11.3 Perform an AD to AD Cross-Empire Data Migration

11.3.1 Establish a Forest Trust Configuration in SMAdmin

  1. Launch SMAdmin and click the Home tab.

  2. Click Forest Trusts and select the check box next to the displayed source forest.

  3. Close out of SMAdmin.

  4. Launch SMAdmin and log in.

  5. Click Forest Trusts and verify that the status for forest trust reads:

    Trust is fully configured and usable.

11.3.2 Assign Administrative Rights to the SMProxyRights Group

Follow these procedures to add the SMProxyRights group of the target forest as a member of the local administrators group on the server or appliance in the source forest.

  1. On the source server, launch Active Directory Users and Computers.

  2. From the Builtin directory of the forest, double-click Administrators.

  3. Click the Members tab.

  4. Click Add.

    This opens the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box.

  5. Click Locations.

    This opens the Locations dialog box.

  6. Select the target forest and click OK.

  7. In the Enter the object names to select field of the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, type smp and click Check Names.

    This opens the Multiple Names Found dialog box.

  8. Select SMProxyRights and click OK.

  9. Click OK to close the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box.

    SMProxyRights is added to the list of members in the Administrators dialog box.

  10. Click OK to close the Administrators dialog box.

11.3.3 Assign Permissions to the SMProxyRights Group

Follow these procedures to grant the SMProxyRights group of the target server Full Control share permissions on the shares that Storage Manager will be migrating from the source forest.

  1. Using Windows Explorer on the source server, right-click the shares you plan to migrate and select Properties.

    This opens the Properties dialog box.

  2. Click the Sharing tab and click Advanced Sharing.

    This opens the Advanced Sharing dialog box.

  3. Click Permissions.

    This opens the Permissions dialog box.

  4. Click Add.

    This opens the Select Users, Computers, Service Accounts, or Groups dialog box.

  5. Click Locations.

    This opens the Locations dialog box.

  6. Select the target forest and click OK.

  7. In the Enter the object names to select field of the Select Users, Computers, Service Accounts, or Groups dialog box, type smp and click Check Names.

    This opens the Multiple Names Found dialog box.

  8. Select SMProxyRights and click OK.

  9. In the Permissions dialog box pertaining to the share you selected previously, assign SMProxyRights Full Control.

  10. Click OK to save the setting and close the Permissions dialog box.

  11. Repeat these steps for all other shares you plan to migrate.

  12. Close the Advanced Sharing and Properties dialog boxes.

11.3.4 Verify that SMAdmin Can See Shares on the Source Server

Follow these procedures to verify that SMAdmin can see the shares that you plan to migrate.

  1. Launch SMAdmin and click the Home tab.

  2. Click Storage Resources.

  3. Verify that the shares you want to migrate are listed.

    If the shares are not listed, click Rebuild.

11.3.5 Create an Identity Map

Storage Manager for Active Directory uses an identity map to specify associations between the users and groups of the source forest and the users and groups of the target forest.

As specified in Section 11.2, Prerequisite Tasks, you must create the associated target server users, groups, and shares before you migrate, because the AD to AD Cross-Empire Data Migration Solution Pack does not create these associated objects on the target server.

IMPORTANT: If you are creating an identity map of more than 25,000 objects, we recommend 8GB to 12GB of memory for the workstation or server running SMAdmin.

  1. Launch SMAdmin and click the Home tab.

  2. Click Cross-Empire Data Migrations > Active Directory to Active Directory.

  3. Click Edit Identity Map.

  4. Click Identity Map Entry Wizard.

  5. Select both the User to User and Group to Group check boxes.

  6. From the Match Attribute drop-down menu, select one of the following options:

    SAM-Account-Name: Use this attribute when you want to populate the identity map with objects in the source and target forest that have the same corresponding attribute value. When you choose SAM-Account-Name (SAM) as the Match Attribute, the engine searches the source and target forests (depending on your Source and Target Scopes) for objects whose SAM values are the same.

    Common-Name: This attribute selection functions in the same manner as SAM-Account-Name, but for Common-Names (CN).

    Object-SID: This option is only applicable in the case where accounts have been migrated from the source to the target using a tool such as Active Directory Migration Tool (ADMT). When ADMT is used, you can opt to copy the Object-Sid. This results in the target object containing the Object-Sid of the originating source object in the SID-History attribute.

    For more information, refer to these Microsoft documents:

    When this Match Attribute is chosen, the engine will enumerate objects in the source and then search for objects whose SID-History attribute contains the source object's Object-Sid. If objects have not been migrated such that the source's Object-Sid is in the target's SID-History, you must use either SAM-Account-Name or Common-Name to populate the identity map.

    Well-known SIDs: This option should be used when you want to populate the identity map with well-known SIDs whose relative identifiers (RIDs) are relative to each domain (e.g. chronicle\administrator) and whose domain identifier is not "Builtin" (32).

    For more information, refer to this Microsoft document: https://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85).aspx

    Builtin well-known SIDs can be added and mapped manually in the Identity Map editor by selecting an object from the Well-known SIDs tab, right-clicking and selecting Add Identity Map Entry.

  7. Verify that the source forest and target forest in the Source Scope and Target Scope regions respectively, are correct and click Next.

  8. Observe the matching results of source and target groups and users.

  9. Click Next.

  10. In the Import Map Entries page, leave the Auto-save Identity Map updates to Engine check box selected and click Finish.

    The users and groups on the source and target forests are now matched.
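
The following sketch is an added example, not Storage Manager code: it models the SAM-Account-Name, Common-Name, and Object-SID match options from step 6 over constructed directory records. The labels "sam", "cn" and "object-sid", the function name, and all SIDs are assumptions; how the engine itself treats duplicate matches is not documented here, so the sketch leaves them as [Do Not Translate] for manual review, since a wrong match hands the source object's permissions to the wrong target account.

```python
"""Added example: identity-map matching over constructed directory records."""
from collections import defaultdict

DO_NOT_TRANSLATE = "[Do Not Translate]"
SRC = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed source domain SID
TGT = "S-1-5-21-4444444444-5555555555-6666666666"  # constructed target domain SID

# Constructed sample objects; a real run would read these from both forests.
SOURCE = [
    {"sam": "jsmith", "cn": "John Smith", "sid": f"{SRC}-1104"},
    {"sam": "finance", "cn": "Finance", "sid": f"{SRC}-1105"},
    {"sam": "akhan", "cn": "Amir Khan", "sid": f"{SRC}-1106"},
    {"sam": "svc_backup", "cn": "Backup Service", "sid": f"{SRC}-1107"},
]
TARGET = [
    {"sam": "JSmith", "cn": "John Smith", "sid": f"{TGT}-2101",
     "sid_history": [f"{SRC}-1104"]},  # migrated with its source SID copied
    {"sam": "finance_grp", "cn": "Finance", "sid": f"{TGT}-2102", "sid_history": []},
    {"sam": "a.khan", "cn": "Amir Khan", "sid": f"{TGT}-2103", "sid_history": []},
    {"sam": "amir", "cn": "Amir Khan", "sid": f"{TGT}-2104", "sid_history": []},
]


def build_identity_map(source, target, match_attribute):
    """Map each source SID to one target SID, or leave it untranslated.

    match_attribute is "sam", "cn" or "object-sid" (hypothetical labels for
    the wizard's SAM-Account-Name, Common-Name and Object-SID choices).
    Returns (mapping, ambiguous); ambiguous holds sources with several hits.
    """
    by_sid = match_attribute == "object-sid"
    index = defaultdict(list)
    for obj in target:
        # Object-SID matching looks for the source SID in the target's SID-History;
        # name matching is case-insensitive, as AD name comparison is.
        keys = obj["sid_history"] if by_sid else [obj[match_attribute].lower()]
        for key in keys:
            index[key].append(obj["sid"])

    mapping, ambiguous = {}, {}
    for obj in source:
        key = obj["sid"] if by_sid else obj[match_attribute].lower()
        hits = index.get(key, [])
        if len(hits) == 1:
            mapping[obj["sid"]] = hits[0]
        else:
            mapping[obj["sid"]] = DO_NOT_TRANSLATE
            if hits:  # several candidates: needs a human decision
                ambiguous[obj["sid"]] = hits
    return mapping, ambiguous


if __name__ == "__main__":
    for attr in ("sam", "cn", "object-sid"):
        mapping, ambiguous = build_identity_map(SOURCE, TARGET, attr)
        mapped = sum(1 for v in mapping.values() if v != DO_NOT_TRANSLATE)
        print(f"{attr}: {mapped} mapped, {len(ambiguous)} ambiguous")
```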

11.3.6 Preview the Source Paths for the Migration

Follow these procedures to preview the migration source paths as well as add and match any missing objects to the identity map.

  1. In the Identity Map interface, click Source Paths > Generate Preview Report.

  2. In the Preview Migration Source Paths dialog box, in the upper left-hand pane, navigate to the desired share and double-click it to add it to the Path window to the right.

  3. From the Path Scan Options drop-down menu, select from the following options:

    Scan Folders Only: Scans only the folder permissions in the specified paths.

    Scan File Owners: Scans the folder permissions and the file owners in the specified paths.

    Scan File Owners and Permissions: Scans the folder permissions, file owners, and file permissions in the specified paths.

  4. Click Preview Paths.

    For ease in identifying all unmapped (orphaned) SIDs, use the sort arrow which is located on the first column heading in the lower portion of the interface.

  5. Click the Owner Entries tab and view the orphaned SIDs, meaning all of the folders and files without owners.

  6. Click the Unique IDs tab and view the unmatched objects.

    These are objects that you will need to add to the identity map.

11.3.7 Add Unmapped Objects to the Identity Map

Follow these procedures to add any unmapped objects listed in the Unique IDs tab to the identity map.

  1. In the identity map, click the Target Account column heading to sort unmapped objects so they are all listed as a group at the top of the list.

  2. From the Browser Target tab on the right pane, locate an object you want to indicate as an owner for an unmapped object and drag the object up to the unmapped object’s corresponding Target Account column entry.

    This changes the unmapped object’s Target Account listing from [Do Not Translate] to the new owner object.

  3. When you are finished specifying owners for your unmapped objects, click Apply.

11.3.8 Generating a Preview Report Before Migrating

You can easily generate a preview report as a CSV file before you migrate. This might be useful if you need to provide a report to a CIP or other members of the migration team.

  1. Launch SMAdmin and click the Reports tab.

  2. Click Preview Source Path.

  3. Double-click the top entry in the list.

  4. From the View Report page, click the CSV icon to save the report as a CSV file.

11.3.9 Determine If You Are Going to Migrate the Data in Two Phases or One

Before you migrate data from the source to the target forest, you must determine if you will be migrating in two phases or one.

Two-Phase Migration

In the first phase, you migrate all unopened files while skipping all opened files. In the second phase, you get all of your users to log off of the network (ensuring that they have no files open), then you migrate all of the skipped files, then all of the new and modified files.

A two-phased migration is more suitable to organizations with data sets too large to migrate over a weekend.

Single-Phase Migration

This approach lets you migrate all of the data in one phase. You must have all users logged off of the network and be able to migrate the data before the users return to work.

11.3.10 Migrate Group Data

HINT: To view the status of the migration, we recommend that you install and run a Tail program and use it to tail the Agent log path located at: "%programdata%\Micro Focus\Storage Manager\Agent\log\smagent.log"

Follow these procedures to migrate group data from the source forest to the target forest.

  1. In SMAdmin, click the Home tab.

  2. Select Cross-Empire Data Migration > Active Directory to Active Directory.

  3. Select Migration Wizards > Data and Security.

    This launches the Folder to Folder Migration wizard.

  4. Do one of the following:

    • If you plan to do a two-phase migration by skipping open files, leave the Generate Automatic Mappings check box deselected and click Next. Browse to specify the source and target folders and click Next.

      This method will create a single source path and single target path, which alleviates potential problems that can surface when skipping open files during a migration.

    • If you plan to do a single-phase migration, you can select the Generate Automatic Mappings check box to create any needed subfolders on the target that do not already exist. Browse to specify the source and target folders and click Next.

  5. In the Define Mappings page of the wizard, observe the migration events that are now queued up.

  6. Click Next.

  7. (Conditional) If you are doing a two-phase migration, in the Data Copy Options page, select the Skip Open Files check box.

    1. Click the Browse button that corresponds to the Delta File field and through the path browser, select the folder where you want to store the delta file.

    2. Right-click and select New Folder and click OK.

      The delta file name is created and displayed in the Delta File field.

  8. Click Next.

  9. In the Security and Ownership page, select the Use the Identity Map check box.

  10. Select either the Merge Security or Overwrite Security option.

    Merge Security: This option merges the permissions of the source folder with those of the target folder.

    Overwrite Security: This option overwrites the permissions of the target folder with those of the source folder.

  11. From the Owner for Target Folder drop-down menu, select your preferred option.

    1. If you select either Default Owner if not in Identity Map or Set Explicit Owner, browse to assign an owner.

  12. From the Owner for Target Folder Contents drop-down menu, select your preferred option.

    1. If you select either Default Owner if not in Identity Map or Set Explicit Owner, browse to assign an owner.

  13. Click Next.

  14. Click Migrate.

    The queued migration events are listed.

  15. Click Finish.

  16. In SMAdmin, from the Home tab, click Events to view the status of the migration.

  17. (Optional) If you have a Tail program, you can view the status of the migration.

11.3.11 Migrate User Data

Use these procedures to migrate user home folders from the source forest to the target forest.

  1. In SMAdmin, click the Home tab.

  2. Select Cross-Empire Data Migration > Active Directory to Active Directory.

  3. Select Migration Wizards > Data and Security.

    This launches the Folder to Folder Migration wizard.

  4. Do one of the following:

    • If you plan to do a two-phase migration by skipping open files, leave the Generate Automatic Mappings check box deselected and click Next. Browse to specify the source and target folders and click Next.

      This method will create a single source path and single target path, which alleviates potential problems that can surface when skipping open files during a migration.

    • If you plan to do a single-phase migration, you can select the Generate Automatic Mappings check box to create any needed subfolders on the target that do not already exist. Browse to specify the source and target folders and click Next.

  5. In the Define Mappings page of the wizard, observe the migration events that are now queued up.

  6. Click Next.

  7. (Conditional) If you are doing a two-phase migration, in the Data Copy Options page, select the Skip Open Files check box.

    1. Click the Browse button that corresponds to the Delta File field and through the path browser, select the folder of the delta file that you created previously for your group data.

  8. Click Next.

  9. In the Security and Ownership page, select the Use the Identity Map check box.

  10. Select either the Merge Security or Overwrite Security option.

  11. From the Owner for Target Folder and Owner for Target Contents drop-down menus, select Copy Existing Source Owner.

    As a best practice, each user should be established as the owner of their files and folders. Folders and files that aren’t owned by the users are addressed later, once we create a policy and then perform Management Actions following the migration.

  12. Click Next.

  13. In the Copy Filter page, select the User Copy Filter check box.

  14. Click Add to create a copy filter of those files you do not want to copy to the target forest.

    For example, you probably want to avoid copying .TMP files.

  15. Click Validate and observe what will be migrated.

    If you observe any potential problems, you will want to correct them at this time.

  16. Click Migrate.

    The queued migration events are listed.

  17. Click Finish.

  18. In SMAdmin, from the Home tab, click Events to view the status of the migration.

  19. (Optional) If you have a Tail program, you can view the status of the migration.

11.3.12 Determine If Any Files Were Skipped

Follow these procedures to see if the Delta file lists any skipped files.

  1. From the location where you saved the Delta file, open it to see if any files are listed.

    If any are listed, those are all of the files that were skipped during the first phase of the migration.

  2. (Conditional) If files are listed, you must have the owners of these files close the files before proceeding with Section 11.3.13, Migrate Skipped, Modified and New Files.

11.3.13 Migrate Skipped, Modified and New Files

Follow these procedures to migrate any files that were skipped, modified or that were created since the first phase of the migration.

  1. In SMAdmin, click the Home tab.

  2. Select Cross-Empire Data Migration > Active Directory to Active Directory.

  3. Select Migration Wizards > Data and Security.

  4. In the Select Migration Type Options page, click Next.

  5. In the Define Mappings page, specify the same source and target paths that you specified in Section 11.3.11, Migrate User Data and click Next.

  6. In the Data Copy Options page, from the Overwrite Options drop-down menu, select Overwrite if Newer, select the Skip Open Files check box, and browse to the location where you stored your original Delta file to create a new Delta file.

  7. Click Next.

  8. In the Security and Ownership page, select the Use Identity Map check box, and specify the same Owner for Target Folder, Owner for Target Folder Contents, and related paths as you did in Section 11.3.11, Migrate User Data.

  9. Click Next.

  10. Click Validate and observe what will be migrated.

    If you observe any potential problems, you will want to correct them at this time.

  11. Click Migrate.

    The queued migration events are listed.

  12. Click Finish.

  13. In SMAdmin, from the Home tab, click Events to view the status of the migration.

  14. (Optional) If you have a Tail program, you can view the status of the migration.

11.3.14 Using CEDMScanCompare.exe to Compare Folders and Files Between the Source and Target

With the skipped, modified, and new files and folders migrated, you are now ready to compare the folders and files between the source and target forests to verify that everything migrated properly.

  1. Launch the CEDMScanCompare utility that you copied earlier.

    The following message appears:

  2. Click OK.

  3. Browse to a folder where you want to store the comparison data and click Select Folder.

    The CEDMScanCompare utility interface is launched.

    The selected folder location is specified in the Working Directory field.

  4. In the Source region, for the Path to Scan field, browse to specify the UNC path to the folder in the source forest you want to scan.

    For example: \\WIN-2012-A1ForestB.ORG\NYCvol1\DeptShares

  5. In the Target region, for the Path to Scan field, browse to specify the UNC path to the folder in the target forest you want to scan.

    For example: \\WIN-2012-R2.CCTEC.COM\NYC\Departments

  6. In the Source region, click Scan.

  7. In the Scan Result region, note the findings in the Folders and Files fields.

  8. In the Target region, click Scan.

  9. In the Scan Result region, note the findings in the Folders and Files fields.

  10. In the Compare / Analyze region, from the FileName drop-down menu, select Cross-Empire Data Migration-AD.

  11. Click Compare.

  12. Do one of the following:

  13. Click Open Full Differences File.

    A spreadsheet appears listing:

    • All files on the source that are newer than the same named files on the target, along with the source and target path of each file.

    • All files on the source that are missing from the target.

  14. View the files that are newer on the source server as well as those files on the source server that were not migrated.

  15. Have all of your network users close any open files in the source area, and once again, follow the procedures in Section 11.3.13, Migrate Skipped, Modified and New Files.

  16. Run the CEDMScanCompare utility again. When you have verified that all of the folders and files have migrated, proceed with Section 11.3.15, Manage the Migrated User Folders through a Storage Manager Home Folder Policy.
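
As an independent cross-check of the two lists the differences file reports (files newer on the source, files missing from the target), the following added example compares two directory trees. It is not CEDMScanCompare and does not read its output; the function names, the two-second timestamp tolerance, and the sample folder layout are assumptions made for illustration.

```python
"""Added example: independent source/target comparison (not CEDMScanCompare itself)."""
import os
import tempfile


def scan(root):
    """Return {lowercased relative path: (relative path, mtime)} for files under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            # Key on the lowercased path because Windows share paths ignore case.
            found[rel.lower()] = (rel, os.stat(full).st_mtime)
    return found


def compare(source_root, target_root, tolerance=2.0):
    """List files missing from the target and files newer on the source.

    tolerance (seconds) absorbs timestamp rounding between file systems.
    """
    src, tgt = scan(source_root), scan(target_root)
    missing = sorted(rel for key, (rel, _) in src.items() if key not in tgt)
    newer = sorted(
        rel for key, (rel, mtime) in src.items()
        if key in tgt and mtime - tgt[key][1] > tolerance
    )
    return {"missing_on_target": missing, "newer_on_source": newer}


def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as tgt:
        layout = {  # relative path -> (source mtime, target mtime or None)
            os.path.join("Finance", "budget.xlsx"): (1_700_000_000, 1_700_000_000),
            os.path.join("Finance", "open.docx"): (1_700_000_500, None),  # skipped while open
            os.path.join("HR", "policy.pdf"): (1_700_009_000, 1_700_000_000),  # edited later
        }
        for rel, (s_time, t_time) in layout.items():
            for root, stamp in ((src, s_time), (tgt, t_time)):
                if stamp is None:
                    continue
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as handle:
                    handle.write("constructed sample\n")
                os.utime(path, (stamp, stamp))
        return compare(src, tgt)


if __name__ == "__main__":
    print(demo())
```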

11.3.15 Manage the Migrated User Folders through a Storage Manager Home Folder Policy

Once you have migrated all of the user data, you will want to manage it through Storage Manager. Follow these procedures to create a Home Folder policy and then enforce the policy's settings through Management Actions.

Prerequisite

If the container where you migrated the user home folders does not already have a Storage Manager policy, create a Home Folder policy by following the procedures in Section 6.5, Creating a User Home Folder Policy.

Enforcing the Policy through Management Actions

Perform the following tasks and Management Actions to enforce the policy settings on the migrated home folders.

  1. Run a Consistency Check.

    For more information, see Section 5.3, Running Consistency Check Reports on Existing Storage.

  2. Perform the following Management Actions: