
Migration Manager for AD 8.15 - User Guide

Viewing Directory Synchronization Statistics

When you select the Synchronization node under the domain pair in the migration project tree, you can see synchronization state, progress, and statistics for the selected pair of domains on the screen in the right-hand pane.

Synchronization Statistics

The following information is provided on the Synchronization Statistics screen:

Job status:
  • Initial synchronization—Indicates that initial synchronization (full re-sync) is in progress. Either this is the first synchronization session for the Directory Synchronization Agent, or synchronization was restarted with the Start and Re-sync option.
  • Delta synchronization—Indicates that the initial synchronization is completed and only delta changes are synchronized.
  • Sleeping—Indicates that the Directory Synchronization Agent is in an idle state, either because it is in a sleep interval between synchronization sessions or due to its schedule restrictions. Refer to the Configuring the Directory Synchronization Agent section in the Agent Manager topic for more details.
Job direction:
  • Source to target—Indicates that the synchronization job is configured to synchronize objects from source to target only (only the source scope is set).
  • Target to source—Indicates that the synchronization job is configured to synchronize objects from target to source only (only the target scope is set).
  • Two-way—Indicates that both source and target objects will be synchronized (both source and target scopes are set).

Synchronized objects—Displays the number of object pairs that were matched and synchronized.

Source objects per minute—Shows the approximate speed of the source-to-target synchronization process.

Target objects per minute—Shows the approximate speed of the target-to-source synchronization process.

Directory errors—Shows the number of errors that occurred during synchronization, such as connection errors, invalid credentials errors, and server unavailability errors. Click View next to the counter to see the list of errors.

NOTE: The Directory errors queue is not dynamic: errors put in this queue stay in it even after they are resolved.

You also can view the queues of conflicts found during synchronization, failed objects, and unresolved objects. Click the corresponding View link for detailed information.

Conflicts—This queue contains the object-matching conflicts.

Failed objects—This queue contains issues that occurred with the synchronized objects and their attributes, for example an object that could not be created due to insufficient rights.

Unresolved objects—All unresolved linked attributes, such as unresolved membership, are put in this queue.

NOTE: The Conflicts, Failed objects and Unresolved objects queues are dynamic, so if, for example, a conflict is resolved, it is removed from the queue.

Agent Statistics

Name—The name of the server running the agent.

Last operation—A description of the last operation the agent was instructed to perform (such as start or stop).

Last operation progress—The last operation’s progress (in percent).

Last operation error code—If the last operation completed successfully, this field is blank. If the operation failed, the error code is displayed.

Keeping Existing Lync Infrastructure

Migration Manager for Active Directory supports migration scenarios where Microsoft Lync Server is installed in either the source or the target domain and you want to give users access to the existing Lync infrastructure.

Pre-requisites

Before implementing any of the scenarios below, check the following pre-requisites:

  • For inter-forest migration, where the source and target domains reside in different forests, trusts must be established between the source and target domains.
  • The Active Directory schema must be extended in both source and target domains.
  • Lync users' computers must trust the certificate installed on the Lync Server.

Lync Server in Source Domain

If you use Lync Server in the source domain for communication, users can still communicate with other users through that Lync Server even after they are migrated to the target domain.

To achieve that, when configuring a migration session or directory synchronization job, change the settings in the wizard as follows:

  • Migration Session: On the Specify Object Processing Options step, select Use custom add-in and specify the add-in located at <Migration Manager installation folder>\Active Directory\SourceLyncSupport.xml.

  • Directory Synchronization: On the Specify Advanced Options step, select Use custom add-in and specify the add-in located at <Migration Manager installation folder>\Active Directory\SourceLyncSupport.xml.

After the migration session or initial synchronization completes, the migrated user may log on to his or her target account and start communicating with other users through the source Lync Server.

Caution: The corresponding source user must not be removed. Otherwise, the target user will lose access to the source Lync Server.

Lync Server in Target Domain

If you have Lync Server deployed in the target domain, you may want to give previously migrated users the ability to communicate with other users through that Lync Server.

To do that, take the following steps:

  1. Enable the target user account for using Lync Server. For information on how to do that, refer to this TechNet article.
  2. Configure a new migration session from the source domain to the target domain according to Creating a Migration Session with the following specific settings:
    1. On the Select Source Objects step, specify the source user accounts that correspond to the target accounts you Lync-enabled in step 1.
    2. On the Specify Object Processing Options step, select Use custom add-in and specify the add-in located at <Migration Manager installation folder>\Active Directory\TargetLyncSupport.xml.

After the migration session completes, the migrated user may log on to the source account and start communicating with other users through the target Lync Server.

Caution: The corresponding target user must not be removed. Otherwise, the source user will lose access to the target Lync Server.

Adding SID History

Adding SID History allows target accounts to access source domain resources during the coexistence period.

To add SID History, select the Add SIDHistory option at the Set Security Settings step when configuring account migration or directory synchronization.

Migration Manager for Active Directory offers two methods of adding SID History:

  • Adding with SIDHistory Agent
  • Agentless Adding

Both methods have their own benefits and require different permissions and preparation steps.

TIP: To take advantage of SID history, ensure that trusts are established and that SID filtering is turned off between the source and target domains.

Adding with SIDHistory Agent

This is the easiest adding method: it requires no preparation steps or special configuration. SIDHistory Agent is automatically installed on the target domain controller and then controlled by the Directory Synchronization Agent.

This method requires the following:

  • The target DSA account must be a member of the Administrators group in the target domain. If you consent to grant such permissions to the target DSA account, agent-based adding is the recommended scenario. If you do not want to grant such permissions to the target DSA account, in accordance with the least privilege principle, the Preinstalled Service feature should be configured and enabled.

TIP: This adding method is the easiest way to go if you want to synchronize passwords.

Agentless Adding

This adding method doesn’t require an agent to be installed on the domain controller and doesn’t require the target DSA account to be a member of the Administrators group in the target domain. SID history is added with the native DsAddSidHistory function.

This method requires the following:

NOTE: Agentless adding requires both source and target domains to run at Windows Server 2003 domain functional level or higher.

Configuring the environment for agentless adding:

  • Ensure the Source DSA Account is a member of the Administrators group in the source domain.
  • Grant the Migrate SID history permission to the Target DSA Account on the target domain object.

NOTE: This permission must be applied to This object only.

  • Create a local group in the source domain to support auditing. The group should be named <source_domain_name>$$$, where source_domain_name is the NetBIOS name of the source domain.

Important: Do not add members to this group or adding SID history will fail.

  • Enable account management auditing in the source and target domains. For SID history adding between forests under Windows Server 2008 and later, also enable directory service access auditing.

You should turn on auditing of Success and Failure attempts for Audit account management and Success attempts for Audit directory service access. This can be done in Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy on the source and target domain controllers (Windows Server 2008 or later).

TIP: To apply the policy changes immediately, open an elevated command prompt on the domain controller and execute gpupdate /force.
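
A read-only pre-flight check for the source-domain items in the list above, added here as an example (it is not a product or ResKit script). It assumes the ActiveDirectory PowerShell module, PowerShell 3.0 or later and English-language auditpol output; the function name Test-AgentlessSidHistoryPrereq is hypothetical, and the DS Access check only matters for the inter-forest case described above.

```powershell
# Added example, not a product script. Run elevated on a source domain controller.
# Assumes the ActiveDirectory module, PowerShell 3.0+ and English auditpol output.
Import-Module ActiveDirectory

function Test-AgentlessSidHistoryPrereq {   # hypothetical name
    $domain  = Get-ADDomain
    $results = @()

    # The domain must run at Windows Server 2003 functional level or higher.
    $mode = "$($domain.DomainMode)"
    $results += [pscustomobject]@{
        Check  = 'Domain functional level'
        Pass   = ($mode -notin 'Windows2000Domain', 'Windows2003InterimDomain')
        Detail = $mode
    }

    # Auditing group <NetBIOS name>$$$ must exist, be domain local and stay empty.
    # Single quotes keep PowerShell from expanding the $ characters.
    $name    = $domain.NetBIOSName + '$$$'
    $group   = Get-ADGroup -LDAPFilter "(sAMAccountName=$name)" -Properties member
    $members = if ($group) { $group.member.Count } else { 0 }
    $results += [pscustomobject]@{
        Check  = "Auditing group $name"
        Pass   = ($null -ne $group) -and ("$($group.GroupScope)" -eq 'DomainLocal') -and ($members -eq 0)
        Detail = if ($group) { "scope=$($group.GroupScope); members=$members" } else { 'not found' }
    }

    # The legacy category policy sets every subcategory, so require all of them:
    # Success and Failure for Account Management, at least Success for DS Access.
    $required = @{ 'Account Management' = '^Success and Failure$'; 'DS Access' = '^Success' }
    foreach ($category in $required.Keys) {
        $rows = @(auditpol /get /category:"$category" /r | Where-Object { $_ } | ConvertFrom-Csv)
        $bad  = @($rows | Where-Object { $_.'Inclusion Setting' -notmatch $required[$category] })
        $results += [pscustomobject]@{
            Check  = "Audit policy: $category"
            Pass   = ($rows.Count -gt 0) -and ($bad.Count -eq 0)
            Detail = if ($bad) { 'not set on: ' + ($bad.Subcategory -join ', ') } else { 'ok' }
        }
    }
    $results
}

Test-AgentlessSidHistoryPrereq | Format-Table -AutoSize
```

Run it again on a target domain controller to confirm the audit policy there; the auditing group check applies to the source domain only.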

Enabling / reverting agentless SID history adding for the project

Agentless SID history adding is enabled manually for the project with the UseAgentlessSIDHistoryMigration.ps1 script provided on the Migration Manager for Active Directory installation disk. Open the 32-bit (x86) version of the PowerShell prompt on the computer where Migration Manager is installed and execute the following commands:

cd "<Drive with product CD>:\QMM ResKit\Scripts"
.\UseAgentlessSIDHistoryMigration.ps1 $true

To revert to SIDHistory Agent, execute the following command:

.\UseAgentlessSIDHistoryMigration.ps1 $false