April 2015 SMART Active Directory Migrator 9.0.0.2 Comprehensive User Guide

Table of Contents

Section 1. Introduction
1.1 About SMART Active Directory Migrator
o SMART AD Migrator
o Key Features
1.2 Audience for SMART Active Directory Migrator
1.3 Getting More Information

Section 2. Migration Project Management
2.1 SMART Active Directory Migrator Architecture
2.2 Planning the Migration Project
2.3 Best Practices
o Phase 1: Installing and Creating the Synchronization Profile within SMART Directory Sync
o Phase 2: Register Devices (Concurrent with Phase 3)
o Phase 3: Identify Users, Rooms, Contacts, and Groups to Migrate (Concurrent with Phase 2)
o Phase 4: ReACL Devices and NAS
o Phase 5: Cutover Devices
o Phase 6: Cleanup

Section 3. Requirements
o SMART Active Directory Migrator Basic Installation Requirements
o Workstation and Member Server System Requirements
o Networking Requirements
o SSL Certificate Requirements
o Service Account Requirements
o DNS SRV Record Requirement
o SID History Migration Requirements
o Password Requirements

Section 4. SMART Active Directory Migrator Installation
4.1 Installation Overview
4.2 Installing SMART Directory Sync
4.3 Installing the SMART AD Migrator Console UI and Web Service

Section 5. Configuring the Active Directory Migrator Profile
5.1 Launching SMART Directory Sync
5.2 Adding an Active Directory Migrator Synchronization Profile
5.3 Active Directory Migrator Sync Report
o Overview
o Running a Sync Report
o Objects tab
o Members tab
o Object Summary tab
o Members Summary tab
o Profile tab
o Source DCs tab
o Target DCs tab

Section 6. SMART Active Directory Migrator Agent Installation
6.1 Installing the SMART AD Migrator Agent on Devices
o Agent Installation
o Creating SRV Records

Section 7. Using the SMART Active Directory Migrator Console
7.1 Launching the Active Directory Migrator Console
7.2 Refreshing Data
7.3 Creating Mapping Files
7.4 Migration Groups
7.5 Using Blacklists
7.6 Grouping, Sorting, and Filtering Tables
o Grouping
o Sorting
o Filtering
7.7 Customizing Columns
7.8 Selecting Multiple Table Rows
7.9 Triggering a Sync

Section 8. Migrating Users
o Sync Users
o Enable and Disable Users
o Set as Migrated
o User Columns

Section 9. Migrating Rooms
o Sync Rooms
o Room Columns

Section 10. Migrating Contacts
o Sync Contacts
o Contact Columns

Section 11. Migrating Groups
o Sync Groups
o Group Columns

Section 12. Migrating Devices
12.1 Settings
o Migration Options
o Cutover Credentials
o Network Profiles
12.2 Migrating Devices
o Polling Interval
o Discovery
o ReACL
o Cutover
o Cleanup
o View Jobs
o Device Columns

Section 13. Migrating NAS
o Add a NAS
o Edit a NAS
o Delete a NAS
o ReACL
o Cleanup
o View Jobs
o NAS Columns

Section 14. Troubleshooting
o Password Sync Troubleshooting
o AD Migrator Agent Installation Troubleshooting

Appendix A. Upgrading SMART AD Migrator

Appendix B. Modifying, Repairing and Uninstalling SMART AD Migrator

Appendix C. AD Source – AD Target Default Mapping

Appendix D. Customizing Overrides

Appendix E. Cutover Job Result Codes

Appendix F. Updating Remote Profiles
o Requirements
o Roaming Profile ReACL Process
o Citrix Profile ReACL Process

Appendix G. SMART Active Directory Reporter
o Overview
o Installing AD Reporter
o Uninstalling AD Migrator
o Opening AD Reporter
o Configuring AD Reporter
o Searching
o Results
o Advanced Options
o AD Report Tools
o Active Directory Reports
o AD Reporter Best Practices

Appendix H. Advanced Network Requirements
o SMART Active Directory Migrator Port Requirements
o SMART Directory Sync to SQL Server Access
o SMART Directory Sync Profile Specific Scenario Requirements

About Binary Tree

Section 1. Introduction

1.1 About SMART Active Directory Migrator

Whether your company is performing an Active Directory migration as a result of an acquisition, merger, or divestiture, or simply restructuring an existing Active Directory to meet technical or organizational needs, SMART Active Directory Migrator (SMART AD Migrator) dramatically reduces the risks, complexity, time, and costs associated with migrating and synchronizing your Active Directory environment to an existing or new Active Directory environment.

SMART AD Migrator

o Is a comprehensive software solution that seamlessly migrates AD objects, settings and properties

o Has a back-end migration and synchronization engine

o Has a front-end management console providing complete control of the migration

o Ensures security and reliability of the product

o Provides complete migration of relevant objects and properties

o Migrates AD objects even if the source and target servers are not connected and are on isolated networks

o Allows for migrations to occur during business hours with minimal effect on user productivity

o Allows administrators to perform all migration-related tasks during business hours, reducing the administrator’s workload

o Maintains transparent interoperability during the migration

o Provides users access to all network resources, regardless of the migration status

o Includes password-copy and migration of SID History capabilities that provide real-time data

o Provides the ability to reverse the changes after key steps in the migration process

o Can be used for any migration scenario, from consolidation to a restructuring of AD

o Can be customized to meet unique requirements of any organization

o Is highly conducive for migration of workstations in a distributed workforce

Key Features

o Complete migration

o Minimal downtime or interruptions to users

o Provides coexistence

o Synchronization of AD objects

o Safe with ability to recover original state

o Flexible migration

o Highly customizable

o Migrates SID history

o Ability to copy Passwords

o Highly conducive for migration of workstations in a distributed workforce

1.2 Audience for SMART Active Directory Migrator

This document assumes the reader has some experience using Active Directory and some basic Administration skills. A fundamental understanding of SIDs (Security Identifiers) is also beneficial.

1.3 Getting More Information

For additional resources, refer to Support: www.binarytree.com/support

Section 2. Migration Project Management

2.1 SMART Active Directory Migrator Architecture

The first step towards success on a project using SMART AD Migrator is to understand the product architecture and how this architecture will operate in your environment.

SMART Active Directory Migrator consists of the following components:

o A directory synchronization engine

o A REST-based web service

o A management interface

o A lightweight agent for workstations and member servers

o A database running on Microsoft SQL Server

The directory synchronization engine, the web service, and the management interface will all access the same SQL database. In most scenarios, these components will be installed on the same system. In larger or more complex network environments, the components can be distributed across multiple systems. If the directory synchronization engine, the web service or the management interface is installed on a separate system, it is important to ensure that all three components retain access to the same SQL database.

The directory synchronization engine is provided by Binary Tree’s SMART Directory Sync. SMART Directory Sync is included as part of SMART AD Migrator. SMART Directory Sync is responsible for synchronizing users and groups between source and target Active Directory domains. SMART Directory Sync also handles migrating key user properties such as SID History and user passwords.

User workstations and member servers are called devices in SMART AD Migrator. Devices communicate with the SMART Active Directory Migrator web service using the SMART AD Migrator Agent. The SMART AD Migrator Agent is a lightweight application that installs as a service on Windows devices. Upon installation, the agent has the ability to autodiscover the location of the SMART Active Directory Migrator web service.

To ensure that no firewall exceptions are required, the web service does not “call” the workstations or servers to be migrated. Instead, the SMART AD Migrator Agents contact the web service at defined polling intervals, using standard HTTPS or HTTP requests to retrieve jobs. Jobs include key tasks such as system discovery, updating the operating system, file system and user profile permissions, and migrating the device to the new domain.

2.2 Planning the Migration Project

A typical migration project using SMART AD Migrator can be broken up into phases.

o Phase 1: Installing and Creating the Synchronization Profile within SMART Directory Sync

o Phase 2: Register Devices (Concurrent with Phase 3)

o Phase 3: Identify Users, Rooms, Contacts, and Groups to Migrate (Concurrent with Phase 2)

o Phase 4: ReACL Devices and NAS

o Phase 5: Cutover Devices

o Phase 6: Cleanup

The Cleanup process typically occurs several months after the completion of the project.

2.3 Best Practices

Best practices for each phase of the migration project are presented below:

Phase 1: Installing and Creating the Synchronization Profile within SMART Directory Sync

o SMART Directory Sync is used to synchronize objects and must be installed before installing the SMART Active Directory Migrator Console and Web Service.

o The Active Directory Migrator synchronization profile should be set up to include every device. However, not every device needs to be migrated immediately. This process ensures they are in the database, ready to install the SMART AD Migrator agent and register themselves. Devices can be blacklisted if you do not want to immediately migrate them.

o Carefully consider the Group Collision option (Merge, Skip, Rename). It is recommended that this option is not changed once migrations have been started. Additionally, it is strongly recommended to not select the Skip option. The Merge and Rename options are better in most cases.

o Migrating SID History is recommended. Windows has built-in processes that use SID History to update internal OS functions including Windows 8.x Modern Apps, Network Printers, and Microsoft Outlook.

Phase 2: Register Devices (Concurrent with Phase 3)

o The Device Agent should be pushed out to devices via Group Policy (GPO) or a third-party tool, and sufficient time should be allowed to address any issues with device registration with the server. Correcting registration issues can take more time than expected. A typical large company with a large number of devices may need a couple of weeks of on-and-off work to resolve registration issues with all devices.

Phase 3: Identify Users, Rooms, Contacts, and Groups to Migrate (Concurrent with Phase 2)

o Before migrating users and groups, do some planning and analysis to see what users, rooms, contacts, and groups should be migrated, what groups need to be consolidated, how duplicates will be handled, etc.

o More than one synchronization profile can be used to control the target destinations of users, rooms, contacts, and groups.

o User Accounts should be disabled in the target.

o Identifying users, rooms, contacts, and groups to migrate can be accomplished concurrently with resolving device registration issues in Phase 2.

Phase 4: ReACL Devices and NAS

o Run a ReACL on as many devices as possible early in the process.

o Troubleshoot any devices that did not ReACL.

o ReACL again close to the actual cutover date. This will allow you to complete most of the ReACL process early and provide time to resolve any issues with things such as Anti-Virus software and Group Policies. ReACL is a non-destructive process that can be repeated as often as necessary.

Phase 5: Cutover Devices

o Create some test users, groups, and devices to verify a successful user and group migration and device cutover.

o Typically, a final ReACL would occur the weekend before the cutover to ensure any new users and other changes are processed.

o A workstation reboot is required after the target account is enabled, source account is disabled, and the workstation cutover is complete. This is usually completed in the evening when fewer users are affected. The affected users should be alerted that this reboot is necessary.

Phase 6: Cleanup

o The cleanup phase typically takes place about two months after all device cutover is complete. Cleanup includes removing all permissions from the source domain and removing the SMART AD Migrator Agent from the devices.

o If a trust is in place between the source and target domain, it is recommended to break that trust to verify no issues with application access before completing the cleanup process.

Section 3. Requirements

SMART Active Directory Migrator Basic Installation Requirements

The SMART Active Directory Migrator suite consists of Binary Tree’s SMART Active Directory Migrator, which includes both the console and the Web service, and SMART Directory Sync software packages. Both packages will require access to Microsoft SQL Server. In most environments, all of these components will be installed on the same server.

Single Server Installation Requirements

Supported Operating Systems

o Windows Server 2008 R2

o Windows Server 2012 R2

SQL Server Requirements

o SQL 2008 R2 or SQL 2012 SP2

o SQL Express Editions are supported up to 5000 objects

o SQL Management Studio must be installed

o SQL must be configured to permit mixed authentication, and one local SQL authentication account must be created for SMART AD Migrator and SMART Directory Sync to share

Minimum Hardware Requirements

o 2 CPU/vCPU

o 6GB RAM

o 10 GB disk space, inclusive of the SQL install requirements

Additional Components

o If your server is not internet connected, you will be required to install the following components prior to installing SMART Active Directory Migrator:

o .NET Framework (Full) 4.5.2 or newer

o Visual C++ 2013 Redistributable – BOTH the x64 and x86 versions must be installed, regardless of the fact that the Windows Operating system is 64-bit

Multi-Server Installation Requirements

SMART Active Directory Migrator 9.0 is scalable: its components can be segregated and installed in a multi-server configuration to support larger or more complex environments.

If required in larger installations, remote SQL Servers may be used for the primary database and the logging database. Additionally, the primary database and the logging database can be segregated onto separate SQL Server instances.

Each of the following roles/functions may be separated onto different servers as required in advanced configurations:

o AD Migrator Server Web Service

o AD Migrator Administrator Console

o SMART Directory Sync Software

o Directory Sync Database

o Directory Sync Logging Database

When installed independently, Binary Tree’s components require the following resources:

Supported Operating Systems

o Windows Server 2008 R2

o Windows Server 2012 R2

AD Migrator Split Role Minimum Hardware Requirements

o 1 CPU/vCPU

o 2GB RAM

o 1 GB disk space

Directory Sync Hardware Requirements

o 2 CPU/vCPU

o 4GB RAM

o 5 GB disk space

SQL Server

o SQL 2008 R2 or SQL 2012 SP2

o SQL must be configured to permit mixed authentication, and one local SQL authentication account must be created for SMART AD Migrator and SMART Directory Sync to share.

o SQL Management Studio must be installed

o Express editions of SQL Server are supported as long as the express installation includes SQL Management Studio

Additional Components

o If your server is not internet connected, you will be required to install the following components prior to installing SMART Active Directory Migrator:

o .NET Framework (Full) 4.5.2 or newer

o Visual C++ 2013 Redistributable – BOTH the x64 and x86 versions must be installed, regardless of the fact that the Windows Operating system is 64-bit

Workstation and Member Server System Requirements

Supported Operating Systems

o Windows XP SP3

o Windows Vista SP1

o Windows 7 SP1

o Windows 8

o Windows 8.1

o Windows 10 (Preview Release)

o Windows 2003 SP2

o Windows 2008

o Windows Server 2008 R2

o Windows Server 2012

o Windows Server 2012 R2

PowerShell Requirements

o All client operating systems must have at least PowerShell 2.0 installed.

o Please Note: Windows XP, Windows Vista, Windows 2003, and Windows 2008 do not natively contain PowerShell 2.0. It must be installed/deployed prior to installing the SMART Active Directory Migrator Agent.

.NET Framework Requirements

o All operating systems must have .NET Framework 4.0 (Full Version) or newer installed.

o The “client” installation of the .NET Framework is not sufficient and must be upgraded to the full .NET Framework.

Networking Requirements

Domain Controller Access

For most scenarios, SMART AD Migrator requires access to at least one read/write domain controller running Windows 2003 SP2 or newer in each source and target Active Directory domain. For fault tolerance, Binary Tree recommends at least two domain controllers in each source and target domain.

If SID History will be migrated, SMART Active Directory Migrator will require access to the domain controller holding the PDC Emulator Active Directory FSMO role in all source and target domains.

In limited scenarios, it is possible that SMART AD Migrator will not be responsible for creating or updating any accounts in the source or the target domains. In this scenario, SMART AD Migrator can be configured to communicate with Read Only Domain Controllers (RODCs).

Network/Firewall Requirements

SMART Active Directory Migrator requires the following network ports to enable full functionality:

| Source | Target | Port/Protocol |
| --- | --- | --- |
| Workstations and Member Servers | SMART AD Migrator Server | 443 (TCP) or 80 (TCP) |
| SMART AD Migrator Server | Source and Target Domain Controllers running Windows 2003 | 135, 137, 389, 445, 1024-5000 (TCP); 389 (UDP) |
| SMART AD Migrator Server | Source and Target Domain Controllers running Windows 2008 or newer | 135, 137, 389, 445, 49152-65535 (TCP); 389 (UDP) |
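
The following PowerShell is an added example, not part of the Binary Tree documentation. It checks the fixed TCP ports from the table from the SMART AD Migrator server and separates a silently dropped connection from an actively refused one. The function names and the domain controller names are assumptions made for illustration.

```powershell
# Added example: preflight check of the fixed TCP ports listed in the port table.
# Run on the SMART AD Migrator server. Works on PowerShell 2.0 and newer.

function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # No SYN/ACK and no reset within the timeout: usually a firewall drop.
            return 'NoResponse'
        }
        try {
            $client.EndConnect($pending)
            return 'Open'
        }
        catch {
            # ConnectionRefused means the path is open but nothing listens on
            # the port; HostNotFound means the name did not resolve.
            $code = $_.Exception.GetBaseException().SocketErrorCode
            if ($code) { return "$code" } else { return 'Error' }
        }
    }
    finally {
        $client.Close()
    }
}

function Test-AdmDomainControllerPorts {
    param(
        [Parameter(Mandatory = $true)][string[]]$DomainController,
        # Fixed TCP ports from the table. The dynamic ranges (1024-5000 or
        # 49152-65535) are allocated on demand and 389/UDP is connectionless,
        # so review those in the firewall rule set instead of probing them.
        [int[]]$Port = @(135, 137, 389, 445)
    )
    foreach ($dc in $DomainController) {
        foreach ($p in $Port) {
            New-Object PSObject -Property @{
                DomainController = $dc
                Port             = $p
                Result           = Test-TcpPort -ComputerName $dc -Port $p
            } | Select-Object DomainController, Port, Result
        }
    }
}

# Constructed placeholder names; replace with one DC per source and target domain.
Test-AdmDomainControllerPorts -DomainController 'dc01.source.example', 'dc01.target.example' |
    Format-Table -AutoSize
```

A result of NoResponse points at packet filtering between the server and the domain controller, while ConnectionRefused shows the network path is open and the service on that port is not listening.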

SSL Certificate Requirements

SMART Active Directory Migrator does not require HTTPS (HTTP with SSL), and can operate using HTTP. However, Binary Tree strongly recommends implementing SMART AD Migrator using HTTPS to secure communications between the devices to be migrated and the AD Migrator Server. To activate HTTPS on the IIS component in Windows, an SSL certificate must be present on the SMART AD Migrator system.

Binary Tree does not provide an SSL certificate as part of the installation. For the most secure installation, Binary Tree recommends purchasing an SSL certificate from a Windows supported 3rd party provider.

In scenarios where this is not possible, a self-signed SSL certificate can be generated in Windows following these directions: https://technet.microsoft.com/en-us/library/cc753127(v=ws.10).aspx

If using a self-signed certificate, note that Binary Tree's agent component uses the operating system's certificate trust list. Because of the security-sensitive nature of Active Directory migrations, there is no way to override this and force the agent to accept an untrusted certificate. If a self-signed certificate is used, that certificate will need to be added to the trusted root certificate list for all computer objects to be migrated. This can be accomplished via group policy: https://technet.microsoft.com/en-us/library/cc738131(v=ws.10).aspx

Service Account Requirements

Binary Tree’s SMART Active Directory Migrator requires the following user account permissions and privileges to support Active Directory Migrations:

o One service account with read/write access to all organizational units (OUs) containing user, group, and computer objects in the source Active Directory to be migrated to the target environment.

o One service account with administrative rights on the target domain(s)

o If administrative rights cannot be granted, the service account requires the following rights:

o The ability to create and modify user objects in the desired OUs in the target Active Directory environment.

o Read Permissions to the configuration container in Active Directory

o User credentials with the delegated MigrateSIDHistory extended right.

o A service account in each source and target domain with the ability to modify computer objects and add computers to the domain.

DNS SRV Record Requirement

In each source domain, an SRV DNS record must be created to enable AutoDiscover for SMART AD Migrator Agents.

o To enable autodiscover when HTTPS is desired

o Record Name: _btadm._https.SourceDomainName.Local

o Weight and Priority 0

o Port Number 443

o To enable autodiscover when HTTP is desired

o Record Name: _btadm._http.SourceDomainName.Local

o Weight and Priority 0

o Port Number 80
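
The following PowerShell is an added example, not part of the Binary Tree documentation. It creates the SRV record described above and then, from a device to be migrated, confirms that the HTTPS endpoint behind the record presents a certificate the operating system trusts, which is the condition the SSL Certificate Requirements section says the agent cannot override. The function names are illustrative, and pointing the record at the server that hosts the Web Service is an assumption, since the guide does not name the record's target host.

```powershell
# Added example. Requires PowerShell 3.0 or newer.

# Run on a DNS server for the source zone (DnsServer module, Windows Server 2012+).
function Add-AdmAutoDiscoverRecord {
    param(
        [Parameter(Mandatory = $true)][string]$SourceDomain,   # e.g. SourceDomainName.Local
        [Parameter(Mandatory = $true)][string]$AdmServerFqdn,  # assumed SRV target host
        [ValidateSet('https', 'http')][string]$Scheme = 'https'
    )
    $port = if ($Scheme -eq 'https') { 443 } else { 80 }
    Add-DnsServerResourceRecord -Srv -ZoneName $SourceDomain -Name "_btadm._$Scheme" `
        -DomainName $AdmServerFqdn -Priority 0 -Weight 0 -Port $port
}

# Run on a workstation or member server that will be migrated (Windows 8 / 2012+).
function Test-AdmAutoDiscover {
    param([Parameter(Mandatory = $true)][string]$SourceDomain)

    $records = Resolve-DnsName -Name "_btadm._https.$SourceDomain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }

    foreach ($r in $records) {
        $result = [pscustomobject]@{
            Target      = $r.NameTarget
            Port        = $r.Port
            Priority    = $r.Priority
            Weight      = $r.Weight
            Trusted     = $false
            CertSubject = $null
            CertExpires = $null
            Error       = $null
        }
        $tcp = New-Object System.Net.Sockets.TcpClient
        $ssl = $null
        try {
            $tcp.Connect($r.NameTarget, $r.Port)
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
            # No validation callback is supplied, so the handshake only succeeds
            # when the chain ends in a root from this machine's trust list and
            # the certificate name matches the SRV target.
            $ssl.AuthenticateAsClient($r.NameTarget)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $result.Trusted     = $true
            $result.CertSubject = $cert.Subject
            $result.CertExpires = $cert.NotAfter
        }
        catch {
            # Typical causes: self-signed certificate not yet distributed by
            # group policy, name mismatch, expired certificate, port blocked.
            $result.Error = $_.Exception.GetBaseException().Message
        }
        finally {
            if ($ssl) { $ssl.Dispose() }
            $tcp.Close()
        }
        $result
    }
}

# Constructed placeholder values:
# Add-AdmAutoDiscoverRecord -SourceDomain 'SourceDomainName.Local' -AdmServerFqdn 'adm01.SourceDomainName.Local'
# Test-AdmAutoDiscover -SourceDomain 'SourceDomainName.Local'
```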

SID History Migration Requirements

In order to support migration of SID History from the source to the target domains, Windows requires that a specific domain local group exists and that account auditing is enabled.

Preparing the Source and Target Domains

To prepare each source and target domain for SID History Migration, the following configuration steps must be completed:

o In the source domain, create a local group called SourceDomain$$$, where SourceDomain is the NetBIOS name of your source domain. For example, if your domain's NetBIOS name is ADM, you must create a domain local group named ADM$$$.

SID History migration will fail if members are added to this local group.

o Enable auditing in the target domain:

o Log on as an administrator to any domain controller in the target domain.

o Click Start, point to All Programs, point to Administrative Tools, and then click Group Policy Management.

o Navigate to the following node: Forest | Domains | Domain Name | Domain Controllers | Default Domain Controllers Policy

o Right-click Default Domain Controllers Policy and click Edit.

o In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy

o In the details pane, right-click Audit account management, and then click Properties.

o Click Define these policy settings, and then click Success and Failure.

o Click Apply, and then click OK.

o In the details pane, right-click Audit directory service access and then click Properties.

o Click Define these policy settings and then click Success.

o Click Apply, and then click OK.

o If the changes need to be immediately reflected on the domain controller, open an elevated command prompt and type gpupdate /force.

o Repeat the above steps in the source domain.

It may also be necessary to reboot the domain controller to have auditing take effect.
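
The following PowerShell is an added example, not part of the Binary Tree documentation. It verifies the two SID History prerequisites described above: that the SourceDomain$$$ domain local group exists and is empty, and that the audit categories set in the group policy steps are in effect on a domain controller. The function names are illustrative, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example: SID History preflight.

function Test-SidHistoryGroup {
    param(
        [Parameter(Mandatory = $true)][string]$Server,  # a DC in the source domain
        [switch]$Create                                 # create the group if missing
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # The group name is the NetBIOS domain name followed by three dollar signs.
    # Single quotes keep PowerShell from expanding '$$' as a variable.
    $netbios   = (Get-ADDomain -Server $Server).NetBIOSName
    $groupName = $netbios + '$$$'
    $filter    = "SamAccountName -eq '$groupName'"
    $group     = Get-ADGroup -Server $Server -Filter $filter -Properties member

    if (-not $group -and $Create) {
        New-ADGroup -Server $Server -Name $groupName -SamAccountName $groupName `
            -GroupScope DomainLocal -GroupCategory Security `
            -Description 'Required for SID History migration. Must stay empty.'
        $group = Get-ADGroup -Server $Server -Filter $filter -Properties member
    }

    $memberCount = if ($group) { @($group.member).Count } else { 0 }
    $scope       = if ($group) { "$($group.GroupScope)" } else { $null }

    New-Object PSObject -Property @{
        Group       = $groupName
        Exists      = [bool]$group
        Scope       = $scope
        MemberCount = $memberCount
        # SID History migration fails if the group has any members.
        Ready       = ([bool]$group -and $scope -eq 'DomainLocal' -and $memberCount -eq 0)
    } | Select-Object Group, Exists, Scope, MemberCount, Ready
}

function Get-SidHistoryAuditPolicy {
    # Run in an elevated session on a domain controller, in the source domain
    # and in the target domain. Category names are the English ones; use the
    # localized names on a localized system.
    # After the policy steps above have applied, Account Management should
    # report Success and Failure and DS Access should report Success.
    foreach ($category in 'Account Management', 'DS Access') {
        & auditpol.exe /get "/category:$category"
    }
}

# Constructed placeholder name:
# Test-SidHistoryGroup -Server 'dc01.source.example'
# Get-SidHistoryAuditPolicy
```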

Validate Cross-Domain Verification

A trust is not required to migrate SID History in SMART AD Migrator. However, when a trust is present, it is necessary to ensure that the trust is properly configured to permit cross-domain verification. To do so, first identify whether the trust between the source and target domain is an external trust or a forest trust. Next, the following commands must be run from an administrative command prompt:

If the trust between the source and target is an external trust:

From the source domain:

Netdom trust SourceDomain /domain:TargetDomain /quarantine:No /usero:domainadministratorAcct /passwordo:domainadminpwd

From the target domain:

Netdom trust TargetDomain /domain:SourceDomain /quarantine:No /usero:domainadministratorAcct /passwordo:domainadminpwd

If the trust between the source and target is a forest trust:

From the source domain:

Netdom trust SourceDomain /domain:TargetDomain /EnableSIDHistory:Yes /usero:domainadministratorAcct /passwordo:domainadminpwd

From the target domain:

Netdom trust TargetDomain /domain:SourceDomain /EnableSIDHistory:Yes /usero:domainadministratorAcct /passwordo:domainadminpwd

Password Requirements

SMART Directory Sync does not validate the password policies present within your domains. Verify that the password entered as the Default Password complies with the password policy of your target environment. Objects will fail to be created if the password violates that policy.

Section 4. SMART Active Directory Migrator Installation

4.1 Installation Overview

Installation of SMART AD Migrator requires the installation of SMART Directory Sync, the SMART AD Migrator Console UI and Web Service, and the SMART Migrator Agent on devices. The installation of these components must be completed in the following order:

1. Installing SMART Directory Sync - Use the SMART Directory Sync installer.

2. Installing the SMART AD Migrator Console UI and Web Service - After installing SMART Directory Sync, use the SMART AD Migrator installer.

3. Installing the SMART AD Migrator Agent on Devices - After installing SMART AD Migrator and creating an Active Directory Migrator synchronization profile in SMART Directory Sync, install the SMART AD Migrator Agent on devices.

4.2 Installing SMART Directory Sync

1. Download the install executable file from the FTP site and save it on the SMART AD Migrator Server. After you have finished downloading, the Desktop icon will appear.

2. Double-click the executable to begin installing Directory Sync.

3. The Install Wizard appears. The wizard displays a list of prerequisites needed on your computer. Click Install to download and install the prerequisites.

4. The Welcome screen appears. Click Next to continue.

5. The License Agreement screen appears. To accept the terms of the license agreement and continue with the install, click Yes.

6. The SMART Directory Sync Installation Options screen appears. Review the options and click Next to continue.

7. The Recommended Components screen appears. The wizard determines the suitable components and displays the available components when installing on a Binary Tree Windows Server. Select the components to install and click Next to continue.

8. The Installation Directory screen appears. Click Browse to choose a different install location. Click Next to continue.

9. The Database Server Login screen appears. Enter the SQL Database Server location for the Directory Sync database and credential information. Connecting using SQL Server authentication is recommended. Click Next to continue.

10. The Database Server Login screen continues to appear. Enter the SQL Database Server location for the logging database and credential information. Click Next to continue.

11. The Ready to Install screen appears. Click Install to begin the installation.

12. When the installation completes, the InstallShield Wizard Complete message appears. Click Finish to close the wizard.

o The Start Menu is updated and the SMART Directory Sync icon is added to the desktop.

4.3 Installing the SMART AD Migrator Console UI and Web Service

1. Download the install executable file from the FTP site and save it on the SMART AD Migrator Server. After you have finished downloading, the Desktop icon will appear.

2. Double-click the executable to begin installing SMART AD Migrator.

3. The Install Wizard appears. The wizard displays a list of prerequisites needed on your computer. Click Install to download and install the prerequisites.

4. The Welcome screen appears. Click Next to continue.

5. The License Agreement screen appears. To accept the terms of the license agreement and continue with the install, click Yes.

6. The Select Features screen appears. Select the features to install and click Next to continue.

The Web Service can be installed on a different server than the AD Migrator Console UI. The Web Service and AD Migrator Console UI must share the same database.

7. The Choose Destination Location screen appears. Click Browse to choose a different install location. Click Next to continue.

8. The Database Server Login screen appears. Enter the SQL Database Server location for the Directory Sync database and credential information. Click Next to continue.

The database (BTCodex) and credential information should be the same as when installing SMART Directory Sync as SMART AD Migrator shares the BTCodex database with Directory Sync.

9. A window displaying the installation and configuration of Internet Information Services (IIS) will appear if not already installed.

10. The Ready to Install screen appears. Click Install to begin the installation.

11. When the installation completes, the InstallShield Wizard Complete message appears. Click Finish to close the wizard.

o The Start Menu is updated and the SMART AD Migrator icon is added to the desktop.

SMART AD Migrator Agents call back into the SMART AD Migrator server for jobs. Therefore, the server where the Web Service is installed must have port 80 and/or port 443 open.

Section 5. Configuring the Active Directory Migrator Profile

5.1 Launching SMART Directory Sync

To launch SMART Directory Sync:

1. Double-click the SMART Directory Sync Console desktop shortcut.

OR

Select SMART Directory Sync Console in the Start menu.

2. The SMART Directory Sync Console screen appears briefly and the application opens.

5.2 Adding an Active Directory Migrator Synchronization Profile

To add an Active Directory Migrator synchronization profile:

1. On the Configuration tab, click Add Profile.

2. In the Profile Type Selection window, select Active Directory Migrator and then click OK. The other Profile Types are detailed in the SMART Directory Sync documentation.

3. A new pane appears at the bottom of the console which provides the ability to configure options for synchronization.

4. On the General tab, enter a name to identify the profile in the Name field.

5. Select the status of the profile from the Status drop-down list:

o Active – will synchronize manually or as scheduled as soon as the profile is saved

o Suspended – Not active, will not synchronize

6. Select the logging level of the profile from the Logging drop-down list:

o Low – only errors are logged

o Medium – errors and warnings are logged

o High – all messages (errors, warnings, information, etc.) are logged (should be used for troubleshooting purposes only)

7. For Schedule, select the schedule:

o By frequency – enter the appropriate frequency or the specific time for the synchronization process to run for your environment. Zero (0) is not a valid value for frequency. The minimum interval is 15 minutes.

o At specific time(s) – enter one or more specific times or select times from the drop-down list of times.

o Manual only – the synchronization process will not run until it is manually started.

Active Directory Migrator profiles only push objects to SQL based on the selected schedule option. Objects must be marked in the SMART AD Migrator as "Ready to Sync" to pull the objects to the target with the sync process.

If you choose the By frequency option, SMART Directory Sync will initiate a synchronization when an active profile is saved. Select the At specific time(s) option and select a time in the future or select the Manual only option if you want to save an active profile without it syncing right away. This would be helpful if you wanted to run a Sync Report or inspect items in SQL before pulling them into the target Active Directory.

8. Click the AD Source tab and enter credentials that have read/write access to the source Active Directory. The required read access must extend to the Deleted Accounts container, which can require a privileged account.

9. In the User Name field, enter the Active Directory User Name.

Any of the following formats can be entered in the User Name field.

o domain\username - e.g. contoso\jsmith

o username (sAMAccountName) - e.g. jsmith

o user principal name - e.g. [email protected]

10. In the Password field, enter the password assigned to the Active Directory user.

11. In the Global Catalog Server field, enter the IP Address or fully qualified domain name of the server (FQDN) for the Global Catalog Server or a Domain Controller that will be used for all read/write operations.

The entered credentials and Global Catalog Server/Domain Controller must have access to all Domains and subdomains that are required to synchronize.

If SID History will be migrated, SMART Active Directory Migrator will require access to the domain controller holding the PDC Emulator Active Directory FSMO role in all source and target domains.

12. Select an Attribute Change Detection option from the drop-down list:

o Enabled – Only attributes changed on the source object will be synchronized

o Disabled – All attributes on the source object will be synchronized

13. Click Add OU(s) to display a list of OU(s) (organizational units) available to synchronize.

Note that a synchronization profile that includes the OU where the computer objects reside should be created.

14. Select the appropriate source OUs and click OK. The selected source OUs are displayed in the Source OUs table.

To deselect an OU from the source, select it and then click the Remove OU button and confirm.

Synchronizing both a parent OU and child OU containing the same objects will result in duplicate objects in the SMART AD Migrator Console.

15. The following Source OU fields display at the bottom of the screen used in the above example.

Source OU (not editable) – Reflects the OU selected from the tree view.

Sub OUs – Select this option to synchronize Sub-OUs. The checkbox is selected by default. Clear this option if you do not want to synchronize sub-OUs.

Groups – The checkbox is selected by default. Clear this option to skip groups from being synchronized.

Disabled Users – Select this option to synchronize Disabled Mail-Enabled Users. The checkbox is selected by default. Clear this option to skip Disabled Mail-Enabled Users from being synchronized.

Non-Mail Enabled – Select this option to synchronize Non-mail enabled objects. The checkbox is not selected by default. Clear this option to skip Non-mail enabled objects from being synchronized.

User Filter – This is an LDAP filter and can be used to filter synchronization to specific object types or those objects exhibiting specific attribute properties. See the Using the User and Group LDAP Filter topic in the SMART Directory Sync documentation for more information.

Group Filter – This is an LDAP filter and can be used to filter groups based on the entered criteria. See the Using the User and Group LDAP Filters topic in the SMART Directory Sync documentation for more information.

It is recommended that you test the LDAP filter syntax prior to saving your changes and running a synchronization.

Objects in Active Directory with the msExchHideFromAddressLists attribute set to True are not synchronized.

16. Click the Source DCs tab to define the list of Source Domain Controllers (DCs) used for synchronization.

17. Click Add DC(s) to open the Active Directory DC Selection window. Click Refresh DCs to find all available Domain Controllers. Available options include Ping Servers to test the availability of the selected Domain Controllers and Test Connections to test the connection to the LDAP server. Select one or more Domain Controllers and click OK to add the Domain Controllers to the list of Source DCs.

If you have objects, such as group members, in the Source that are in a Domain other than the one specified on the Source tab, add the appropriate DCs to the Source DCs tab.

18. The Active Directory DC Selection window closes and the selected Domain Controllers appear in the Source DCs list. The order in which the domain controllers are used for each Domain can be set by entering a number value in the Priority column (lowest number = first). If the highest priority DC is unavailable, Directory Sync will use the next DC.

Domain Controllers with no priority set will be used after those with a priority.

If no priority is set for the servers in a Domain, they will be used in the order listed in the table. A Domain Controller that is the Global Catalog Server selected on the AD Source tab is given top priority regardless of the value in the Priority field.

No two DCs in a Domain can have the same priority.

19. Click the AD Target tab.

20. In the User Name field, enter the name of the Active Directory user that has the required rights to the Target directory.

Any of the following formats can be entered in the User Name field.

o domain\username - e.g. acmecorp\jsmith

o username (sAMAccountName) - e.g. jsmith

o user principal name - e.g. [email protected]

21. In the Password field, enter the password of the Active Directory user. These credentials should have write access to target OU, as well as any Domains or subdomains that may contain matched users.

22. In the Global Catalog Server field, enter the IP Address or fully qualified domain name of the server (FQDN) of the Global Catalog Server or Domain Controller that will be used for all write operations.

23. In the Target OU, click Browse to select a target OU. Any newly created objects will be written to this OU.

24. Select an option from the Copy Passwords drop-down list:

o No – (default) Passwords will not be copied to the target

o Yes – Passwords will be copied to the target

Passwords are only copied to the target for accounts in the target created by SMART Directory Sync.

The password policy on the source must meet or exceed the password policy strength on the target.

25. Enter a default password for new users in the Default Password field.

The default password cannot exceed 128 characters in length.

Even if passwords are being copied, a default password value is still required, because the account is initially created with the default password and the source password is then copied over.

26. Click the AD Target Options tab.

27. Select an option from the Create Mail Enabled Users as drop-down list:

o As Is – (default) Users and contacts are created as they are in the Source:

o Mail-Enabled User in the source will be Mail-Enabled User in the target

o Disabled Mail-Enabled User in the source will be Disabled Mail-Enabled User in the target

o Mailbox-Enabled User in the source will be Mail-Enabled User

o Contacts in the source will be Contacts in the target

o Mail-Enabled User – Contacts, Mailbox Enabled Users, Mail-Enabled Users and Disabled Mail-Enabled Users will be Mail-Enabled Users in the target.

o Disabled Mail-Enabled User – Contacts, Mailbox-Enabled Users, Mail-Enabled Users and Disabled Mail-Enabled Users in the source will be Disabled Mail-Enabled Users in the target.

o Contact – Contacts, Mailbox-Enabled Users, Mail-Enabled Users and Disabled Mail-Enabled Users will be Contacts. This option does not have logon capabilities, but can be used for maintaining mail flow for existing users, contacts and distribution lists.

The Mail-Enabled User option creates Active Directory users with logon capabilities in the target domain and all properties from the source’s object, including mail addresses.

The Mail-Enabled User option can override the properties found in the Source AD environment. For example, a Disabled Mail-Enabled User or Contact found in the source will be enabled in the target if the Mail-Enabled User option is selected. Conversely, an enabled user or contact found in the source will be disabled in the target if the Disabled Mail-Enabled User option is selected. Directory Sync will not create Mailbox-Enabled Users in the target directory.

Due to a sAMAccountName size limit of 20 characters in Active Directory, user objects with calculated sAMAccountName names greater than 20 characters in length are truncated to 20 characters. Truncated sAMAccountNames will be appended with a random number from 1 to 9999 to ensure uniqueness. This does not apply to group objects.

28. Select an option from the Create Non-Mail Enabled Users as drop-down list:

o As Is – (default) Users and contacts are created as they are in the source.

o Enabled – Non-Mail Enabled Contacts and Users will be Enabled Users in the target.

o Disabled – Non-Mail Enabled Contacts and Users will be Disabled Users in the target.

29. Select an option from the Sync Objects drop-down list:

o One-Time – objects are synced once after being marked as "Ready to Sync" in the SMART AD Migrator console. Additional syncs are not performed if there are changes in the source.

Groups are not continuously synced. However, group membership is continuously updated.

o Continuous – (default) objects are continually synced between the source and target after being marked as “Ready to Sync” in the SMART AD Migrator console.

30. Select an option from the Migrate SID History drop-down list:

o Yes – SID history is migrated.

Review the Requirements for more information on Migrating SID History Prerequisites.

o No – (default) SID history is not migrated.

Migrating SID History is recommended. Windows has built-in processes that use SID History to update internal OS functions including Windows 8.x Modern Apps, Network Printers, and Microsoft Outlook.

31. Select an option from the Create Domain Local Groups as drop-down list:

Domain Local – (default) Domain Local Groups in the source will be Domain Local Groups in the target.

Universal – Domain Local Groups in the source will be Universal Groups in the target.

Do Not Create – Domain Local Groups in the source will not be created in the target.

32. Select an option from the Create Global Groups as drop-down list:

Global – (default) Global Groups in the source will be Global Groups in the target.

Universal – Global Groups in the source will be Universal Groups in the target.

Do Not Create – Global Groups in the source will not be created in the target.

33. Select an option from the Create Universal Groups as drop-down list:

Universal – (default) Universal Groups in the source will be Universal Groups in the target.

Domain Local – Universal Groups in the source will be Domain Local Groups in the target.

Do Not Create – Universal Groups in the source will not be created in the target.

34. Select an option for handling group collisions when two groups of the same name are found from the Group Collisions drop-down list:

Merge – If a group with the same name is found in the target domain, the members of the source group will be added to the target group. Groups are determined to be the same based on matching sAMAccountName, Internet Address, Common Name, and Name.

Skip – The group will not be synchronized into the target AD and a warning entry will be written to the log stating that the source group will not be synchronized to the target group.

Rename – This allows you to define a prefix or suffix to be added to the name of the group when it is written in the target directory. When selected, this option creates a new group using the existing name and the prefix or suffix to bypass the group collision. Prefix is selected by default.

No option is selected by default. An error message will appear if attempting to save the profile without selecting an option.

Directory Sync will attempt to add a group member to the target if it can find the member in the source. If the member in the source is in a different Domain than the group, the member will only be added to the group in the target if it already exists in the target. If Directory Sync cannot find the member in the source, the member will not be added to the group in the target. The Sync Report will explain why a member could or could not be synchronized.


35. Click the Exchange Target Options tab.

36. Select an option from the GAL Visibility drop-down list:

Visible – (default) Users and groups are visible in the GAL.

Hidden – Users and groups are hidden in the GAL.

As Is – Users and groups that are hidden in the GAL in the source are hidden in the GAL in the target. Users and groups that are visible in the GAL in the source are visible in the GAL in the target.

When synchronizing objects into Exchange 2003 (only), the option to hide from the GAL will not function if the Recipient Update Service (RUS) is enabled.

If synchronizing to an Active Directory that does not have Exchange in the environment, select the Hidden option to avoid Active Directory constraint errors.

37. Select an Only Update Mailbox Enabled Objects option. If you select Yes, only mailbox-enabled objects will be updated by the source object based on the mapping table settings. If this is set to No (default), mailbox-enabled objects will be skipped and noted in the sync report. If you intend to update both, you must use two separate profiles.

CAUTION: This is not a commonly occurring preference as the authoritative object is most often where the mailbox is located.

38. The Add x500 Proxy to Source option allows you to add an X500 proxy address to the source mailboxes. This is required if you plan to later migrate mailboxes to your Target forest. If Yes is selected, an x500 proxy address is added to all objects in the AD Source forest. If selecting Yes, you must check the statement of understanding that appears below the option. No is selected by default.


39. The Resource Forest option allows you to define the AD Target as a Resource Forest. This is required if you plan to later migrate mailboxes to your Target forest. If Yes is selected, the Master Account SID will be set on the AD Target objects. No is selected by default.

40. The Allow Enable/Disable of Mailbox Enabled Source Objects option allows you to define if enabling or disabling Mailbox Enabled Source objects is allowed. If Yes is selected, the enabling or disabling of Mailbox Enabled Source objects is allowed. No is selected by default.

41. Select Email Address Policy options for Users, Contacts, and Groups:

Unselected – (default) Directory Sync will not enable the target object attribute to ‘Automatically update email addresses based on email address policy’ in Exchange.

Selected – Directory Sync will enable the target object attribute to ‘Automatically update email addresses based on email address policy’ in Exchange.

Directory Sync will only apply the attribute to ‘Automatically update email addresses based on email address policy’ to the target object. It cannot apply the email address policy.

42. If you selected the Email Address Policy option for Users, Contacts, or Groups, a drop-down list appears with the following options:

Enable email policy for objects created by DirSync

Enable email policy for objects updated by DirSync

Enable email policy for objects created or updated by DirSync

Disable email policy for objects created by DirSync

Disable email policy for objects updated by DirSync

Disable email policy for objects created or updated by DirSync


43. Click the Target DCs tab to define the list of target Domain Controllers (DCs) to use when Directory Sync is searching for matched objects.

44. Click Add DC(s) to open the Active Directory DC Selection window. Click Refresh DCs to find all available Domain Controllers. Available options include Ping Servers to test the availability of the selected Domain Controllers and Test Connections to test the connection to the LDAP server. Select one or more Domain Controllers (use Ctrl+Click to select more than one) and click OK to add the Domain Controllers to the list of Target DCs.


If you selected Domain level matching in the Target tab, only select Domain Controllers for the target Domain. No other Domains will be searched.

If you have selected Forest level matching in the Target tab, you must add at least one Domain Controller for each Domain that should be searched for matched objects. If you do not select at least one Domain Controller for a Domain, that Domain will not be searched during synchronization. Select more than one Domain Controller in a Domain for failover purposes.

Additionally defined Domain Controllers are only searched for matches if the previous Domain Controller is unavailable.

45. The Active Directory DC Selection window closes and the selected Domain Controllers appear in the Target DC’s list. The order in which the Domain Controllers are used can be set by entering a number value in the Priority column (lowest number = first). Available options include Ping Servers to test the availability of the selected Domain Controllers and Test Connections to test the connection to the LDAP server.

Domain Controllers with no priority set will be used after those with a priority.

If no priority is set for the servers in a Domain, they will be used in the order listed in the table. A Domain Controller that is the Global Catalog Server selected on the AD Target tab is given top priority regardless of the value in the Priority field.

No two DCs in a Domain can have the same priority.

46. Click the Matching tab.


47. Select an option from the Matching Level drop-down list:

Forest – (default) Matching is done against the target Forest

Domain – Matching is done against the target Domain

48. Select an option from the Matching Action drop-down list:

o Create or Update – (default) Creates objects that do not have matching objects in the Target and updates objects that have matching objects in the Target

o Create only – Creates objects that do not have matching objects in the Target. Objects that have matching objects in the Target are NOT updated.

o Update only – Updates objects that have matching objects in the Target. Objects that do not have matching objects in the Target are NOT created.

o Match only, No Update – Matching objects are updated in SQL, but no updates are done in the Target and no new objects are created in the Target.

During synchronization, if a source object matches to more than one target object, the source object is skipped and a warning is generated in the sync report.

49. The default source to target attribute matching pairs are displayed. These define which attributes Directory Sync uses to match objects in the Source to objects in the Target, as well as the order in which they are used. The table below displays the default matching attribute pairs:

Source            Target
sAMAccountName    sAMAccountName
mail              mail
cn                cn

To customize the matching, select attributes from the drop-down lists under Source and/or Target or type in the names of attributes in the fields. The matching pairs are “either/or” statements (not “and” statements) with the first match attempted on the top row pair (Default: sAMAccountName -> sAMAccountName) and then proceeding in descending order to the next row pair and so on. A single Source attribute cannot be paired with more than one Target attribute. However, more than one Source attribute can be paired with a single Target attribute. At least one matching pair is required for the profile to be saved.


50. Click the Mapping tab to view the default mapping or to edit how attributes should be translated from the source to the target Active Directory. Review the table and make the appropriate changes for your environment. Double-click a cell in the mapping table to select a different field or type from a drop-down list. Click above the first row to create a new entry. Double-click on a cell in the Comments column to enter a comment. Appendix C contains the default mapping.

The default mapping for attributes will be applied unless deleted. When creating custom mapping for an attribute, the default mapping for the attribute should be deleted.

There are two Target Type columns in the table. This allows you to restrict the type of object in the target directory that can be updated. If you set both types to the same value, then this mapping will only apply to that object type. If you set one to person and the other to group, the mapping will apply to user and group objects only. If both are set to any, the mapping is unrestricted and will apply to all object types.

51. Click Save to verify all required fields are populated and save the profile. You can save an incomplete profile as long as it is suspended.


52. Click Overrides to open the table of mapping overrides. These represent default system mappings specifically for the internal SQL fields, and are used to transpose values during creation and synchronization. Overrides are customizable and apply to all profiles. See Appendix D for more information on editing Overrides.

53. Click License and then Apply License to select the SMART AD Migrator license file.

54. Create additional synchronization profiles as needed. To copy an existing profile, right-click on a profile in the table and select Copy. All profile settings will be copied into a new profile that can then be edited as necessary.

New profiles created by copy are suspended by default. Select the profile in the table and click Activate Profile.


5.3 Active Directory Migrator Sync Report

Overview

The Sync Report has two primary functions. The first is as an analytical tool used prior to synchronizing any objects into a target directory, and the second is as a logging feature to view the details of each synchronization.

Prior to synchronizing any object into the target, the source directory(ies) must be analyzed to identify any objects that could be problematic. This is a critical step to a successful sync and should not be overlooked.

The Sync Report reads the source directory(ies) and writes the data into SQL. This is the same action taken if you were to initiate a Push command. The source data is analyzed to determine the result if you were to Pull the data into the target directory. The Sync report should be run prior to the first sync, as well as prior to running a sync after you have made a change to the profile, to confirm the intended results.

The following common issues must be corrected prior to synchronizing Active Directories:

SMTP Addresses

Duplicate SMTP Addresses - These objects will be skipped with a warning that the SMTP address is already in SQL. Any object you wish to sync must have a valid and unique SMTP Address.

Unique Match Values

SMART Directory Sync allows you to define up to 4 field/attribute pairs to match objects in the source to objects in the target. If the source value matches more than one target object value, SMART Directory Sync will skip the object. This must be corrected if you intend for this object to synchronize to the target directory. The Sync Report allows you to see the matched objects between the source and target. These should be reviewed to ensure that your match criteria are valid for your environment.
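The matching rules from the Matching tab (ordered either/or pairs, skip when more than one target matches) and the duplicate SMTP check above can be rehearsed on exported directory data before a sync. The following Python code is an added example, not vendor code; the object records are constructed, the function names are hypothetical, and two behaviours are assumptions not stated in this guide: values compare case-insensitively, and the first pair that finds any target decides the result.

```python
from collections import Counter

# Default matching pairs from the guide, tried top row first (either/or).
DEFAULT_PAIRS = [("sAMAccountName", "sAMAccountName"), ("mail", "mail"), ("cn", "cn")]

# Planned operation per Matching Action, as described for the Matching tab.
ACTIONS = {
    "Create or Update": {"matched": "update", "unmatched": "create"},
    "Create only": {"matched": "none", "unmatched": "create"},
    "Update only": {"matched": "update", "unmatched": "none"},
    "Match only, No Update": {"matched": "match-only", "unmatched": "none"},
}


def _norm(value):
    # Assumption: values compare case-insensitively, ignoring surrounding spaces.
    return value.strip().lower() if isinstance(value, str) and value.strip() else None


def match_object(source, targets, pairs=DEFAULT_PAIRS):
    """Return (status, pair_index, hits) for one source object."""
    for index, (src_attr, tgt_attr) in enumerate(pairs):
        wanted = _norm(source.get(src_attr))
        if wanted is None:
            continue
        hits = [t for t in targets if _norm(t.get(tgt_attr)) == wanted]
        if hits:
            # Assumption: the first pair that finds any target decides the result.
            return ("matched" if len(hits) == 1 else "ambiguous"), index, hits
    return "unmatched", None, []


def duplicate_smtp(sources):
    """SMTP addresses carried by more than one source object."""
    counts = Counter(_norm(s.get("mail")) for s in sources)
    return sorted(addr for addr, n in counts.items() if addr and n > 1)


def preflight(sources, targets, action="Create or Update", pairs=DEFAULT_PAIRS):
    """Predict, per source object, what a sync with these settings would do."""
    dupes = set(duplicate_smtp(sources))
    report = {}
    for s in sources:
        status, index, hits = match_object(s, targets, pairs)
        if _norm(s.get("mail")) in dupes:
            operation = "review: duplicate SMTP address in source"
        elif status == "ambiguous":
            operation = "skip: matches more than one target object"
        else:
            operation = ACTIONS[action][status]
        report[s["sAMAccountName"]] = {
            "status": status,
            "matched_on": pairs[index][0] if index is not None else None,
            # A match made below the top row binds identities on a weaker key.
            "fallback_match": status == "matched" and index > 0,
            "targets": [t["dn"] for t in hits],
            "operation": operation,
        }
    return report


# Constructed sample data (not from a real directory).
SOURCES = [
    {"sAMAccountName": "asmith", "mail": "alice.smith@example.com", "cn": "Alice Smith"},
    {"sAMAccountName": "bjones", "mail": "bob.jones@example.com", "cn": "Bob Jones"},
    {"sAMAccountName": "svc-backup", "mail": None, "cn": "Backup Service"},
    {"sAMAccountName": "cwu", "mail": "shared@example.com", "cn": "Chen Wu"},
    {"sAMAccountName": "dlee", "mail": "shared@example.com", "cn": "Dana Lee"},
    {"sAMAccountName": "enew", "mail": "eve.new@example.com", "cn": "Eve New"},
]
TARGETS = [
    {"dn": "CN=Alice Smith,OU=Staff,DC=target,DC=int",
     "sAMAccountName": "asmith", "mail": "alice.smith@example.com", "cn": "Alice Smith"},
    {"dn": "CN=Robert Jones,OU=Staff,DC=target,DC=int",
     "sAMAccountName": "rjones", "mail": "bob.jones@example.com", "cn": "Robert Jones"},
    {"dn": "CN=Backup Service,OU=Servers,DC=target,DC=int",
     "sAMAccountName": "backupsvc1", "mail": None, "cn": "Backup Service"},
    {"dn": "CN=Backup Service,OU=Legacy,DC=target,DC=int",
     "sAMAccountName": "backupsvc2", "mail": None, "cn": "Backup Service"},
]

if __name__ == "__main__":
    for name, row in preflight(SOURCES, TARGETS).items():
        print(name, row["status"], row["matched_on"], row["operation"], row["targets"])
```

Rows flagged `fallback_match` are worth reviewing by hand, because a match on mail or cn pairs a source account with a target account whose logon name differs.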

Running a Sync Report

To run a Sync Report:

1. Once you have created a profile, click the Sync Report button. This opens the Sync Report window. The example in this section is a Domino to Active Directory profile.


2. Click Run Report and Yes to confirm. Click the Refresh button to populate the UI with the most recent data.

A sync report performs a Push into SQL, so it is important that you reset the profile prior to running a sync if you have made any changes to the source data or the profile settings. If you do not clear the profile, the data that is in SQL from the Sync Report will be pulled to the target directory.

Objects tab

This contains all of the objects in the source and the action that would have been taken had the profile been synched to the target. All of the columns can be sorted, filtered or reordered (drag and drop). Review any objects that were skipped (in the Operations column), as well as any warnings in the Status column. You can double-click on any entry to open the details for that object. The Details window displays all of the details for the object, including the attributes and values that would be written to Active Directory. The Internal Fields tab displays the values that are written to SQL. Once corrected, you can run another sync report to validate the changes.


Members tab

The Members tab displays details for group synchronization. Here you can see each member of all of the groups that would be synched to Active Directory. You can filter the Status column for warnings to easily view any issues that should be resolved.

Object Summary tab

The Object Summary tab displays a summary of each object type, the operation performed, the status and the object count.

Members Summary tab

The Members Summary tab displays a summary of group membership synchronization. It displays the number of members added to groups, number of skipped members and the total number of errors or warnings.


Profile tab

The Profile tab lists all of the settings for the profile for which the sync was run. This can be easily exported for troubleshooting purposes.

Source DCs tab

The Source DCs tab displays the Domain Controllers listed in the Source AD tab of the profile.

Target DCs tab

The Target DCs tab will display all of the Domain Controllers configured in the Target DC's tab. It also shows the priority in which they will be used. The default will always be used unless it is unreachable.


Section 6. SMART Active Directory Migrator Agent Installation

6.1 Installing the SMART AD Migrator Agent on Devices

The SMART AD Migrator Agent is a key component of Active Directory migration. The agent contacts the SMART AD Migrator server at regular intervals, called polling, looking for jobs and tasks to perform.

Refer to the Requirements for to verify all workstations and servers meet the requirements for agent installation.

Agent Installation

The agent can be installed using a GPO (Group Policy Object) or manually. For more information, see the Active Directory Migrator Agent Installation and Troubleshooting video.

To install the agent with a GPO:

1. Right-click on the SMART AD Migrator Agent MSI, point to Share with, and click on specific people.

2. Add a security group. The "authenticated users" group already includes all computers and is a good group to use. The group you add must have the shared Read permission and NTFS permission.

3. Click Share.

4. Click Done.

5. From the Start menu, point to Administrative Tools and click on Group Policy Management.

6. Right-click on the domain or OU you will be migrating and click on Create a GPO in this domain, and link it here.

7. In the New GPO dialog box, enter a Name for the GPO and click OK.

8. Click on the new GPO and click OK.

9. Right-click on the GPO and select Edit.

10. Open Computer Configuration > Policies > Software Settings and right-click on Software Installation and then point to New and click on Package.

11. In the File Name field, enter the UNC path to the MSI file and click Open.

12. Select the SMART ADMigrator Agent and click Open.

13. In the Deploy Software window, select the Assigned deployment method and click OK.

The device must be rebooted for the applied group policy to complete the agent installation.

To verify the GPO:

1. Log on to a workstation within the scope of the GPO using administrator credentials.

2. From a command prompt on the workstation, run gpresult -r


3. The Computer Settings section will display the applied group policy.

A newly applied group policy will not immediately be displayed.

The Computer Settings section displays the applied group policy, but the agent installation is not completed until the device is rebooted.

To manually install the agent:

1. Copy the SMART AD Migrator Agent MSI file to each computer.

2. Double-click the file to open the installer.

3. On the Welcome screen, click Next.


4. On the Destination Folder screen, click Next.

5. On the Enter Server URI screen, enter the FQDN of the server running the AD Migrator service and click Next.

Leave this screen blank if an SRV record has been created. See Creating SRV Records below for more information.


6. On the Ready to Install the Program screen, click Install.

7. When the install completes, click Finish.

Refer to the Troubleshooting topic to resolve common agent install issues.

Creating SRV Records

The SMART AD Migrator Agent uses DNS to "autodiscover" the SMART AD Migrator server. An SRV (service location) record must be created in DNS to point the clients to the correct server or servers. For more information, see the Creating SRV Records video.


To create an SRV record using DNS Manager:

1. In the DNS Manager, right-click on the DNS server and click on Other New Records.

2. In the Resource Record Type dialog, select the Service Location (SRV) type and click Create Record.

3. In the New Resource Record dialog, enter "_btadm" in the Service field.

4. Enter the following information for HTTP or HTTPS:

o For HTTP:

Protocol: _http

Priority: 0

Weight: 0

Port Number: 80

Host offering the service: the FQDN of server running the AD Migrator service.

o For HTTPS:

Protocol: _https

Priority: 0

Weight: 0

Port Number: 443

Host offering the service: the FQDN of server running the AD Migrator service.

You can make SRV records using HTTP, HTTPS, or both protocols. Using HTTPS is suggested for increased security. If both protocols are used, the agent will always attempt to use HTTPS first.

5. Click OK.

Every client running the agent software must be able to resolve the DNS records.

To verify the clients can resolve the SRV DNS records:

1. Open a command prompt on the client machine.

2. Run nslookup -q=srv _btadm._http.source.int where "http" is the protocol: http or https, and "source.int" is the name of the source domain.
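The record layout from the steps above can be checked against output captured from clients. This Python code is an added example and not part of the vendor guide; the nslookup output is constructed (server and host names such as adm01.source.int are placeholders), and the function names are hypothetical.

```python
import re

SERVICE = "_btadm"                            # Service field value from the guide
EXPECTED_PORT = {"_https": 443, "_http": 80}  # protocol -> port from the guide

_HEADER = re.compile(r"^(\S+)\s+SRV service location:", re.IGNORECASE)
_FIELD = re.compile(r"^\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)", re.IGNORECASE)


def parse_srv(output):
    """Parse the SRV answers out of Windows `nslookup -q=srv` output."""
    records, current = [], None
    for line in output.splitlines():
        header = _HEADER.match(line)
        if header:
            current = {"name": header.group(1).rstrip(".").lower()}
            records.append(current)
            continue
        field = _FIELD.match(line)
        if field and current is not None:
            key, value = field.group(1).lower(), field.group(2)
            if key == "svr hostname":
                current[key] = value.rstrip(".").lower()
            elif value.isdigit():
                current[key] = int(value)
    return records


def check_autodiscover(domain, outputs):
    """Evaluate captured output; `outputs` maps '_http'/'_https' to nslookup text."""
    findings, published = [], []
    for proto, port in EXPECTED_PORT.items():
        qname = f"{SERVICE}.{proto}.{domain}".lower()
        records = [r for r in parse_srv(outputs.get(proto, "")) if r["name"] == qname]
        if records:
            published.append(proto)
        for rec in records:
            if rec.get("port") != port:
                findings.append(f"{qname}: port {rec.get('port')}, guide specifies {port}")
            if "." not in rec.get("svr hostname", ""):
                findings.append(f"{qname}: host is not an FQDN")
    if not published:
        findings.append(f"no {SERVICE} SRV record resolves; the agent cannot autodiscover the server")
    elif "_https" not in published:
        findings.append("only the HTTP record is published; the guide suggests HTTPS for increased security")
    # The guide states the agent attempts HTTPS first when both records exist.
    preferred = "_https" if "_https" in published else ("_http" if published else None)
    return {"preferred": preferred, "findings": findings}


# Constructed sample output for the two queries (not captured from a real network).
SAMPLE_HTTP = """\
Server:  dc01.source.int
Address:  10.0.0.10

_btadm._http.source.int   SRV service location:
          priority       = 0
          weight         = 0
          port           = 80
          svr hostname   = adm01.source.int
adm01.source.int   internet address = 10.0.0.20
"""
SAMPLE_HTTPS_MISSING = """\
Server:  dc01.source.int
Address:  10.0.0.10

*** dc01.source.int can't find _btadm._https.source.int: Non-existent domain
"""

if __name__ == "__main__":
    result = check_autodiscover(
        "source.int", {"_http": SAMPLE_HTTP, "_https": SAMPLE_HTTPS_MISSING})
    print("agent would use:", result["preferred"])
    for finding in result["findings"]:
        print("finding:", finding)
```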


Section 7. Using the SMART Active Directory Migrator Console

7.1 Launching the Active Directory Migrator Console

To launch the Active Directory Migrator console:

1. Double-click the SMART AD Migrator Console desktop shortcut.

OR

Select SMART AD Migrator Console in the Start menu.

2. The SMART Active Directory Migrator screen appears briefly and the application opens.

7.2 Refreshing Data

Use the Refresh button to refresh the data currently displayed in the table. The refreshed data will display all previous changes to the database and the currently available right-click options. Selected filter options are not affected by refreshing.

To refresh the data displayed in the table:

1. Click the Refresh button.

7.3 Creating Mapping Files

Use the Create Mapping Files button to generate the User Mapping File (Map.usr) and Group Mapping File (Map.gg). These files are automatically created during the ReACL process so the only time they need to be created manually is if there is a stand-alone process that requires them, such as the Remote Profiles utility used for ReACL’ing Citrix users or roaming profiles, or for re-permissioning SQL databases. This process is otherwise not required.


To create the mapping files:

1. Click the Create Mapping Files button.

2. The Mapping Files window appears and displays the location of the created Map.usr and Map.gg files. Click OK.

Each time the Create Mapping Files process is run, the Map.usr and Map.gg files are overwritten.

If the Active Directory environment is non-English, the values in the sAMAccountName column of the BT_SystemGroup table in the SQL database will need to be changed after SMART Directory Sync is installed to have the appropriate non-English values.

7.4 Migration Groups

Objects in the table can be grouped into Migration Groups for migration process management. Migration Groups allow you to filter and sync smaller groups of objects. An item can be part of a single Migration Group only.

To set Migration Group for objects:

1. Click on table rows to select one or more objects in the list. (Use Ctrl-Click to select more than one row.)

2. Right-Click to view the options menu and select Set Migration Group.

3. Select a migration group from the drop-down list or click New to create a new Migration Group for the selected objects. To remove a previously selected migration group, select <None> from the drop-down list.

4. If creating a new Migration Group, enter a Migration Group Name.

5. Click Save. The Migration Group column is populated for the selected objects.


7.5 Using Blacklists

Objects can be added to the blacklist. Blacklisted objects will not be displayed (unless the "Show Blacklisted" option is selected) or synced.

To add objects to the blacklist:

1. Click on table rows to select one or more objects in the list. (Use Ctrl-Click to select more than one row.)

2. Right-Click to view the options menu and select Add to Blacklist. The selected objects are removed from the displayed list.

3. Select the Show Blacklisted option to view the blacklisted objects.

To remove objects from the blacklist:

1. Select the Show Blacklisted option to view the blacklisted objects.

2. Click on table rows to select one or more objects in the list. (Use Ctrl-Click to select more than one row.)

3. Right-Click to view the options menu and select Remove from Blacklist. The selected objects are removed from the displayed list.

4. Deselect the Show Blacklisted option to view the non-blacklisted objects.

7.6 Grouping, Sorting, and Filtering Tables

The data table can be grouped by column headers, sorted by column, or filtered.

Grouping

To group the data table by column headers:

1. Click and drag a column header to the area above the column headers to group by that column header.

2. Click and drag additional column headers to create child groups.

3. To remove a grouping, roll over and click the "X" in the grouped by column heading.

Sorting

To sort the data table by column headers:

1. Click a column header to sort the table by the column in ascending order.

2. Click the column header again to sort the table by the column in descending order.

3. Click the column header a third time to remove the column sort and return to the default sort.


Filtering

To filter the data table with the column filters:

1. Click the filter icon in the column header. The filter options window appears.

2. Select filter options and then click Filter. The table is updated as you select the options. The filter icon is darkened when applied.

3. To remove the column filter, click the filter icon and click Clear Filter.

4. To clear all column filters, click the Clear All Column Filters button or right-click on the header row and select Clear All Column Filters.

To filter the data table by DirSync Profile:

1. Select a profile from the DirSync Profiles drop-down list. The table is updated to display only objects associated with the selected DirSync profile. By default, objects from All Profiles are displayed.


To filter the data table by Migration Group:

1. Select a migration group from the Migration Group drop-down list. The table is updated to display only objects in the selected migration group. By default, objects from All batches are displayed.

7.7 Customizing Columns

The default data tables do not display every available column. However, the displayed columns can be customized, and the column order can also be changed.

To choose displayed columns:

1. Click the Choose Columns button in the table header or right click on the header row and select Choose Columns. The Choose Columns window appears.

2. Select the columns to display in the table.

3. Click OK. The table is updated with the selected columns.

To change the order of columns:

1. Click and drag the column header and drop it in a new location. The table is updated.


7.8 Selecting Multiple Table Rows

There are several ways to select multiple table rows.

To select all table rows:

1. Click the Select All button in the table header or use Ctrl+A. The first 1000 rows are selected by default.

By default, the first 1000 rows are selected. This setting can be changed in SQL in the ADM_Setting table field SelectAllLimit.

2. Perform a right-click action to the selected rows.

If attempting to select more than 1000 rows at a time, perform the action on the first 1000, filter the list based on the action, and then select all again.

To select more than one table row:

o Use Ctrl+Click to select more than one row.

o Use Shift+Up/Down Arrow to select additional rows before or after the currently selected row.

o Use Shift+Pg Up/Pg Dn to select all rows before or after the currently selected row.

The following key shortcuts do not work: Shift+Ctrl+End, Shift+Ctrl+Home, Shift+Ctrl+Page Down, Shift+Ctrl+Page Up, Shift+Left Click, Click+Shift+Left Click.

7.9 Triggering a Sync

Use the Sync button to sync the data currently displayed in the table. Select a different DirSync Profile before starting a sync to synchronize just that configured Source to Target. If All Profiles is selected, all of the DirSync AD Migrator profiles will be synchronized. If the DirSync AD Migrator profile has been set to synchronize on a schedule, manually starting a sync is not necessary.

Only objects marked as "Ready to Sync" will be synced to the target.

To sync the data displayed in the table:

1. Click the Sync button.


2. After clicking the Sync button the following confirmation for the synchronization of the selected DirSync Profile will be displayed.

3. If All Profiles are selected the prompt will appear as follows:

4. If a sync is already running the following will be displayed:


Section 8. Migrating Users

The Users screen allows you to sync users to the target as well as enable and disable users on the source and target before cutover occurs.

Sync Users

To sync users to the target:

1. Click on table rows to select one or more users in the list (Use Ctrl-Click to select more than one row).

2. Right-Click to view the options menu and select Ready to Sync. The Ready to Sync column for the selected users becomes checked. The selected users are synced during the next sync cycle (scheduled in SMART Directory Sync or triggered manually with the Sync button in SMART AD Migrator).

If the Ready to Sync column doesn’t display all of the check marks expected, click on the Refresh button to refresh the data in the table.

3. To prevent the users from syncing, select the users and select Not Ready to Sync from the right-click menu.

Enable and Disable Users

To enable/disable users on the source or target:

1. Click on table rows to select one or more users in the list (Use Ctrl-Click to select more than one row).

2. Right-Click to view the options menu and select one of the following options:

o Enable on Target only

o Enable on Target/Disable on Source

o Enable on Source only

o Enable on Source/Disable on Target

The Source UAC and/or Target UAC columns of the selected users are updated.


A sync must be performed before the selected Enable/Disable User option takes effect.

Set as Migrated

To help manage user accounts that are fully completed and require no further action, you can set them as migrated:

1. Click on table rows to select one or more users in the list.

2. Right-Click to view the options menu and select Set as Migrated.

3. Click Save. The Migrated column of the selected users is checked.

User Columns

The following columns appear on the Users screen by default:

o Migration Group - The Migration Group name. Use the Right-click Set Migration Group option to change.

o First Name - the first name attribute of the source user account

o Last Name - the last name attribute of the source user account

o sAMAccountName - the sAMAccountName attribute of the source user account

o Display Name - the display name attribute of the source user account

o Distinguished Name - the distinguished name attribute of the source user account

o Target Distinguished Name - the distinguished name attribute of the target user account. This column is populated when a user is synced.

o Description - the description attribute of the source user account

o Migrated - The migrated status of the user. Use the Right-click Set as Migrated option to change.

o Ready to Sync - This is checked if the user account is currently ready to sync. Use the Right-click Ready to Sync option or Not Ready to Sync option to change.

o Created - This is checked if the user account has been created in the target

o Source UAC - Indicates if the user account is enabled in the source. Use the Right-click Enable/Disable User options to change.

o Target UAC - Indicates if the user account is enabled in the target. Use the Right-click Enable/Disable User options to change.

o Last Sync - Displays the date/time of the last sync.

The following additional fields can be displayed by customizing the columns:

o ID - SQL record number

o Migration Group ID

o Blacklisted - This is checked if the user is currently on the blacklist. Use the Right-click Add to Blacklist option or Remove from Blacklist option to change.

o Alias

o Assistant

o Company

o Country

o Country Code

o Country Name

o Deleted Item Flags

o Delivery Content Length

o Department

o Department Number

o Division

o Employee ID

o Employee Number

o Employee Type

o Extension 1 - 15

o Manager

o Object SID

Section 9. Migrating Rooms

The Rooms screen allows you to sync rooms to the target.

Sync Rooms

To sync rooms and resources to the target:

1. Click on table rows to select one or more rooms in the list (Use Ctrl-Click to select more than one row).

2. Right-Click to view the options menu and select Ready to Sync. The Ready to Sync column for the selected rooms becomes checked. The selected rooms are synced during the next sync (scheduled in SMART Directory Sync or triggered manually with the Sync button).

3. To prevent the rooms from syncing, select the rooms and select Not Ready to Sync from the right-click menu.

Room Columns

The following columns appear on the Rooms screen by default:

o Migration Group - The Migration Group name. Use the Right-click Set Migration Group option to change.

o Room Number - the room number attribute of the source room

o Display Name - the display name attribute of the source room

o Distinguished Name - the distinguished name attribute of the source room

o Target Distinguished Name - the distinguished name attribute of the target room. This column is populated when a room is synced.

o Description - the description attribute of the source room

o Ready to Sync - This is checked if the room is currently ready to sync. Use the Right-click Ready to Sync option or Not Ready to Sync option to change.

o Created - This is checked if the room has been created in the target.

o Last Sync - Displays the date/time of the last sync.

The following additional fields can be displayed by customizing the columns:

o ID - SQL record number

o Migration Group ID

o Blacklisted - This is checked if the room is currently on the blacklist. Use the Right-click Add to Blacklist option or Remove from Blacklist option to change.

o Alias

o Assistant

o Company

o Country

o Country Code

o Country Name

o Deleted Item Flags

o Delivery Content Length

o Department

o Department Number

o Division

o Extension 1 - 15

o Manager

o Object SID

Section 10. Migrating Contacts

The Contacts screen allows you to sync contacts to the target.

Sync Contacts

To sync contacts to the target:

1. Click on table rows to select one or more contacts in the list (Use Ctrl-Click to select more than one row).

2. Right-Click to view the options menu and select Ready to Sync. The Ready to Sync column for the selected contacts becomes checked. The selected contacts are synced during the next sync (scheduled in SMART Directory Sync or triggered manually with the Sync button).

3. To prevent the contacts from syncing, select the contacts and select Not Ready to Sync from the right-click menu.

Contact Columns

The following columns appear on the Contacts screen by default:

o Migration Group - The Migration Group name. Use the Right-click Set Migration Group option to change.

o First Name - the first name attribute of the source contact

o Last Name - the last name attribute of the source contact

o Display Name - the display name attribute of the source contact

o Distinguished Name - the distinguished name attribute of the source contact

o Target Distinguished Name - the distinguished name attribute of the target contact. This column is populated when a contact is synced.

o Description - the description attribute of the source contact

o Ready to Sync - This is checked if the contact is currently ready to sync. Use the Right-click Ready to Sync option or Not Ready to Sync option to change.

o Created - This is checked if the contact has been created in the target.

o Last Sync - Displays the date/time of the last sync.

The following additional fields can be displayed by customizing the columns:

o ID - SQL record number

o Migration Group ID

o Blacklisted - This is checked if the contact is currently on the blacklist. Use the Right-click Add to Blacklist option or Remove from Blacklist option to change.

o Alias

o Assistant

o Company

o Country

o Country Code

o Country Name

o Deleted Item Flags

o Delivery Content Length

o Department

o Department Number

o Division

o Employee ID

o Employee Number

o Employee Type

o Extension 1 - 15

o Manager

o Object SID

Section 11. Migrating Groups

The Groups screen allows you to sync groups to the target.

How different types of groups (Domain Local, Global, and Universal Group) are created on the target and how group collisions are handled is defined on the AD Target Options tab of the Active Directory Migrator synchronization profile.

Sync Groups

To sync groups to the target:

1. Click on table rows to select one or more groups in the list (Use Ctrl-Click to select more than one row).

2. Right-Click to view the options menu and select Ready to Sync. The Ready to Sync column for the selected groups becomes checked. The selected groups are synced during the next sync (scheduled in SMART Directory Sync or triggered manually with the Sync button).

3. To prevent the groups from syncing, select the groups and select Not Ready to Sync from the right-click menu.

Group Columns

The following columns appear on the Groups screen by default:

o Migration Group - The Migration Group name. Use the Right-click Set Migration Group option to change.

o sAMAccountName - the sAMAccountName attribute of the source group account

o Display Name - the display name attribute of the source group account

o Distinguished Name - the distinguished name attribute of the source group account

o Target Distinguished Name - the distinguished name attribute of the target group account. This column is populated when a group is synced.

o Description - the description attribute of the source group account

o Ready to Sync - This is checked if the group is currently ready to sync. Use the Right-click Ready to Sync option or Not Ready to Sync option to change.

o Created - This is checked if the group account has been created in the target.

o Last Sync - Displays the date/time of the last sync.

The following additional fields can be displayed by customizing the columns:

o ID - SQL record number

o Migration Group ID

o Blacklisted - Checked if the group is currently on the blacklist. Use the Right-click Add to Blacklist option or Remove from Blacklist option to change.

o Alias

o Assistant

o Company

o Country

o Country Code

o Country Name

o Deleted Item Flags

o Delivery Content Length

o Department

o Department Number

o Division

o Extension 1 - 15

o Managed By

o Object SID

Section 12. Migrating Devices

12.1 Settings

The Settings screen allows you to define the settings used when the device Cutover process is started.

Migration Options

To add migration options:

1. Click the Migration Options tab.

2. Click the Add button. The Migration Options window appears.

3. Enter values in the following fields:

o Option Name - the name to identify the options (for example, "10 Second Reboot Delay")

o Domain Join Delay - the delay (in seconds) before joining the domain

o Reboot Delay - the delay (in seconds) before rebooting

If set to any value other than zero (0), the user will receive a pop-up notification informing them that the workstation will be rebooted when the cutover is performed. If set to zero, no notification will appear.

o Recycle Bin - select how to handle the Recycle Bin during cutover, either Empty or Don't Empty

Users may get an error message that their Recycle Bin has been corrupted after migration if the Recycle Bin is not empty. See Troubleshooting for more information about this issue.

o Target OU - the target OU where the devices will be created. If you leave this field blank, the devices will default to the Computers container.

4. Click Save. The migration options are added to the list.

Cutover Credentials

The specified credentials must be able to join and disjoin a computer from the specified domain as well as disable a computer in the specified domain. A trust between the source and target domain is not required.

To add cutover credentials:

1. Click the Cutover Credentials tab.

2. Click the Add button. The Cutover Credentials window appears.

3. Enter values in the following fields:

o Name - the name to identify the cutover credentials (for example, "DomA to DomB Admins")

o Source Domain FQDN - the domain FQDN of the source in source.domain.dom format

o Source Username - the username to access the source domain in domain\username or UPN ([email protected]) format

o Source Password - the password to access the source domain

o Target Domain FQDN - the domain FQDN of the target in target.domain.dom format

o Target Username - the username to access the target domain in domain\username or UPN ([email protected]) format

o Target Password - the password to access the target domain

4. Click Save. The cutover credentials are added to the list.

Network Profiles

To add network profiles:

1. Click the Network Profiles tab.

2. Click the Add button. The Network Profiles window appears.

3. Enter values in the following fields:

o Profile Name - the name to identify the network profile

o Obtain DNS server address automatically? - options include No Change, Manually Assign, or Use DHCP

o Preferred DNS Server - the preferred DNS server

o Alternate DNS Server - the alternate DNS server

o Append primary and connection specific DNS suffixes - options include No Change, Obtain from NIC, or Manually Assign.

o DNS Suffixes - the list of DNS suffixes. Enabled if Manually Assign is selected for the Append primary and connection specific DNS suffixes option. Enter each suffix and then press Enter.

o DNS Suffix for this Connection - the DNS suffix once cutover is complete

o Register the connection's addresses in DNS - options include No Change, No, or Yes

o Use this connection's DNS suffix in DNS registration - Enabled if Yes is selected for the Register the connection's addresses in DNS option. Select No Change, Don't register manual DNS suffix, or Register manual DNS suffix.

o Preferred WINS Server - the preferred WINS server

o Alternate WINS Server - the alternate WINS server

4. Click Save. The migration option is added to the list.

12.2 Migrating Devices

Workstations and Servers are referred to as Devices in SMART AD Migrator. The Devices screen allows you to register devices, change the polling interval, and manage the device Discovery, ReACL, Cutover, and Cleanup processes.

The SMART AD Migrator Agent must be installed on the device before a device can be registered or any actions taken on it. Refer to Installing the SMART AD Migrator Agent on Devices topic for more information.

Polling Interval

The polling interval is set to 14400 seconds (4 hours) by default. The polling interval tells devices how frequently to contact the SMART AD Migrator Server and check for jobs. If left at the default interval of 14400 seconds (4 hours), it is possible that any command sent to the device may not execute for up to four hours. The polling interval is set to a high number to keep the load off of the web servers until devices are closer to the actual date of cutover.

Such a lengthy time between sending a command to a device and the device executing the command is not likely to be effective on the day of cutover. To ensure adequate response time on the day of cutover, it is recommended to decrease this interval in advance of the Cutover process.

Devices will only obtain an updated polling interval when next contacting the SMART Active Directory Migrator web service. Since this interval is likely to be 4 hours, the polling interval should be decreased at least 4 hours before the update is desired to take effect.

To set the polling interval:

1. Click on table rows to select one or more devices in the list (Use Ctrl-Click to select more than one row).

2. Right-click to view the options menu and select Set Polling Interval. The Set Polling Interval window appears.

3. Edit the Polling Interval (seconds) field and click Save.

The polling interval default for all newly registered devices can be changed in SQL in the ADM_Setting table field PollIntervalSeconds.

Discovery

The Discovery process gathers properties (OS versions, network properties, and so on) from the device to allow additional future functionality. The first discovery process begins for a device when the device becomes registered, which occurs automatically after the Device Agent has been installed, as long as the environment is properly configured.

To start the device Discovery process manually:

1. Click on table rows to select one or more devices in the list (Use Ctrl-Click to select more than one row).

2. Right-click to view the options menu and select Discovery. The Queue Summary window appears.

3. Click OK. The Discovery Status column is populated with the current status. Use the Right-click View Jobs option or double-click a row in the Devices table to view the list of jobs for the specific Device.

ReACL

The ReACL process updates the device’s domain user profiles for use by the matching target user after cutover.

Before ReACL can occur, the target users and groups which have permissions set on the device must be migrated to the target.

To start the device ReACL process:

1. Click on table rows to select one or more devices in the list (Use Ctrl-Click to select more than one row).

2. Right-Click to view the options menu and select ReACL. The Queue Summary window appears.

3. Click OK. The ReACL Status column is populated with the current status. Use the Right-click View Jobs option or double-click a row to view the list of jobs.

The ReACL process will automatically create two files on the device being ReACL’d, map.usr and map.gg. These files are used to find the source permissions and add the appropriate target permissions during the ReACL process. System groups, such as Domain\Domain Admins and Domain\Domain Users are included in the map.gg file for updating the group permissions during the ReACL process. If the Active Directory environment is non-English, the values in the sAMAccountName column of the BT_SystemGroup table in the SQL database will need to be changed after SMART Directory Sync is installed to have the appropriate non-English values.

If the Mapped Network Drive is being mapped via GPO or using an integrated credential such as the current Windows logon session, ReACL will create a warning entry in the log “…WARNING: The UserName value for drive U was empty and could not be mapped to the target user.” This warning does not mean that the mapped drive cannot be accessed after Cutover.

Cutover

The Cutover process moves a device from the source domain to the new target domain.

To start the Cutover process:

1. Click on table rows to select one or more devices in the list (Use Ctrl-Click to select more than one row).

2. Right-Click to view the options menu and select Cutover.

3. Click OK. The Cutover Options window appears.

4. Select Cutover Credentials, a Network Profile, and Migration Option from the drop-down lists.

5. Click OK. The Queue Summary window appears.

6. The Cutover Status column is populated with the current status. Use the Right-click View Jobs option or double-click a row to view the list of jobs.

The Cutover Options are set on the Settings screen.

Cleanup

The Cleanup process removes the Source SIDs after the Cutover process completes.

Cleanup should be done when the migration project is completed. If a trust is in place, the trust can be broken before running the Cleanup process to test whether any application permissions are broken.

The Cleanup process is not supported on Windows 8.x/Server 2012 or higher.

To start the Cleanup process:

1. Click on table rows to select one or more devices in the list (Use Ctrl-Click to select more than one row).

2. Right-Click to view the options menu and select Cleanup. The Queue Summary window appears.

3. Click OK.

4. The Cleanup Status column is populated with the current status. Use the Right-click View Jobs option or double-click a row to view the list of jobs.

View Jobs

To view device jobs:

1. Click on table rows to select one or more devices in the list (Use Ctrl-Click to select more than one row).

2. Right-Click to view the options menu and select View Jobs. The Device Jobs window appears.

3. The Device Jobs table includes the following columns:

o Job ID - the ID of the job

o Queued Timestamp - the date and time the job was queued

o Command Name - the command name of the job

o Status - the current status of the job

o Cancel Requested - checked if a cancel of the job has been requested

o Message - Result codes and messages for the job

o Timeout (sec) - the timeout in seconds

o Retry Count - the number of times the job has been retried

o Rollback Status - the status of a rollback

o Rollback Message - the status of a rollback

4. To cancel a job, select the job and click the Cancel button or select Cancel from the right-click menu. To refresh the jobs list, click the Refresh button.

Jobs can be canceled when the Status or Rollback Status is either Queued, Scheduled, Started, or In Progress.

Device Columns

The following columns appear on the Devices screen by default:

o Migration Group - The Migration Group name. Use the Right-click Set Migration Group option to change.

o sAMAccountName - the sAMAccountName attribute of the source device

o Distinguished Name - the distinguished name attribute of the source device

o Registered - This is checked if the device is registered with the server.

o Agent Last Contact - Displays the time and date of the last contact between the agent and the SMART AD Migrator Server.

o Description - the description attribute of the source device

o Polling Interval - The time interval (in seconds) between polls. This is set to 14400 seconds (4 hours) by default. Use the Right-click Set Polling Interval option to change. The SMART AD Migrator agent will pick up the new polling interval value the next time it contacts the Web Service.

o Discovery Status - The status of the discovery process. Use the Right-click Discovery option to start the Discovery process.

o ReACL Status - The status of the ReACL process. Use the Right-click ReACL option to start the ReACL process.

o Cutover Status - The status of the Cutover process. Use the Right-click Cutover option to start the Cutover process.

o Cleanup Status - The status of the Cleanup process. Use the Right-click Cleanup option to start the Cleanup process.

The following additional fields can be displayed by customizing the columns:

o ID - SQL record number

o Migration Group ID - The Migration Group ID.

o Blacklisted - checked if the device is currently on the blacklist. Use the Right-click Add to Blacklist option or Remove from Blacklist option to change.

Section 13. Migrating NAS

The NAS screen allows you to ReACL NAS (Network Attached Storage) devices via a network share.

Add a NAS

To add a NAS device:

1. Click the Add button. The Network Storage window appears.

2. Enter values in the following fields:

o UNC Path - the UNC path to the network share used to access the NAS device

o Device Name - The name of the device used to access the NAS device. This device must be local (same network, region, and so on) to the NAS device.

o Username - the username to access the NAS device in domain\username format

o Password - the password to access the NAS device

3. Click Save. The NAS device is added to the list.

Edit a NAS

To edit a NAS device:

1. Click on a table row to select a NAS device in the list.

2. Click the Edit button or select Edit from the right-click menu. The Network Access Storage window appears.

3. Edit the values.

4. Click OK. The NAS device is updated in the list.

Delete a NAS

To delete a NAS device:

1. Click on table rows to select one or more NAS devices in the list (Use Ctrl-Click to select more than one row).

2. Click the Delete button or select Delete from the right-click menu. The NAS device is removed from the list.

ReACL

The ReACL process updates the NAS’s domain user profiles for use by the matching target user after cutover.

To start the device ReACL process:

1. Click on table rows to select one or more NAS devices in the list (Use Ctrl-Click to select more than one row).

2. Right-Click to view the options menu and select ReACL. The Queue Summary window appears.

3. Click OK. Use the Right-click View Jobs option to view the list of jobs.

Cleanup

The Cleanup process removes the Source SIDs after the Cutover process completes.

To start the Cleanup process:

1. Click on table rows to select one or more NAS devices in the list. (Use Ctrl-Click to select more than one row or Shift-Click to select a range of rows.)

2. Right-Click to view the options menu and select Cleanup. The Queue Summary window appears.

3. Click OK.

4. The Cleanup Status column is populated with the current status. Use the Right-click View Jobs option to view the list of jobs.

View Jobs

To view NAS device jobs:

1. Click on table rows to select one or more NAS devices in the list (Use Ctrl-Click to select more than one row).

2. Right-Click to view the options menu and select View Jobs. The Device Jobs window appears.

3. The Device Jobs table includes the following columns:

o Job ID - the ID of the job

o Queued Timestamp - the date and time the job was queued

o Command Name - the command name of the job

o Status - the current status of the job

o Cancel Requested - checked if a cancel of the job has been requested

o Message - Result codes and messages for the job

o Timeout (sec) - the timeout in seconds

o Retry Count - the number of times the job has been retried

o Rollback Status - the status of a rollback

o Rollback Message - the status of a rollback

4. To cancel a job, select the job and click the Cancel button or select Cancel from the right-click menu. To refresh the jobs list, click the Refresh button.

NAS Columns

The following columns appear on the NAS screen by default:

o ID - the migration ID

o Device Name - The name of the device used to access the NAS device. This device must be local to the NAS device.

o UNC Path - the UNC path to the network share used to access the NAS device

o Username - the username to access the NAS device

o ReACL Status - The status of the ReACL process. Use the Right-click ReACL option to start the ReACL process.

o Cleanup Status - The status of the Cleanup process. Use the Right-click Cleanup option to start the Cleanup process.

Section 14. Troubleshooting

o Problem: What do you do when a user tries to use a network printer post ReACL process and/or cutover and receives an access denied error?

Solution: Migrate the SID History for that user to resolve the problem.

o Problem: ASP.NET will sometimes not register properly with IIS, which can cause errors when the SMART AD Migrator agent tries to communicate with the Web Service. How do I address this?

Solution: During installation, the installer needs to enable the IIS feature on the server, if the feature was not already enabled, so that the web service can be installed and configured. To address this problem, manually re-register ASP.NET with IIS by running the command below on the server under C:\Windows\Microsoft.NET\Framework\v4.0.30319:

aspnet_regiis -i

o Problem: What do I do if the Agent_<datetime>.log shows an Error: Login failed for user 'IIS APPPOOL\ADM AppPool' in System.Data.SqlClient.SqlException?

Solution: To fix this:

1. Open SQL Management Studio where the DirSync databases were set up

2. Go to SQL Server Security -> Logins

3. New Login

4. User name: IIS APPPOOL\ADM AppPool

5. Click on User Mappings

6. Select BTCodex for the database

7. Select db_datareader and db_datawriter for Roles

8. Click OK

9. Restart the agent on the workstation or wait for the next polling interval
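
Steps 2 through 8 above can also be run as a script in a query window, followed by a check of what the account ended up with. The T-SQL below is an added example, not part of the original guide; it uses the login, database and role names given in the steps and assumes SQL Server 2012 or later for the ALTER ROLE ... ADD MEMBER syntax.

```sql
-- Added example: scripted equivalent of steps 2-8 above.
-- Names taken from the guide: login IIS APPPOOL\ADM AppPool, database BTCodex,
-- roles db_datareader and db_datawriter.
-- Assumption: SQL Server 2012 or later (ALTER ROLE ... ADD MEMBER syntax).

USE [master];
GO

-- Steps 2-4: create the Windows login for the application pool identity if missing.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'IIS APPPOOL\ADM AppPool')
BEGIN
    CREATE LOGIN [IIS APPPOOL\ADM AppPool] FROM WINDOWS;
END
GO

USE [BTCodex];
GO

-- Steps 5-6: map the login to a database user in BTCodex if missing.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'IIS APPPOOL\ADM AppPool')
BEGIN
    CREATE USER [IIS APPPOOL\ADM AppPool] FOR LOGIN [IIS APPPOOL\ADM AppPool];
END
GO

-- Step 7: add the user to the two roles the guide names, and no others.
ALTER ROLE [db_datareader] ADD MEMBER [IIS APPPOOL\ADM AppPool];
ALTER ROLE [db_datawriter] ADD MEMBER [IIS APPPOOL\ADM AppPool];
GO

-- Review: list every database role the account holds in BTCodex.
-- The guide grants only db_datareader and db_datawriter; any other role
-- listed here was granted outside these steps.
SELECT dp.name AS database_user,
       r.name  AS database_role
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r
  ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS dp
  ON dp.principal_id = drm.member_principal_id
WHERE dp.name = N'IIS APPPOOL\ADM AppPool'
ORDER BY r.name;

-- Review: list any fixed or user-defined server roles held by the login.
-- The steps above assign none.
SELECT sp.name AS login_name,
       sr.name AS server_role
FROM sys.server_role_members AS srm
JOIN sys.server_principals AS sr
  ON sr.principal_id = srm.role_principal_id
JOIN sys.server_principals AS sp
  ON sp.principal_id = srm.member_principal_id
WHERE sp.name = N'IIS APPPOOL\ADM AppPool';
```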

o Problem: Observed Access Denied error when trying to ReACL a Windows NAS Shared Drive.

Solution: To fix this:

1. Add the user credential in the NAS screen in the SMART AD Migrator Console. This user should be installed on a workstation with Local Admin Rights.

2. After the agent is installed on the workstation, change the SMART AD Migrator Agent Service account from Local System to the user credential specified in step 1. This user should also be logged in on the workstation.

3. Turn off UAC on the workstation.

4. ReACL the Windows NAS Shared Drive.

o Problem: Users are getting an error message that their Recycle Bin has been corrupted once their computer has been migrated.

Solution: This is a common issue with domain migrations and is caused when the Recycle Bin is not empty. It happens because the name of the Recycle Bin is the user’s SID and the Recycle Bin cannot be ReACL’d. When the user logs on after the workstation has been ReACL’d and migrated, the user cannot access the existing Recycle Bin if it is not empty. If the existing Recycle Bin is empty, a new one is created and the target user’s SID is the name of the Recycle Bin.

Resolution:

Empty the recycle bin as part of the Cutover process.

o Problem: SMART Directory Sync does not start if the SQL Authentication method is used with Windows authentication.

Solution: Manually add the computer account to the SQL server and grant it the Sys_Admin role. To accomplish this, perform the following steps.

1. Via the SQL Management Studio, open a new query window. Enter the below script.

2. CREATE LOGIN [Domain\machine_name$] FROM WINDOWS

3. Via Security and Logins, locate the newly created Computer Name.

4. Grant this user the System_Admin role.

Password Sync Troubleshooting

o Problem: You encounter "Access is denied" errors when syncing passwords with Directory Sync.

Solution: This is most likely because the utility (psexec.exe) used for remote calls to the Global Catalog is failing. Some things you can try are:

1. Try the GC server's IP address, FQDN and Shortname. IP address often works when others do not.

2. From the Directory Sync machine browse to \\[GC]\admin$ with the admin username\password.

3. Run the Directory Sync service with credentials that have access to the GC instead of as LocalSystem.

4. Firewalls\Anti-Virus software should not be a problem but turning them off may help.

AD Migrator Agent Installation Troubleshooting

o Problem: The device registers, but does not get discovered (Discovery Status remains black in the AD Migrator console).

Solution: Install PowerShell 2.0 or higher on the client. Operating systems earlier than Windows 7 do not natively include PowerShell.

o Problem: During manual installation, a "wizard interrupted" error appears.

Solution: Install .NET 4.0 or higher on the client and run the installer again.

o Problem: After a successful manual install, an "Unable to register" error appears in the Event Viewer.

Solution: Verify the path to the AD Migrator server is correct and complete.

o Problem: After a successful manual install, an "Unable to auto-discover" error appears in the Event Viewer.

Solution: The SRV records are missing, incorrect, or unreachable. Verify SRV records are set up properly.

Appendix A. Upgrading SMART AD Migrator

SMART AD Migrator can be upgraded to a new version without uninstalling the existing version. The install wizard will detect the necessary changes and manage the upgrade.

1. Download the install executable file of the new version from the FTP site and save it on the server. After you have finished downloading, the Desktop icon will appear.

2. Double-click the executable file.

3. An install wizard confirmation message appears. Click Yes to continue with the upgrade.

4. The wizard screen appears. Click Next to continue.

5. The Database Server Login screen appears. The wizard detects the server location and credential information of the existing SMART AD Migrator install. Click Next to continue. Note that if you choose to install to a database other than the existing database, previous changes made to the views will be lost.

6. The Ready to Install screen appears. Click Install to begin the installation.

7. The Files in Use screen appears. Choose to automatically close and attempt to restart the applications or to not close the applications. A reboot will be required if you choose to not close the applications. Click OK to continue.

Appendix B. Modifying, Repairing and Uninstalling SMART AD Migrator

SMART AD Migrator can be modified, repaired, or uninstalled from Programs and Features. The install wizard will detect the necessary changes and manage the upgrade.

1. Open Programs and Features by clicking the Windows Start button, clicking Control Panel, and clicking Programs and Features.

2. Select Binary Tree SMART Active Directory Migrator from the list of programs and click Change.

3. The wizard screen appears displaying the following options. Select one of the following options and click Next:

o Modify – use the Modify option to add and subtract components of SMART AD Migrator.

o Repair – use the Repair option if SMART AD Migrator needs to be repaired due to corruption.

o Remove – use the Remove option to uninstall SMART AD Migrator. You can also uninstall by clicking Uninstall on the Programs and Features page.

4. Proceed through the wizard until finished.

Appendix C. AD Source – AD Target Default Mapping

The table below displays the default values of the AD Source to AD Target mapping table.

Source Field | Internal Field | Target Field | Source Type | Target Type 1 | Target Type 2 | Comments

altRecipient ForwardingAddress altRecipient any any

assistant Assistant any any

authOrig AuthOrig authOrig any any

C CountryAbbreviation C any any

cn CommonName cn any any

Co CountryName Co any any

codePage CodePage codePage any any

Comment Comment Comment any any

company Company company any any

countryCode CountryCode countryCode any any

deletedItemFlags DeletedItemFlags deletedItemFlags any any

delivContLength DelivContLength delivContLength any any

department Department department any any

departmentNumber DepartmentNumber departmentNumber any any

description Description description any any

displayName DisplayName displayName any any

division Division division any any

dLMemSubmitPerms DLMemSubmitPerms dLMemSubmitPerms any any

dLMemRejectPerms DLMemRejectPerms dLMemRejectPerms any any

employeeID EmployeeID employeeID any any

employeeNumber EmployeeNumber employeeNumber any any

employeeType EmployeeType employeeType any any

extensionAttribute1 Extension1 extensionAttribute1 any any These are Exchange defined custom attributes.

extensionAttribute10 Extension10 extensionAttribute10 any any These are Exchange defined custom attributes.

extensionAttribute11 Extension11 extensionAttribute11 any any These are Exchange defined custom attributes.

extensionAttribute12 Extension12 extensionAttribute12 any any These are Exchange defined custom attributes.

extensionAttribute13 Extension13 extensionAttribute13 any any These are Exchange defined custom attributes.

extensionAttribute14 Extension14 extensionAttribute14 any any These are Exchange defined custom attributes.

extensionAttribute15 Extension15 extensionAttribute15 any any These are Exchange defined custom attributes.

extensionAttribute2 Extension2 extensionAttribute2 any any These are Exchange defined custom attributes.

extensionAttribute3 Extension3 extensionAttribute3 any any These are Exchange defined custom attributes.

extensionAttribute4 Extension4 extensionAttribute4 any any These are Exchange defined custom attributes.

extensionAttribute5 Extension5 extensionAttribute5 any any These are Exchange defined custom attributes.

extensionAttribute6 Extension6 extensionAttribute6 any any These are Exchange defined custom attributes.

extensionAttribute7 Extension7 extensionAttribute7 any any These are Exchange defined custom attributes.

extensionAttribute8 Extension8 extensionAttribute8 any any These are Exchange defined custom attributes.

extensionAttribute9 Extension9 extensionAttribute9 any any These are Exchange defined custom attributes.

facsimileTelephoneNumber OfficeFAXNumber facsimileTelephoneNumber any any

generationQualifier Suffix generationQualifier any any

givenName FirstName givenName any any

homePhone HomePhoneNumber homePhone any any

HomePostalAddress HomePostalAddress HomePostalAddress any any

Info Info Info any any

initials Initials initials any any

internationalISDNNumber InternationalISDNNumber internationalISDNNumber any any

internetEncoding internetEncoding internetEncoding any any

ipPhone IPPhone ipPhone any any

jpegPhoto JPEGPhoto jpegPhoto any any

l OfficeCity l any any

language Language language any any

legacyExchangeDN LegacyExchangeDN legacyExchangeDN any any

localeID LocaleID localeID any any

mail InternetAddress mail any any

mailNickname PrimaryAlias mailNickname any any

manager Manager any any

mAPIRecipient MAPIRecipient mAPIRecipient any any

middleName MiddleName middleName any any

mobile CellPhoneNumber mobile any any

msDS-PhoneticCompanyName msDSPhoneticCompanyName msDS-PhoneticCompanyName any any

msDS-PhoneticDepartment msDSPhoneticDepartment msDS-PhoneticDepartment any any

msDS-PhoneticDisplayName msDSPhoneticDisplayName msDS-PhoneticDisplayName any any

msDS-PhoneticFirstName msDSPhoneticFirstName msDS-PhoneticFirstName any any

msDS-PhoneticLastName msDSPhoneticLastName msDS-PhoneticLastName any any

msExchAddressBookFlags msExchAddressBookFlags msExchAddressBookFlags any any

msExchALObjectVersion msExchALObjectVersion msExchALObjectVersion any any

msExchArchiveGuid msExchArchiveGuid msExchArchiveGuid any any

msExchArchivename msExchArchivename msExchArchivename any any

msExchAssistantName msExchAssistantName msExchAssistantName any any

msExchBlockedSendersHash msExchBlockedSendersHash msExchBlockedSendersHash any any

msExchBypassAudit msExchBypassAudit msExchBypassAudit any any

msExchELCExpirySuspensionEnd msExchELCExpirySuspensionEnd msExchELCExpirySuspensionEnd any any

msExchELCExpirySuspensionStart msExchELCExpirySuspensionStart msExchELCExpirySuspensionStart any any

msExchELCMailboxFlags msExchELCMailboxFlags msExchELCMailboxFlags any any

msExchExternalOOFOptions msExchExternalOOFOptions msExchExternalOOFOptions any any

msExchHideFromAddressLists msExchHideFromAddressLists msExchHideFromAddressLists any any

msExchMailboxAuditEnable msExchMailboxAuditEnable msExchMailboxAuditEnable any any

msExchMailboxAuditLogAgeLimit msExchMailboxAuditLogAgeLimit msExchMailboxAuditLogAgeLimit any any

msExchMailboxGuid msExchMailboxGUID msExchMailboxGuid any any

msExchMDBRulesQuota msExchMDBRulesQuota msExchMDBRulesQuota any any

msExchMessageHygieneFlags msExchMessageHygieneFlags msExchMessageHygieneFlags any any

msExchMessageHygieneSCLDeleteThreshold msExchMessageHygieneSCLDeleteThreshold msExchMessageHygieneSCLDeleteThreshold any any

msExchMessageHygieneSCLJunkThreshold msExchMessageHygieneSCLJunkThreshold msExchMessageHygieneSCLJunkThreshold any any

msExchMessageHygieneSCLQuarantineThreshold msExchMessageHygieneSCLQuarantineThreshold msExchMessageHygieneSCLQuarantineThreshold any any

msExchMessageHygieneSCLRejectThreshold msExchMessageHygieneSCLRejectThreshold msExchMessageHygieneSCLRejectThreshold any any

msExchModerationFlags msExchModerationFlags msExchModerationFlags any any

msExchPoliciesExcluded msExchPoliciesExcluded msExchPoliciesExcluded any any

msExchPoliciesIncluded msExchPoliciesIncluded msExchPoliciesIncluded any any

msExchProvisioningFlags msExchProvisioningFlags msExchProvisioningFlags any any

msExchRecipientDisplayType msExchRecipientDisplayType msExchRecipientDisplayType any any This mapping is ignored and msExchRecipientDisplayType is set to 6 when the profile is set to sync users as Mail-Enabled Users or Disabled Mail-Enabled Users, or the profile is set to sync users “As-Is” and the object in the source is Mailbox-Enabled.

msExchRecipientTypeDetails msExchRecipientTypeDetails msExchRecipientTypeDetails any any This mapping is ignored and msExchRecipientTypeDetails is set to 128 when the profile is set to sync users as Mail-Enabled Users or Disabled Mail-Enabled Users, or the profile is set to sync users “As-Is” and the object in the source is Mailbox-Enabled.

msExchRequireAuthToSendTo msExchRequireAuthToSendTo msExchRequireAuthToSendTo any any

msExchResourceCapacity msExchResourceCapacity msExchResourceCapacity any any

msExchResourceDisplay msExchResourceDisplay msExchResourceDisplay any any

msExchResourceMetaData msExchResourceMetaData msExchResourceMetaData any any

msExchResourceSearchProperties msExchResourceSearchProperties msExchResourceSearchProperties any any

msExchSafeRecipientsHash msExchSafeRecipientsHash msExchSafeRecipientsHash any any

msExchSafeSendersHash msExchSafeSendersHash msExchSafeSendersHash any any

msExchTransportRecipientSettingsFlags msExchTransportRecipientSettingsFlags msExchTransportRecipientSettingsFlags any any

msExchUMDtmfMap msExchUMDtmfMap msExchUMDtmfMap any any

msExchUMSpokenName msExchUMSpokenName msExchUMSpokenName any any

msExchUserCulture msExchUserCulture msExchUserCulture any any

msExchVersion msExchVersion any any

name Name name any any

O O O any any

otherFacsimileTelephoneNumber OtherFacsimileTelephoneNumber otherFacsimileTelephoneNumber any any

otherHomePhone OtherHomePhone otherHomePhone any any

otherIpPhone OtherIpPhone otherIpPhone any any

otherMobile OtherMobile otherMobile any any

otherPager OtherPager otherPager any any

otherTelephone OtherTelephone otherTelephone any any

pager PagerNumber pager any any

personalPager PersonalPager personalPager any any

personalTitle PersonalTitle personalTitle any any

Photo Photo Photo any any

physicalDeliveryOfficeName Location physicalDeliveryOfficeName any any Important, particularly for printers.

pOPCharacterSet POPCharacterSet pOPCharacterSet any any

pOPContentFormat POPContentFormat pOPContentFormat any any

postalAddress PostalAddress postalAddress any any

postalCode OfficeZip postalCode any any

postOfficeBox PostOfficeBox postOfficeBox any any

preferredDeliveryMethod PreferredDeliveryMethod preferredDeliveryMethod any any

primaryInternationalISDNNumber PrimaryInternationalISDNNumber primaryInternationalISDNNumber any any

primaryTelexNumber PrimaryTelexNumber primaryTelexNumber any any

proxyAddresses ProxyAddresses any any

roomNumber RoomNumber roomNumber any any

sAMAccountName SAMAccountName sAMAccountName any any The following restricted chars will be replaced with underscores: , + " < > ; = / [ ] : | * ? \

showInAdvancedViewOnly ShowInAdvancedViewOnly showInAdvancedViewOnly any any

sn LastName sn any any Sometimes used as surname.

st OfficeState st any any

street Street street any any

streetAddress OfficeStreetAddress streetAddress any any

telephoneAssistant TelephoneAssistant telephoneAssistant any any

telephoneNumber OfficePhoneNumber telephoneNumber any any

terminalServer TerminalServer terminalServer any any

textEncodedORAddress TextEncodedORAddress textEncodedORAddress any any

thumbnailLogo ThumbnailLogo thumbnailLogo any any

thumbnailPhoto ThumbnailPhoto thumbnailPhoto any any

title JobTitle title any any

url WebSite url any any

userCert UserCert userCert any any

userCertificate UserCertificate userCertificate any any

userPrincipalName UserPrincipalName userPrincipalName any any

userSMIMECertificate UserSMIMECertificate userSMIMECertificate any any

wWWHomePage WWWHomePage wWWHomePage any any

managedBy ManagedBy group group contact

groupType GroupType groupType group group
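
The sAMAccountName row above replaces every restricted character with an underscore, so two distinct source names can end up identical in the target. The following added example (not part of the product; the function names and the sample account names are constructed for illustration) previews the rewrite and lists the names that would collide:

```powershell
# Added example: preview the sAMAccountName rewrite from the mapping table
# and report source names that become identical after the replacement.

# Restricted characters exactly as listed in the table comment.
$RestrictedChars = ',+"<>;=/[]:|*?\'.ToCharArray()

function ConvertTo-TargetSamAccountName {
    # Replaces each restricted character with an underscore.
    param([Parameter(Mandatory = $true)][string]$Name)
    $chars = $Name.ToCharArray()
    for ($i = 0; $i -lt $chars.Length; $i++) {
        if ($RestrictedChars -contains $chars[$i]) { $chars[$i] = '_' }
    }
    return -join $chars
}

function Find-SamAccountNameCollision {
    # Groups the rewritten names (case-insensitively, as Group-Object does by
    # default) and returns only the groups with more than one source name.
    param([Parameter(Mandatory = $true)][string[]]$SourceNames)
    $SourceNames |
        ForEach-Object {
            New-Object PSObject -Property @{
                Source = $_
                Target = ConvertTo-TargetSamAccountName -Name $_
            }
        } |
        Group-Object -Property Target |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Target  = $_.Name
                Sources = ($_.Group | ForEach-Object { $_.Source }) -join '; '
            } | Select-Object Target, Sources
        }
}

# Constructed sample input (not taken from any real directory).
$sample = 'svc+backup', 'svc=backup', 'j.smith', 'print/ops', 'PRINT_OPS'

# Per-name preview of what the target value would be.
$sample | ForEach-Object {
    New-Object PSObject -Property @{
        Source = $_
        Target = ConvertTo-TargetSamAccountName -Name $_
    } | Select-Object Source, Target
} | Format-Table -AutoSize

# Names that need to be resolved before synchronization.
Find-SamAccountNameCollision -SourceNames $sample | Format-Table -AutoSize
```

With the sample input, the second table lists two collisions: svc+backup with svc=backup, and print/ops with PRINT_OPS.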

Appendix D. Customizing Overrides

To add a mapping override:

1. From the Mapping tab, click Overrides. The View Overrides window appears.

2. Click Add and the Override dialog appears.

3. Select Person or Groups from the View drop-down list.

4. Enter a Field Name for the new override.

5. Enter a Field Value for the new override.

6. Enter Comments for the new override.

7. Click Save.

8. Click Yes for the confirmation message.

To edit a mapping override:

1. From the Mapping tab, click Overrides. The View Overrides window appears.

2. Select an Override and click Edit. The Override dialog appears.

3. Edit the Field Value for the override. The View and Field Name cannot be edited.

4. Edit Comments for the override.

5. Click Save.

6. Click Yes for the confirmation message.

To delete a mapping override:

1. From the Mapping tab, click Overrides. The View Overrides window appears.

2. Select an Override and click Delete.

3. Click Yes for the confirmation message.

Appendix E. Cutover Job Result Codes

Result Code | Error | Rollback Possible
1 | Unidentified Error - PowerShell Command Error | No
2 | Source Domain could not be contacted | No
4 | Bad Source Credentials | No
8 | Target Domain could not be contacted | No
16 | Bad Target Credentials | No
32 | Target DNS Server could not be contacted or could not resolve the target DNS domain | No
64 | Change Obtain DNS by DHCP |
128 | Set DNS Server IPs |
256 | Set WINS Servers |
512 | Register NIC with DNS |
1024 | Clear DNS Suffix Search List / Set to use NIC |
2048 | Set Alternate DNS Suffix List |
4096 | Enable Dynamic DNS Registration |
8192 | Set NIC Specific DNS Suffix |
16384 | Domain Disjoin Failed |
32768 | Domain Join Failed |
65536 | Source domain name does not match the system's domain | No
131072 | Computer Reboot failed |
262144 | Target Domain Name could not be resolved via existing DNS, and new DNS Servers were not provided | No

Appendix F. Updating Remote Profiles

The processes below allow you to ReACL Windows roaming profiles or Citrix profiles.

Requirements

o PowerShell 2.0

o PowerShell ExecutionPolicy = Unrestricted

o Administrator access

Roaming Profile ReACL Process

To ReACL Roaming Profiles:

1. Create the user mapping file (Map.usr) in the SMART AD Migrator Console.

2. Log into the Windows Server with the administrator credentials.

3. Copy the following files to the Windows Server where the profile share is located, to a directory on the drive:

a. BT-TakeOwnership.ps1

b. userlist.csv

c. RemoteProfiles.zip (note: downloaded separately from the BT FTP)

o RemoteProfiles.exe

o RemoteProfiles.exe.manifest

o RemoteProfiles.res

o (13) FINAL .DLL files

o userlist.csv

d. ReACL (note: can be copied from a client workstation where the agent is deployed)

o ReACL.exe

o ReACL.exe.manifest

o Map.usr

4. Edit userlist.csv.

a. Add the profile folder names that you want to take ownership of.

b. Example:

o rprofile1 (Legacy Windows Operating System Roaming Profile folder name)

o rprofile2.V2 (Windows Vista/2008+)

c. Do not remove the header “ProfileName” on the first line. This is required.

5. Open a PowerShell command window and navigate to the directory where the files are located.

a. Run .\BT-TakeOwnership.ps1 -SharePath <location of profile folders>

b. The script will take ownership using the currently logged in user and add that owner to the directory ACLs.

6. Double-click on RemoteProfiles.exe.

a. File -> Select Mapping File.

b. Select Map.usr.

c. In the dialog box, select the user profiles listed in userlist.csv.

d. Select options:

o Update Network Drives to update network drive mappings.

o Skip Previously Updated ACL’s to prevent ACL bloat.

Selecting the Skip Previously Updated ACL’s option will result in slower performance of the utility. This is due to the fact that every ACL in the profile hive will be checked to see if it contains an ACE entry for the target account.

e. Click Update.

f. Verify RProfileResults_<datetime>.log results.

7. Open a command window and navigate to the directory where the files from Step 2 are located.

a. ReACL.exe -f:<location of profile folders>

You do not have to specify the drive letter, so if the folder is physically located at c:\roamfolder, the command syntax will be: ReACL.exe -f:roamfolder

b. Verify ReAclResults_<datetime>.log.

8. Go back to the PowerShell console window.

9. Run .\BT-TakeOwnership.ps1 -SharePath <location of profile folders> -ReturnOwnership $true

The script will return ownership to all directories and files.

10. Now, from the AD Migrator Console UI, ReACL the machines where the remote users log in. This will ReACL local profile instances as well as the usrClass.dat file that is, by default, not a roaming file.
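
Steps 5 and 9 above change the owner of every profile folder and file and then return it. The following added example (not part of the SMART AD Migrator tooling) records the owners before step 5 and lists every item whose owner differs after step 9, marking the ones still owned by the account that ran the script. The function names, the demo folder and the account CONTOSO\migadmin are assumptions made for illustration, and the code assumes Windows PowerShell 3.0 or later for Get-Acl -LiteralPath.

```powershell
# Added example: owner snapshot before step 5, comparison after step 9.

function Get-OwnerSnapshot {
    # Returns a hashtable (full path -> owner) for the share root and everything below it.
    param([Parameter(Mandatory = $true)][string]$SharePath)
    $snapshot = @{}
    $items = @(Get-Item -LiteralPath $SharePath -Force) +
             @(Get-ChildItem -LiteralPath $SharePath -Recurse -Force)
    foreach ($item in $items) {
        $snapshot[$item.FullName] = (Get-Acl -LiteralPath $item.FullName).Owner
    }
    return $snapshot
}

function Compare-OwnerSnapshot {
    # Emits one object per path whose owner changed or which no longer exists.
    param(
        [Parameter(Mandatory = $true)][hashtable]$Before,
        [Parameter(Mandatory = $true)][hashtable]$After,
        [Parameter(Mandatory = $true)][string]$OperatorAccount
    )
    foreach ($path in ($Before.Keys | Sort-Object)) {
        $now = '<missing>'
        if ($After.ContainsKey($path)) { $now = $After[$path] }
        if ($now -ne $Before[$path]) {
            New-Object PSObject -Property @{
                Path          = $path
                Before        = $Before[$path]
                After         = $now
                StillOperator = ($now -eq $OperatorAccount)
            } | Select-Object Path, Before, After, StillOperator
        }
    }
}

# --- Demo on a constructed folder tree (runs without the migration tools) ---
$share = Join-Path $env:TEMP 'ProfileShareDemo'
foreach ($name in 'rprofile1', 'rprofile2.V2') {
    New-Item -ItemType Directory -Force -Path (Join-Path $share $name) | Out-Null
}
Set-Content -Path (Join-Path $share 'rprofile1\NTUSER.DAT') -Value 'constructed placeholder'

# Before step 5: take the snapshot and keep a copy on disk for later sessions.
$before = Get-OwnerSnapshot -SharePath $share
$before | Export-Clixml -Path (Join-Path $env:TEMP 'owners-before.xml')

# ... steps 5 to 9 of the procedure would run here ...

# After step 9: take a second snapshot.
$after = Get-OwnerSnapshot -SharePath $share

# Constructed drift so the demo produces a finding: pretend one folder
# was left owned by the operator account.
$operator = 'CONTOSO\migadmin'   # hypothetical account name
$driftKey = @($after.Keys | Where-Object { $_ -like '*\rprofile2.V2' })[0]
$after[$driftKey] = $operator

Compare-OwnerSnapshot -Before $before -After $after -OperatorAccount $operator |
    Format-Table -AutoSize
```

An owner that changed to the mapped target account is worth reviewing against Map.usr; a row with StillOperator set to True means ownership was not returned for that item.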

Citrix Profile ReACL Process

All of the users’ profiles, desktop, registry keys, etc. are stored in the NTUSER.DAT file. When a user logs into Citrix, it will copy their NTUSER.DAT file to the server they are opening their session on. When the user logs off, it will take the temporary NTUSER.DAT file from the online session and overwrite the stored NTUSER.DAT file with this new one.

When reACL’ing Citrix users with the Remote Profile tool, it opens up the stored NTUSER.DAT file on the Citrix server and performs a reACL of everything inside. When the user logs back in to Citrix, they’re using the reACL’d NTUSER.DAT file.

The user MUST be logged off of Citrix when the remap on the Citrix server is run, otherwise when the user logs off of Citrix from an active session, it will overwrite the changes made by the Remote Profiles tool.

To ReACL the NTUSER.DAT files on the Citrix server, you have to run the tool outside of SMART AD Migrator.

To ReACL Citrix Profiles:

1. Create the user mapping file (Map.usr) in the SMART AD Migrator Console.

2. Log into the Windows Server with the administrator credentials.

3. Copy the following files to the Windows Server where the profile share is located, to a directory on the drive:

a. RemoteProfiles.zip (note: downloaded separately from the BT FTP)

o BT-TakeOwnership.ps1

o RemoteProfiles.exe

o RemoteProfiles.exe.manifest

o RemoteProfiles.res

o .DLL files

o userlist.csv

4. Double-click on RemoteProfiles.exe.

a. Select “Citrix Profiles”

b. File -> Select Mapping File.

c. Select Map.usr.

d. In the dialog box, select the user profiles you want to update.

e. Select options:

o Update Network Drives to update network drive mappings.

o Skip Previously Updated ACL’s to prevent ACL bloat.

Selecting the Skip Previously Updated ACL’s option will result in slower performance of the utility. This is due to the fact that every ACL in the profile hive will be checked to see if it contains an ACE entry for the target account.

f. Click Update.

g. Verify RProfileResults_<datetime>.log results.

Appendix G. SMART Active Directory Reporter

Overview

SMART Active Directory Reporter (AD Reporter) provides a query-based interface that allows network administrators and IT personnel to easily build custom queries for issues specific to their network.

AD Reporter queries Windows 2003/2003 R2/2008/2008 R2/2012 Active Directories across forests from a central console, allowing you to perform customized searches by domain, object, object property and by using wildcards. AD Reporter search results can be set to any or all object properties.

Installing AD Reporter

To install AD Reporter:

1. Open the zip file and then launch the Setup.exe.

2. Select the Install SMART Active Directory Reporter Software checkbox and click Install.

3. Select the Installation Drive and Path and click on Select.

4. Wait for installation to complete.

Uninstalling AD Migrator

To uninstall AD Reporter:

1. Select Uninstall from the Start menu.

2. Click on OK to continue with the uninstall.

3. Select ADReporter and click on OK.

4. Click on Exit when the uninstall is complete.

Opening AD Reporter

To open AD Reporter:

1. Click Start, click Binary Tree, click the AD Migrator Suite folder, and then right-click the AD Reporter icon and select Run as administrator.

Setting the screen size

You can change the size of the AD Reporter application to better fit your screen.

To set the screen size:

1. On the Configuration menu, click Set Screen Size.

2. In the Screen Size Options, select a screen size resolution.

3. Click OK.

4. Close and reopen the application to view the application in the selected size.

Configuring AD Reporter

Configuring AD Reporter requires you to define one or more active directory domains and select the current active directory domain to search.

To configure AD Reporter:

1. On the Configuration menu, click Add Active Directory Domain.

2. In the Domain Configuration Wizard, enter the domain NetBIOS name in the Active Directory Domain NetBIOS in Upper Case field, and then click Verify.

3. Click Add.

4. On the Configuration menu, click Set Current Active Directory Domain.

5. Select the current active domain to search, and then click OK.

Searching

To search:

1. Click the type of object to search for from the Object Type list. The list includes:

o Domain

o User

o Group

o Organizational Unit (OU)

o Computer

o Print Queue

o Volume (Shared Folders)

o Contact

o Exchange (user properties)

2. Select the property to search for from the Search For list.

3. Select one or more properties to return in the results from the Return results list. Use Ctrl-Click or Shift-Click to select more than one property to return.

4. Click Begin Search. You can also click Search Active Directory on the Active Directory Search and Report menu.

5. In the Narrow Search Option window, enter known property information to narrow the search criteria. Wildcards can be used in the search criteria. The default "All" will search for all of the instances of the selected property.

6. Click OK. The results are displayed.

If results take a long time to retrieve, the DNS server may not be properly configured, there may be broken trust relationships (the domain AD Reporter is querying is not reachable), or the account or proxy account may not have adequate rights to the domain being queried (check user rights).

Results

Viewing results

To view results:

o In the results list, click a column header to sort by the column.

o Click and drag the column headers to increase the width of each column.

o Use the scroll bars to view information that is not displayed in the window.

Saving results as a text file

To save results as a text file:

o On the File menu, click Save Search Results as Text File. The results file is saved in the ADReporter\Reports folder.

If you have searched for a large amount of information, we recommend you save results as an MS Excel file as the text file does not have columns. Once you save the results as an MS Excel file, you can easily format the columns to a more readable format.

Viewing and managing results saved as a text file

To view and manage results saved as a text file:

1. On the View and Manage Saved Results menu, click View and Manage Text File Reports.

2. In the AD Reporter Manage Reports window, select a report and click View to view the file. You can also click Delete to remove the file.

Printing results

To print results:

1. On the File menu, click Print Search Results.

2. Select a printer and then click Print.

Exporting results as an Excel file

To export results as an Excel file:

1. On the File menu, click Export Results as MS Excel File.

2. Enter a name for the file, and then click OK. The results file is saved in the ADReporter\Reports folder.

Viewing and managing results exported as an Excel file

To view and manage results exported as an Excel file:

Excel must be installed.

1. On the View and Manage Saved Results menu, click View Saved Microsoft Excel File.

2. In the Saved Reports window, select a report and click Open to view the file in Excel.

Advanced Options

Editing Object Properties

To edit object properties:

1. On the Advanced Options menu, click Edit Object Properties.

2. In the AD Reporter Advance Properties window, select an object type to modify and then click Modify.

3. To remove an object property, select the property and click Remove. To add an object property, enter the property name and click Add.

Added properties must exist, are case-sensitive, and must be populated to return information.

4. Select the object property to update the list of object properties.

Backing up and restoring Object Properties

To back up and restore Object Properties:

1. On the Advanced Options menu, click BackUp/Restore Object Properties, and then select one of the following options:

o BackUp Current Object Properties – backs up current object properties to a .zip file at the installation location

o Restore Default Object Properties – restores the default object properties

o Restore Object Properties From BackUp – restores the object properties from the saved back up

2. Click OK.

3. Select the Object Property to update the list of object properties.

AD Report Tools

Convert Raw Active Directory Data to Textual Format

To convert Raw Active Directory Data to textual format:

1. Create a report that includes results in Raw data format (SID, GUID, LogonHours, Date, GroupType).

2. In the results list, double-click the searched for object property.

3. In the Select Item to Send to Clipboard list, select the raw data to convert from the list and then click OK.

4. On the AD Report Tools menu, click Convert Raw Active Directory Data to Textual Format.

5. In the Conversion window, select the conversion type for the raw data on your clipboard and then click OK.

6. Right-click and select Paste. The raw data is inserted.

7. Click OK. The converted data is displayed.

Get all current object properties by Object Type

To get all current object properties by object type:

1. On the AD Report Tools menu, click Get All Current Object Properties by Object Type.

2. Select an object type and then click OK.

3. Select one or more properties to add to AD Reporter and click OK.

4. The AD Reporter Available Properties window appears with the selected properties added to the list of properties. You can also remove or add properties on this screen.

5. Click Close to close the window.

Active Directory Reports

AD Reporter includes several predefined reports allowing quick searches for frequently used information.

o On the Active Directory Reports menu, point to user Reports, group Reports, or computer Reports, and then click a report. The search results appear.

o On the Active Directory Reports menu, click Generate User Mapping File to generate a list of unmatched sAMAccountName values on the Source and Target based on the input of a matching attribute.

Active Directory Reports include:

User Reports

o Disabled users – all users with the Account Status = “Account Disabled”

o User never logged on – all users with the Logon Status = “0” (zero) or blank

o All users without an email address – all users with the Email Status = “No email address”

o Duplicate Source and Target Users – duplicate same-named user accounts in the source and target. At least two domains must be configured to run this report.

Group Reports

o Groups with no members – all groups with the Membership Status= “no group members”

o All security groups – all security groups with Group Type value displayed

o All distribution groups – all distribution groups with Group Type value displayed

o Duplicate Source and Target Groups – duplicate same-named group accounts in the source and target. At least two domains must be configured to run this report.

Computer Reports

o All XP computers – All XP computers with Computer Type value displayed

o All Vista computers – All Vista computers with Computer Type value displayed


o All Windows 7 computers – All Windows 7 computers with Computer Type value displayed

o All Windows 8 computers – All Windows 8 computers with Computer Type value displayed

o All Windows 2000 Servers-Workstations – All Windows 2000 Servers-Workstations with Computer Type value displayed

o All Windows 2003 Servers – All Windows 2003 Servers with Computer Type value displayed

o All Windows 2008 Servers – All Windows 2008 Servers with Computer Type value displayed

o All Windows 2008 R2 Servers – All Windows 2008 R2 Servers with Computer Type value displayed

o All Windows 2012 Servers – All Windows 2012 Servers with Computer Type value displayed

o All Computers without a description – All Computers with the Computer Description = “No Description”

Generate User Mapping File

The User Mapping File is a list of unmatched sAMAccountName values on the Source and Target based on the input of a matching attribute.

If you use an attribute to link the source and target user accounts, ensure that the values of the attribute on the Source are unique so that multiple matches are not generated. If the values of the attribute on the Target are not unique, the report will throw an error and will not allow the creation of the UsersMapping.map file at the end of the process.

To generate a User Mapping File:

1. On the Active Directory Reports menu, click Generate User Mapping File.

2. Select a Source Domain and click OK.

3. Select a Target Domain and click OK.

4. Enter the LDAP name of the AD attribute you want the accounts to match on and click OK. The matching results appear.

5. Click Yes to create a mapping file from the results. A mapping file cannot be created if one or more of the results have multiple target matches.
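The uniqueness requirement above can be checked before running the report, since an ambiguous match would tie a source account to the wrong target account. The following is an added example, not part of the product or this guide: it assumes the matching attribute (here employeeID, chosen for illustration) has been exported for both domains, compares values trimmed and case-insensitively (an assumption), and uses constructed sample accounts.

```python
from collections import defaultdict

def index_by_attribute(users, attr):
    """Group sAMAccountNames by attribute value (trimmed, case-insensitive)."""
    index = defaultdict(list)
    for user in users:
        value = (user.get(attr) or "").strip().lower()
        if value:
            index[value].append(user["sAMAccountName"])
    return index

def precheck_mapping(source_users, target_users, attr):
    """Report every condition that would make attribute-based matching ambiguous."""
    src = index_by_attribute(source_users, attr)
    tgt = index_by_attribute(target_users, attr)
    report = {
        # The same value on several accounts produces multiple matches.
        "source_duplicates": {v: n for v, n in src.items() if len(n) > 1},
        "target_duplicates": {v: n for v, n in tgt.items() if len(n) > 1},
        # Source accounts whose value exists nowhere in the target.
        "unmatched_source": sorted(n for v, names in src.items()
                                   if v not in tgt for n in names),
        # Source accounts with an empty attribute can never be matched.
        "missing_attribute": sorted(u["sAMAccountName"] for u in source_users
                                    if not (u.get(attr) or "").strip()),
        # Unambiguous one-to-one links only.
        "pairs": {names[0]: tgt[v][0] for v, names in src.items()
                  if len(names) == 1 and len(tgt.get(v, [])) == 1},
    }
    report["safe_to_map"] = not (report["source_duplicates"]
                                 or report["target_duplicates"])
    return report

# Constructed sample exports (hypothetical accounts and values).
SOURCE = [
    {"sAMAccountName": "jdoe", "employeeID": "1001"},
    {"sAMAccountName": "asmith", "employeeID": "1002"},
    {"sAMAccountName": "svc-backup", "employeeID": ""},
    {"sAMAccountName": "bnguyen", "employeeID": "1004"},
]
TARGET = [
    {"sAMAccountName": "john.doe", "employeeID": "1001"},
    {"sAMAccountName": "anna.smith", "employeeID": "1002"},
    {"sAMAccountName": "a.smith2", "employeeID": "1002"},
]

if __name__ == "__main__":
    for key, value in precheck_mapping(SOURCE, TARGET, "employeeID").items():
        print(f"{key}: {value}")
```

Resolve every entry under source_duplicates and target_duplicates in the directory before generating the mapping file, and review unmatched_source and missing_attribute for accounts that need the attribute populated.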

AD Reporter Best Practices

Check Access Rights

o You must be logged on to a Windows 2003/2008/2012 Domain. If you are not logged on to a Windows 2003/2008/2012 Domain, you cannot connect to Active Directory to set AD object attributes.

o If you are searching a single domain, you must have Domain Admin rights to the domain.

o If you are searching domains and child domains, you must have Enterprise Admin rights to the domain tree.

o Ensure that non-existent or broken trust relationships do not exist. If there are non-existent or broken trust relationships, AD Reporter will attempt to query non-existent domains, slowing the search.


To Query Share Information

o When querying Share (Volume) information, Shares must be published to Active Directory. AD Reporter searches Active Directory information, not computer information; if the Shares are not published to Active Directory, AD Reporter will not retrieve results.


Appendix H. Advanced Network Requirements

SMART Active Directory Migrator Port Requirements

| Source | Target | Ports | Protocol |
|---|---|---|---|
| AD Migrator Web Service | SQL Server holding primary database | 1433 | TCP & UDP |
| AD Migrator Console | SQL Server holding primary database | 1433 | TCP & UDP |
| Client servers and workstations | AD Migrator Web Service | 80 or 443 (Configurable) | TCP |

SMART Directory Sync to SQL Server Access

| Source | Target | Ports | Protocol |
|---|---|---|---|
| Directory Sync | SQL Server holding the primary database | 1433 | TCP & UDP |
| Directory Sync | SQL Server holding the logging database | 1433 | TCP & UDP |

SMART Directory Sync Profile Specific Scenario Requirements

Directory Sync Match Only or Update Only Profile (no object creation)

| Source | Target | Ports | Protocol |
|---|---|---|---|
| Directory Sync | Source Domain controllers | 389, 445*, 3268 | TCP (all), UDP (389) |
| Directory Sync | Target Domain controllers | 389, 445, 3268 | TCP (all), UDP (389) |

* Port 445 only needs to be open to the Source Domain Controller during Directory Sync Profile creation


Directory Sync Profile with Create Only or Create/Update Matching Option

| Source | Target | Ports | Protocol |
|---|---|---|---|
| Directory Sync | Source Domain controllers | 389, 445*, 3268 | TCP (all), UDP (389) |
| Directory Sync | Target Domain controllers | 139, 389, 445, 3268 | TCP (all), UDP (389) |

* Port 445 only needs to be open to the Source Domain Controller during Directory Sync Profile creation

Directory Sync Profile with Password Copy (Synchronization) selected

| Source | Target | Ports | Protocol |
|---|---|---|---|
| Directory Sync | Source or Target Domain controllers | 139, 389, 445, 3268 | TCP (all), UDP (389) |

Directory Sync Profile with SID History Migration selected

| Source | Target | Ports | Protocol |
|---|---|---|---|
| Directory Sync | Source or Target Domain controllers running Windows 2008 or newer | 135, 137, 139, 389, 445, 3268 and 49152-65535 | TCP (all), UDP (389) |
| Directory Sync | Source or Target Domain controllers running Windows 2003 | 135, 137, 139, 389, 445, 3268 and 1024-5000 | TCP (all), UDP (389) |
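The Directory Sync tables above can be turned into a firewall review: given the profile options in use, compute what must be open toward a domain controller and compare it with the rules actually in place. This is an added example, not part of the product or this guide; the option labels (create, password_copy, sid_history), the rule tuple format, and the sample rules are assumptions constructed for illustration.

```python
# TCP ports transcribed from the Appendix H Directory Sync tables.
# Match Only / Update Only is the baseline; 445 toward the source DC is
# only needed during profile creation in the first two scenarios.
BASE = {"source": {389, 445, 3268}, "target": {389, 445, 3268}}
EXTRA = {
    "create": {"source": set(), "target": {139}},
    "password_copy": {"source": {139}, "target": {139}},
    "sid_history": {"source": {135, 137, 139}, "target": {135, 137, 139}},
}
# Dynamic range listed for SID History Migration, by domain controller OS.
RPC_DYNAMIC = {"2008+": range(49152, 65536), "2003": range(1024, 5001)}

def required_ports(options, side, dc_os="2008+"):
    """Ports Directory Sync needs toward one side ('source' or 'target')."""
    tcp = set(BASE[side])
    for opt in options:
        tcp |= EXTRA[opt][side]
    if "sid_history" in options:
        tcp |= set(RPC_DYNAMIC[dc_os])
    return {"tcp": tcp, "udp": {389}}

def audit_rules(rules, options, side, dc_os="2008+"):
    """Compare allow rules (proto, low, high) with the requirement.

    Returns, per protocol, the required ports still blocked and the number
    of ports opened beyond what the selected options call for.
    """
    need = required_ports(options, side, dc_os)
    result = {}
    for proto in ("tcp", "udp"):
        allowed = set()
        for rule_proto, low, high in rules:
            if rule_proto == proto:
                allowed |= set(range(low, high + 1))
        result[proto] = {"missing": sorted(need[proto] - allowed),
                         "excess_count": len(allowed - need[proto])}
    return result

# Constructed sample rule set: Directory Sync server -> target DCs.
RULES = [("tcp", 389, 389), ("tcp", 445, 445), ("tcp", 3268, 3268),
         ("tcp", 1024, 65535), ("udp", 389, 389)]

if __name__ == "__main__":
    print(audit_rules(RULES, {"create", "sid_history"}, "target"))
```

In the sample, the broad 1024-65535 rule opens far more than a Windows 2008 or newer domain controller requires, while 135, 137 and 139 are still blocked.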


About Binary Tree

Binary Tree is a singularly focused global provider of migration software and solutions for Lotus Notes, Microsoft Exchange, Active Directory, and Windows Server environments. Since 1993, Binary Tree has enabled more than 6,000 customers to migrate more than 30 million email users, and facilitated some of the most complex migrations on the planet. Its software solutions are available for migrating from Exchange 2003/2007/2010/2013 and Lotus Notes to on-premises and online versions of Microsoft Exchange, as well as migrations of Active Directory and Windows Server environments. Binary Tree is a Microsoft Gold Partner, an IBM Advanced Business Partner, and is one of Microsoft’s preferred vendors for migrating to Microsoft Office 365. The Company is headquartered outside of New York City with offices in London, Paris, Stockholm and Sydney. For more information, visit us at www.binarytree.com.

© Copyright 2015, Binary Tree, Inc. All rights reserved.

Binary Tree, the Binary Tree logo, the SMART Migration graphics, and any references to SMART Migration and Binary Tree’s software products, are trademarks of Binary Tree, Inc. All other trademarks are the trademarks or registered trademarks of their respective rights holders.