How do I migrate objects and translate security from one accounts domain and one or more resource do (NETIQKB8807)

  • 7708807
  • 02-Feb-2007
  • 16-Aug-2007

Resolution

goal
How do I migrate objects and translate security from one accounts domain and one or more resource domains?

fact
Domain Migration Administrator 6.x

fact
Domain Migration Administrator 7.x

fix

This can be accomplished with one of the following procedures:

MIGRATING COMPUTERS BEFORE TRANSLATING SECURITY

In this scenario, all objects are migrated using project wizards with one project for each source domain.  This example assumes 3 resource domains. Omit steps 3 and 4 if you only have one resource domain.

  1. Log in to the Domain Migration Administrator (DMA) console using an account that is a Domain Admin in the target domain.
  2. Create a project for users and groups only.
  3. Migrate those users and groups.
  4. Log in to the DMA console using an account that is a Domain Admin in resource domain A.
  5. Create a project for computers in resource domain A.
    • You can select the computers using the Select Objects wizard, or by importing a list from a .csv file (Select objects using a csv file).
    • There will be no users in this project. 
  6. Migrate the computers without translating security.
    • Optionally, you may want to select the Change default logon domain registry key checkbox.
  7. Log in to the DMA console using an account that is a Domain Admin in resource domain B.
  8. Create a project for computers in resource domain B.
    • You can select the computers using the Select Objects wizard, or by importing a list from a .csv file (Select objects using a csv file). 
    • There will be no users in this project.
  9. Migrate the computers without translating security.
    • Optionally, you may want to select the Change default logon domain registry key checkbox.
  10. Log in to the DMA console using an account that is a Domain Admin in resource domain C.
  11. Create a project for computers in resource domain C. 
    • You can select the computers using the Select Objects wizard, or by importing a list from a .csv file (Select objects using a csv file).
    • There will be no users in this project. 
  12. Migrate the computers without translating security.
    • Optionally, you may want to select the Change default logon domain registry key checkbox.
  13. Log in to the DMA console using an account that is a Domain Admin in the target domain.
  14. Go back to the first project and run the Translate Security wizard, selecting the target computers that have already been migrated.

MIGRATING COMPUTERS AFTER TRANSLATING SECURITY

This is an alternative procedure, which changes the order of the steps.  Consider this procedure to prevent users from logging in before security has been translated.

  1. Log in to the DMA console using an account that is a Domain Admin in the target domain.
  2. Create a project for users and groups only.
  3. Migrate those users and groups.
  4. Log in to the DMA console using an account that is a Domain Admin in the resource domain.
  5. Go to the same project from step 1.
  6. Run the Translate Security Settings wizard in Add mode, selecting the workstation which is still in the resource domain.
    • This will require that the Domain Admins account from the source Resource domain also have administrative rights to the source Accounts domain.
  7. Migrate the workstation. 
    • This can be done using the DMA Migrate Computers wizard, manually joining the computer to the domain, or by using netdom. 
    • After the computer reboots, it will be in the target domain, and users will be able to log in using their new accounts and receive the correct profile.

If you migrate computers at the global level, the wizard will only pull user and group accounts for the security translation from the same source domain as the computer you are migrating.  Therefore, migrating users and groups in a project and then migrating computers at the global level is not an alternative solution.
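The scoping problem described above can be seen in a small model. This is an added example, not DMA code or output: the SIDs, the ACL and all function names are constructed, and it assumes that Add mode keeps each source ACE and appends a matching ACE for the migrated target account.

```python
# Illustrative model only: SIDs, names and the ACL layout are constructed.
from dataclasses import dataclass

ACCOUNTS_DOM = "S-1-5-21-1111"   # constructed: source accounts domain
RESOURCE_DOM = "S-1-5-21-2222"   # constructed: source resource domain
TARGET_DOM = "S-1-5-21-9999"     # constructed: target domain

# Objects migrated by the project: source SID -> target SID.
PROJECT_MAP = {
    f"{ACCOUNTS_DOM}-1105": f"{TARGET_DOM}-2105",  # user, accounts domain
    f"{RESOURCE_DOM}-1201": f"{TARGET_DOM}-2201",  # group, resource domain
}

@dataclass(frozen=True)
class Ace:
    sid: str
    rights: str

def translate_add(acl, sid_map):
    """Add mode (assumed semantics): keep source ACEs, append target ACEs."""
    out = list(acl)
    for ace in acl:
        target = sid_map.get(ace.sid)
        if target and Ace(target, ace.rights) not in out:
            out.append(Ace(target, ace.rights))
    return out

def scoped_map(sid_map, domain_sid):
    """Mapping limited to accounts from one source domain (global-level case)."""
    return {s: t for s, t in sid_map.items() if s.startswith(domain_sid + "-")}

def untranslated(acl, sid_map):
    """Migrated source SIDs on the ACL whose target SID is still absent."""
    present = {a.sid for a in acl}
    return sorted(s for s in present if s in sid_map and sid_map[s] not in present)

# Constructed ACL on a profile folder of a workstation in the resource domain.
PROFILE_ACL = [Ace(f"{ACCOUNTS_DOM}-1105", "FullControl"),
               Ace(f"{RESOURCE_DOM}-1201", "Modify")]

def project_level():
    return translate_add(PROFILE_ACL, PROJECT_MAP)

def global_level():
    return translate_add(PROFILE_ACL, scoped_map(PROJECT_MAP, RESOURCE_DOM))

if __name__ == "__main__":
    print("project-level gaps:", untranslated(project_level(), PROJECT_MAP))
    print("global-level gaps: ", untranslated(global_level(), PROJECT_MAP))
```

In the model, the global-level run leaves the accounts-domain user's ACE without a target counterpart, so the migrated user would not have access to the profile folder under the new account.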


Additional Information

Formerly known as NETIQKB8807