Tech Brief - Effects of Customer User Account Migration

Effects of Customer User Account Migration on BPOS-D/F
Technical Brief
Microsoft® Corporation
Published: January, 2011
Version: 2.0
Abstract
Microsoft Online currently supports only one type and method for BPOS-D/F customers to migrate users
within their current Active Directory structure. This technical brief clarifies which type and method is
supported, which ones are not, and why. It also clarifies the impacts, and the possible remediations,
should a customer proceed to migrate a user domain account today. Microsoft Online's plans to enhance
or add support for all migration types and methods are also described in this brief.
Table of Contents
Introduction (p. 3)
  Audience (p. 3)
  Context (p. 3)
  Purpose (p. 3)
Domain Account Migration Types & Methods (p. 4)
  Definitions (p. 4)
  Supported versus Unsupported Migrations (p. 4)
  Why Some Migrations Are Unsupported (p. 5)
  Impacts of Performing Supported & Unsupported Migrations (p. 6)
  Future Support of Migration Types, Methods (p. 8)
Summary (p. 10)
  Recommendations (p. 10)
  References (p. 10)
  Glossary (p. 10)
Frequently Asked Questions (p. 12)
Appendix (p. 14)
  Supported Migration Scenario (p. 14)
  Unsupported Migration Scenario (p. 15)
Microsoft Confidential
Page 2 of 16
Introduction
Audience
This document is intended for existing and future BPOS-Dedicated and Federal (BPOS-D/F) customers,
and specifically for the organizations and individuals who manage and administer the customer's Active
Directory as part of consuming the Exchange, Lync (previously known as Office Communicator) and
SharePoint Online services.
Context
In order for users within a given customer to consume BPOS-D services, their user accounts must reside
within the customer's Active Directory (AD). User accounts are placed in a distinct unit of administration
and resource grouping known as an AD domain. One or more domains are created within an AD forest,
which acts as a security boundary for an organization and defines the scope of authority for
administration. There are situations when customers may need or want to migrate one or more user
accounts between domains within the same forest (intra-forest) or across two different forests
(inter-forest). Depending on the migration method chosen, doing so can disconnect the Microsoft Online
services those users were subscribed to. Disconnection of services could potentially result in loss of
data, and reconnection of these services is not currently supported.
Purpose
The purpose of this document is to clarify the types and methods that Microsoft Online does and does
not support for migrating users, either intra or inter forest within their current Active Directory
structure. It is also to advise BPOS-D/F customers of the potential consequences should a customer
proceed in migrating a user domain account using a migration type and method that MS Online does not
support. A brief discussion of Microsoft Online future plans for supporting migration types and methods
has also been provided in this document.
Domain Account Migration Types & Methods
Definitions
This document refers to two types of user account migrations:
- Inter-forest (a.k.a. cross-forest) migration: a domain user account is moved from one forest to
  another.
- Intra-forest migration: a domain user account is migrated to a different domain within the same
  forest. This type of migration can be made using either the Move or the Clone method.
Migration methods are not widely known unless your expertise is in domain account migrations. If you
are using a domain account migration tool, it may provide the option of selecting which migration
method you want to use. Be aware that some tools do not provide the option to choose the migration
method, so it is important to understand which migration method is being employed by the tool you are
using.
- Move: this method takes the existing Active Directory user object and moves it to the destination
  domain. The user object keeps its objectGUID in the new domain, but the user's security identifier
  (objectSID) changes, because the SID embeds the domain identifier.
- Clone (copy): this method creates a brand new user object in the target domain or forest, copies a
  selected set of attributes from the source object to the new object, and then deletes the source
  object (or leaves it out of scope). Because a new object is created, it has a new objectGUID and a
  new objectSID.
  Note: Clone is generally not recommended for domain migrations within a forest. It is documented
  here because an intra-forest Clone has the same effects as a cross-forest migration.
Supported versus Unsupported Migrations
A matrix of migration types and methods is provided below to show which one(s) MS Online currently
does and does not support for the online services it provides to customers.
An unsupported migration method is one for which MS Online has no process or tooling to automatically
reconnect a user object migrated from the source forest or domain to the target. If the customer
proceeds with an unsupported migration method, the result is specific negative impacts, including
significant effort to manually reconnect each migrated user and unrecoverable loss of user data.
The reasons each migration type and method is currently unsupported, and the specific impacts by
migration method and by online service, are given in the following paragraphs.
An Inter-forest migration using the Move method is constrained by Active Directory design. Since a
forest is a security boundary, moving across security boundaries means that a new user object is
automatically created. AD migration tools only allow an Inter-forest migration to be done via the Clone
method.
Migration Type                          Move method       Clone method
Inter-forest (a.k.a. cross-forest)      Not Applicable    Unsupported
Intra-forest                            Supported         Unsupported
Table 1: Currently Supported/Unsupported Migration Types and Methods
Why Some Migrations Are Unsupported
The challenges with unsupported migration types, methods vary slightly depending on which online
service you are discussing. A matrix of unsupported migration types, methods by service is provided
below to summarize these challenges with additional detail to follow.
Note that while Intra-forest migrations using the Move method are supported by MS Online, they have
the same challenges for SharePoint Online that the unsupported migrations have. Refer to the Impacts
section of this document for details.
Migration Type, Method: Inter-forest or Intra-forest, Clone Method
Exchange and Lync (previously known as OCS) Online Services
  Challenge: The objectGUID changes and the online service is deprovisioned for the migrated user(s).
  MMSSPP is not able to reconnect the original user object (from the source forest/domain) with the
  new user object (in the target forest/domain), so user data is lost.
SharePoint Online Services
  Challenge: The objectSID changes. Any direct permissions for the migrated user(s) to SharePoint site
  collections, document libraries, lists or MySites are broken.
LiveMeeting Online Services
  Challenge: None
Table 2: Challenges of Unsupported Migration Types, Methods
MMSSPP uses the objectGUID in order to establish a sync connection between the customer Active
Directory and the Microsoft Managed Active Directory. Like each person’s DNA, the objectGUID is
unique and all user attributes and permissions associated with this objectGUID are unique. An
objectGUID cannot be modified. The Exchange and Lync online services use a user’s objectGUID to
provision them to the respective service(s).
If a user account is moved between domains or forests using the Clone method, a new user object is
created in the target domain/forest and a selected set of attributes are copied over from the original to
the new user object. By Active Directory design, when a new user object is created, it is created with a
new objectGUID and objectSID.
Since MMSSPP associates each user account by its objectGUID, after the migration the connection MMSSPP
had with the original user object is broken (after the domain account migration, the original object is
either deleted or moved out of scope). The result is that MMSSPP deletes the corresponding user object in
the Managed Active Directory, along with all BPOS-D services (mailbox, Lync profile and Lync contacts)
associated with that user object. MMSSPP then creates a brand new user object in the Managed Active
Directory, with its own new objectGUID and objectSID, and provisions a new set of services for it,
including a new mailbox and Lync profile.
Please note the above scenario assumes that the original object is either deleted or moved out of
MMSSPP scope. In the case where the original object still exists and is in MMSSPP scope, this will result
in a sync error with the original object still being connected to Microsoft Online services.
A new objectSID also has an impact on users who are provisioned to SharePoint Online. Users who have
been directly permissioned on to SharePoint site collections, document libraries, lists or MySites will lose
access to all of these resources since the objectSID has changed. Users will continue to be able to access
resources that were granted permissions via security groups.
Today, there is no way for MMSSPP to associate the newly created domain account with the previous
one. In addition, reconnecting services could lead to loss of email and would entail tedious and
time-consuming steps per user account, for which the support team is not staffed.
The specific effects on objectGUID and objectSID during typical user account migration scenarios are
shown for both supported and unsupported migrations in the Appendix of this document.
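The following PowerShell script is an added example; it is not part of this brief and is not MMSSPP code. It records the three attributes this section turns on (objectGUID, objectSID and sIDHistory) before a migration and, afterwards, reports whether the tool actually performed a Move (same objectGUID, new objectSID) or a Clone (new object, new objectGUID), and whether an object with the old objectGUID still exists in the forest, which is the sync-error case described above. It assumes the ActiveDirectory PowerShell module, read access to the source and target domains, that it is run from the source forest, and hypothetical domain controller and account names.

```powershell
# Added example (not from the brief, not MMSSPP code): snapshot the identity
# attributes the brief keys on, then classify what a migration tool did.
# Assumes the ActiveDirectory module and read access to source/target domains.
Import-Module ActiveDirectory

# Run BEFORE the migration and keep the result (Export-Clixml) for comparison.
function Get-IdentitySnapshot {
    param(
        [Parameter(Mandatory)][string]$Identity,   # sAMAccountName, DN or objectGUID
        [Parameter(Mandatory)][string]$Server      # a DC of the domain that holds the object
    )
    $u = Get-ADUser -Identity $Identity -Server $Server -Properties mail, sIDHistory
    [pscustomobject]@{
        DistinguishedName = $u.DistinguishedName
        Mail              = $u.mail
        ObjectGUID        = $u.ObjectGUID.ToString()   # MMSSPP join key; fixed for the object's lifetime
        ObjectSid         = $u.SID.Value               # SharePoint direct-permission key; domain-specific
        SidHistory        = @($u.sIDHistory | ForEach-Object { $_.Value })
    }
}

# Move: same objectGUID, new objectSID.  Clone: a new object, so a new objectGUID.
function Get-MigrationMethod {
    param([Parameter(Mandatory)]$Before, [Parameter(Mandatory)]$After)
    if ($Before.ObjectGUID -ne $After.ObjectGUID) { return 'Clone' }
    if ($Before.ObjectSid  -ne $After.ObjectSid)  { return 'Move' }
    return 'NoChange'
}

# After a Clone the brief expects the source object to be deleted or out of
# scope; if it still exists and is in MMSSPP scope, expect a sync error instead.
# Queries a global catalog of the current session's forest (run from the source forest).
function Test-ObjectGuidPresent {
    param([Parameter(Mandatory)][string]$ObjectGuid)
    $gc = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
    try {
        $null = Get-ADObject -Identity $ObjectGuid -Server "${gc}:3268"
        $true
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $false
    }
}

# ---- usage with hypothetical names ----
# Before:  Get-IdentitySnapshot -Identity jdoe -Server dc1.na.contoso.com | Export-Clixml .\jdoe-before.xml
$before = Import-Clixml .\jdoe-before.xml
$after  = Get-IdentitySnapshot -Identity jdoe -Server dc1.europe.contoso.com
$method = Get-MigrationMethod -Before $before -After $after

$verdict = switch ($method) {
    'Move'     { 'Supported for intra-forest (Table 1); expect direct SharePoint permissions to break' }
    'Clone'    { 'UNSUPPORTED (Table 1); MMSSPP will deprovision and recreate Exchange/Lync services' }
    'NoChange' { 'Object not migrated' }
}

[pscustomobject]@{
    Method                = $method
    Verdict               = $verdict
    # sIDHistory helps only inside the customer forest; SID filtering strips it toward Microsoft (FAQ Q6)
    OldSidInSidHistory    = ($after.SidHistory -contains $before.ObjectSid)
    SourceObjectLingering = ($method -eq 'Clone') -and (Test-ObjectGuidPresent -ObjectGuid $before.ObjectGUID)
} | Format-List
```

Run the snapshot against a domain controller of the source domain before handing the account to the migration tool, and the comparison against the target domain afterwards; a `Clone` verdict with `SourceObjectLingering` true is the case in which the original object is still in scope and MMSSPP reports a sync error rather than deprovisioning.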
Impacts of Performing Supported & Unsupported Migrations
MS Online recognizes that there are business scenarios when a domain user account migration or AD
forest consolidation is of high importance or urgency from the customer’s perspective. Some common
examples are: (1) a user moves geographically, requiring changing membership to a different domain or
forest; (2) a user has a change in employee status (such as from contractor to FTE), or (3) a customer
wants to consolidate multiple domains/forests, or migrate from a single-label domain to a domain with
a fully qualified domain name (FQDN).
In this event, MS Online recommends that BPOS-D customers either use supported migration types and
methods where applicable, or defer user account migrations until the needed method is supported. MS
Online explicitly recommends that BPOS-D customers DO NOT use the unsupported migration types and
methods until such time as they are supported. This is due to the impacts, and the limited or difficult
remediations, required to resolve problems resulting from these unsupported migrations.
A summary of the impacts and possible remediation in performing supported and unsupported
migrations has been provided in the following table to help ensure BPOS-D customers are aware of
them should they choose to move forward with user account migrations.
Customers should also note the following:
1. The severity of a listed impact and the associated remediation can be viewed as variable
depending on the number of users to be migrated. For example, the impact on an Intra-forest
migration using the Move method is that SharePoint permissions may be broken for the migrated
user(s). The remediation is to manually restore those permissions once the user is migrated.
Having to do this manual action for a small number of users may be perceived as less severe than
for a large number of users.
2. When using a domain account migration tool to manage an Intra-forest migration, use extreme
care to ensure that the tool is configured to use the Move method, which is the recommended
method to use. Some migration software toolsets may offer only the Clone method or use the
Clone method as the default setting for user account migrations.
3. Please advise your MS Online Technical Account Manager (TAM) or other MS Online
representative prior to moving any user accounts. This will enable MS Online to consult as
appropriate and be forewarned should any issues occur during the account migrations.
Inter-forest or Intra-forest, Clone Method
  Exchange and Lync
    Impact: User account is deleted from the Managed AD. Service(s) are de-provisioned for that user.
    Remediation: None. Deleted information is not retrievable.
  SharePoint
    Impact: Any direct permissions for the migrated user(s) to SharePoint site collections, document
    libraries, lists or MySites are broken. Users will continue to be able to access resources that were
    granted permissions via security groups.
    Remediation: The customer's only option is to manually reset SharePoint site permissions (remove
    and add the user) for each user individually.
  LiveMeeting
    Impact: None
    Remediation: N.A.
Intra-forest, Move Method
  Exchange and Lync
    Impact: None
    Remediation: N.A.
  SharePoint
    Impact: Any direct permissions for the migrated user(s) to SharePoint site collections, document
    libraries, lists or MySites are broken. Users will continue to be able to access resources that were
    granted permissions via security groups.
    Remediation: The customer's only option is to manually reset SharePoint site permissions (remove
    and add the user) individually for each user.
  LiveMeeting
    Impact: None
    Remediation: N.A.
Table 3: Impacts in Performing Unsupported Migrations
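The SharePoint remediation above (remove and add the user on each securable object) can be scripted. The following PowerShell is an added example, not part of this brief or of any Microsoft Online tooling: it lists the role definitions granted directly to the pre-migration logon name on a site, grants the same roles to the post-migration logon name (which SharePoint resolves to the new objectSID), and then removes the stale entry. It uses the SharePoint client object model (CSOM) and assumes the customer is permitted to use CSOM against the hosted site; the DLL paths, site URL and logon names are hypothetical. Grants that arrive through security groups are deliberately skipped, since the brief says those survive the SID change.

```powershell
# Added example (not from the brief): re-create a user's DIRECT role assignments
# on a SharePoint site after an objectSID change, via the client object model.
# Assumes CSOM access to the hosted site; paths, URL and logon names are hypothetical.
Add-Type -Path 'C:\SPClient\Microsoft.SharePoint.Client.dll'
Add-Type -Path 'C:\SPClient\Microsoft.SharePoint.Client.Runtime.dll'

# Role definition names (Read, Contribute, ...) granted directly to $LoginName on a
# securable object: a Web, or a List that already has unique permissions.
# Grants through SharePoint or AD groups are skipped; those survive the SID change.
function Get-DirectRoleNames {
    param(
        [Parameter(Mandatory)][Microsoft.SharePoint.Client.ClientContext]$Context,
        [Parameter(Mandatory)][Microsoft.SharePoint.Client.SecurableObject]$Target,
        [Parameter(Mandatory)][string]$LoginName
    )
    $Context.Load($Target.RoleAssignments)
    $Context.ExecuteQuery()
    foreach ($ra in $Target.RoleAssignments) {
        $Context.Load($ra.Member)
        $Context.Load($ra.RoleDefinitionBindings)
    }
    $Context.ExecuteQuery()
    foreach ($ra in $Target.RoleAssignments) {
        if ($ra.Member.PrincipalType -eq [Microsoft.SharePoint.Client.Utilities.PrincipalType]::User -and
            $ra.Member.LoginName -eq $LoginName) {
            foreach ($rd in $ra.RoleDefinitionBindings) { $rd.Name }
        }
    }
}

# Bind the same role definitions to the new logon name (resolved to the new objectSID).
function Grant-RoleNames {
    param(
        [Parameter(Mandatory)][Microsoft.SharePoint.Client.ClientContext]$Context,
        [Parameter(Mandatory)][Microsoft.SharePoint.Client.SecurableObject]$Target,
        [Parameter(Mandatory)][string]$LoginName,
        [Parameter(Mandatory)][string[]]$RoleNames
    )
    $web  = $Context.Web
    $user = $web.EnsureUser($LoginName)        # adds the account to the site's user list if needed
    $bind = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Context)
    foreach ($name in $RoleNames) { $bind.Add($web.RoleDefinitions.GetByName($name)) }
    $null = $Target.RoleAssignments.Add($user, $bind)
    $Context.ExecuteQuery()
}

# ---- usage with hypothetical values ----
$siteUrl  = 'https://sharepoint.contoso.com/sites/team'
$oldLogin = 'CONTOSO\jdoe'    # logon name before the move (classic Windows form, assumed)
$newLogin = 'EUROPE\jdoe'     # logon name after the intra-forest move
$ctx = New-Object Microsoft.SharePoint.Client.ClientContext($siteUrl)
$ctx.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
$web = $ctx.Web

$roles = @(Get-DirectRoleNames -Context $ctx -Target $web -LoginName $oldLogin)
if ($roles.Count -gt 0) {
    Grant-RoleNames -Context $ctx -Target $web -LoginName $newLogin -RoleNames $roles
    $web.SiteUsers.RemoveByLoginName($oldLogin)   # the "remove" half: drop the entry tied to the old SID
    $ctx.ExecuteQuery()
    "Re-granted $($roles -join ', ') to $newLogin on $siteUrl"
}
# Repeat with -Target $web.Lists.GetByTitle('Documents') for each library or list that
# has unique permissions; MySites are separate site collections and need their own $ctx.
```

Record the output of `Get-DirectRoleNames` for every affected site before the migration rather than after: once the SID has changed, the old entry still shows the roles, but the user can no longer exercise them, and a site where the entry was already removed yields nothing to copy.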
Future Support of Migration Types, Methods
MS Online is planning and coordinating changes among the online service teams that will enhance
currently supported migration methods, types and enable currently unsupported migration methods,
types to be supported.
Migration Type                          Move method       Clone method
Inter-forest (a.k.a. cross-forest)      Not Applicable    Supported
Intra-forest                            Supported         Supported
Table 4: Future Supported, Unsupported Migration Types and Methods
The specific changes being planned are:
- Add functionality to MMSSPP that will automatically reconnect migrated domain user accounts
  provisioned within the Exchange and Lync online services
- Provide a self-service tool for SharePoint Online that will help customers reset SharePoint
  permissions for users that have had domain account migrations
The MMSSPP changes are targeted for implementation as part of the MMSSPP 11.1 release. This
release is expected to be available by the end of June, 2011. The target for the SharePoint Online
self-service tool is also the end of June, 2011.
BPOS-D customers will be required to perform certain steps so that the additional user account
migration capabilities being implemented will work as intended. MS Online will be providing
documentation to BPOS-D customers that outline those steps by the end of Q1, 2011.
Summary
Recommendations
MS Online recommends that BPOS-D customers, where applicable and possible:
1. Complete any forest/domain consolidations or large-scale user account migrations prior to
   onboarding to BPOS-D online services, or defer them until MS Online completes its planned
   MMSSPP and SharePoint changes in Q2, 2011.
2. Use supported migration types and methods, or defer user account migrations until the needed
   method is supported.
3. Do NOT use the unsupported migration types and methods until such time as they are supported.
   This is due to the impacts, and the limited or difficult remediations, required to resolve problems
   resulting from these unsupported migrations.
4. Ensure they are aware of the respective impacts and available remediations for the chosen
   migration types and methods.
References
- SID versus GUID: http://technet.microsoft.com/en-us/library/cc961625.aspx
- ADMT Guide: Migrating and Restructuring Active Directory Domains:
  http://technet.microsoft.com/en-us/library/cc974332(WS.10).aspx
Glossary
Customer: Refers to a BPOS-D customer consuming one or more Microsoft Online services.
BPOS-D Services: Collectively refers to Exchange, Lync and SharePoint for the purposes of this
document.
Domain: A distinct unit of administration and resource grouping in Active Directory Domain Services
(AD DS).
Forest: An Active Directory forest contains all the domains, sites, and trusts that are part of AD DS.
The forest acts as a security boundary for an organization, and it defines the scope of authority for
administration. By default, a forest contains a single domain, which is called the forest root domain.
Intra-forest Migration: Moves between domains within the same forest.
Inter-forest Migration: Moves across two different forests. Also known as cross-forest migrations.
Security Identifier (SID): A unique value of variable length that is used to identify a security
principal or security group in Windows operating systems. SIDs can sometimes change.
Object Globally Unique Identifier (a.k.a. objectGUID or GUID): A 128-bit value assigned to every user
or group that is unique not only in the enterprise but also across the world. Active Directory uses
GUIDs internally to identify objects. The values of other object properties can change, but the
objectGUID never changes; when an object is assigned a GUID, it keeps that value for life.
objectSID (a.k.a. SID): A binary value that specifies the security identifier (SID) of the user. The
SID is a unique value used to identify the user as a security principal.
Security Principal: Active Directory user and computer accounts (as well as groups) are referred to
as security principals, a term that emphasizes the security that the operating system implements for
these entities. Security principals are directory objects that are automatically assigned SIDs when
they are created.
MMSSPP: Microsoft Managed Solutions Service Provisioning Provider. This is the identity sync and
provisioning service solution for MS Online services.
Migration Method: The way in which a domain user account is migrated. This document considers two
migration methods: (1) Move; (2) Clone.
Migration Type: The entities across which the user is being migrated. This document includes two
migration types: (1) Inter-forest (a.k.a. cross-forest); (2) Intra-forest.
Frequently Asked Questions
Q1.
What specific services are deprovisioned in a non-supported migration?
A1.
Detailed in the following table:
BPOS-Dedicated Service                      Impact
Exchange Online Service
  Mailbox                                   Deprovisioned
  Mailbox Permissions                       Deprovisioned
  Exchange ActiveSync (EAS)                 Deprovisioned
  BlackBerry Services (BES)                 Deprovisioned
  Archiving (ProofPoint) Services           Deprovisioned
Lync Online Service
  Lync Profile (contact information)        Deprovisioned
  Lync permissions                          Deprovisioned
SharePoint Online Service
  Team sites                                Deprovisioned
  MySites                                   Deprovisioned
LiveMeeting Service                         No impact
MMSSPP attribute Sync                       Deprovisioned
Group Memberships                           Impact is determined by the options of the domain
                                            account migration tool. If the tool copies group
                                            memberships, there is no impact; if not, group
                                            memberships are deprovisioned.
Q2.
How are services affected in a supported move?
A2.
Detailed in the following table:
BPOS-Dedicated Service                      Impact
Exchange Online Service
  Mailbox                                   No impact
  Mailbox Permissions                       No impact
  Exchange ActiveSync (EAS)                 No impact
  BlackBerry Services (BES)                 No impact
  Archiving (ProofPoint) Services           No impact
Lync Online Service
  Lync Profile Connection                   No impact
SharePoint Online Service
  Team sites                                Permissions broken
  MySites                                   Permissions broken
LiveMeeting Service                         No impact
MMSSPP attribute Sync                       No impact
Group Memberships                           No impact
Q3.
Is there any 3rd-party software that can help with remediating unsupported migrations?
A3.
No. Provisioning and deprovisioning of services are tied to MMSSPP and so there is no 3rd party
software that can plug into MMSSPP.
Q4.
Can Microsoft Support help if I make an unsupported migration?
A4.
No. Microsoft Helpdesk Support does not support these scenarios.
Q5.
What can I do to remediate the impact if I must make a non-supported migration?
A5.
Please create a support request and inform your TAM immediately.
Q6.
Why can't SIDhistory be utilized?
A6.
SID filtering is enabled on every Active Directory trust set up between Microsoft and the customer
forest(s) or domain(s). This is a Microsoft security requirement. SID filtering discards the SIDs
carried in SIDhistory, which is why SIDhistory cannot be utilized. Note that this applies only in the
context of BPOS services; SIDhistory can still be utilized to access resources within the customer
environment.
Q7.
Why can’t MMSSPP reset SharePoint permissions?
A7.
MMSSPP only provisions services for Exchange and Lync and does not write to the SharePoint
database.
Q8.
Why is the LiveMeeting Service not impacted by these changes?
A8.
LiveMeeting permissions are granted on the LiveMeeting portal using security groups from each domain
in the customer environment. As long as the new account is in a domain (which it typically is) that has
a security group permissioned on the portal, and the account is a member of that group, there is no
impact. If there is an impact, it is because there is no such security group or the new account is not a
member of it.
Appendix
Supported Migration Scenario
Environment Details
- Single Forest: Contoso.com
- Child Domain 1: NA.Contoso.com
- Child Domain 2: Europe.Contoso.com
User Details:
- Name: John Doe
- Domain: Contoso
- SID: A
- ObjectGUID: X
Scenario States:
Pre-Migration
- MMSSPP has established a sync connection with Contoso\John Doe using objectGUID X and has
  provisioned the Microsoft Online mailbox and Lync profile using SID A
- Contoso\John Doe's SharePoint permissions are associated with SID A
The Migration
- The customer uses a domain migration tool to migrate John Doe from domain 1 (NA.Contoso.com) to
  domain 2 (Europe.Contoso.com) using the Move method
Post Migration
- After the migration, Europe\John Doe has the same objectGUID X, but the SID changes to SID B.
- At the next sync cycle, MMSSPP finds that John Doe with objectGUID X has a new SID, so it syncs the
  new SID and resets the Exchange and Lync permissions to SID B on the object in the Microsoft managed
  Active Directory. No impact to Exchange or Lync services.
- However, since Europe\John Doe's SID has changed to B, he loses the SharePoint permissions that were
  granted directly to SID A; access granted through security groups is unaffected.
[Figure 2 (diagram): Customer Active Directory Forest Contoso.com, with child domain NA.Contoso.com
holding John Doe (enabled logon account, SID A, objectGUID X) before the move, and child domain
Europe.Contoso.com holding John Doe (SID B, objectGUID X, SIDhistory A) after the move. Microsoft
Online Hosted Forest Contoso.mgd.microsoft.com holds John Doe as a disabled logon account with a
linked mailbox (SID A) and OCS profile (SID A); John is a delegate of Jane Doe (mailbox delegation SID
A, Send-As permissions SID A). SharePoint team site, MySites, document library and lists: read access
SID A. The two forests are joined by a one-way forest-level trust with SIDFiltering enabled, and by the
MMSSPP Synchronization & Provisioning engine.]
Figure 2: Currently Supported Migration Scenario
Unsupported Migration Scenario
Environment Details
- Forest 1: Contoso.com
- Forest 2: BlueYonder.com
User Details:
- Name: John Doe
- Domain: Contoso
- SID: A
- ObjectGUID: X
Scenario States:
Pre-Migration
- MMSSPP has established a sync connection with Contoso\John Doe using objectGUID X and has
  provisioned the Microsoft Online mailbox and Lync profile using SID A
- Contoso\John Doe's SharePoint permissions are associated with SID A
The Migration
- The customer uses a domain migration tool to migrate John Doe from forest Contoso to forest
  BlueYonder (a cross-forest migration, which is necessarily a Clone)
Post Migration
- After the migration, BlueYonder\John Doe has objectGUID Y and SID B
- At the next sync cycle, MMSSPP will not find John Doe with objectGUID X, so it deletes the object in
  the Microsoft managed Active Directory, along with all services associated with it
- MMSSPP then creates a brand new user object for BlueYonder\John Doe and provisions a new mailbox
  and Lync profile.
- BlueYonder\John Doe also loses permissions to all SharePoint sites he previously had access to
  directly, because his SID has changed to B.
[Figure 3 (diagram): Customer Active Directory Forest 1, Contoso.com, holds John Doe (enabled logon
account, SID A, objectGUID X). Customer Active Directory Forest 2, BlueYonder.com, holds John Doe
after the migration (SID B, objectGUID Y, SIDhistory A). Microsoft Online Hosted Forest
Contoso.mgd.microsoft.com holds John Doe as a disabled logon account with a linked mailbox (SID A)
and OCS profile (SID A); John is a delegate of Jane Doe (mailbox delegation SID A, Send-As permissions
SID A). SharePoint team site, MySites, document library and lists: read access SID A. Forest 1 and the
hosted forest are joined by a one-way forest-level trust with SIDFiltering enabled and by the MMSSPP
Synchronization & Provisioning engine. Outcome shown: services disconnected, permissions broken.]
Figure 3: Currently Unsupported Migration Scenario