the target but some objects or sub-containers within the container will be migrated.

Clicking the Select by group membership button offers you two options:

  • Select groups for selected objects—Select the groups in which the selected objects are members. You can also specify the scope (global, local, or universal) and type (security or distribution) of groups for which to perform the select operation.

  • Select objects within selected groups—Select objects that are members of the selected groups. You can also specify the object class (users, contacts, or groups) for which to perform the select operation.

After the selection is made, click OK to save it and close the window.

To remove an object from the list of selected objects, select the object and click Remove.

You can also export the current selection to an external text file for later use. The external list of objects is usually used for mass object renaming and populating target object attributes with different values.

To create an export file, click Export. In the Export Selection to File window, select the attributes you want to export for the selected users. This creates a tab-delimited list: the first column is the source object's DN, and the remaining columns are the selected attributes. The administrator can later modify the attribute values in this file and import it back by clicking Import. The modified attribute values will be applied to the target objects during migration.

One common use for such import files is to make Migration Manager rename user accounts and groups as part of the migration. For details about how to edit the import files in this scenario, see the Configuring User and Group Renaming topic.

Step 3. Select Target Container

This step allows you to select the container where migrated objects will be created. Click Browse to select the container where the migrated objects should be placed during migration.

You also can specify whether the OU hierarchy will be migrated and whether the accounts should be merged with the existing target accounts.

In the OU hierarchy migration section, choose one of the following:

  • Migrate selected objects with their OUs to the selected target OU—If this option is selected, all selected objects and containers will be created on the target.
  • Migrate objects without OUs as a flat list—If this option is selected, only selected objects (not containers) will be created on the target in the specified target OU.

In the When merging with existing account on target section, choose one of the following:

  • Merge and move the objects to the new OU—If this option is selected, matched objects will be merged and moved to the specified target OU.
  • Merge and leave the account where it was before the migration—If this option is selected, matched objects will be merged and left in the original target OU (not moved to the specified target OU).
  • Never merge: skip accounts that match any accounts on target—If this option is selected, matched objects will be skipped from migration.

Step 4. Set Security Settings

This step allows you to specify the security settings for the migration.

Security Descriptor migration rule—Select the way security descriptors of the matched source and target objects will be handled.

All objects in Active Directory are securable objects. Each securable object has a security descriptor (SD) that identifies the object’s owner and can also contain the following access control lists:

  • Discretionary access control list (DACL)
  • System access control list (SACL)

An ACL contains a list of access control entries (ACEs). Each ACE in an ACL identifies a trustee (a user account or group account) by its SID and specifies the access rights allowed, denied, or audited for that trustee.

You have the opportunity to Merge, Replace, or Skip the security descriptors:

  • Merge—The security descriptor entries of the source object will be added to the security descriptor of the target object.
  • Skip—The security descriptor of the target object will be left intact.
  • Replace—All entries of the target object’s security descriptor will be deleted. The entries of the source object’s security descriptor will be copied to the target object’s security descriptor.

The DACL and SACL security descriptor entries of the source objects are assigned to the newly-created target objects during migration.

Regardless of the option you select to migrate security descriptors (Merge, Skip, or Replace) for each newly created target object, the default security descriptor defined for that object class will also be applied.

NOTE: Only ACEs explicitly added to the source security descriptor are migrated.

The inheritance flag (the Allow inheritable permissions from parent to propagate to this object option on the Security tab of the object Properties) is migrated as well. That is, if the inheritance flag is set for the source object, it will be set for the corresponding target object; if the inheritance flag is not set for the source object, it will be cleared from the corresponding target object.

During migration, the ACEs of the source security descriptor referencing the source objects (source SIDs) are not translated to the target objects (target SIDs). To translate or clean up the source objects’ SIDs migrated to the target object’s security descriptor, use the Active Directory Processing Wizard.
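To see which migrated ACEs still reference source SIDs, the following added example (not part of the product or the original guide) scans an SDDL string exported from a target object. The domain SIDs and the SDDL sample are constructed values, and the function names are hypothetical.

```python
import re

# One ACL section: "D:" (DACL) or "S:" (SACL), optional flags, then its ACEs.
ACL_RE = re.compile(r"([DS]):([A-Z_]*)((?:\([^()]*\))+)")
ACE_RE = re.compile(r"\(([^()]*)\)")

def source_sid_aces(sddl, source_domain_sid):
    """Return (acl, ace_type, trustee_sid, inherited) for every ACE whose
    trustee SID belongs to the source domain."""
    # The trailing "-" stops a longer, unrelated domain SID from matching.
    prefix = source_domain_sid.rstrip("-").upper() + "-"
    hits = []
    for acl, _flags, aces in ACL_RE.findall(sddl):
        for ace in ACE_RE.findall(aces):
            fields = ace.split(";")
            if len(fields) < 6:
                continue  # malformed ACE string: skip instead of guessing
            ace_type, ace_flags, trustee = fields[0], fields[1], fields[5]
            # ACE flags are concatenated two-letter codes; "ID" = inherited.
            flag_set = {ace_flags[i:i + 2] for i in range(0, len(ace_flags), 2)}
            if trustee.upper().startswith(prefix):
                hits.append(("DACL" if acl == "D" else "SACL",
                             ace_type, trustee, "ID" in flag_set))
    return hits

def needs_sid_translation(sddl, source_domain_sid):
    """True when an explicit (non-inherited) ACE still names a source SID."""
    return any(not inherited
               for *_, inherited in source_sid_aces(sddl, source_domain_sid))

# Constructed sample values (not real domain SIDs).
SRC = "S-1-5-21-1111111111-2222222222-3333333333"
TGT = "S-1-5-21-4444444444-5555555555-6666666666"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    f"(A;;RPWP;;;{SRC}-1105)"      # explicit ACE, source SID
    f"(A;CIID;RP;;;{SRC}-512)"     # inherited ACE, source SID
    f"(A;;RP;;;{TGT}-1105)"        # target SID, ignored
    "(A;;RP;;;AU)"                 # well-known alias, ignored
    f"S:AI(AU;SA;WP;;;{SRC}-1105)" # audit ACE in the SACL, source SID
)

if __name__ == "__main__":
    for hit in source_sid_aces(SAMPLE_SDDL, SRC):
        print(hit)
```

Explicit hits are the entries left for the Active Directory Processing Wizard to translate or clean up.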

Add SIDHistory—Select this checkbox if you want to allow the target accounts to access the source domain resources using the SIDHistory mechanism during the coexistence period. For more information on adding SIDHistory, see Adding SID History.

When you migrate accounts and groups, target group membership is automatically updated for the target users. In other words, the target group will have target user accounts as members corresponding to the source user accounts (members of the source group) migrated by that time. If you also want to add source accounts (the members of the source groups) to the corresponding target groups, select the Add source members to the corresponding target groups check box.

The User Principal Name handling section allows you to specify how the User Principal Name (UPN) will be formed for each target user:

  • Copy—If this option is selected, UPNs of source users will be assigned to the target users. This option is available only if the source and target domains belong to different forests.
  • Switch—If this option is selected, the UPN is switched from the source user to the target user. This option is available only if the source and target domains belong to the same forest.
  • Skip—If this option is selected, the target user UPN will be left intact.
  • Set the domain suffix of the UPNs to—This option allows you to set the domain suffix of the UPNs of the target users to the value you specify.

The Password handling option allows you to also specify how user passwords will be handled:

  • Copy account password—Passwords will be copied from the source to the target accounts.
  • Skip account password—Passwords will not be copied for merged objects. The newly-created target accounts will get blank passwords.
  • Set password to username with—Sets the target user password to its username with the specified prefix and/or suffix. To set the prefix or suffix, click Configure.
  • Set password to—Sets the target user password to the specified value. To specify the common password value, click Configure.
  • Set random password—Sets the password to a random value generated by some criteria. The passwords are stored in ADAM or AD LDS. You can select to generate strong or custom passwords. For custom passwords, you can set the range for the password length and the allowed characters.
    To configure the complexity of the random password, click Configure and use the Random length between and Allow characters controls:

    • Passwords must be at least six (6) characters long. You can set the password length limit by editing the Random length between boxes.
    • Passwords must contain characters from at least three (3) of the following four (4) classes:
      • English uppercase letters (A, B, C, ... Z)
      • English lowercase letters (a, b, c, ... z)
      • Westernized Arabic numerals (0, 1, 2, ... 9)
      • Non-alphanumeric or ‘special characters’, such as punctuation symbols
    • Passwords may not contain a user name or any part of a full name.

NOTE: To let users know their temporary passwords so that they can change them, you first need to retrieve the passwords from ADAM or AD LDS. For that, use the utility provided by Quest Support in solution 32124, available at https://support.quest.com/kb/SOL32124.
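The complexity criteria listed above, written out as a checker and a generator; this is an added example, not the product's own password routine. The special-character set, the reading of "part of a full name" as any name token of three or more characters, and the sample account are assumptions.

```python
import re
import secrets
import string

# Assumed set of "special characters"; the guide does not enumerate them.
SPECIALS = "!#$%&()*+,-./:;<=>?@[]^_{}~"
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + SPECIALS

def meets_criteria(password, username, full_name, min_len=6):
    """Check a password against the three criteria listed above."""
    if len(password) < min_len:
        return False
    classes = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        return False
    # Assumption: "part of a full name" means any name token of 3+ characters,
    # compared case-insensitively.
    tokens = [username] + re.split(r"[\s,.\-_#]+", full_name)
    lowered = password.lower()
    return not any(len(t) >= 3 and t.lower() in lowered for t in tokens)

def random_password(username, full_name, min_len=12, max_len=16):
    """Draw candidates from the OS CSPRNG until one satisfies the criteria.
    min_len and max_len play the role of the Random length between boxes."""
    while True:
        length = min_len + secrets.randbelow(max_len - min_len + 1)
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_criteria(candidate, username, full_name, min_len):
            return candidate

if __name__ == "__main__":
    # Constructed sample account.
    print(random_password("jsmith", "John Smith"))
```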

Step 5. Specify Object Processing Options

Specify whether the target objects should be enabled after the migration session is completed. This setting makes sense if the users start using their target accounts immediately after the migration is completed. You may also want to disable source accounts after migration has been completed. Use the Enable target accounts and Disable source accounts options.

For intra-forest migrations, you can select to reconnect the source Exchange mailboxes to the target users so that users logged on to the target environment can use their source mailboxes until the Exchange migration is performed. Selecting the Reconnect Exchange mailbox check box will reconnect the source user mailboxes to the corresponding target users.

If you are planning to use a custom add-in to process the selected objects after they have been retrieved from the source domain and before they are copied to the target domain, select the Use custom add-in checkbox and browse for the .xml custom add-in file.

Attributes to Skip

If you want to skip particular attributes, click the Attributes to Skip button. Then select the check boxes next to the attributes you do not want to migrate to the target domain.

Use the Save Settings button if you want to use the same settings when you create another migration session. Click Load Settings to apply a set of attribute skipping options you saved earlier.

Select the Show advanced attributes check box to choose from the complete list of attributes you can skip.

Caution: The Directory Synchronization Agent service attributes used by Migration Manager should never be skipped. Otherwise, Migration Manager will not be able to migrate and synchronize objects.

Step 6. Select Migration Agent

This step allows you to select the migration agent to perform the migration.

NOTE: If you have only one agent installed in your environment, you will not be presented with this step.

Step 7. Summary

The wizard allows you to view the settings you made for the session. You can click Back to modify the settings if needed.

Select the Test mode check box if you want to run the migration in test mode, which does not apply any changes to the real target environment. Running a migration session in test mode allows you to check how the settings you made for the session will be applied to the target directory and decide whether these settings suit your needs. You can review the results by clicking View log after the migration is completed.

NOTE: You can click Back and clear the Test mode check box to perform the actual migration only if you did not close the Migration Wizard dialog after the migration completed. You cannot clear the Test mode check box when you open the properties of the already-completed session. However, you can use this session as a template when you create a new session to perform the account migration. Refer to the Viewing Migration Session Details topic for more details.

Step 8. Migrating Active Directory Objects

The wizard now migrates the selected objects to the target domain. All the activity takes place in the target domain only. The wizard displays the target domain directory update progress. Please wait while the wizard completes.

Step 9. Complete the Wizard

The migration session has been completed. The completed session configuration is now stored in the project database. Click the View log button to see if any errors or conflicts occurred during migration.

You can view the completed session configuration and use it later as a template for other migration sessions. For more information about migration session details, refer to the Viewing Migration Session Details topic.

All changes made to the target environment during a migration session can be rolled back. For more information about undoing a migration, refer to the Undo Account Migration topic.

Viewing Migration Session Details

To view the migration session details, select the Migration node in the Migration Manager console management tree. The list of completed sessions is displayed in the right-hand pane. Right-click the session whose details you want to view and select Properties from the shortcut menu.

You can view the log of a completed session to see the results of migration by selecting the Summary tab and clicking View log.

Using a Completed Session as a Template

You can use a completed session as a template to create a new session with the same or similar configuration settings or similar objects to be migrated. For example, you might want to select a session that was previously run in test mode and perform the actual migration of objects using the settings specified in that session.

To use a completed session as a template, select the Migration node in the Migration Manager console management tree. The list of completed sessions will be displayed in the right-hand pane. Right-click the session you want to use as a template and select New Session from the shortcut menu. This will start the Migration Wizard. All the settings you made for the completed session, including objects selected for migration, are preserved and you do not need to specify these settings again.
