Migrator Pro for Active Directory 20.11.1 - User Guide

Migration Options and Profile Settings

Migration Options

To add migration options:

  1. On the Migration Options page, click the Add button. The Migration Options window appears.

  2. Enter values in the following fields:
    • Profile Name - The name to identify the options (for example, "10 Second Reboot Delay").
    • Domain Join Delay - The delay before joining the domain.
    • Reboot Delay - The delay before rebooting.

      If set to any value other than zero (0), the user will receive a pop-up notification informing them that the workstation will be rebooted when the cutover is performed. If set to zero, no notification will appear.

    • Empty Recycle Bin? - How to handle the Recycle Bin during cutover, either Empty or Don't Empty.

      Users may get an error message that their Recycle Bin has been corrupted after migration if the Recycle Bin is not empty. See Troubleshooting for more information about this issue.

    • Specify Target OU - The target OU where the Computers will be created. If this field is left blank, the computers will default to the Computers container.
  3. Join to Existing Computer Account - Select Yes to join the Computer to the existing target Computer during cutover.
  4. Click Save Profile. The new migration options profile is added to the list.

Network Profiles

To add network profiles:

  1. On the Network Profiles page, click the Add button. The Network Profiles window appears.

  2. Enter values in the following fields:
    • Profile Name - The name to identify this Network Profile.
    • Set DNS Servers For the Computer? - Options include: Don't Change This Setting, Use DHCP For DNS Server, or Manually Assign DNS Servers.

      If you manually assign DNS settings, be sure that the DNS server(s) that you include here can resolve the Migrator Pro for Active Directory Agent SRV record.

    • Primary DNS Server - The preferred DNS server.
    • Secondary DNS Server - The alternate DNS server.
    • DNS Suffix For the Network Adapter - The primary DNS suffix that will be set on the network adapter.
    • Append DNS Suffixes to the Network Adapter - Options include Don't Change This Setting, Preserve Current DNS Suffixes From the Network Adapter, or Set the Following DNS Suffixes.
    • DNS Suffixes - Enabled if Set the Following DNS Suffixes is selected from the "Append DNS Suffixes to the Network Adapter" option. Enter each suffix and then press Enter.
    • Register the Network Adapter's Addresses in DNS - Options include Don't Change This Setting, No, or Yes.
    • If Yes is selected for the "Register the Network Adapter's Addresses in DNS" option, select Don't Change This Setting, Include The Manual DNS Suffix, or Don't Include the Manual Suffix.
    • Primary WINS Server - The preferred WINS server.
    • Secondary WINS Server - The alternate WINS server.
  3. Click Save Profile. The new network profile is added to the list.

Device ReACL Profiles

The default Device ReACL profile is used if a different profile is not defined and set on the computers. The default Device ReACL profile can be edited.

To add Device ReACL profiles:

  1. On the Device ReACL Profiles page, click the Add button. The Device ReACL Profile window appears.

  2. In the Profile Name field, enter a name to identify this Device ReACL Profile.
  3. Select a Logging Level, either Informational (default) or Debugging.
  4. Select the components to process.

    Local Files/Folders: Selected by default.

    Registry Permissions: Selected by default.

    User Profiles: Selected by default.

    Local Group Memberships: Selected by default.

    Local Printer Permissions: Selected by default.

    Network Share Permissions: Selected by default.

    Printer Share Permissions: Selected by default.

    Roaming Profiles: Unselected by default.

    If you select Roaming Profiles, users must be logged out of their roaming profiles during the ReACL process.

    Windows Services: Selected by default. The Windows Services option will ensure that any source domain accounts that were given permission to a service will include the corresponding matched target domain account after a ReACL process.

    Windows Service Accounts: Unselected by default. We recommend that the Windows Service Accounts box is left UNCHECKED. A change in the ACL of the service accounts of the target may have an impact on the applications currently running. Although the ReACL process can usually be rolled back in case of issues, there could be a temporary disruption in service until that can be resolved. Selecting the Windows Service Accounts box will switch the domain account that Windows services are running under to the corresponding matched target domain account after a completed ReACL process.

    User Rights Assignments: Selected by default.

    System ACLs: Selected by default. The System ACLs option allows for the proper translation of accounts within the security audit logs.

    Preserve the "Archive" Bit: Unselected by default. If the Preserve the "Archive" Bit box is left unchecked, the archive bit will be reset. If checked, the archive bit will not be reset.

  5. Click Next.

  6. Normally all files and folders are included in the ReACL process. If it is preferred to provide a specific list, enter the list in the Only Process the Following and Their Subfolders box. Separate each entry by pressing Enter. You may use just a file path using backslashes, or provide an exact drive letter. If a drive letter is provided, the ReACL is limited to that exact path.

    Note that if you choose to list folders here, these are the ONLY folders that will be included in the ReACL process. (The exception is if you check the User Profiles box: those Profiles will always be included automatically in addition to your list.) 

  7. In the Exclude These Paths From Processing box, enter folder paths that will not be included in the ReACL process. Wild card characters (* and ?) can be used when specifying exclusion list folders. Separate the paths by pressing Enter. By default, the following folders are exclusion listed:

    • \Windows
    • \WINNT
    • \I386
    • \Windows\I386
    • \Program Files
    • \PROGRAM FILES (x86)
    • \MSOCACHE
    • \System Volume Information
    • \Recycler
    • \$RECYCLE.BIN
    • \CONFIG.MSI
    • \RECOVERY
    • \OEM
    • \Quarantine
    • \BOOT
    • \ProgramData\Microsoft\Windows Defender
  8. In the Exclude These Registry Keys From Processing box, enter registry keys that will not be included in the ReACL process. A leading '\' is not necessary. Separate the paths by pressing Enter. The following wild card characters are permitted when specifying registry keys:

    • * matches zero or more characters in a key name, but not the '\' path delimiter.
    • ? matches any single character.
    • ** matches zero or more parent keys.

    Examples:

    • HKEY_LOCAL_MACHINE\SOFTWARE\XYZ – a single key
    • HKEY_LOCAL_MACHINE\SOFTWARE\XY* – all keys starting with "XY" in HKEY_LOCAL_MACHINE\SOFTWARE
    • HKEY_LOCAL_MACHINE\SOFTWARE\?YZ – all 3-character keys ending with "YZ" in HKEY_LOCAL_MACHINE\SOFTWARE
    • HKEY_LOCAL_MACHINE\**\XYZ – all keys named "XYZ" anywhere under HKEY_LOCAL_MACHINE
    • **\XYZ – all keys named "XYZ" in any registry hive
  9. Click Next.
  10. The Reparse Point Processing Rules page appears. Reparse Points like Symbolic Links, Mount Points, and OneDrive folders will be processed by ReACL. Additional Reparse Tags can be added to the rules list in the Advanced view to change how ReACL will process those items. Click the Show Advanced button to edit the rules list.

    When Show Advanced is clicked, the rules list is displayed. Additional Reparse Points can be added to the list in the "ReparseTag:Action" format. Skip, Recurse, Update, and Full are the available actions. Separate rules by pressing Enter.

  11. Click Next.
  12. Select an option from the Elevated Permissions Failure Action drop-down list to choose the action that should be taken if any part of the ReACL process encounters errors.

    In order to successfully adjust permissions, Migrator Pro for Active Directory must create a process with a security token that has been assigned additional permissions. The token is said to have elevated rights/permissions. If this process fails, it is likely that the ReACL will be largely unsuccessful in updating the operating system for use by target user accounts.

    • The default is Terminate processing with fatal error, meaning the ReACL process for that computer is stopped as soon as an error occurs. This is a time-saving option. The ReACL process is reported as Failed in the Computers View. A computer cannot be Cutover if the ReACL process reports as Failed. This is the recommended setting.
    • If you choose Log error entry, the entire process will attempt to complete when an Elevate Failure error is encountered, but the process will still be reported as Failed. This selection may take significantly more time than "Terminate processing with fatal error" because the entire process will attempt to finish before reporting as Failed.
    • If you choose Log warning entry, a warning entry will be logged, however the process will be reported as Successful. This choice allows experienced migration architects to analyze the logs and choose to Cutover anyway based on their analysis of the results.
    • If you choose Log informational entry, an info entry will be logged, however the process will be reported as Successful. This choice allows experienced migration architects to analyze the logs and choose to Cutover anyway based on their analysis of the results. We suggest choosing Warning over Info as that will make the entries easier to locate in the log.
  13. Select an option from the Profile Failure Action drop-down list to choose the action that should be taken when an invalid or duplicate profile exists in the target.
    • The default is Terminate processing with fatal error, meaning the ReACL process for that computer is stopped as soon as an error occurs. This is a time-saving option. The ReACL process is reported as Failed in the Computers View. A computer cannot be Cutover if the ReACL process reports as Failed. This is the recommended setting.
    • If you choose Log error entry, the entire process will attempt to complete when a Profile Failure error is encountered, but the process will still be reported as Failed. This selection may take significantly more time than "Terminate processing with fatal error" because the entire process will attempt to finish before reporting as Failed.
    • If you choose Log warning entry, a warning entry will be logged, however the process will be reported as Successful. This choice allows experienced migration architects to analyze the logs and choose to Cutover anyway based on their analysis of the results.
    • If you choose Log informational entry, an info entry will be logged, however the process will be reported as Successful. This choice allows experienced migration architects to analyze the logs and choose to Cutover anyway based on their analysis of the results. We suggest choosing Warning over Info as that will make the entries easier to locate in the log.
  14. Select an option from the Preserve Rollback Metadata in ACLs drop-down list.

    Migrator Pro for Active Directory inserts a "breadcrumb" during the ReACL process to allow seamless rollback of the ReACL process if needed. You can control the insertion of these breadcrumbs (which are removed during the Cleanup process) here.

    • The default is Always and does not affect performance. We recommend this setting. This is the only setting where the changes performed by the ReACL process can be rolled back, or undone, in all scenarios.

    • If you choose Only If Ambiguous, metadata will only be included when the rollback settings would be ambiguous. Only If Ambiguous results in the addition of fewer breadcrumbs, preserving usage for times when it may be impossible to determine the original file or folder permissions, for example, when users have accounts in multiple domains that will be consolidated into a single domain.

      Note that Only If Ambiguous guarantees a ReACL can be rolled back to the original state only when the file system permissions remained unchanged. Modification of ACLs on the file system could create a state where a rollback cannot complete with 100% success. To ensure the ability for a ReACL Rollback in all scenarios, Always should be selected.

    • If you are an experienced migration architect, you may choose Never to never include metadata.

      If Never is selected, a complete rollback may not be possible.

  15. Select Yes under Run Processing in Simulation Mode to simulate the results of the ReACL process without actually making any changes to the ACL. Visit the logs/reports to determine any potential issues and correct them before running an actual ReACL process. You might use this setting to create a Device ReACL Profile specifically for testing purposes.
  16. Click Save Profile. The new Device ReACL Profile is added to the list.
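
The registry-key wildcard rules in step 8 can be checked against a list of key paths before an exclusion list is saved. The following is an added example, not code from Migrator Pro for Active Directory; it assumes '?' does not match the '\' delimiter and that a pattern matches only the named key itself (the page does not say how subkeys of an excluded key are treated). The function names and sample keys are constructed for illustration.

```python
import re

def _segment_regex(seg):
    # '*' and '?' never cross the '\' delimiter (for '?' this is an assumption).
    table = {"*": r"[^\\]*", "?": r"[^\\]"}
    return "".join(table.get(ch, re.escape(ch)) for ch in seg)

def compile_exclusion(pattern):
    # A leading '\' is optional, so strip it before splitting into key names.
    segs = [s for s in pattern.strip().strip("\\").split("\\") if s]
    if not segs or segs[-1] == "**":
        raise ValueError("pattern must end in a key name: %r" % pattern)
    regex = ""
    for seg in segs[:-1]:
        # '**' stands for zero or more whole parent keys.
        regex += r"(?:[^\\]+\\)*" if seg == "**" else _segment_regex(seg) + r"\\"
    # Registry key names are case-insensitive on Windows.
    return re.compile(regex + _segment_regex(segs[-1]), re.IGNORECASE)

def matches(pattern, key):
    return compile_exclusion(pattern).fullmatch(key.strip("\\")) is not None

def audit(patterns, keys):
    # Returns ({key: first matching pattern}, [patterns that matched no key]).
    excluded, used = {}, set()
    for key in keys:
        for p in patterns:
            if matches(p, key):
                excluded.setdefault(key, p)
                used.add(p)
    return excluded, [p for p in patterns if p not in used]

# Patterns use the page's syntax; the key paths are constructed sample data.
SAMPLE_PATTERNS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\XY*",
    r"HKEY_LOCAL_MACHINE\**\XYZ",
    r"\HKEY_LOCAL_MACHINE\SOFTWARE\?YZ",
    r"HKEY_USERS\**\Vendr",  # constructed typo: matches none of the keys
]
SAMPLE_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\XYTools",
    r"HKEY_LOCAL_MACHINE\SYSTEM\Services\xyz",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\AYZ",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\XYTools\Settings",  # subkey: not matched by XY*
    r"HKEY_USERS\S-1-5-18\Software\Vendor",
]
if __name__ == "__main__":
    excluded, unused = audit(SAMPLE_PATTERNS, SAMPLE_KEYS)
    print(excluded, unused, sep="\n")
```

A pattern that ends up in the second return value matched nothing in the supplied key list, which usually points to a typo in the exclusion entry.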