The first step towards success on a project using Migrator Pro for Active Directory is to understand the product architecture and how this architecture will operate in your environment.
Migrator Pro for Active Directory consists of the following components:
- A directory synchronization engine
- A REST based web service
- A management interface
- A lightweight agent for workstations and member servers
- A database running on Microsoft SQL Server
The directory synchronization engine, the web service, and the management interface will all access the same SQL database. In most scenarios, these components will be installed on the same system. In larger or more complex network environments, the components can be distributed across multiple systems. If the directory synchronization engine, the web service or the management interface is installed on a separate system, it is important to ensure that all three components retain access to the same SQL database.
The directory synchronization engine is provided by Directory Sync Pro for Active Directory. Directory Sync Pro for Active Directory is included as part of Migrator Pro for Active Directory. Directory Sync Pro for Active Directory is responsible for synchronizing users and groups between source and target Active Directory domains. Directory Sync Pro for Active Directory also handles migrating key user properties such as SID History and user passwords.
User workstations and member servers are called computers in Migrator Pro for Active Directory. Computers communicate with the Migrator Pro for Active Directory web service using the Migrator Pro for Active Directory Agent. The Migrator Pro for Active Directory Agent is a lightweight application that installs as a service on Windows computers. Upon installation, the agent has the ability to autodiscover the location of the Migrator Pro for Active Directory web service.
To ensure that no firewall exceptions are required, the web service does not "call" the workstations or servers to be migrated. Instead, the Migrator Pro for Active Directory Agents contact the web service at defined polling intervals, using standard HTTPS or HTTP requests to retrieve jobs. Jobs include key tasks such as system discovery, updating the operating system, file system, and user profile permissions, and migrating the computer to the new domain.
A typical migration project using Migrator Pro for Active Directory can be broken up into phases.
- Phase 1: Installing and Creating the Synchronization Profile within Directory Sync Pro for Active Directory
- Phase 2: Register Computers (Concurrent with Phase 3)
- Phase 3: Identify Users, Resources, Contacts, and Groups to Migrate (Concurrent with Phase 2)
- Phase 4: ReACL Computers and NAS
- Phase 5: Cutover Computers
- Phase 6: Cleanup
The Cleanup process typically occurs several months after the completion of the project.
Best practices for each phase of the migration project are presented below:
Phase 1: Installing and Creating the Synchronization Profile within Directory Sync Pro for Active Directory
- Directory Sync Pro for Active Directory is used to synchronize objects and must be installed before installing the Migrator Pro for Active Directory Console and Web Service.
- The AD Migration/Synchronization profile should be set up to include every computer. However, not every computer needs to be migrated immediately. This process ensures they are in the database, ready to install the Migrator Pro for Active Directory Agent and register themselves. Computers can be blacklisted if you do not want to immediately migrate them.
- Carefully consider the Group Collision option (Merge, Skip, Rename). It is recommended that this option not be changed once migrations have started. Additionally, it is strongly recommended not to select the Skip option. The Merge and Rename options are better in most cases.
- Synchronizing SID History is recommended.
Phase 2: Register Computers (Concurrent with Phase 3)
- The Migrator Pro for Active Directory Agent should be pushed out to computers via Group Policy (GPO) or a third-party tool.
- Sufficient time should be allowed to address any issues with computer registration with the server. Correcting registration issues can take more time than expected. A typical large company with a large number of computers may need a couple of weeks of intermittent work to resolve registration issues with all computers.
- Resolving computer registration issues can be accomplished concurrently with identifying users, rooms, contacts, and groups to migrate in Phase 3.
Phase 3: Identify Users, Rooms, Contacts, and Groups to Migrate (Concurrent with Phase 2)
- Before migrating users and groups, do some planning and analysis to see what users, rooms, contacts, and groups should be migrated, what groups need to be consolidated, how duplicates will be handled, etc.
- More than one synchronization profile can be used to control the target destinations of users, rooms, contacts, and groups.
- User Accounts should be disabled in the target.
- Identifying users, rooms, contacts, and groups to migrate can be accomplished concurrently with resolving computer registration issues in Phase 2.
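Two of the recommendations above are easy to verify from the target domain once the synchronization profile has run: that SID History was populated (Phase 1) and that synchronized user accounts are still disabled in the target until cutover (Phase 3). The following PowerShell audit is an added example and is not part of Migrator Pro for Active Directory or Directory Sync Pro for Active Directory; it uses only the Microsoft ActiveDirectory module. The target domain controller name, the source domain SID, the optional search base and the output file name are all assumptions supplied by the operator.

```powershell
# Added example (not product code): audit synchronized user accounts in the target domain.
# Reports accounts that are already enabled before cutover and accounts whose SID History
# contains SIDs from a domain other than the expected source.
param(
    [Parameter(Mandatory)] [string] $TargetServer,     # target-domain DC to query (assumption)
    [Parameter(Mandatory)] [string] $SourceDomainSid,  # source domain SID, e.g. 'S-1-5-21-...' (assumption)
    [string] $SearchBase,                              # optional OU to scope the audit (assumption)
    [string] $ReportPath = '.\target-sidhistory-audit.csv'
)

Import-Module ActiveDirectory

# Only accounts that actually carry SID History are interesting for this check.
$query = @{
    Server     = $TargetServer
    Filter     = 'SIDHistory -like "*"'
    Properties = 'SIDHistory', 'Enabled', 'whenCreated'
}
if ($SearchBase) { $query.SearchBase = $SearchBase }

$report = Get-ADUser @query | ForEach-Object {
    $user = $_
    # An account may carry several historical SIDs; separate those from the expected
    # source domain from anything else, which deserves a manual look.
    $fromSource = @($user.SIDHistory | Where-Object { $_.Value -like "${SourceDomainSid}-*" })
    $foreign    = @($user.SIDHistory | Where-Object { $_.Value -notlike "${SourceDomainSid}-*" })

    [pscustomobject]@{
        SamAccountName   = $user.SamAccountName
        Enabled          = $user.Enabled            # expected to be $false until cutover
        SourceSidCount   = $fromSource.Count
        UnexpectedSids   = ($foreign | ForEach-Object { $_.Value }) -join ';'
        WhenCreated      = $user.whenCreated
    }
}

# The two findings worth acting on: enabled before cutover, or SID History from an
# unexpected domain. Everything else is written to the CSV for the project record.
$report |
    Where-Object { $_.Enabled -or $_.UnexpectedSids } |
    Sort-Object SamAccountName |
    Format-Table -AutoSize

$report | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("Audited {0} synchronized accounts; report written to {1}" -f $report.Count, $ReportPath)
```

Run it from a workstation with RSAT against the target domain, for example `.\Audit-TargetSidHistory.ps1 -TargetServer dc01.target.example -SourceDomainSid S-1-5-21-111-222-333`. Running the same audit again immediately before cutover gives a quick confirmation that no target account was enabled out of sequence.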
Phase 4: ReACL Computers and NAS
- Run a ReACL on as many computers as possible early in the process.
- ReACL is a non-destructive process that can be repeated as often as necessary up until Cutover in Phase 5.
- Troubleshoot any computers that did not successfully complete ReACL.
- Run a ReACL again close to the actual cutover date. This will allow you to complete most of the ReACL process early and provide time to resolve any issues with things such as anti-virus software and Group Policies.
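Because ReACL is non-destructive and repeatable, the useful question between runs is which file system permissions still reference the source domain. The scan below is an added example, not part of Migrator Pro for Active Directory; it uses only built-in PowerShell cmdlets (Get-ChildItem, Get-Acl) to list explicit access control entries whose identity is still a source-domain principal or an unresolved SID. The root path and the source domain's NetBIOS name are assumptions supplied by the operator, and the script only reads ACLs.

```powershell
# Added example (not product code): find explicit ACEs that still point at the source
# domain, which indicates directories the ReACL job has not yet processed.
param(
    [Parameter(Mandatory)] [string] $Path,           # root of the share or volume to scan (assumption)
    [Parameter(Mandatory)] [string] $SourceNetbios,  # source domain NetBIOS name, e.g. 'OLDCORP' (assumption)
    [switch] $IncludeInherited                       # inherited ACEs repeat on every child; off by default
)

function Get-AceReason {
    param([string] $Identity)
    # A translated name prefixed with the source NetBIOS name is an untouched source principal;
    # a raw domain SID means the principal could not be resolved at all (often a deleted or
    # not-yet-migrated source account).
    if ($Identity -like "$SourceNetbios\*")   { return 'source-domain principal' }
    if ($Identity -like 'S-1-5-21-*')         { return 'unresolved SID' }
    return $null
}

$findings = Get-ChildItem -LiteralPath $Path -Recurse -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dir = $_
        try { $acl = Get-Acl -LiteralPath $dir.FullName } catch { return }   # skip access-denied paths

        # The owner is not an ACE but must also be re-mapped, so report it separately.
        $ownerReason = Get-AceReason -Identity $acl.Owner
        if ($ownerReason) {
            [pscustomobject]@{ Path = $dir.FullName; Identity = $acl.Owner; Rights = 'Owner'; Inherited = $false; Reason = $ownerReason }
        }

        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited -and -not $IncludeInherited) { continue }
            $reason = Get-AceReason -Identity $ace.IdentityReference.Value
            if ($reason) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                    Reason    = $reason
                }
            }
        }
    }

$findings | Sort-Object Path, Identity | Format-Table -AutoSize
Write-Host ("{0} entries still reference the source domain under {1}" -f @($findings).Count, $Path)
```

A clean run returns zero entries; a non-empty result after a ReACL pass points to directories the job could not reach, which is exactly the class of problem (anti-virus exclusions, Group Policy, access denied) the text suggests leaving time to resolve before cutover.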
Phase 5: Cutover Computers
- Create some test users, groups, and computers to verify a successful user and group migration and computer cutover.
- Create any custom jobs that may be required to run against users, rooms, groups, contacts or computers.
- Typically, a final ReACL would be run the weekend before the cutover to ensure any new users and other changes are processed.
- A workstation reboot is required after the target account is enabled, the source account is disabled, and the workstation cutover is complete. This is usually completed in the evening when fewer users are affected. The affected users should be alerted that this reboot is necessary.
Phase 6: Cleanup