User Guide - NetIQ

User GuideNetIQ Domain MigrationAdministratorTMMay 2012

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARESUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT ASEXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQCORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS"WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THEIMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DONOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE,THIS STATEMENT MAY NOT APPLY TO YOU.This document and the software described in this document may not be lent, sold, or given away without the prior writtenpermission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement ornon-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in aretrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consentof NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not representreal companies, individuals, or data.This document could include technical inaccuracies or typographical errors. Changes are periodically made to the informationherein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in orchanges to the software described in this document at any time. 2012 NetIQ Corporation and its affiliates. All Rights Reserved.U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Governmentor by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Departmentof Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government’s rights in the softwareand documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software ordocumentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.Check Point, FireWall-1, VPN-1, Provider-1, and SiteManager-1 are trademarks or registered trademarks of Check Point SoftwareTechnologies Ltd.ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design,Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, ExchangeAdministrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy,Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure ConfigurationManager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registeredtrademarks of NetIQ Corporation or its subsidiaries in the USA. All other company and product names mentioned are used onlyfor identification purposes and may be trademarks or registered trademarks of their respective companies.For purposes of clarity, any module, adapter or other similar material ("Module") is licensed under the terms and conditions of theEnd User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with,and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End UserLicense Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module andcontact NetIQ for further instructions.

ContentsAbout This Book and the Library .xiiiConventions . xivAbout NetIQ Corporation . xvChapter 1Introduction1What Is Domain Migration Administrator? .1Premigration Modeling and Impact Analysis .2Custom Migrations Using ActiveScript Triggers .2Support for Multiple Operating Systems .2Support for NetApp Filers .3Scheduling Domain Migration through the CLI .3What Is Server Consolidator? .3Server Consolidation Analysis and Testing .4Scheduling Server Consolidation through the CLI .4How These Products Help Your Company .4Reduces Total Cost of Migration .4Models and Simulates Migrations .5Open and Customizable .5How These Products Help You .6Simplifies Assessment and Preparation .6Eases the Transition .6Project-Based, Controlled Migration .7Contentsiii

Chapter 2Planning and Performing Your Migration9Identifying Your Migration Scenario . 10Migration Checklist . 11Understanding Access and Security Issues . 18Translating Security to Reflect the New SID . 19Using SID History to Maintain Permissions . 19Migrating Well-Known Accounts . 20Understanding Built-in Accounts . 21Copying Local Group Memberships and Domain Controller Security Policy . 22Assessing Your Existing Environment . 22Designing Your New Environment . 23Preparing Your Environment . 24Considering Enterprise Environment Issues . 25Getting Production Data into Your Test Lab . 27Preparing for Recovery and Fault Tolerance . 28Preparing Your Source Domains . 29Preparing to Migrate with SID History . 30Setting Up a Clean Domain . 34Preparing an Existing Target Domain . 36Verifying Name Resolution Services . 37Testing Secure Channel Communication . 38Establishing a Two-Way Trust . 38Establishing Migration Credentials . 39Reviewing Password Policies . 42Considering Other Applications . 45Developing a Migration Plan . 45Determining the Scope of Your Migration . 46Developing a Migration Workflow . 48Planning for Microsoft Exchange . 57Running Migration Tests and Verifying Results . 57Establishing a Migration Time Line . 58ivUser Guide

Using the Product Most Effectively .59Using Individual Tasks or Projects .59Customizing Your Migration Results .61Notifying Users about Migrating .62Migrating Objects and Verifying Results .64Using the Migration Logs .65Adjusting Agent Error Logging Levels .67Adjusting Server Consolidator Logging Levels .68Chapter 3Installing Domain Migration Administrator and Server Consolidator69Domain Migration Administrator Requirements .69Computers Running Domain Migration Administrator .70Database Requirements .71Computers Running Agents .72General Requirements .73Target-Specific Requirements .74Using SID History Features .74Permission Requirements for Domain Migration Administrator .74Firewall Considerations for Domain Migration Administrator .76Objects that Domain Migration Administrator Migrates .76Understanding Naming Limitations .77Server Consolidator Requirements .78Hardware Requirements for Server Consolidator .78Software Requirements for Server Consolidator .79Permission Requirements for Server Consolidator .79Licensing Considerations .79Using a Trial License .80Viewing Your License Information .80Upgrading Your License .80Contentsv

Upgrading Domain Migration Administrator and Server Consolidator . 81Installing Domain Migration Administrator and Server Consolidator . 81Installing Agents Separately . 83Chapter 4Consolidating Servers85Best Practices for a Smooth Consolidation . 86Starting Server Consolidator . 86Understanding the Server Consolidator Interface . 86Server Consolidator Task Pad . 86Server Consolidator Wizards . 87Performing Consolidation Tasks .87Consolidating Files, Folders, and Shares . 88Preparing for NetApp Filer Consolidation . 88Disk Mirroring Using Server Consolidator . 89Copying Files, Folders, and Shares to Cluster Servers . 90Consolidating Printers . 91Consolidating Local Groups . 92Translating Security and Access Settings . 93Generating Server Consolidator Reports . 93Using the CLI for Server Consolidator . 94Chapter 5Migrating with Projects95Starting Domain Migration Administrator . 96Understanding the Domain Migration Administrator Interface . 96Domain Migration Administrator Task Pads . 96Project Task Pad . 97Domain Migration Administrator Wizards . 98viUser Guide

Customizing the Project-Based Interface .98Modifying How Wizards Display Accounts .99Modifying which Accounts Wizards Display .99Modifying Advanced Domain Migration Administrator Options .100Performing Project Tasks .101Selecting Objects by Importing a CSV File .101Defining a Migration Project .102Modifying a Migration Project .105Refreshing Project Data .105Performing the Migration Defined in a Project .106Synchronizing Migrated Objects .107Deleting a Migration Project .107Undoing User Account Migrations in Projects .108Using Reports .108Chapter 6Delegating Migration Tasks111Understanding the Delegation Interface .111Delegation Task Pad .112Delegation Wizards .113Understanding Project Delegation .113Performing Delegation Tasks .114Creating Delegated Migration Projects .114Exporting a Migration Project .116Importing a Migration Project .117Chapter 7Performing Individual Migration Tasks119Understanding the Task-Based Interface .119Task-Based Task Pad .119Individual Task Wizards .120Customizing the Task-Based Interface .120Contentsvii

Performing Individual Tasks .121Generating and Viewing Reports .121Migrating Trusts .121Setting Service Account Migration Options .122Mapping and Merging Groups .122Migrating User Accounts .123Migrating Groups .124Renaming Computers .124Migrating Computer Accounts .125Importing Objects for Post-Migration Tasks .125Translating Security Access and Profiles .127Synchronizing Passwords in Two Domains .127Translating Security for Accounts with SID History .128Removing SID History Values .129Translating Security for NetApp Filers .129Updating ADC Accounts .130Retrying Failed Migration Tasks .132Undoing Individual Migration Tasks .132Chapter 8Understanding Reporting133Special Reports .134Understanding the Reporting Interface .135Global and Project-Focused Reports .135Generating and Viewing One Report .137No Data to Report .138Performing Reporting Tasks .138Generating and Updating Reports .138Viewing Reports .139Navigating Reports .140viiiUser Guide

Chapter 9Customizing the Migration Process141Using Scripting .141Scripting Objects .142Event Triggers .142Example Script: Populating Active Directory from a Data Source .143Using Data Modeling .144Understanding the Data Modeling Interface .145Importing the Domain Migration Administrator Data .146Changing the Properties of a Target Account .147Changing the Target OU for an Account .148Scheduling Your Migration with the CLI .149Appendix AUsing the Command-Line Interface151Using the Domain Migration Administrator Command-Line Interface .151Using the Server Consolidator CLI .154Appendix BDetailed Permission Requirements157Domain Migration Administrator Minimum Permissions .157Understanding Agent Permissions .158Permission Requirements for Specific Tasks .159Server Consolidator Minimum Permissions .173Copying Files, Folders, and Shares .174Copying Printers .174Migrating Local Groups .175Translating Security for Local Groups .175Contentsix