February 2, 2024: We've updated this post to fix broken links and added a note on migrating passwords.
Customers often ask us how to migrate their on-premises Active Directory (AD) domain to AWS so they can be free of the operational management of their AD infrastructure. Frequently they are unsure how to make the migration easy. A common approach using the CSVDE utility doesn't migrate attributes such as user passwords. This makes migration difficult and requires manual effort for a large part of the migration, which can cause operational and security challenges when moving to a new directory. So, what's changed?
You can now use the Active Directory Migration Tool (ADMT) together with the Password Export Server (PES) to migrate your self-managed AD to AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD. This lets you migrate AD objects and, with the password hashes encrypted in transit, your users' passwords, more easily than before.
AWS Managed Microsoft AD is a managed service built on Microsoft Active Directory. AWS provides operational management of the domain controllers, and you use standard AD tools to administer users, groups, and computers. AWS Managed Microsoft AD lets you take advantage of built-in Active Directory features, such as Group Policy, trusts, and single sign-on, and helps make it easy to migrate AD-dependent workloads into the AWS Cloud. With AWS Managed Microsoft AD, you can join Amazon EC2 and Amazon RDS for SQL Server instances to a domain, and use AWS Enterprise IT applications, such as Amazon WorkSpaces and AWS IAM Identity Center, with Active Directory users and groups.
In this post, we will show you how to migrate your existing AD objects to AWS Managed Microsoft AD. The source of the objects can be your self-managed AD running on EC2, on-premises, co-located, or even at another cloud provider. We will show how to use ADMT and PES to migrate objects including users (and their passwords), groups, and computers.
This post assumes you are familiar with AD and with using a Remote Desktop Protocol (RDP) client to sign in to and use EC2 Windows instances.
Background
In this post, we will migrate user and computer objects, as well as passwords, to a new AWS Managed Microsoft AD directory. The source will be an on-premises domain.
This example migration covers a fairly simple use case. Large customers with complex source domains or forests may need more involved processes to map users, groups, and computers to the single OU structure of AWS Managed Microsoft AD. For example, you may want to migrate one OU at a time. Customers with single-domain forests may be able to migrate in fewer steps. Similarly, the options you select in ADMT will vary based on what you are trying to accomplish.
To perform the migration, we will use the Admin user account from the AWS Managed Microsoft AD. AWS creates the Admin user account and delegates administrative permissions to it for an organizational unit (OU) in the AWS Managed Microsoft AD domain. This account has most of the permissions required to manage your domain, and all the permissions required to complete this migration.
In this example, we have a source domain called source.local that is running in the 10.0.0.0/16 network range, and we want to migrate users, groups, and computers to a destination domain in AWS Managed Microsoft AD called destination.local that is running in the 192.168.0.0/16 network range.
To migrate users from source.local to destination.local, we need a migration computer, joined to the destination.local domain, on which we will run ADMT. We also use this machine to perform administrative tasks on the AWS Managed Microsoft AD. As a prerequisite for ADMT, we must install Microsoft SQL Server Express 2019 on the migration computer. We also need an administrative account that has permissions in both the source and destination AD domains. To achieve this, we will use an AD trust and add the AWS Managed Microsoft AD Admin account from destination.local to the source.local domain. Next we will install ADMT on the migration computer, and run PES on one of the source.local domain controllers. Finally, we will migrate the users and computers.
Note: If you migrate user passwords by using ADMT and PES, and the Kerberos encryption type RC4_HMAC_MD5 is disabled on client computers, Kerberos authentication fails for the migrated users until they reset their passwords. This is a consequence of how PES synchronizes passwords: it copies the password's NT hash, which is also the user's RC4 Kerberos key, whereas the AES Kerberos keys are derived from the password with a salt that includes the realm name and therefore cannot be produced in the destination domain from the copied hash. Until the password is changed in the destination domain, the account has only an RC4 key there. We recommend that users reset their passwords after migration (for example, by setting "User must change password at next logon" on the migrated accounts).
For this example, we have a handful of users, groups, and computers in the source domain (shown in the original post's screenshots) that we will migrate.
In the remainder of this post, we will show you how to do the migration in five basic steps:
Prepare the forests, migration computer, and administrative account.
Install SQL Server Express and ADMT on the migration computer.
Configure ADMT and PES.
Migrate users and groups.
Migrate computers.
Step 1: Prepare the forests, migration computer, and administrative account
To migrate users and passwords from the source domain to AWS Managed Microsoft AD, you must have a two-way forest trust. The trust from the source domain to AWS Managed Microsoft AD lets you add the Admin account from the AWS Managed Microsoft AD to the source domain. This is necessary so you can grant the AWS Managed Microsoft AD Admin account permissions in your source AD directory, allowing it to read the attributes to migrate. We've already created a two-way forest trust between these domains. You should do the same by following this guide. Once your trust has been created, it should show up in the AWS console as Verified.
The ADMT tool must be installed on a computer that is not a domain controller in the destination domain destination.local. For this, we will launch an EC2 instance in the same VPC as the domain controllers and add it to the destination.local domain using the EC2 seamless domain join feature. This will act as the ADMT transfer machine.
Launch a Microsoft Windows Server 2019 instance.
Complete a domain join to the target domain destination.local. You can do this manually, or alternatively you can use AWS Systems Manager to complete a seamless domain join as covered here.
Sign in to the instance using RDP and use Active Directory Users and Computers (ADUC) to add the AWS Managed Microsoft AD Admin user from the destination.local domain to the source.local domain's built-in Administrators group. You will not be able to add the Admin user to Domain Admins: that is a global group, which cannot contain accounts from another forest, whereas the built-in Administrators group is domain local and can. For information on how to set up this instance to use ADUC, see this documentation.
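The trust check and the group change in this step can also be done from PowerShell on the migration computer. The following is an added example, not code from the original post. It assumes the RSAT ActiveDirectory module is installed, that you can supply (and are prompted for) an administrator credential for source.local, and it uses the post's domain names and the Admin account that AWS creates in destination.local.

```powershell
# Added example, not from the original post. Needs the RSAT ActiveDirectory
# module; domain names are the post's, the source-side credential is assumed.
Import-Module ActiveDirectory

$SourceDomain = 'source.local'
$TargetDomain = 'destination.local'
$TargetAdmin  = 'Admin'     # delegated admin account AWS creates in the managed AD
$SourceCred   = Get-Credential -Message "Enter an administrator of $SourceDomain"

# 1. The trust must be a two-way forest trust when viewed from the source side.
$trust = Get-ADTrust -Server $SourceDomain -Credential $SourceCred `
                     -Filter "Name -eq '$TargetDomain'"
if (-not $trust -or -not $trust.ForestTransitive -or $trust.Direction -ne 'BiDirectional') {
    throw "No two-way forest trust from $SourceDomain to $TargetDomain; create and verify it first."
}

# 2. Add destination.local\Admin to the source domain's built-in Administrators
#    group. Administrators is a domain local group, so it can hold an account from
#    a trusted forest (stored as a foreign security principal); Domain Admins is a
#    global group and cannot, which is why the post says that option is unavailable.
$adminUser = Get-ADUser -Identity $TargetAdmin -Server $TargetDomain
Add-ADGroupMember -Identity 'Administrators' -Server $SourceDomain `
                  -Credential $SourceCred -Members $adminUser

# 3. Verify by reading the raw member attribute: Get-ADGroupMember tries to
#    resolve every member and can fail on foreign security principals.
$sourceDn = (Get-ADDomain -Server $SourceDomain -Credential $SourceCred).DistinguishedName
$expected = "CN=$($adminUser.SID.Value),CN=ForeignSecurityPrincipals,$sourceDn"
$members  = (Get-ADGroup -Identity 'Administrators' -Server $SourceDomain `
                         -Credential $SourceCred -Properties member).member
if ($members -contains $expected) {
    "OK: $TargetDomain\$TargetAdmin is in BUILTIN\Administrators of $SourceDomain"
} else {
    throw "$TargetDomain\$TargetAdmin is not a member of Administrators in $SourceDomain"
}
```

Membership in the source domain's Administrators group is a broad grant; the ADMT agent needs it on the source computers during Step 5, but remove the destination Admin from the group as soon as the migration is complete.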
Step 2: Install SQL Server Express and ADMT on the migration computer
Next, we install SQL Server Express and ADMT on the migration computer by following these steps.
Install Microsoft SQL Server Express 2019 on the migration computer with a basic installation.
Download ADMT version 3.2 from Microsoft.
Run the installer and, when setting the tool up, on the Database Selection page of the wizard, for Database (Server\Instance), type the local instance of SQL Server Express you previously installed (for a default SQL Server Express installation this is .\SQLEXPRESS) so ADMT can use it.
On the Database Import page of the wizard, select No, do not import data from an existing database (Default).
Complete the rest of the installation using all the default options.
Step 3: Configure ADMT and PES
We'll use PES to handle encrypted password synchronization. Before we configure it, we need to create an encryption key that will be used during this process to protect the password migration.
On the ADMT transfer machine, open an elevated Command Prompt and create the encryption key with the admt key command, supplying the source domain, a key file path, and a key password.
Note: If you get an error stating that the command is not found, close and reopen Command Prompt to refresh the PATH with the ADMT install directory, and then try again.
Copy the resulting key file onto one of the source.local domain controllers.
Download the Password Export Server on one of the source.local domain controllers.
Start the installation and, in the ADMT Password Migration DLL Setup window, browse to the key file you created in the previous step.
When prompted, enter the password used in the admt key command.
Run PES using the Local System account. Note that this will prompt a restart of the domain controller you are installing PES on.
Once the domain controller has rebooted, open services.msc and start the Password Export Server Service, which is currently set to Manual. You might choose to set this to Automatic if it's likely your DC will be rebooted again before the end of your migration.
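The key creation, the copy to the domain controller, and the service start from this step, scripted as an added example (not code from the original post). It runs on the ADMT transfer machine after ADMT 3.2 is installed; the domain controller name, the key file path, and the use of Invoke-Command (WinRM) to reach the DC are assumptions. The PES installation itself remains the GUI steps above.

```powershell
# Added example, not from the original post. Run on the ADMT transfer machine as
# the destination.local Admin after installing ADMT 3.2. $SourceDC and $KeyFile
# are assumed values.
$SourceDomain = 'source.local'
$SourceDC     = 'dc1.source.local'           # the source DC that will run PES
$KeyFile      = 'C:\ADMT\source.local.pes'   # key file ADMT creates

New-Item -ItemType Directory -Path (Split-Path $KeyFile) -Force | Out-Null

# Create the encryption key shared by ADMT (this machine) and PES (the source DC).
# '*' makes admt prompt for the key password instead of recording it in the
# command history. Requires an elevated session; if admt is "not found", open a
# new session so PATH picks up the ADMT install directory.
& admt key /option:create "/sourcedomain:$SourceDomain" "/keyfile:$KeyFile" /keypassword:*
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $KeyFile)) {
    throw "admt key failed (exit code $LASTEXITCODE)"
}

# The key file is as sensitive as the password hashes it protects: drop inherited
# ACLs so only the current account and SYSTEM can read it before it goes anywhere.
icacls $KeyFile /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R)" 'SYSTEM:(R)' | Out-Null

# Copy it to the DC over the admin share; the PES installer will browse to this path.
$dcDir = "\\$SourceDC\C`$\ADMT"
New-Item -ItemType Directory -Path $dcDir -Force | Out-Null
Copy-Item -Path $KeyFile -Destination $dcDir

# After the PES installer has run on the DC and the DC has rebooted: start the
# service, which the installer leaves set to Manual. Switch to Automatic only
# if the DC may reboot again before the migration finishes.
Invoke-Command -ComputerName $SourceDC -ScriptBlock {
    $svc = Get-Service -DisplayName 'Password Export Server Service'
    $svc | Set-Service -StartupType Manual
    $svc | Start-Service
    Get-Service -Name $svc.Name | Select-Object Name, Status, StartType
}
```

When the migration is finished, stop (or uninstall) PES on the domain controller and delete the key file from both machines, so that password hashes can no longer be exported from the DC afterwards.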
You can now open the Active Directory Migration Tool: Control Panel > System and Security > Administrative Tools > Active Directory Migration Tool.
Right-click Active Directory Migration Tool to see the migration options.
Step 4: Migrate users and groups
On the Domain Selection page, select or type the Source and Target domains, and then select Next.
On the User Selection page, select the users to migrate. You can use an include file if you have a large domain. Select Next.
On the Organizational Unit Selection page, select the destination OU that you want to migrate your users to, and then select Next. AWS Managed Microsoft AD provides you with a managed OU in which you can create your own OU tree structure.
In this example, we will place them in the Users OU.
On the Password Options page, select Migrate passwords, and then select Next. This will contact PES running on the source domain controller.
On the Account Transition Options page, decide how to handle the migration of user objects. In this example, we are going to copy the account state from the source domain. Migrating SID history is helpful when you are doing long, staged migrations where users may need to access resources in both the source and destination domains before the migration is complete. Currently, AWS Managed Microsoft AD doesn't support migrating user SIDs. We select Target same as source, and then select Next. Again, what you choose might be different.
Now, let's customize the transfer. The following screenshot shows the commonly selected options on the User Options page of the User Account Migration Wizard:
It's likely that you'll have more than one migration pass, so choosing how you handle existing objects is important. This will be a single run for us, but the default behavior is not to migrate an object if it already exists (see the image of the Conflict Management page below). If you're running multiple passes, you will want to look at the options that involve merging conflicting objects. The method you select will depend on your use case. If you don't know where to start, read this article.
In our example, you can see that our 3 users, and any groups they were members of, have been migrated.
We can verify this by checking that the users exist in our destination.local domain:
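The wizard run above, reproduced with ADMT's command-line interface and followed by the verification and the password reset recommended in the note at the start of the post, as an added example (not code from the original post). It assumes the RSAT ActiveDirectory module on the migration computer; the domain controller name, the sample user names, and the target OU's distinguished name (which assumes the managed directory's NetBIOS name is destination, so the Users OU sits under OU=destination) are assumptions.

```powershell
# Added example, not from the original post: the command-line equivalent of the
# wizard choices made in Step 4, then a check of the result. $SourceDC, the OU
# distinguished name (assumes the managed AD's NetBIOS name is 'destination')
# and the user list are assumptions.
Import-Module ActiveDirectory

$SourceDomain = 'source.local'
$TargetDomain = 'destination.local'
$SourceDC     = 'dc1.source.local'                           # DC running PES
$TargetOU     = 'OU=Users,OU=destination,DC=destination,DC=local'
$Users        = @('jdoe', 'asmith', 'bjones')                # constructed sAMAccountNames

$admtArgs = @('user', '/N') + $Users + @(
    "/SD:$SourceDomain", "/TD:$TargetDomain", "/TO:$TargetOU",
    "/PS:$SourceDC", '/PO:COPY',   # Migrate passwords, via PES on $SourceDC
    '/MSS:NO',                     # no SID history; the managed AD does not support it
    '/DOT:TARGETSAMEASSOURCE',     # Account Transition Options: Target same as source
    '/MGS:YES', '/FGM:YES',        # migrate the users' groups and fix membership
    '/CO:IGNORE'                   # Conflict Management default: skip existing objects
)
& admt @admtArgs
if ($LASTEXITCODE -ne 0) { throw "admt user exited with $LASTEXITCODE; see the ADMT log" }

# Verify each account landed in the target OU, then require a password change at
# next logon: PES copies only the NT hash (the RC4 Kerberos key), so the account
# has no AES keys in the new domain until its password is set there.
$results = foreach ($u in $Users) {
    $t = Get-ADUser -Server $TargetDomain -Filter "sAMAccountName -eq '$u'" `
                    -Properties PasswordLastSet, Enabled, DistinguishedName
    if ($null -eq $t) {
        [pscustomobject]@{ User = $u; Migrated = $false; InTargetOU = $false; PasswordLastSet = $null }
        continue
    }
    Set-ADUser -Server $TargetDomain -Identity $t -ChangePasswordAtLogon $true
    [pscustomobject]@{
        User            = $u
        Migrated        = $true
        InTargetOU      = $t.DistinguishedName -like "*,$TargetOU"
        PasswordLastSet = $t.PasswordLastSet
    }
}
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Migrated }) {
    Write-Warning 'Some users were not migrated; check the ADMT log.'
}
```

Running ADMT from the command line makes repeated passes reproducible; for a second pass, change /CO from IGNORE to one of the merge options discussed above rather than re-running with the default.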
Step 5: Migrate computers
Now, we'll move on to computer objects.
Open the Active Directory Migration Tool: Control Panel > System and Security > Administrative Tools > Active Directory Migration Tool.
Right-click Active Directory Migration Tool and select Computer Migration Wizard.
Select the computers you want to migrate to the new domain. We'll select 4 computers for migration.
On the Translate Objects page, select which access controls you want to reapply during the migration, and then select Next.
The migration process will show as completed, but we want to make sure the entire process worked.
To verify that the migration was successful, select Close, and the migration tool will open a new window that has a link to the migration log. Check the log file to see that it has started the process of migrating these 4 computers:
2017-08-11 04:09:01 The Active Directory Migration Tool Agent will be installed on WIN-56SQFFFJCR1.source.local
2017-08-11 04:09:01 The Active Directory Migration Tool Agent will be installed on WIN-IG2V2NAN1MU.source.local
2017-08-11 04:09:01 The Active Directory Migration Tool Agent will be installed on WIN-QKQEJHUEV27.source.local
2017-08-11 04:09:01 The Active Directory Migration Tool Agent will be installed on WIN-SE98KE4Q9CR.source.local
If the admin user doesn't have access to the C$ or ADMIN$ share on a computer in the source domain, then installation of the agent on it will fail, as shown here:
2017-08-11 04:09:29 ERR2:7006 Failed to install agent on WIN-IG2V2NAN1MU.source.local, rc=5 Access is denied.
Once the agent is installed, it performs a domain disjoin from source.local and a join to destination.local. The log file will update when this has been successful:
2017-08-11 04:13:29 Post-check passed on the computer 'WIN-SE98KE4Q9CR.source.local'. The new computer name is 'WIN-SE98KE4Q9CR.destination.local'.
2017-08-11 04:13:29 Post-check passed on the computer 'WIN-QKQEJHUEV27.source.local'. The new computer name is 'WIN-QKQEJHUEV27.destination.local'.
2017-08-11 04:13:29 Post-check passed on the computer 'WIN-56SQFFFJCR1.source.local'. The new computer name is 'WIN-56SQFFFJCR1.destination.local'.
You can then view the new computer objects in the destination domain.
Log in to one of the former source.local computers and, by looking at the computer's System Properties, confirm that the computer is now a member of the new destination.local domain.
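The failure mode in the log above (rc=5, Access is denied) and the System Properties check at the end of this step, as an added example (not code from the original post): a pre-flight check to run before the Computer Migration Wizard and a post-check to run after it. It assumes the RSAT ActiveDirectory module on the migration computer and WinRM access to the migrated machines for the CIM query, and uses the host names from the post's log excerpt.

```powershell
# Added example, not from the original post: a pre-flight check before the
# Computer Migration Wizard and a post-check after it. Host names are those in
# the post's log excerpt; domain names are the post's.
Import-Module ActiveDirectory

$SourceDomain = 'source.local'
$TargetDomain = 'destination.local'
$Computers    = 'WIN-56SQFFFJCR1', 'WIN-IG2V2NAN1MU', 'WIN-QKQEJHUEV27', 'WIN-SE98KE4Q9CR'

function Test-AdmtAgentPrereq {
    # ADMT copies its agent to ADMIN$ over SMB and runs it as a service, so the
    # migrating account needs TCP/445 and local administrator rights on each
    # source computer. The log's "rc=5 Access is denied" is the second one failing.
    param([string]$Computer, [string]$Domain)
    $fqdn  = "$Computer.$Domain"
    $smb   = (Test-NetConnection -ComputerName $fqdn -Port 445 `
                                 -WarningAction SilentlyContinue).TcpTestSucceeded
    $share = $smb -and (Test-Path -Path "\\$fqdn\ADMIN`$")
    [pscustomobject]@{ Computer = $fqdn; Smb445 = $smb; AdminShare = $share; Ready = ($smb -and $share) }
}

function Test-ComputerMigrated {
    # After the agent disjoins source.local and joins destination.local, the
    # computer object must exist in the target domain and the machine itself,
    # now reachable under its new DNS suffix, must report that domain.
    param([string]$Computer, [string]$TargetDomain)
    $obj      = Get-ADComputer -Server $TargetDomain -Filter "Name -eq '$Computer'"
    $reported = (Get-CimInstance -ClassName Win32_ComputerSystem `
                                 -ComputerName "$Computer.$TargetDomain" `
                                 -ErrorAction SilentlyContinue).Domain
    [pscustomobject]@{
        Computer       = $Computer
        ObjectInTarget = [bool]$obj
        ReportsDomain  = $reported
        Migrated       = ([bool]$obj -and $reported -eq $TargetDomain)
    }
}

function Invoke-AdmtComputerPreflight {
    # Run before the wizard: stop if any agent push would fail with rc=5.
    $pre = foreach ($c in $Computers) { Test-AdmtAgentPrereq -Computer $c -Domain $SourceDomain }
    $pre | Format-Table -AutoSize
    $blocked = $pre | Where-Object { -not $_.Ready }
    if ($blocked) { throw "Fix before migrating: $($blocked.Computer -join ', ')" }
}

function Invoke-AdmtComputerPostCheck {
    # Run after the log shows the "Post-check passed" lines for every computer.
    foreach ($c in $Computers) { Test-ComputerMigrated -Computer $c -TargetDomain $TargetDomain } |
        Format-Table -AutoSize
}

# Usage: Invoke-AdmtComputerPreflight, run the wizard, then Invoke-AdmtComputerPostCheck.
```

A computer whose pre-flight shows Smb445 false is usually a firewall or routing problem between the migration computer and the source network; AdminShare false with Smb445 true is the permissions case from the log, fixed by making the migrating account a local administrator on that computer (the source-domain Administrators membership from Step 1 covers domain-joined machines with default local group membership).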
Summary
In this simple example we showed how to migrate users and their passwords, groups, and computer objects from an on-premises deployment of Active Directory to a fully managed AWS Managed Microsoft AD directory. We created a management instance on which we ran SQL Server Express and ADMT, we created a forest trust to grant permissions for an account to use ADMT to move users, we configured ADMT and the PES tool, and then stepped through the migration using ADMT.
ADMT gives us a good way to migrate to the managed Microsoft AD service, allows extensive customization of the migration, and does so more securely through encrypted password synchronization. You may need to do more investigation and planning if the complexity of your environment requires a different approach to some of these steps.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the AWS Directory Service forum or contact AWS Support.
Want more AWS Security news? Follow us on X.