Migration
Migration Manager for Active Directory 8.11 User Guide

Contents

Introduction to Migration Manager for Active Directory
About Migration Manager for Active Directory
Initial Configuration of Migration Project
Managing the Migration Project
Delegating Migration Tasks
Pre-migration Activities
Exchange Migration Considerations
Domain Pairs
Creating a Domain Pair
    Step 1. Select Source Domain
    Step 2. Select Target Domain
    Step 3. Complete the New Domain Pair Wizard
Configuring a Domain Pair
Skip Objects
Specify Conflict Resolution Rules
Configure Object Matching
Service Attributes
Account Migration
Migration Session
Considerations for Migration Sessions
Creating a Migration Session
    Step 1. New Migration Session
    Step 2. Select Source Objects
    Step 3. Select Target Container
    Step 4. Set Security Settings
    Step 5. Specify Object Processing Options
    Step 6. Select Migration Agent
    Step 7. Summary
    Step 8. Migrating Active Directory Objects
    Step 9. Complete the Wizard
Viewing Migration Session Details
Using a Completed Session as a Template
Configuring User and Group Renaming
Delegating Account Migration
    Step 1. New Delegated Migration
    Step 2. Restrict Source Migration Scope
    Step 3. Restrict Target Migration Scope
    Step 4. Select Migration Agent
    Step 5. Specify the Object Processing Custom Add-in File
    Step 6. Delegate the Migration
    Step 7. Complete the Wizard
Undo Account Migration
    Step 1. Select Objects to Revert the Changes for
    Step 2. Reverting Migration Changes
Directory Synchronization
Considerations for Directory Synchronization
Directory Synchronization Agent
Agent Manager
Installing the Directory Synchronization Agent
Configuring the Directory Synchronization Agent
Changing the Directory Synchronization Agent Credentials
Configuring the Synchronization Job
    Step 1. Select Synchronization Agent
    Step 2. Select Source Objects to Synchronize
    Step 3. Set Security Settings
    Step 4. Select Target Objects to Synchronize
    Step 5. Specify Advanced Options
    Step 6. Specify Exchange Options
Starting and Stopping Directory Synchronization
Viewing Directory Synchronization Statistics
Synchronization Statistics
Uncommon: Trust and Site Migration
Trust Migration
    Step 1. Select Domains
    Step 2. Analyzing Trusts
    Step 3. Analyzing the Source Domain Trusts
    Step 4. Select Trusts
    Step 5. Applying Trusts
    Step 6. Complete the Wizard
Site Migration
    Step 1. Select Source Domain Controller
    Step 2. Select Target Domain Controller
    Step 3. Select Objects to Migrate
    Step 4. Processing Options
    Step 5. Handle Duplicate Object Names
    Step 6. Migrate Sites and Subnets
    Step 7. Migrating Selected Objects
    Step 8. Select License Servers
About Dell
Contacting Dell
Technical support resources

Introduction to Migration Manager for Active Directory

We assume that you are familiar with Migration
Manager concepts described in the Migration Manager Installation Guide, and
that you have already installed the product, following the instructions provided in
that guide. It is also recommended that you read the release notes for the
current version of Migration Manager. The release notes contain information
about specific product behavior, limitations, known issues, and workarounds that
may be useful for planning and performing your migration.

About Migration Manager for Active Directory

Migration Manager for Active Directory is an
efficient, flexible, and comprehensive solution for restructuring your Active
Directory. The restructuring is performed by migrating objects between forests or
domains. Migration involves moving Active Directory objects (users, groups, and
resources) from a source domain to a target domain. Depending on the
environment and the goals of the migration, the migration scenario may vary.
The Migration Manager Tips and Tricks document contains common migration
scenarios and considerations for choosing the one that best fits your
requirements. While the migration is underway (and some large-scale migrations
can last for years), the source and target domains must coexist and stay in
synch. Migration Manager eases the administrative burden during this period by
providing synchronization capabilities, such as synchronization of account
properties, group membership, and passwords: administrators simply make
necessary changes in one environment and those changes are automatically
replicated to the other environment. Migration Manager also allows delegation of
migration tasks to other people. Delegated administrators are able to migrate
and process only the resources you specify. This guide describes most of the
migration process, including pre-migration activities, the migration itself,
directory synchronization, and delegation. The final step, resource update, is
described in the dedicated Resource Processing document.

Initial Configuration of Migration Project

The Open Project Wizard is the central place for configuring
the migration project and all its components: the ADAM/AD LDS database, the
SQL/MSDE database (for Exchange migrations only), and Statistics Portal. The
wizard can be used to start a new project, connect to an existing project, or
change any settings of the current project.

CAUTION: In most cases you need just one Migration
Manager project for your whole migration, no matter how many domains you
have. Normally, you would use a separate project only for lab testing before you
start migration in the production environment.

We assume that you became
familiar with the Open Project Wizard while carrying out the procedures
described in the Opening a Migration Project topic of the Migration Manager
Installation Guide. Refer to that document for a full description of the wizard
steps.

To briefly review, the Open Project Wizard steps are as follows:

1. On the Configure ADAM/ADLDS Project step, you specify the server where
   ADAM or AD LDS is installed, specify the port number used by ADAM (the
   default is 389; it might be different if ADAM or AD LDS is installed on a
   domain controller or this is not the first ADAM or AD LDS instance on the
   server), and select a project to connect to (you can choose to create a
   new one).
2. Next, on the Set Auxiliary Account step, you supply the user name and
   password that program components will use to access the ADAM or AD LDS
   database.
3. The Configure SQL/MSDE Database step is displayed if you installed
   Migration Manager for Exchange. On that step, you configure the database
   that will be used to store information related to your Exchange migration.
4. On the Configure Statistics Portal step, you can optionally specify the
   portal's URL and connection settings.
5. On the final step, review the settings and finish the wizard.

For a detailed description, refer to the Opening a Migration Project topic of
the Migration Manager Installation Guide.

CAUTION: We recommend that you avoid managing the
Properties setting of the same objects within the same migration project from
several Migration Manager Console computers simultaneously. Note also that
having several parallel Remote Desktop connections to the same console
computer is not supported.

Managing the Migration Project

Migration of simple
environments where accounts and resources are centralized in one major
location can be accomplished from that location using a single Migration
Manager console. However, this method is not appropriate when you need to
migrate a large distributed environment where accounts and resources reside in
different geographic locations (sites), particularly if the sites are connected by
slow links that limit the amount of data that can be transferred effectively. In this
case, the migration must be performed in each site locally. Migration Manager
provides for effective project implementation and management when migrating
large distributed environments.

Figure 1. Managing a migration project in a distributed environment

If a number of administrators from multiple locations are going to
perform migration, it is recommended to have local ADAM/AD LDS installations in
each major location with a replica of the project partition. To avoid excessive
traffic over slow links, administrators should work with the nearest ADAM or AD
LDS server that contains a replica of the project. In this case, you will need to
delegate responsibility for migration tasks, as explained in the Delegating
Migration Tasks topic.

Delegating Migration Tasks

Migration Manager allows
administrators to delegate specific tasks to trusted persons responsible for
particular stages of migration. For example, you can delegate the rights to
manage the migration within a specified pair of domains to the administrators of
those domains, or you can delegate the rights to process a specific server to the
server administrator. The trusted person will have the appropriate access to the
objects that he or she is granted rights to only and will not have the opportunity
to perform any actions with other objects. The delegation is performed by
assigning a role that defines a level of permissions to a person within a migration
project. Only accounts that have Full Admin role over an object can delegate the
rights over that object to another account.

Table 1. Roles that can be assigned to a trusted person within a migration
project.

Tree node object: Migration project
Available roles:
- Full Admin—Can create and configure any objects (domain pairs, directory
  synchronization jobs, migration sessions, delegated migrations, resource
  processing tasks, etc.) and perform any task within the project.
- Reader—Can view objects within the project and their settings, except
  domain pairs and Exchange stores in the synchronization settings, but
  cannot perform any migration tasks or change the configuration.

Tree node object: Directory migration
Available roles:
- Domain Pair Creator—Can create domain pairs. This person automatically
  gets the Full Admin role over the domain pairs he or she creates and
  therefore is able to change settings of the domain pairs later.

Tree node object: Domain pair
Available roles:
- Full Admin—Can change any settings on a domain pair (such as credentials
  used to connect to each domain), and can also configure the directory
  synchronization between the domains, create and run migration sessions,
  and delegate the migration to other trusted persons.
- Reader—Cannot view or change settings of the domain pair, and cannot
  perform any migration tasks.

Tree node object: Delegated migration
Available roles:
- Migration Admin—Can run migration sessions within the delegated migration
  job. This person can migrate objects from and to only those containers
  specified in the delegated migration job. He or she cannot see the
  credentials used to connect to the source and target domain or change the
  object processing custom add-in or the migration agent, but can see which
  custom add-in and agent are used.

Tree node object: Tasks
Available roles:
- Task Creator—Can create resource processing tasks. This person is
  automatically assigned Full Admin role to the tasks he or she creates and
  therefore can change the task settings later and run the task.

Tree node object: Resource processing task
Available roles:
- Resource Admin—Can run the resource processing task and change its
  settings. However, this person cannot change the re-permissioning options
  or perform undo or cleanup.

NOTE: Only a domain pair’s Full Admins are
granted access to the domain pair’s sub-nodes (synchronization, migration, and
other manually created delegated migration jobs) and migration sessions.

To delegate the rights to perform a migration task:

1. In Migration Manager, right-click the tree node object and select
   Delegate on the shortcut menu.
2. Specify the account to which you want to delegate the task.
3. Select the level of permissions for that account from the Role list.
4. Click Add Account. This will add the account to the Delegated accounts
   list.
5. Click OK.

To revoke permissions, complete the following steps:

1. In Migration Manager, right-click the tree node object and select
   Delegate on the shortcut menu.
2. In the Delegated accounts list, select the account you want to revoke the
   rights from and click Revoke.
3. Click OK.

NOTE: Refer to the Delegating Account Migration topic of this guide for more
details about delegating account migration tasks.

Pre-migration Activities

Before you start directory
migration, analyze the existing directory. This includes identifying required
hardware and software upgrades, possible naming conflicts in the case of
directory merges, and for an interforest migration, comparing and unifying the
source and target forest schemas. You can use Dell Reporter to obtain detailed
information about the existing Active Directory configuration, hardware and
software inventory, etc. You can optionally set up the target Active Directory
forest, administrative accounts, and organizational units before migration. For
more information about environment preparation, refer to the Dell Migration
Manager Installation Guide.

NOTE: The Migration Manager for Active Directory toolset includes tools for
the following rarely encountered use cases:
- Copy trusts that the source domain currently has with other domains to the
  target domain. Refer to the Trust Migration topic for more details.
- Preserve the physical entities of the source forest (sites, subnets, site
  links, and site link bridges) after the user accounts have been migrated.
  Refer to the Site Migration topic for more details.

Exchange Migration Considerations

The following information is relevant to
migration projects that involve both Active Directory and Exchange migration.
Due to the tight integration of Exchange and Active Directory, some Exchange-
specific decisions need to be made before even starting Active Directory
migration. There are four choices regarding the kind of users that will exist
in the target domain after Active Directory migration:
- Users without mail options
- Mail-enabled users
- Mail-enabled users for Native Move
- Mailbox-enabled users

For Exchange migration, you need to have mail-enabled users, mail-enabled
users for Native Move, or mailbox-enabled users. For a smooth Exchange
migration experience down the road, decide in advance which option will work
for you. This choice is important for selecting the mailbox migration method.

Mail-enabled users are required if there are plans to include the users in
the GAL without performing fully-fledged Exchange migration for them.

Mail-enabled users for Native Move are required if you plan to move
mailboxes using the Native Move job.

Mailbox-enabled users are required if there are plans to:
- Move mailboxes using the Mailbox Synchronization job
- Move mailboxes using the Legacy Mailbox Synchronization job
- Set up calendar coexistence (with or without mailbox migration) using
  Calendar Synchronization jobs
- Set up calendar coexistence (with or without mailbox migration) using
  Legacy Calendar Synchronization jobs

To make an informed decision, discuss this with your Exchange migration
operator. For details and guidelines, refer to the Mailbox Migration Process
topic in the Migration Manager for Exchange User Guide.

The relevant Exchange options are specified during Active Directory
Synchronization configuration. For details, see the Step 5: Specify Exchange
Options section of the Configuring the Synchronization Job topic.

Domain Pairs

All migration activities are performed
between source and target domain pairs. You should configure the pairs of
source and target domains that will be involved in the migration and directory
synchronization processes. The subsequent sections discuss how to create and
configure the domain pairs:
- Creating a Domain Pair
- Configuring a Domain Pair

Creating a Domain Pair

This section explains how to create a new domain pair in the migration
project.

NOTE: Before you create a domain pair, at least one Directory Synchronization
Agent should be installed in your environment. Refer to the Directory
Synchronization Agent topic for more details.

To create a domain pair, right-click the Directory Migration node and select
New Source and Target Domain Pair from the shortcut menu. This will start the
New Domain Pair Wizard, which will guide you through the process:

Step 1. Select Source Domain

Specify or browse to the domain controller of the domain that you want to
make a source of information for the migration. Specify the credentials for
accessing the domain controller.

NOTE: The account you specify will be used by the Directory Synchronization
Agent to access the source domain objects and to perform directory migration.
Therefore, the account must have domain administrator rights in the source
domain.

Step 2. Select Target Domain

Specify or browse to the domain controller of the domain that you want to
make a target of migration. Specify the credentials for accessing the domain
controller.

NOTE: The account you specify on this page will be used by the Directory
Synchronization Agent to access the target domain objects and to perform
directory migration. Therefore, the account must have domain administrator
rights in the target domain.

Step 3. Complete the New Domain Pair Wizard

The wizard displays the names of the source and target domains and the
accounts you specified for connecting to domains. As soon as a domain pair is
created, it will be displayed in the Migration Manager console management
tree as a node having two sub-nodes, Migration and Synchronization.

Configuring a Domain Pair

After you have
created a domain pair, you can specify configuration parameters for the domain
pair. To do this, right-click the domain pair and select Properties. The parameters
you can specify are described in the related topics.

NOTE: Modifying these parameters requires full directory resynchronization.
You must stop the synchronization job for the domain pair and then restart it
using the Start and Re-sync option.

Skip Objects

This step allows you to specify the categories of objects that will be
skipped during processing for all migration and synchronization tasks. You
can select to skip the following types of objects:
- Active Directory default objects (objects present in Active Directory by
  default, such as built-in accounts and accounts like Domain Admins and
  Domain Users)
- Disabled accounts
- Expired accounts

If you select to skip any of these objects,
you will not see them and therefore will not be able to select them when you
browse the source or target domain of the domain pair.

Specify Conflict Resolution Rules

You can specify the attributes that are to be unique within the given scope
(forest, domain, or container) on source and target, and the action to be
performed if these attributes are not unique (i.e., two or more objects exist
with the same value for a specified attribute). This is done by setting
conflict resolution rules.

NOTE: The conflict resolution rules you specify affect both migration and
synchronization.

Click Add to set a new rule for automatic conflict resolution and make the
appropriate settings in the New Conflict Resolution Rule dialog box,
described below. Click Edit to edit an existing conflict resolution rule.
Click Remove to remove the selected conflict resolution rule from the list.

The rule consists of the following settings:
- Source domain—Specifies that the current conflict resolution rule will be
  applied on source.
- Target domain—Specifies that the current conflict resolution rule will be
  applied on target.
- By attribute—Select the attribute that you want to resolve the conflicts
  by.
- Queue for manual resolution—If this option is selected, conflicts in the
  selected attribute will not be resolved automatically but instead will be
  queued for later manual resolution. If directory synchronization is
  established between the domains in a domain pair, you will see objects that
  were queued for manual conflict resolution in the Conflicts queue of the
  directory synchronization job for the domain pair. Refer to the Directory
  Synchronization topic for more details. In the case of migration, you can
  see the conflicting objects by inspecting the migration log. Refer to the
  Viewing Migration Session Details topic for more details.
- Add prefix—If this option is selected, the specified prefix will be added
  to the attribute value if the attribute is not unique within the specified
  scope.
- Add suffix—If this option is selected, the specified suffix will be added
  to the attribute value if the attribute is not unique within the specified
  scope.
- Forest—Specifies that conflicts should be resolved within the whole forest.
- Domain—Specifies that conflicts should be resolved within the whole domain.
- Container—Specifies that conflicts should be resolved within each
  container.

Configure Object Matching

This step allows you to specify attributes
for object matching during migration and synchronization. The Directory
Synchronization Agent will match the source and target objects according to the
attributes selected for object matching. If the agent cannot find a matching
object in the target directory, a new object is created in this directory and its
attributes are populated with the values of the corresponding source object.

NOTE: The object matching rules you specify affect both migration and
synchronization.
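
The object matching and conflict resolution settings described above can be rehearsed on exported directory data before a domain pair is configured. The following Python example is added here and is not Migration Manager code or part of the original guide: it pairs source and target objects by a matching attribute, then checks whether each unmatched object would collide on a unique attribute within the chosen scope. The sample entries, the mig_ prefix, the OU=Migrated target container and the choice to queue an object whose prefixed value is also taken are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample entries; names, domains and attribute values are invented.
SOURCE = [
    {"dn": "CN=Ann Lee,OU=Staff,DC=src,DC=example",
     "mail": "ann.lee@example.com", "sAMAccountName": "alee"},
    {"dn": "CN=Bob Ray,OU=Staff,DC=src,DC=example",
     "mail": "bob.ray@example.com", "sAMAccountName": "bray"},
    {"dn": "CN=Cy Diaz,OU=Staff,DC=src,DC=example",
     "mail": "cy.diaz@example.com", "sAMAccountName": "cdiaz"},
]
TARGET = [
    {"dn": "CN=Ann Lee,OU=Users,DC=tgt,DC=example",
     "mail": "ann.lee@example.com", "sAMAccountName": "alee"},
    {"dn": "CN=Bea Ray,OU=Sales,DC=tgt,DC=example",
     "mail": "bea.ray@example.com", "sAMAccountName": "bray"},
]


def rdns(dn):
    """Split a distinguished name on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def scope_key(dn, scope):
    """Return the bucket within which an attribute value must be unique."""
    parts = rdns(dn)
    if scope == "container":
        return ",".join(parts[1:]).lower()  # parent container DN
    if scope == "domain":
        return ",".join(p for p in parts if p.upper().startswith("DC=")).lower()
    if scope == "forest":
        return "*"  # assumption: all entries passed in belong to one forest
    raise ValueError(f"unknown scope: {scope}")


def match_objects(source, target, match_attr):
    """Pair source and target objects whose match_attr values are equal."""
    index = {t[match_attr].lower(): t for t in target if t.get(match_attr)}
    matched, unmatched = [], []
    for s in source:
        hit = index.get((s.get(match_attr) or "").lower())
        if hit:
            matched.append((s["dn"], hit["dn"]))
        else:
            unmatched.append(s)  # no match: a new target object would be created
    return matched, unmatched


def plan_creates(unmatched, target, container, unique_attr, scope, prefix=None):
    """For each unmatched source object, report whether creating it under
    `container` collides on unique_attr and what the rule would do."""
    taken = defaultdict(set)
    for t in target:
        if t.get(unique_attr):
            taken[scope_key(t["dn"], scope)].add(t[unique_attr].lower())
    plan = []
    for s in unmatched:
        key = scope_key(f"{rdns(s['dn'])[0]},{container}", scope)
        value, action = s[unique_attr], "create"
        if value.lower() in taken[key]:
            renamed = None if prefix is None else prefix + value
            if renamed and renamed.lower() not in taken[key]:
                value, action = renamed, "create-renamed"
            else:
                action = "queue"  # assumption: unresolved conflicts go to manual review
        if action != "queue":
            taken[key].add(value.lower())
        plan.append((s["dn"], action, value))
    return plan


if __name__ == "__main__":
    matched, unmatched = match_objects(SOURCE, TARGET, "mail")
    print("matched:", matched)
    for row in plan_creates(unmatched, TARGET, "OU=Migrated,DC=tgt,DC=example",
                            "sAMAccountName", "domain", prefix="mig_"):
        print(row)
```

Running the same plan with prefix=None shows which objects would land in a manual queue, which is a quick way to size the review workload before choosing between the Queue, Add prefix and Add suffix actions.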