
Accounts required for QMM for AD

I will be starting a Migration of 11 AD Forest Objects to 1 AD Forest, like consolidating 11 AD Forest Objects to 1 AD. I have read the service accounts requirement, but can anyone tell me precisely how many service accounts as well as Administrator accounts I need in total? Please keep in mind I'll not be doing anything related to Exchange. Only AD Migration...

Thanks,

Sam

  • Hello Sam, this is what you need in terms of Service Accounts

    1 account for the Source Domain, make it part of the Domain Admins groups on the Source Domain and member of the Local Administrator group on the QMM console (s-source-adsa), in your case, you need to create this account on each Source Domain that you will be migrating

    1 account for the Target Domain, make it part of the Domain Admins groups, member of the Administrators on the Builtin group on the Target Domain and member of the Local Administrators group on the QMM console (s-target-adsa)

    1 account for the AD LDS/ADAM, make it part of the Domain Users group on the target domain, and member of the Local Administrators group on the QMM console (s-auxiliary)

    1 account for the QMM Administrator Console, make it part of the Domain Users group on the target domain and member of the Local Administrators groups on the QMM console (a-migrationmgr)

    I'll review my lab one more time to make sure that no more permissions are needed.
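The account layout in the reply above can be checked from the QMM console before and after the migration. The script below is an added example, not part of the original post and not Quest tooling; the domain names `source.example` and `target.example` are constructed placeholders, and it also flags any group membership beyond what the reply lists.

```powershell
#Requires -Modules ActiveDirectory
# Run on the QMM console with rights to read both directories.
# Constructed placeholders: replace with your own domain DNS names.
$SourceDomain = 'source.example'
$TargetDomain = 'target.example'

# Memberships as listed in the reply above; account names are the ones it suggests.
$Expected = @(
    @{ Account = 's-source-adsa';  Domain = $SourceDomain; Groups = @('Domain Admins') }
    @{ Account = 's-target-adsa';  Domain = $TargetDomain; Groups = @('Domain Admins', 'Administrators') }
    @{ Account = 's-auxiliary';    Domain = $TargetDomain; Groups = @('Domain Users') }
    @{ Account = 'a-migrationmgr'; Domain = $TargetDomain; Groups = @('Domain Users') }
)

# Direct members of the console's local Administrators group, as DOMAIN\name.
$LocalAdmins = @((Get-LocalGroupMember -Group 'Administrators').Name)

$Report = foreach ($e in $Expected) {
    try {
        $netbios = (Get-ADDomain -Server $e.Domain -ErrorAction Stop).NetBIOSName
        $actual  = @((Get-ADPrincipalGroupMembership -Identity $e.Account `
                        -Server $e.Domain -ErrorAction Stop).Name)
    } catch {
        [pscustomobject]@{ Account = $e.Account; Domain = $e.Domain
                           Missing = 'lookup failed'; Unexpected = ''; LocalAdmin = $null }
        continue
    }
    # Every account has Domain Users as its primary group, so it is never "unexpected".
    $allowed = $e.Groups + 'Domain Users'
    [pscustomobject]@{
        Account    = $e.Account
        Domain     = $e.Domain
        Missing    = ($e.Groups | Where-Object { $_ -notin $actual }) -join ', '
        Unexpected = ($actual | Where-Object { $_ -notin $allowed }) -join ', '
        LocalAdmin = "$netbios\$($e.Account)" -in $LocalAdmins
    }
}

$Report | Format-Table -AutoSize
```

For a consolidation with several source domains, add one `s-source-adsa` row per source domain. A non-empty `Unexpected` column after the migration is finished is a prompt to remove rights the accounts no longer need.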
  • Hello,

    In short you can go with two different models. A Quest service account in each forest or a single Quest service account created in the Target and nested in all other Source Forests. All admin accounts.

    No need to create a separate account for all services. Single accounts are easier to manage.

    Cheers,
    Enrico

  • Hi Enrico. Quick question on this. We are going through a domain split. Our consultant we hired to split the domains is requesting 2 service accounts. 1 for the AD portion, and 1 for the Exchange portion. I understand the reason for 2 accounts, but would 1 account work?

    Also, he's requesting that the AD service account have the following permissions:
    a. This account needs to be a DOMAIN ADMIN of source domain.
    b. This account needs to be a LOCAL ADMINISTRATOR on all workstations and servers that are going to be migrated to target domain.
    c. This account needs FULL CONTROL over the Organizational Units where source accounts are going to be migrated from.

    Does this seem accurate?

    And for the Exchange account, they are requesting the following permissions:
    a. This account needs to have impersonation rights in the source exchange organization (msdn.microsoft.com/.../bb204095(v=exchg.140).aspx)
    b. This account needs to be a local administrator on every exchange server in the source domain
    c. This account needs full control over the mailbox databases in the source domain (ADSI Edit – configuration container > services > ex org > expand the administrative group and then databases, right click each database and grant full control to each database).
    d. A throttling policy in source exchange environment needs to be set on this account so that it is unrestricted in its ability to sync mail for hundreds of mailboxes simultaneously.

    Does this seem accurate as well?


    I can't seem to find any documentation on the Quest site regarding the service accounts needed for AD and for Exchange respectively. I have only been searching for a couple minutes though. Could you point me in the right direction?

    Thanks!