For information about SID filtering, refer to Configuring SID Filtering.
It is essential to have a solid understanding of your infrastructure and know your bandwidth at every location. Site topology diagrams with inter-site connection speeds, Active Directory design, OU hierarchy, domain controller placement, Flexible Single Master Operation (FSMO) role placement, and BackOffice server location, along with other infrastructure diagrams, help you see the whole picture and make good decisions.
Site topology diagrams and information about the number of users in each site help you decide, for example, whether to perform the migration centrally or to divide the migration into parts and allow some remote sites to be migrated locally (in other words, to delegate the migration activities).
Information about the locations of BackOffice servers can help you plan resource processing tasks and delegate these tasks to other administrators. Use the Location of BackOffice Servers report to find the computers that have the BackOffice service installed.
Site topology information also helps you decide which domain controllers to use for migration. Choose source and target domain controllers located in the same site as the Directory Synchronization Agent that will process migration and synchronization jobs between these domains, so that traffic does not cross slow WAN links.
We recommend that the diagrams be created using visual tools (for example, Microsoft Visio) and printed out for convenience.
Also, if you want to migrate a large number of accounts (more than 500) to the target domain in one session, it is recommended that you select a target domain controller that owns the RID master role. Otherwise, the target domain controller may experience delays getting the next set of RIDs from the RID master when creating objects in Active Directory.
How RID Allocation Works
When a domain controller creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal object created in a domain.
Each Windows domain controller in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a domain controller's allocated RID pool falls below a threshold, that domain controller issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting domain controller. There is one RID master per domain in a forest.
Use Reporter's FSMO Roles report to help you determine FSMO placement.
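The RID master and the state of the domain's unallocated RID pool can also be read directly from Active Directory. The following is an added example, not part of the product or its documentation: it assumes the ActiveDirectory (RSAT) PowerShell module, the function names are hypothetical, and the sample value is constructed so that the decoding step runs without a domain.

```powershell
# Added example. Function names and the sample value are illustrative assumptions.

function ConvertFrom-RidAvailablePool {
    # rIDAvailablePool is a 64-bit value on the "RID Manager$" object:
    #   high 32 bits = total number of RIDs the domain can ever issue
    #   low  32 bits = number of RIDs already allocated to domain controllers
    param([Parameter(Mandatory)][int64]$Value)

    $ceiling   = $Value -shr 32
    $allocated = $Value -band 4294967295      # 0xFFFFFFFF as an Int64 literal
    [pscustomobject]@{
        Ceiling     = $ceiling
        Allocated   = $allocated
        Remaining   = $ceiling - $allocated
        PercentUsed = [math]::Round(100 * $allocated / $ceiling, 2)
    }
}

function Get-RidMasterPool {
    # Run on a domain-joined host. Queries the RID master itself so the
    # value is not affected by replication latency.
    param([string]$Domain = $env:USERDNSDOMAIN)

    Import-Module ActiveDirectory -ErrorAction Stop
    $d  = Get-ADDomain -Identity $Domain
    $dn = "CN=RID Manager`$,CN=System,$($d.DistinguishedName)"
    $ridManager = Get-ADObject -Identity $dn -Properties rIDAvailablePool -Server $d.RIDMaster

    ConvertFrom-RidAvailablePool -Value $ridManager.rIDAvailablePool |
        Add-Member -NotePropertyName RidMaster -NotePropertyValue $d.RIDMaster -PassThru
}

# Constructed sample: ceiling of 1073741823 RIDs, 18600 already allocated.
$sample = ([int64]1073741823 -shl 32) -bor 18600
ConvertFrom-RidAvailablePool -Value $sample

# On a domain-joined host, for the target domain of the migration:
# Get-RidMasterPool -Domain 'target.example.com'   # placeholder domain name
```

The RidMaster property in the output names the domain controller to select as the target when migrating a large number of accounts in one session.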
Since the Migration Manager agents are installed and updated from the console over RPC and the agents transfer data directly between source and target servers over RPC as well, RPC traffic must be allowed over the routers separating the subnets.
Make sure that the following ports are open on workstations, servers, routers, and firewalls: 135 and 137–139.
For more detailed information on what ports and protocols Microsoft operating systems and programs require for network connectivity, refer to Microsoft Knowledge Base article 832017, “Service overview and network port requirements for the Windows Server system,” at http://support.microsoft.com/kb/832017.
You can use the DCDiag and NetDiag utilities from Windows Support Tools to test network connectivity. To install Windows Support Tools, run Setup.exe from the \SUPPORT\TOOLS folder of the Windows distribution CD. For more information about the utilities, refer to their online help and other documentation.
In Windows XP Service Pack 2, Microsoft introduced the Security Center, which includes a client-side firewall application. The firewall is turned on by default and configured to filter packets sent to ports 137–139 and 445. These ports are used by the File and Printer Sharing service, which must be installed and running on the computer to be updated.
To make sure Resource Updating Manager correctly updates computers running workstation Windows versions, add the File and Printer Sharing service to the firewall Exceptions list and unblock ports 137–139 and 445. Alternatively, consider deploying Resource Updating Manager agents using group policy or similar methods. For more information on resource processing requirements, refer to the Step 3. Process Distributed Resources topic.
When granting the required permissions to the administrative accounts in Active Directory, you should also make sure that permissions inherited from the parent are not blocked at any level in your Active Directory.
An Exchange topology diagram helps you plan directory, public folder, and mailbox synchronization jobs. This diagram should display Active Directory sites, Exchange administrative and routing groups, Exchange servers, bridgehead servers, and the number of public folders and mailboxes and their sizes on each Exchange server.
You can use this diagram when planning for directory, public folder, and mailbox synchronization to help you choose source and target Exchange servers that are in the same physical location, thus preventing large amounts of data from being transferred across slow WAN links.
We recommend that the diagrams be created using visual tools (for example, Microsoft Visio) and printed out for convenience.