Step Three: Set up Active Directory Profiles and Configurations
Now that Directory Sync is configured and the Active Directory agent is installed on the device that you want to migrate, you can proceed with configuring the profiles and configurations.
Profiles
Profiles are groups of related settings and options for the device migration. There are six kinds of profiles in Active Directory: Migration, Network, Device ReACL, File Share ReACL, Credentials, and Credential Cache.
For the minimum purposes of this guide we will not need to set up a File Share ReACL profile, Credentials profile, or a Credential Cache profile.
- Migration Profile - Migration Profiles contain common device cutover settings used to manage the domain join process.
- Network Profile - Network Profiles contain common network adapter settings that need to be updated during the device’s migration to the new domain.
- Device ReACL Profile - Device ReACL Profiles contain common settings to manage updating permissions of Windows workstations and servers prior to migration.
The Migration, Network, and Device ReACL profiles have a default profile available. Review the settings on the default profiles and determine if you need to create your own new profiles which have different settings.
Configurations
New in Active Directory are the Configurations page and sections.
Downloads
You should already have seen the Downloads page when downloading the agent. This is the only Configuration section which will apply to this simple guide. The Downloads page also holds the setting for the agent auto-upgrade feature for your whole project. This is one of the best new features: it ensures that if a new version of the agent is released, your agents will be updated automatically. If necessary, you can also disable this setting.
Repositories
This page defines storage locations for certain migration jobs which require local storage of files. These job types are ‘Upload Logs’, ‘Download File’, and ‘Offline Domain Join’. For the purposes of this guide none of these locations needs to be defined, but they will be very important should you proceed to using their related jobs.
Custom Tasks and Actions
Custom migration Actions and their constituent Tasks are organized in a similar system to the Active Directory Pro product. Click Show System to view the standard Actions which come with the product and then copy them if you want to edit them or create your own. For this guide we are only using the system actions, but here is where you would customize your own as needed.
Variables
This section is where you define global variables for the scripts running as part of Custom Tasks and Actions.
If you have proceeded this far in setting up Profiles and Configurations while waiting for initial agent registration, you will need to pause here until that step is completed. Otherwise you are ready to proceed to performing migration activities.
Step Four: Performing migration activities - ReACL and Cutover of Devices
Once Profiles and Configuration have been set up you can proceed to migration activities.
Before or while performing migration activities, it may be helpful to organize and partition the list of devices to be migrated by using the Migration Waves feature. To assign devices to a migration wave, select the devices in the Ready Devices tab, select the ‘Add to Migration Wave’ action from the dropdown, and click the Apply Action button. You can also manage Migration Waves by going directly to the Waves page from the left menu. Combining the defined migration waves with the Ready Devices table filters is a powerful way to track devices and statuses throughout the migration.
The simplest migration activities flow consists of applying a ReACL action followed by a Cutover action. This is the flow we will follow in this guide.
Before working with the devices, ensure that the users related to the device you are going to migrate have already been matched in the target in Directory Sync. This will allow the ACLs to be updated correctly for use in the target by the ReACL process. Remember that if those users were created by your Workflow you will need to run the workflow a second time in order to read them back into the database and finish the matching.
From the Active Directory Devices + Servers page, on the Ready Devices tab, select a device on which to perform a migration action. There are several useful actions in the Select Action dropdown which you can apply to that device. For this guide the first action we need to use is ReACL. Device ReACL is non-destructive and can be performed multiple times prior to the cutover event. After you click to apply the action, the ReACL Job Options dialog is displayed, where you can enable ‘Do Not Start Before’ and choose a time in the future to start the job. Otherwise, the job will be queued when you click Apply. Do not enable the option for now and click Apply.
Wait for the ReACL job to be picked up by the agent and for the job to complete. You can track the status as it updates in the Ready Devices table or from the product dashboard.
If you want to see what jobs are currently queued for a device or review the outcome of previous jobs for that device select the device from the Ready Devices table and then select and apply the ‘View Jobs’ action. For planning which User objects need to be migrated to the target prior to migrating the devices they are using, the ‘Show Profiles’ action is a helpful one to see which user profiles have logged into the device in question.
After the ReACL process has been completed successfully it is time to queue a Cutover action.
From the Ready Devices table, select the device you just ReACLed on which to perform a cutover action. Select the Cutover action from the dropdown and click the Apply Action button. After you click to apply the action, the Cutover Job Options dialog is shown. Here you can choose to ignore the ReACL status of that device. The cutover action will error out and fail to queue unless the ReACL status of the device is ‘Completed’ or you have chosen to ignore it. On this dialog you can also enable ‘Do Not Start Before’ and choose a time in the future to start the job. Otherwise, the job will be queued when you click Apply. Choose that option for now.
Wait for the Cutover job to be picked up by the agent and for the job to complete. You can track the status as it updates in the Ready Devices table or from the main Product dashboard.
When the Cutover is completed inspect the workstation or server and ensure that things went as expected. When the entire project is completed the Cleanup action can also be run. Congratulations on
For more information about other topics visit the online help center.
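The post-cutover inspection mentioned above can be partly scripted. The following is an added example, not part of the product or its documentation: it checks that the device reports the target domain, that its secure channel is healthy, and lists explicit folder ACEs that still show an unresolved SID or a source-domain principal. The domain names and path are placeholder assumptions.

```powershell
# Added example. Run in an elevated Windows PowerShell 5.1 session on the migrated device.
# $TargetDomain, $SourceNetBIOS and $Path are placeholders (assumptions), not product values.
param(
    [string]$TargetDomain  = 'target.example.com',   # DNS name of the target domain
    [string]$SourceNetBIOS = 'SOURCE',                # NetBIOS name of the source domain
    [string]$Path          = 'C:\Users'               # folder whose subfolders are spot-checked
)

$report = [System.Collections.Generic.List[object]]::new()
function Add-Row($Check, $Item, $Detail) {
    $report.Add([pscustomobject]@{ Check = $Check; Item = $Item; Detail = $Detail })
}

# 1. The device should report the target domain and hold a working secure channel to it.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain -or $cs.Domain -ne $TargetDomain) {
    Add-Row 'DomainJoin' $cs.Name "Reports domain '$($cs.Domain)', expected '$TargetDomain'"
}
elseif (-not (Test-ComputerSecureChannel)) {
    Add-Row 'SecureChannel' $cs.Name 'Secure channel to the domain is broken'
}

# 2. Explicit (non-inherited) ACEs on each top-level folder under $Path.
#    An identity shown as a raw S-1-5-21-... SID did not resolve to an account name.
Get-ChildItem -LiteralPath $Path -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $folder = $_.FullName
    try { $acl = Get-Acl -LiteralPath $folder -ErrorAction Stop }
    catch { Add-Row 'AclUnreadable' $folder $_.Exception.Message; return }
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }
        $id = $ace.IdentityReference.Value
        if ($id -match '^S-1-5-21-') {
            Add-Row 'UnresolvedSid' $folder "$id ($($ace.FileSystemRights))"
        }
        elseif ($id -like "$SourceNetBIOS\*") {
            Add-Row 'SourcePrincipal' $folder "$id ($($ace.FileSystemRights))"
        }
    }
}

# An empty table means none of the checks above produced a row.
$report | Sort-Object Check, Item | Format-Table -AutoSize -Wrap
```

Treat the ACE rows as items to review against your Device ReACL profile settings rather than as failures.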
What’s Next?
Now that the first device(s) have been configured and migrated in Active Directory you are ready to progress to more planning and more involved migration scenarios. For instance, further information is available on Offline Domain Join and the related Credential Cache jobs should they meet the needs of your project scenario.
For more information, see the On Demand Migration Active Directory User Guide.
FAQs
- What ports does the agent use to connect?
The Active Directory Agent uses three outbound ports:
- I’ve installed the agent and the device isn’t ready, what do I do?
On startup the Active Directory agent will phone home sometime in the first four hours. This communication offset is an agent-specific, random, evenly distributed delay, so the initial communications of a large number of devices set up at once will be spaced out and will not overload the servers. If your device has the agent installed but four hours have not yet passed, wait up to four hours and then re-check the Ready Devices list to see if your device shows up before proceeding to other network troubleshooting operations.
- How do I adjust the agent polling interval?
In Active Directory, unlike in Active Directory Pro, the agent polling interval is not end-user adjustable. The agent polls every two minutes over UDP and every four hours over TCP. Should this amount of network traffic be an issue, contact Support to investigate reducing the polling frequency. Note that less frequent polling will cause queued migration actions to take longer to be picked up by the agents.
- How many migration actions can I queue at once?
In Active Directory you can queue as many migration actions at once as you would like. There is a hard limit of 600 agents per two-minute period that the job availability cache will notify that they have a job waiting. Therefore, the minimum amount of time required for those queued migration actions to be picked up is the number of queued migration actions divided by 600 and multiplied by two minutes.
- Agent last contact time isn’t updating every two minutes, is something wrong?
In Active Directory the Agent last contact time is updated based on the TCP connection with the back end. This will occur if a job is retrieved or every 4 hours as a fallback. It is not expected that the agent last contact time will update every two minutes, even if the UDP requests to the job availability cache are functioning correctly.
- The machine name was changed during the migration project, will it keep working?
Changing the machine name during a migration project may have unexpected implications. We recommend that you avoid doing so if possible. If you cannot avoid it, you will need to delete the device from Active Directory and reinstall the agent. Use the Status Resets action to reset the registration status of the device, then set the Directory Sync Workflow to reconcile on next run and run it. This will delete the old device from the database. Finally, reinstall the Active Directory Agent on that device and run the Workflow again to read it in.