NT-to-Win2K Migration Tools

Domain Migration Administrator 6.10
NetIQ's Domain Migration Administrator 6.10 was the easiest product to learn and to use to start performing migrations. The company built all the migration tools into the Domain Migration Administrator interface, so all operations retain a consistent look and feel.

I installed Domain Migration Administrator onto the Corp server from the installation CD-ROM. I pointed the installation program to a license key file and installed and licensed the software in less than 1 minute. Domain Migration Administrator uses an MMC snap-in for all operations, and the console's left pane displays the Domain Migration Administrator container, which Figure 6 shows. Selecting the Domain Migration Administrator container displays the Migrate Trusts, Map and Merge Groups, Migrate User Accounts, Migrate Groups, Translate Security Settings, and Translate Security for Exchange Mailboxes tasks in the right pane. Each task in the list includes a brief description of its intended use.

Creating a Project
I began my migration by selecting Create a Migration Project, which launched the Project Settings Wizard. I could create a new project or import a project from a Microsoft Access database (MDB) file. I chose to create a new project. Several steps prompted me to specify a source and target domain, choose whether to skip disabled accounts, and name the new project. This process created a Sales 2 Corp container for my new project under the Domain Migration Administrator container. Selecting the Sales 2 Corp container displayed a split right pane; the left section of the pane displayed the project status, and the right section displayed icons to run specific migration tasks. The right section of the pane organized the tasks under Defining the Project, Preparing the Migration, and Performing the Migration headings and listed the tasks in the order I needed to perform them.

I opened the Project Object Selection Wizard and selected the users, groups, and computers to migrate. After I selected those items, a Data Modeling window opened. From the window, I chose fields to add to an Access database for data modeling. This feature provides granular control over how objects make the transition from source to target domain. Access 2000 must be available on the same system as Domain Migration Administrator before you can take advantage of this capability. After I selected the objects to migrate, additional tasks necessary to complete the project appeared in the right console pane.

I next needed to specify Fast Track Settings. The Migration Settings Wizard helped me configure a target OU in the AD, name-conflict handling, account renaming, password options, account disabling, account skipping, terminal server profiles translation, and roaming profiles translation. The specified settings apply to all migrations in the project, but you can use database modeling for a migration to override any setting.

NetIQ also offers Directory and Resource Administrator for distributed administration of NT domains. You can use Directory and Resource Administrator's ActiveViews structure as a source for populating AD and migrating users and groups in Domain Migration Administrator.

Preparing the Migration
I opened Reporting Wizard and specified which directory to store the reports in. I selected a variety of reports that would be helpful in preparing my migration, then the program generated the reports and saved them in HTML format to the specified directory. The program also created a Reports container under the Sales 2 Corp container. The report list included all possible reports, even those that hadn't yet run. I selected a report that hadn't run, when the right pane displayed a message that said the report hadn't been run but that I could run it by clicking a link. I clicked the link to generate and display the report on the fly.

I then went into the Service Account Migration Wizard to find accounts that services use to log on to the system. This process used Domain Migration Administrator Agent to perform a task on a remote system. The agent queried my server for accounts that a service was using for logon, listed the account name and related service, and selected that account to include it in the migration.

The next step was to import modeling data into the Access database. The program imported the 270 objects I had selected for migration into Access in about 40 seconds. After importing the data, I could choose to edit either the user data or group data. I made minor changes to a few user and group descriptions in the database, then exited Access. The modeling capability is a very simple yet powerful tool for previewing and making changes to a migration project. From the Access interface, you can make minor or wholesale changes to any migration project before you perform the migration.

Migrating Users and Groups
The Trust Migration Wizard recognized that a bidirectional trust relationship between my source and target domains was in place, so no action was necessary. I then launched the Group Mapping and Merging Wizard to learn how to merge multiple groups from a source domain into one group in the destination AD domain. This tool is good for cleaning up groups with redundant permissions.

The User Account Migration Wizard lets you perform a test migration to confirm that the migration will run without errors, then performs the migration. I also had the option to use the configured Fast Track Settings or the modeling database to migrate user accounts. I chose to use the modeling database, then the User Account Migration Wizard stepped me through the prepopulated migration settings, which showed the values I had selected in the Fast Track Settings. The wizard also reminded me about the service account that the Service Account Migration Wizard discovered earlier, and I chose to migrate that account. After verifying the settings, the program migrated user accounts to the destination OU in the target AD domain. The results pane's status section showed the migration of 266 of the 268 users. I checked the migration log and found messages for the Administrator and Guest accounts explaining that Domain Migration Administrator doesn't process built-in NT accounts.

I then launched the Group Account Migration Wizard, which lets you use either Fast Track Settings or the modeling database to perform a test or actual migration of groups from the source to the target AD domain. I chose to use the modeling database for this domain. The migration processed 17 groups and migrated 9 of those groups. An error message showed that Domain Migration Administrator doesn't process built-in accounts or change the membership of built-in groups. I examined the migration log file and verified that the eight unmigrated groups were built-in NT groups. After migrating users and groups, additional icons appeared for translating security and synchronizing passwords.

Server Consolidation
Part of my migration project's design included consolidating the HRDOMAIN, PRODDOMAIN, and SALESDOMAIN servers' functions and distributing them among servers in the NTLAB.COM domain. NetIQ said the company will include a server consolidation tool in the Domain Migration Administrator 6.2 release but didn't have this tool available at press time. Manually moving resources from those domains would require taking ownership as an administrator of some objects. Taking ownership results in some destructive side effects to original ACLs that skew the testing of security translation (i.e., reassigning ACLs). I chose instead to translate security on the HRDOMAIN, PRODDOMAIN, and SALESDOMAIN servers and not consolidate them.

Translating Security
I opened the Security Translation Wizard to update ACLs and give both the original and migrated accounts access to appropriate files. I received a prompt to specify which users' files to update and on which computers to update those files. The program dispatched Domain Migration Administrator Agent to each selected computer. The agent performed the security translation and reported the status to the Domain Migration Administrator console, which detailed the operation. Domain Migration Administrator Agent automatically removes its program from the remote computer after the agent completes its job. The security translation for the Files and Users shares on the HRDOMAIN server took about 15 seconds.

In the next project step, I used the Exchange Directory Migration Wizard to translate security for Exchange Server mailboxes. For the Wizard to perform its job, I needed to install the Microsoft Exchange Administrator application on the same computer as Domain Migration Administrator. I chose to add equivalent security references for each user-migrated mailbox in the AD domain. The wizard updated 246 mailboxes with the appropriate permissions in about 20 seconds, which was extremely fast compared with the other products I tested.

Migrating Computers
Domain Migration Administrator lets you remotely rename a computer and change its domain membership. I used this capability to make my workstations members of the NTLAB.COM domain after I had updated and verified the functionality of all the users, groups, and objects. This capability works only for member servers or workstations, so you can't use it on a domain controller. The Computer Migration Wizard stepped me through selecting computers to migrate, choosing the destination OU, selecting objects for security translation, and specifying the number of minutes before a reboot occurs.

Cleanup and Rollback
After verifying appropriate access to files and mailboxes by the accounts in the AD domain, I began the cleanup phase. Cleanup of ACLs was simple because I only needed to repeat the steps I used for translating security. This time, I selected the check box to remove security for the original accounts. Cleaning up the Exchange Server mailbox permissions was also simple, using the same remove-security functionality. The program supports undo only on the last operation performed.

• Lab Reports: "NT-to-Win2K Migration Tools" states that NetIQ's Domain Migration Administrator 6.2 will include a domain consolidation tool. The product will include a server consolidation tool. We apologize for any inconvenience this error might have caused.