What trust relationships are required for Domain Migration Administrator to migrate users, groups, a (NETIQKB8806)

  • 7708806
  • 02-Feb-2007
  • 16-Aug-2007

Resolution

goal
What trust relationships are required for Domain Migration Administrator to migrate users, groups, and computers when there is a source accounts domain and a source resource domain?

fact
Domain Migration Administrator 6.x

fact
Domain Migration Administrator 7.x

fix

The only supported migration scenario with Domain Migration Administrator (DMA) is one in which there are two one-way trusts between each source domain and the target domain. The two one-way trusts are needed to perform all of the migration tasks that DMA supports. Some tasks can be performed with only a one-way trust.

When there are two source domains, one for user and group accounts and one for computers, there must be at least a one-way trust between each source domain and the target domain. There must also be a one-way trust in which the source Accounts domain trusts the source Resource domain. This trust makes it possible to use an account with the correct permissions to perform the desired migration tasks. The one-way trust is a minimum; however, we recommend that you create two one-way trusts between each source and target domain. Details of the permissions required for the various migration tasks are listed in Appendix B of the DMA User Guide. As always, we recommend that you test your migration strategy in a test environment to confirm that the required trusts and permissions are in place.

The following scenarios describe a way to perform a migration using only one trust between the source and target domains.  This provides for a minimal migration.  Security translation has not been included in these scenarios.

1. For migrating users and groups from an accounts domain:

  • One-way trust where the source Accounts domain trusts the target domain.
  • DMA console is in target domain.
  • The logged-on account is defined in the target domain, is a member of the Domain Admins global group in the target domain, and is a member of the local Administrators group in the source Accounts domain.
  • Successfully migrated users and groups.

2. For migrating computers from a resource domain:

  • One-way trust where the target domain trusts the source Resource domain.
  • DMA console is in target domain.
  • The account logged on to the DMA console is defined in the source Resource domain:
    • Member of the Domain Admins global group in the source Resource domain (in order to be local admin on all of the workstations)
    • Member of the local Administrators group in target domain
    • Member of the local Administrators group in the source Accounts domain
  • Successfully migrated computers.
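The trust directions in the two scenarios follow from where the logged-on account is defined and where it must hold administrative rights: a domain can only add a foreign account to its groups if it trusts that account's domain. The following pre-flight check is an added example, not NetIQ code; the domain names and the sample trust list are constructed, and a trust is modelled as a (trusting, trusted) pair.

```python
# Constructed domain names standing in for the three domains on this page.
ACCOUNTS, RESOURCE, TARGET = "SRC-ACCT", "SRC-RES", "TGT"

# Per scenario: the domain where the DMA operator account is defined ("home")
# and the domains where the page requires it to hold admin group membership.
SCENARIOS = {
    "users_and_groups": {"home": TARGET, "admin_in": [TARGET, ACCOUNTS]},
    "computers": {"home": RESOURCE, "admin_in": [RESOURCE, TARGET, ACCOUNTS]},
}


def required_trusts(scenario):
    """Trusts implied by a scenario, as (trusting, trusted) pairs.

    Every domain other than the account's home domain that must grant the
    account admin rights has to trust the home domain.
    """
    s = SCENARIOS[scenario]
    return {(d, s["home"]) for d in s["admin_in"] if d != s["home"]}


def missing_trusts(scenario, trusts):
    """Required trusts for the scenario that are absent from `trusts`."""
    return sorted(required_trusts(scenario) - set(trusts))


def recommended_gaps(trusts):
    """Trusts missing from the recommended setup: two one-way trusts between
    each source domain and the target, plus Accounts trusting Resource."""
    want = {(ACCOUNTS, RESOURCE)}
    for src in (ACCOUNTS, RESOURCE):
        want |= {(src, TARGET), (TARGET, src)}
    return sorted(want - set(trusts))


# Constructed inventory: one trust per source domain, nothing between sources.
SAMPLE_TRUSTS = {(ACCOUNTS, TARGET), (TARGET, RESOURCE)}

if __name__ == "__main__":
    for name in SCENARIOS:
        print(name, "missing:", missing_trusts(name, SAMPLE_TRUSTS))
    print("recommended setup missing:", recommended_gaps(SAMPLE_TRUSTS))
```

With the sample inventory, user and group migration is covered, but computer migration is blocked by the absent trust from the source Accounts domain to the source Resource domain.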

 



Additional Information

Formerly known as NETIQKB8806