Processing by RUM and ADPW

Question

Hello IT Consultants, 
 Greetings of the day! 
 I have questions and confusion regarding Quest Migration tools RUM and ADPW. Hope you guys will explain this. 
 Processing by RUM and ADPW. Let me explain what I meant to say. 
 Q1: Resources e.g. File/Folder/Share ACL processing is only done by RUM while moving server to target domain? 
 Q2: Processing by ADPW is done while adding migrated target user and groups to source domain local groups in order to access source domain resources while server is connected to source domain. What about Security Descriptor processing? When and in which domain it is performed after migration? Does security descriptor processing depends on domain membership of server as well? 
 I read somewhere that " Anywhere in any trusting Active Directory where you may find a SOURCEDOM user or group that you migrated with QMM in an ACL or group membership, you want to run ADPW ". So my question is how does ADPW process ACL? I think file/folder/share ACL is updated by RUM only? ADPW is only used for updating group membership, security descriptor processing, cleanup sidhistory only. Then how does ADPW process ACL? 
 Q3: What about Server local group processing? When and in which domain it is performed? Do we need to add migrated target users and groups in the source server local groups? Is this only done when server is connected to source domain? What if server is moved to target domain then what needs to be done? 
 Q4: What about workstation processing. When, in which domain and by which tools it is performed? 
 Q5. Please explain other processing scenarios by ADPW and RUM. 
 
 Thanks in advance!

Jeff Shahan · Accepted Answer

douglas shawn 1986 said: Q1: Resources e.g. File/Folder/Share ACL processing is only done by RUM while moving server to target domain? 
 Correct. Resource Update Manager handles all OS level permissions translation and can move the host to the target. 
 douglas shawn 1986 said: Q2: Processing by ADPW is done while adding migrated target user and groups to source domain local groups in order to access source domain resources while server is connected to source domain. What about Security Descriptor processing? When and in which domain it is performed after migration? Does security descriptor processing depends on domain membership of server as well? 
 Correct. That is part of what ADPW can do. Processing the Security Descriptors in the directory (nTSecurityDescriptor) or the permissions TAB of a migrated object where QMM AD merged to replaced the target security descriptor is another task ADPW handles. No, membership plays not role is the process of updating any permissions with any utility. 
 Note: That was 1 statement and 3 questions in question 2. 
 douglas shawn 1986 said: Q3: What about Server local group processing? When and in which domain it is performed? Do we need to add migrated target users and groups in the source server local groups? Is this only done when server is connected to source domain? What if server is moved to target domain then what needs to be done? 
 See Question 1. No, membership plays not role is the process of updating any permissions with any utility. Yes, you do and RUM does it. No, membership plays not role is the process of updating any permissions with any utility. No, membership plays not role is the process of updating any permissions with any utility. 
 Note: That was 5 questions in question . 
 douglas shawn 1986 said: Q4: What about workstation processing. When, in which domain and by which tools it is performed? 
 See Question 1. No, membership plays not role is the process of updating any permissions with any utility. 
 douglas shawn 1986 said: Q5. Please explain other processing scenarios by ADPW and RUM. 
 This is too vague really to field. In general ADPW handles AD related tasks. RUM handle OS level permissions.

Jeff Shahan · Answer

douglas shawn 1986 said: As Johnny said, Re-ACL is done while the server sits in the source as well as in target. 
 Sure that is the normal, standard process, but is it not a hard requirement. In fact you can process a source server joined to the target domain even after the source domain is shut off. 
 douglas shawn 1986 said: So it means if server is in source then in order to resource process, we will directly add Migrated Global and migrated Universal groups in ACL to allow group members to access resources in source domain. 
 Correct. Additionally the server local groups are processed and any source member has it mapped target object will be added to the local server group membership. 
 douglas shawn 1986 said: But then how it is different than adding migrated target users and groups to Source domain local group by ADPW. In both way access is granted. 
 This related to domain local groups and server domain membership. While you might think that both ways grant the same access they do not. 
 douglas shawn 1986 said: How do I know whether I need to process resource Re-ACL or adding migrated groups to source domain local groups? 
 Are there permissions secured by source objects? RUM Resource Processing Task to append the Target Objects. 
 Is it secured using domain local groups? Run ADPW. 
 Plan to change the domain of a server before all users are migrated AND the resources are secured using domain local groups? Migrate Domain Local Groups with the Add Source Member to Target group option enabled. 
 Each of the above is always a stand alone question to trigger the process.

JohnnyQuest · Answer

douglas shawn 1986 - with utmost respect, this Forum is not a "migration school" nor is it intended to provide on-demand consulting. Domain migrations are complex undertakings with many variables that can influence both the need for and timing of certain activities like the use of ADPW, file system re-permissioning and so on. It is not possible to explain every nuance of every scenario in documentation. Due to this complexity and the limitations of what can be explained in documentation, customers who undertake migration projects using the Migration Manager tool will usually hire experienced Consultants to help them understand the tool and help to design their processes with them. The experience these Consultants bring includes both advanced knowledge of Active Directory and the Migration Manager tool. The challenge we have with the types of questions you are asking is that they are often very broad like: Q5. Please explain other processing scenarios by ADPW and RUM. We don't have the time or the space to explain all of your options - that is what Consultants are for. 
 In other cases, the initial answer is going to be one or more of: "it depends on your process" and/or "it depends on your environment" and/or "it depends on your I.T. processes". 
 I can give you a short answer to this one: 
 Q1: Resources e.g. File/Folder/Share ACL processing is only done by RUM while moving server to target domain? No - it can be done while the server sits in the source, the target or both. Re-ACL'ing is not solely tied to the actual move of the server. The move is a separate operation. 
 And to this one: So my question is how does ADPW process ACL? 
 The ACLs in question here are ACLs on AD objects (also sometimes called security descriptors) - ADPW can update those. Under the covers, it works exactly the same way as it does in the file system - translate SOURCE\Objectname to TARGET\ObjectName based on mappings that QMM establishes within its Project data when you initially migrate your user and group objects.

Processing by RUM and ADPW

Top Replies