What are the best practices for using DMA and ADC? (NETIQKB5703)

  • 7705703
  • 02-Feb-2007
  • 30-Nov-2007

Resolution

fact
Domain Migration Administrator 7.x

fix

In general, it is best to migrate users and groups using DMA before using ADC when the target domain is running in native mode and SID History is migrated. Consider the following scenario. There are multiple NT4 domains with an Exchange 5.5 organization that need to be consolidated into one Windows 2000 Active Directory. Between the NT4 domains, different naming conventions have been used and some users may have ended up with multiple accounts. For instance, John Arthur has an account named JohnA01 in Domain A, while he has another account named JArt in Domain B. John's Exchange 5.5 alias is JohnArt with the mailbox's primary NT account being linked to John's account in Domain A. The best practice for migrating in this scenario and still retaining the data rich Exchange information is as follows:

  1. Migrate users and groups with SID History from Domain A to the target AD.
  2. Migrate users and groups with SID History from Domain B and use data modeling to merge any duplicate accounts into the existing accounts in the target AD.
  3. Use ADC to replicate the Exchange 5.5 information to the target AD.
    ADC will use the SID History attribute in AD to match the Exchange Directory object to the account that already exists in AD.

Result:

  • CN = John Arthur (Display Name from Exchange)
  • SamAcctName/Pre-W2K = JohnA01 (since data modeling was used to merge the accounts)
  • SID History from both Domains
  • All Exchange Information intact

If the customer uses ADC first because the target is mixed mode, there are at least 2 options. One, use the Update Active Directory Connector Accounts Wizard (DMA 7.x) or the ADCUpdate.exe utility (DMA 6.3) to create a mapping between the NT account and AD account, enable the account, migrate the password, and migrate associated groups. The mapping can be used to translate security towards the end of the migration process. This process maps accounts based on the msExchMasterAccountSID

The second option is to migrate users and groups from the NT source with the 'Update and Replace' setting enabled. During this process, DMA uses the samAccountName to map the NT account to the AD account. This means that the samAccountName and the Exchange 5.5 Alias must be the same in order for DMA to recognize that these accounts are the same between the source and target domain. If these attributes are not the same, then use data modeling to set the samAccountName to the 5.5 Alias. DMA will now match the accounts and replace and update the target AD account.

Result:

  • CN = John Arthur (Display Name from Exchange)
  • SamAcctName/PreW2K = JohnA (Alias from Exchange, data modeled for mapping)
  • SID History from both Domains
  • All Exchange Information intact

NOTE: It is important to note that there is a small amount of collision handling in ADC for existing accounts. However, SID History is the default means for ADC to map to existing AD accounts.



note

Please refer to the following knowledge base article for more information regarding the Update Active Directory Connector Accounts wizard:

NETIQKB6409  - How does ADC and the Update ADC Accounts Wizard work?
https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB6409



note
Please note that information regarding the Update Active Directory Connector Accounts wizard can also be obtained from Chapter 2 of the product User Guide.

Additional Information

Formerly known as NETIQKB5703

Feedback service temporarily unavailable. For content questions or problems, please contact Support.