How do I migrate and rename the 'Domain Admins' global group from the NT 4 source domain to make it (NETIQKB16334)

  • 7716334
  • 02-Feb-2007
  • 20-Sep-2007

Resolution

goal
How do I migrate and rename the 'Domain Admins' global group from the NT 4 source domain to make it a new group that will coexist with the 'Domain Admins' global group in the target domain?

fact
Domain Migration Administrator 7.1

fix

There are two methods for accomplishing this.  The first adds a prefix or suffix to the Domain Admins group name as it is migrated.  The second gives the group a completely different name by using database modeling.

Adding a Prefix or Suffix When the Group is Migrated

In the DMA project:

  1. Run the 'Select Objects' wizard and add the source 'Domain Admins' global group to the project.  If the Domain Admins group does not appear, select Options... from the 'Group Selection' screen and select the Show well-known users and groups in migration wizards checkbox.
  2. Run the 'Migrate Groups' wizard.  Complete the wizard by including the following options, and migrate the group.
    1. On the 'Data Source' page of the wizard, deselect the Migrate data using modeling database as source? and Use migration settings defined in the Migration Settings Wizard checkboxes.
    2. On the 'Group Options' page, select the radio button for either Rename with prefix: or Rename with suffix: and specify the prefix or suffix.

The source 'Domain Admins' group will now be mapped to the new target group.  DMA will use this mapping for security translation operations.  Members of the source Domain Admins group that have been migrated with DMA will be placed in the target group.


Using Data Modeling to Rename the Group

In the DMA project:

  1. Run the 'Select Objects' wizard and add the source Domain Admins global group to the project.  If the Domain Admins group does not appear, select Options... from the 'Group Selection' screen and select the Show well-known users and groups in migration wizards checkbox.
  2. Import data for modeling by selecting 'Modeling: Import Data' and completing the wizard.  If you have modeled other objects and want to keep these, select Keep modeling changes.  Otherwise, select Discard modeling changes.
  3. Select Modeling: Edit Group Data.  In the right pane of the DMA console, double-click the group to be migrated.  Click the samAccountName field and edit the name to the desired new group name, click OK.
  4. Run the 'Migrate Groups' wizard.  Ensure the Migrate data using modeling database as source? checkbox is selected.  
  5. Specify a target container other than the container where the well-known 'Domain Admins' group already exists in the target domain (either in the 'Specify Migration Settings' wizard or in the 'Migrate Groups' wizard).  Complete the wizard and migrate the source group.
  6. Open Active Directory Users and Computers.
  7. In the target container where the new 'Domain Admins' group was migrated to, right-click the 'Domain Admins' group and select Rename.  Set the 'Group name' field to the desired name, then click OK.

The source 'Domain Admins' group will now be mapped to the new target group.  DMA will use this mapping for security translation operations.  Members of the source Domain Admins group that have been migrated with DMA will be placed in the target group.



note
Please note that this information can also be obtained from Chapter 2 of the DMA & SC User Guide.

note

The Domain Admins Global Group (GG) receives its administrative rights from being a member of the Administrators Local Group (LG) on the domain controller.  Moreover, the Domain Admins GG is added to the Administrators LG on each machine when it joins the domain, thereby distributing those administrative rights throughout the domain.  When you translate security, it is important to select every computer in the source domain.  Security translation will add the renamed Domain Admins GG from the target domain to every Administrators LG in the source domain, including those on the domain controllers.

We recommend that, when you select options on the 'Translate Objects' screen, you choose all of them except 'Change domain logon screen...'.  This ensures that every ACL containing the Domain Admins GG is translated.  The affected objects are files, folders, local groups, printers, shares, etc.
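To confirm that security translation reached every computer, the local Administrators membership can be audited afterwards. The following is an added example, not part of DMA or the original article: it parses `net localgroup Administrators` output collected from each machine and lists the hosts that still hold the source group but lack the renamed target group. The host names, the SOURCE and TARGET domain names, the renamed group name and the sample output are constructed.

```python
import re

def sample_output(*names):
    """Build constructed `net localgroup Administrators` output for the demo."""
    head = ("Alias name     Administrators\nComment        (constructed sample)\n\n"
            "Members\n\n" + "-" * 79)
    return "\n".join([head, *names, "The command completed successfully.", ""])

# Constructed captures, one per host; all names here are assumptions.
SAMPLE = {
    "PDC01": sample_output("Administrator", r"SOURCE\Domain Admins",
                           r"TARGET\NewDomain Admins"),
    "WKS07": sample_output("Administrator", r"SOURCE\Domain Admins"),
}

def members(output):
    """Return the member names listed after the dashed separator line."""
    names, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{5,}", line):
            in_list = True
        elif in_list and line and not line.startswith("The command completed"):
            names.append(line)
    return names

def untranslated_hosts(outputs, source_group, target_group):
    """Hosts that list the source group but not the mapped target group."""
    missing = []
    for host, text in sorted(outputs.items()):
        found = {m.lower() for m in members(text)}  # account names are case-insensitive
        if source_group.lower() in found and target_group.lower() not in found:
            missing.append(host)
    return missing

if __name__ == "__main__":
    for host in untranslated_hosts(SAMPLE, r"SOURCE\Domain Admins",
                                   r"TARGET\NewDomain Admins"):
        print(f"{host}: renamed target group missing from local Administrators")
```

Any host reported here was either not selected for security translation or not reachable when it ran.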



note

Keep in mind that SID History cannot be used in either of these scenarios. The SID of a source well-known group cannot be added to the SID history of a target group that is not the same well-known group.

  • e.g. from 'Source\Domain Admins' to 'Target\NewDomain Admins'

For more information regarding a possible error when trying to migrate with SID History while renaming a well-known group, refer to the following knowledge base article:

 

 



Additional Information

Formerly known as NETIQKB16334