Joining a workstation to the TAMU IT Domain and Profile Migration
Contents

Migration Prerequisites
    Firewalls
    “Run As” and Other Alternate Credentialing Methods
    File and Print Sharing Is Disabled
    Insufficient Privileges on the Domain
    Wireless Clients
    Domain Clarity
Creating an Active Directory Computer Object
Joining a Computer to the ADS Domain
    Joining a Computer
    Join a Computer and Migrate a Profile
Document Update History
File Server Structure, Paths, Permissions & Sync’d Files
    File Server Directory Structure
    File Server Path
    File Permissions
    Sync’d Files
Migration Prerequisites

Firewalls
The workstation initially communicates with the domain controller using NetBIOS over TCP/IP and SMB (UDP 137 and 138, TCP 139 and 445), and the join also depends on DNS (53), Kerberos (88), LDAP (389) and RPC (TCP 135 plus dynamic ports) reaching a domain controller. If any of these paths is blocked by the Windows Firewall, a network firewall or some other conflict, the computer will not be able to join the domain properly.
“Run As” and Other Alternate Credentialing Methods
The profile migration process can interfere with programs, services and scheduled tasks that are configured to run under alternate credentials, because the account the profile belongs to changes. These may require reinstallation or reconfiguration after joining the domain. Make an inventory of any applications that start under alternate credentials before joining the domain.
File and Print Sharing Is Disabled
If File and Printer Sharing is not bound to your network interface, you might not be able to join the domain. If you receive an error that causes the Profile Wizard to fail at step 7 (“Migration complete!”) and it is not resolved by correcting firewall settings, check the properties of your Local Area Connection. Look for “File and Printer Sharing for Microsoft Networks” in the list of items bound to the network adapter. If it is listed and unchecked, check the box and click OK.
Insufficient Privileges on the Domain
Each IT Manager will have permissions to create computer objects and join computers to their specific unit OU, and nowhere else. These permissions are assigned to the IT Manager’s NETID by TAMU IT; a join attempted with an account that lacks them fails with an access-denied error even when the network checks pass.
Wireless Clients
The workstation must be on the network and communicating with the domain controller before a domain user will be able to log in. It is recommended that all workstation joins be performed over an Ethernet connection to the campus network. You might be able to run the Profile Wizard and join the domain over a wireless connection, but after the reboot you will have to establish a hard-wired connection before logging in with a domain account, since the wireless connection is not yet available at the logon screen. Once a user has logged in to their domain account while the workstation is connected via Ethernet, Windows caches the user’s credentials (cached domain logon), so their next login does not require a connection to a domain controller.
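The four prerequisites above can be checked before the join rather than discovered from a failed wizard run. The following script is an added example and is not part of the original TAMU document: it discovers the domain controllers for ads.tamu.edu (the domain named in this document) from DNS, probes the TCP ports the join depends on, confirms that File and Printer Sharing (the ms_server binding) is enabled on the active adapter, checks that a wired adapter is up, and lists services and scheduled tasks that run under a named account. The port list and the built-in-principal filters are assumptions based on standard Windows behaviour, not something the document specifies.

```powershell
# Pre-join readiness checks (added example, not from the original TAMU document).
# Run from an elevated PowerShell on the workstation, on a wired connection.
# ASSUMPTIONS: join domain ads.tamu.edu (from the document); DCs discovered via DNS;
# the port list is the standard Windows domain-join dependency set.

$Domain = 'ads.tamu.edu'

function Get-DomainControllerNames {
    param([string]$DomainName)
    # The same SRV lookup the join itself performs. If this fails, DNS is not pointing
    # at campus resolvers and nothing else below will pass either.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget -Unique
}

function Test-DomainControllerPorts {
    param([string]$Server)
    # NetBIOS session/SMB plus the other join dependencies. Test-NetConnection only probes
    # TCP, so the NetBIOS datagram ports (UDP 137/138) must be verified in the firewall rules.
    $ports = [ordered]@{
        'DNS'                 = 53
        'Kerberos'            = 88
        'RPC endpoint mapper' = 135
        'NetBIOS session'     = 139
        'LDAP'                = 389
        'SMB'                 = 445
    }
    foreach ($name in $ports.Keys) {
        $r = Test-NetConnection -ComputerName $Server -Port $ports[$name] -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "$name TCP/$($ports[$name]) to $Server"; Pass = $r.TcpTestSucceeded }
    }
}

function Test-FileSharingBinding {
    # "File and Printer Sharing for Microsoft Networks" is the ms_server binding; the
    # wizard's join step fails when it is unchecked on the adapter in use.
    $upAdapters = (Get-NetAdapter | Where-Object Status -eq 'Up').Name
    Get-NetAdapterBinding -ComponentID ms_server |
        Where-Object { $upAdapters -contains $_.Name } |
        ForEach-Object { [pscustomobject]@{ Check = "File and Printer Sharing bound on '$($_.Name)'"; Pass = $_.Enabled } }
}

function Test-WiredConnection {
    # The first domain logon after the reboot needs a wired link; warn if only Wi-Fi is up.
    $up    = Get-NetAdapter | Where-Object Status -eq 'Up'
    $wired = $up | Where-Object { $_.PhysicalMediaType -eq '802.3' }
    [pscustomobject]@{ Check = "Wired adapter up (active: $($up.Name -join ', '))"; Pass = [bool]$wired }
}

function Get-AlternateCredentialUse {
    # Services and scheduled tasks running as a named account ("Run As" style). The profile
    # migration can break these, so record them before the join. The built-in principal
    # lists are a heuristic (assumption); anything not filtered out deserves a second look.
    $builtinService = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
                      'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM'
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -and $builtinService -notcontains $_.StartName -and $_.StartName -notlike 'NT SERVICE\*' } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; RunsAs = $_.StartName } }
    $builtinTask = 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'S-1-5-18', 'S-1-5-19', 'S-1-5-20',
                   'Users', 'Administrators', 'Authenticated Users', 'INTERACTIVE', 'Everyone'
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -and $builtinTask -notcontains $_.Principal.UserId } |
        ForEach-Object { [pscustomobject]@{ Kind = 'ScheduledTask'; Name = "$($_.TaskPath)$($_.TaskName)"; RunsAs = $_.Principal.UserId } }
}

$results = @()
foreach ($dc in (Get-DomainControllerNames -DomainName $Domain | Select-Object -First 2)) {
    $results += Test-DomainControllerPorts -Server $dc
}
$results += Test-FileSharingBinding
$results += Test-WiredConnection
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more prerequisites failed; fix them before running the join.'
}
'Services and scheduled tasks using alternate credentials (note or reconfigure before joining):'
Get-AlternateCredentialUse | Format-Table -AutoSize
```

A failed SRV lookup points at DNS, a failed port check points at a firewall, and a disabled ms_server binding is the File and Printer Sharing case; the last table is the inventory the “Run As” section asks you to make.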
Domain Clarity
While the ADS domain is referenced throughout this document and the Windows administrative tools display ADS, the domain that all workstations and user accounts are actually associated with is the AUTH domain. TAMU IT has both domains in the same forest; per their configuration, the process to join computers uses the ADS domain while the actual objects reside in the AUTH domain. As noted later, after a workstation has been joined to TAMU IT, one way of logging in to the computer with a domain account is AUTH\NETID (the user’s NETID).
Creating an Active Directory Computer Object
Prior to joining any workstation to the ADS domain, a computer object must be created in Active Directory in the appropriate “Computers” OU where that workstation will reside. This can be done either from a computer joined to the ADS domain with the Microsoft Remote Server Administration Tools (RSAT) installed, or through the administration tools TAMU IT provides via Remote Desktop. The steps for accessing the tools via Remote Desktop follow.
1. Enable your NETID account for two-factor authentication per the TAMU IT steps presented at
services.tamu.edu/duo-enroll
2. Open Remote Desktop Connection, Select “Show Options” and enter techbox.ads.tamu.edu for
the remote computer name.
3. Select the “Advanced” tab and then “Settings” to configure the RD Gateway connection settings.
4. Select “Use these RD Gateway server settings” and enter rds.tamu.edu for “Server name”, set
“Logon method” to “Ask for password (NTLM)”, check “Bypass RD Gateway server for local
addresses” and check “Use my RD Gateway credentials for the remote computer”.
Click OK
5. Select Connect and enter your NETID credentials when prompted by Windows Security.
NOTE: Username can be entered as either [email protected] or AUTH\NETID
Click OK
6. Successful entry of NETID credentials will trigger the second factor of the two-factor
authentication. The “Initiating remote connection” screen is displayed until the second factor
is completed or a timeout occurs.
7. Access to the remote host will require acceptance of the server’s security certificate. Before
accepting, check that the certificate’s subject matches the host you are connecting to and that it
is issued by a certificate authority you trust; an unexpected or changed certificate on an
administrative host is a reason to stop and contact TAMU IT rather than click through, because
accepting it sends your NETID credentials to whoever presented it.
Click Yes
8. Locate the Microsoft Administrative Tools and Select “Active Directory Users and Computers”
9. Navigate to the Delegated OU for your specific unit using the following path: TAMUSystems >> TAMU >> Units >> College of Agriculture & Life Sciences >> Units >> Your Unit >> Delegated
10. Right click on Delegated, select New >> Organizational Unit and name the OU Computers
Click OK
11. Right click on Computers, select New >> Computer
12. Enter the computer object name. This must match the workstation’s hostname and, because it is also the NetBIOS name, must be 15 characters or fewer.
Click OK
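The same pre-staging (steps 9 to 12) can be done with the ActiveDirectory PowerShell module from the techbox host or any RSAT workstation that holds the delegated rights. The script below is an added example and not part of the original document; the distinguished name is built from the ADUC path given in step 9, but the unit OU name, the DC= components and the computer name are placeholders (assumptions) that must be replaced with the values shown in your own ADUC console.

```powershell
# Pre-stage the Computers OU and the computer object (added example, not from the original document).
# ASSUMPTIONS: the OU path mirrors step 9 above; $Unit, $DomainDN and $ComputerName are placeholders.
Import-Module ActiveDirectory

$Unit         = 'YourUnit'                 # assumption: your unit's OU name as shown in ADUC
$DomainDN     = 'DC=ads,DC=tamu,DC=edu'    # assumption: use the DN your ADUC console displays
$DelegatedOU  = "OU=Delegated,OU=$Unit,OU=Units,OU=College of Agriculture & Life Sciences,OU=Units,OU=TAMU,OU=TAMUSystems,$DomainDN"
$ComputerName = 'AGR-WS-001'               # assumption: placeholder hostname

function Test-ComputerNameValid {
    param([string]$Name)
    # NetBIOS names are at most 15 characters (longer names are truncated on join), may contain
    # only letters, digits and hyphens, and must not be all digits.
    return ($Name.Length -ge 1 -and $Name.Length -le 15 -and
            $Name -match '^[A-Za-z0-9-]+$' -and $Name -notmatch '^\d+$')
}

function Initialize-ComputersOU {
    param([string]$ParentDN)
    # Step 10: create the Computers OU under Delegated only if it is not already there.
    $existing = Get-ADOrganizationalUnit -Filter 'Name -eq "Computers"' -SearchBase $ParentDN -SearchScope OneLevel
    if (-not $existing) {
        # New-ADOrganizationalUnit protects the OU from accidental deletion by default; keep that.
        $existing = New-ADOrganizationalUnit -Name 'Computers' -Path $ParentDN -PassThru -ErrorAction Stop
    }
    return $existing.DistinguishedName
}

function Register-ComputerObject {
    param([string]$Name, [string]$OUPath)
    # Steps 11-12: create the computer object in the unit's Computers OU. Pre-staging it here means
    # the join lands in this OU (unit GPOs and delegation apply from first boot) instead of the
    # default Computers container.
    if (-not (Test-ComputerNameValid -Name $Name)) { throw "Invalid computer name: $Name" }
    $existing = Get-ADComputer -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
    if ($existing) {
        if ($existing.DistinguishedName -notlike "*,$OUPath") {
            # A same-named object elsewhere in the forest means a duplicate or a stale machine;
            # resolve that with TAMU IT instead of silently creating a second one.
            throw "A computer named $Name already exists at $($existing.DistinguishedName)"
        }
        return $existing
    }
    New-ADComputer -Name $Name -Path $OUPath -Enabled $true -PassThru
}

$ou = Initialize-ComputersOU -ParentDN $DelegatedOU
Register-ComputerObject -Name $ComputerName -OUPath $ou | Select-Object Name, DistinguishedName, Enabled
```

Both functions are safe to re-run: an existing OU or object in the right place is returned unchanged, and an object with the same name in the wrong place is reported rather than duplicated.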
Joining a Computer to the ADS Domain
If a computer to be joined to the ADS domain is brand new, or resides on another domain and has no legacy account profile to migrate, then a simple domain join is probably warranted. Steps for a simple join can be found in the Join a Computer section below.
If a computer user wants to keep their current local or domain account profile (desktop icons, backgrounds, My Documents folders and various other application configuration details), then the profile can be migrated to the user’s ADS domain account rather than being rebuilt from scratch. NOTE: The migrated profile is only available on this computer, as roaming profiles are not supported by the ADS domain. The process to join a computer and simultaneously migrate a user profile to the ADS domain can be found in the Join a Computer and Migrate a Profile section below.
Join a Computer
If the computer to be joined currently resides on another domain, it will first need to be removed from that domain, so begin with step 1. Otherwise proceed to step 8.
1. Login to the computer as a local administrator.
NOTE: Be sure a local administrator account exists and is active prior to rebooting the computer.
2. Right click on Computer and select Properties
3. Select “Change Settings”
4. Select “Change”
5. Select “Workgroup” and enter a temporary name in the field
Click OK
6. Once the computer has been unjoined, click the OK button on the “Welcome to the workgroup” message.
7. Reboot the computer to complete domain removal process.
8. Login to the computer as a local administrator
9. Repeat steps 2 – 4
10. Select Domain and enter ads.tamu.edu in the associated field
Click OK
11. Enter ads credentials with permission to join a computer to the domain
Click OK
12. A “Welcome to the ads.tamu.edu domain” message indicates a successful join.
Click Ok
13. Complete the domain join by closing all windows and rebooting the computer
14. When the Windows Login displays, login with the user’s domain account to verify everything
transferred successfully. Enter the username as “[email protected]”. Enter the associated
password, then press Enter or click OK.
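Steps 1 to 14 can also be run from an elevated PowerShell on the workstation, which makes it easy to add the two checks a practitioner wants: that an enabled local administrator exists before the unjoin reboot (the NOTE under step 1), and that the machine’s secure channel to the domain is healthy after the join reboot. The script below is an added example, not the document’s own procedure; ads.tamu.edu comes from the document, while the local administrator name, the target OU path and the temporary workgroup name are placeholders (assumptions).

```powershell
# Unjoin/join sequence with before-and-after checks (added example, not from the original document).
# ASSUMPTIONS: $LocalAdmin and $TargetOU are placeholders; $TargetOU must be the OU where the
# computer object was pre-staged. Run elevated on the workstation.

$Domain     = 'ads.tamu.edu'
$LocalAdmin = 'ltadmin'     # assumption: local administrator account that must exist before reboot
$TargetOU   = 'OU=Computers,OU=Delegated,OU=YourUnit,OU=Units,OU=College of Agriculture & Life Sciences,OU=Units,OU=TAMU,OU=TAMUSystems,DC=ads,DC=tamu,DC=edu'  # assumption

function Assert-LocalAdminReady {
    param([string]$Name)
    # Step 1 NOTE: without an enabled local administrator you can be locked out after the unjoin
    # reboot, because cached domain logons for the old domain no longer apply.
    $u = Get-LocalUser -Name $Name -ErrorAction Stop
    if (-not $u.Enabled) { throw "Local account $Name is disabled" }
    $members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    if ($members -notcontains "$env:COMPUTERNAME\$Name") { throw "$Name is not a member of Administrators" }
}

function Get-JoinState {
    $cs = Get-CimInstance Win32_ComputerSystem
    [pscustomobject]@{ Name = $cs.Name; Domain = $cs.Domain; PartOfDomain = $cs.PartOfDomain }
}

function Invoke-DomainJoin {
    param([string]$DomainName, [string]$OUPath, [pscredential]$JoinCredential)
    $state = Get-JoinState
    if ($state.PartOfDomain -and $state.Domain -eq $DomainName) {
        "Already joined to $DomainName"
        return
    }
    if ($state.PartOfDomain) {
        # Steps 5-7: drop to a temporary workgroup and reboot. The old domain's credentials are only
        # used to disable the old computer account; the join is a separate run after the reboot.
        $old = Get-Credential -Message "Credentials for the current domain $($state.Domain)"
        Remove-Computer -UnjoinDomainCredential $old -WorkgroupName 'TEMPWG' -Force -Restart
        return
    }
    # Steps 10-13: join directly into the pre-staged OU so the object is not created in the
    # default Computers container. -Restart performs the reboot of step 13.
    Add-Computer -DomainName $DomainName -OUPath $OUPath -Credential $JoinCredential -Force -Restart
}

function Test-JoinHealthy {
    param([string]$DomainName)
    # Step 14, from the command line: run after the reboot, on a wired connection. A healthy
    # secure channel means domain logons (AUTH\NETID) will work and the computer password is valid.
    $state = Get-JoinState
    $chan  = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
    return [bool]($state.PartOfDomain -and $state.Domain -eq $DomainName -and $chan)
}

Assert-LocalAdminReady -Name $LocalAdmin
$cred = Get-Credential -Message "Account with rights to join computers to $Domain"
Invoke-DomainJoin -DomainName $Domain -OUPath $TargetOU -JoinCredential $cred
# After the post-join reboot:  Test-JoinHealthy -DomainName $Domain   (returns $true on success)
```

Run the script twice when the machine starts on another domain: the first run unjoins and reboots, the second run joins. If Test-JoinHealthy returns $false after the reboot, re-check the Firewalls prerequisite before retrying the join.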
Join a Computer and Migrate a Profile
The User Profile Wizard provides a process to join a computer to a domain and simultaneously migrate an existing user account profile to the ADS domain account. The local profile is not deleted by this process; after the migration it is used by the person’s domain account on that computer.
NOTE: The computer can be migrated directly from one domain to the ADS domain using the Profile Wizard. There is no need to first remove the computer from the previous domain.
1. Login to the computer as a local administrator.
(Be sure to login with an account that is not associated with the profile to be migrated.)
2. Download the User Profile Wizard from the enterprise file server under
temp\MigrationSoftware\Profwiz3 or from http://www.forensit.com/Downloads/Profwiz3.zip. The
wizard runs with administrative rights, so obtain it only from one of these two sources.
3. Run the User Profile Wizard and select the Local Computer.
Click Next.
4. Under “Enter the domain” type ‘ads.tamu.edu’, leave “Join Domain” checked, under “Enter the
account name” type the NETID for the person whose profile is being migrated. The format of
the NETID entry should be as follows: [email protected] .
Click Next.
5. Select the user account associated with the profile being migrating to the ads domain.
Click Next.
6. Enter a domain username and password with permissions to perform joins to the domain.
For domain user name please use: “[email protected]” where “NETID” is yours.
Click OK.
7. The ads domain is not configured to support roaming profiles so the profile migrated will only be
available on the computer where it is migrated. Select Yes so the profile is migrated locally.
Click Yes.
8. If everything worked, “Migration Complete!” is displayed in a text box in the wizard.
If an error is shown after “Joining to domain…”, then the computer cannot reach a domain
controller; check the Firewalls and File and Print Sharing prerequisites above.
If you see “Migration Complete!” then click Next.
NOTE: The local profile will still be listed under the local username on the C: drive, but it will be associated
with the user’s ads domain account.
9. Click “Finish” and restart the computer.
10. There may be a temporary delay as the profile rebuilds certain index files.
11. When the Windows Login displays, login with the user’s domain account to verify everything
transferred successfully. Enter the username as “[email protected]”. Enter the associated
password, then press Enter or click OK.
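The NOTE after step 8 describes what a correct migration looks like on disk: the profile folder keeps its old name under C:\Users, but Windows now associates that folder with the domain account. That association lives in the ProfileList registry key, where each profile is keyed by the owning SID, so it can be verified at step 11 instead of being inferred from the desktop looking right. The script below is an added example, not from the original document or from the wizard’s vendor; the AUTH\NETID login form comes from the document, and the account and folder names in the usage line are placeholders (assumptions).

```powershell
# Verify that a migrated profile is now owned by the domain account (added example, not from the
# original document). Run after the post-migration reboot, on a wired connection so domain SIDs resolve.
# ASSUMPTIONS: the AUTH\NETID form is from the document; names in the usage line are placeholders.

function Get-ProfileMap {
    # One row per local profile: owning SID, the account it resolves to, and the profile folder.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $key | ForEach-Object {
        $sid  = $_.PSChildName
        $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        $account = '<unresolved>'   # e.g. a ".bak" entry or a SID the DC cannot resolve
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                           [System.Security.Principal.NTAccount]).Value
        } catch { }
        [pscustomobject]@{ SID = $sid; Account = $account; Path = $path }
    }
}

function Test-ProfileMigrated {
    param(
        [string]$DomainAccount,       # e.g. 'AUTH\<NETID>'
        [string]$LocalProfileFolder   # e.g. 'C:\Users\<localname>', the pre-migration folder
    )
    $rows = Get-ProfileMap
    $row  = $rows | Where-Object { $_.Account -eq $DomainAccount } | Select-Object -First 1
    if (-not $row) {
        return [pscustomobject]@{ Pass = $false; Map = $rows
            Reason = "No profile entry for $DomainAccount (user has not logged on, or migration did not run)" }
    }
    $pass   = ($row.Path -eq $LocalProfileFolder)
    $reason = if ($pass) { "$DomainAccount owns $($row.Path)" }
              else { "$DomainAccount maps to $($row.Path), not $LocalProfileFolder; a fresh profile was created instead of migrating" }
    # A path under C:\Users\TEMP means the domain logon fell back to a temporary profile, which
    # is discarded at logoff: resolve that before handing the machine back to the user.
    if ($row.Path -like '*\TEMP*') { $pass = $false; $reason = 'Domain logon landed in a temporary profile' }
    [pscustomobject]@{ Pass = $pass; Reason = $reason; Map = $rows }
}

# Usage (placeholders):
# $r = Test-ProfileMigrated -DomainAccount 'AUTH\jsmith' -LocalProfileFolder 'C:\Users\jsmith'
# $r.Pass; $r.Reason; $r.Map | Format-Table -AutoSize
```

The Map output also shows the old local account’s row if the wizard left it in place, which is the expected state described in the NOTE above; only the domain account’s row needs to point at the original folder.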
File Server Structure, Paths, Permissions & Sync’d Files
Files previously stored on Agnet file servers have been ported to TAMU IT file servers, and an active sync is in place to ensure continuity. The directory structure on the TAMU IT servers currently mirrors the one used on the Agnet file servers to simplify the port. TAMU IT has set up a path to access these files, but before anyone can use it file permissions must be established: each user is first granted permission to access the file server, and then individual permissions are set on their personal folder or group folder(s). A path can then be mapped for each folder.
File Server Directory Structure
The standard directory structure for files ported onto the TAMU IT file servers contains two top-level folders, temp and protect. The protect folder contains three subfolders: group, share and user.

/temp
/protect
    /group
    /share
    /user

temp is meant as a temporary file storage area for use by the IT Manager. Suggested uses of the folder include:
    Storage of ISOs
    Temporary transfer location for files

group is intended for special groups of users who need a common folder to share documents. The recommended practice is to set up each such group by creating a security group in Active Directory with those users as members, creating a folder for that group, and then granting the Active Directory group permissions on that folder.

share is intended as an area where all users within a unit can create their own folders and content to share with each other.

user is the top-level folder for all of the unit’s users’ home directories.
File Server Path
TAMU IT has established the following path to access the TAMU IT file server: \\os-nex-t1.cis.tamu.edu\clals
When accessing the file storage via the above path there will be two requests for credentials. In both cases this requires UIN credentials, and the UIN must be prefixed with AUTH\ (for example AUTH\<UIN>).
NOTE: Only those units that used Agnet enterprise file storage have been set up to date. The corresponding Unit_Dir_Name for these units is listed below. Remaining units will need to contact TAMU IT and request setup of their folder and permissions as specified in the next section.

Unit Name - Unit_Dir_Name
ALEC - alec
Animal Science - ansc
Biological and Agricultural Engineering - baen
Entomology - entomology
Horticulture - hort
Nutrition and Food Science - nfsc
Plant Pathology and Microbiology - plantpm
Recreation, Parks and Tourism - rpts
Soil and Crop Sciences - soilcrop
Wildlife and Fishery Sciences - wfsc
File Permissions
Prior to accessing the file server, permissions will need to be established. This consists of granting each user permission to access the file server and then setting individual permissions on their personal folder or group folder(s). A path can then be mapped to any unit folder using the standard drive-mapping methods provided by Windows.
If a unit had file services via Agnet, then a Groups OU has been configured under the unit’s Delegated OU. In Groups will be two security groups: UnitName-FileMgr and UnitName-FileUsers. (If neither of these security groups exists, they need to be requested through TAMU IT before anyone in the unit will be able to access the file server.)
NOTE: UnitName is replaced with your department acronym. This naming convention is recommended for all security groups to simplify any administrative requests that may be sent to TAMU IT.
Anyone who needs access to the file server will need to be added to the FileUsers group. Anyone designated as an administrator of your file space will need to be added to the FileMgr group; keep that group small, since its members can change permissions on every folder in the unit’s space.
Sync’d Files
If a unit has utilized file storage on the Agnet file servers, then those files have been migrated to the TAMU IT file space. An active sync is in place to ensure any changes made on the Agnet file space are reflected on the TAMU IT file space. The sync can be removed on request by the IT Manager.
While the migration copied the files, the associated permissions were not migrated. Prior to the migration the UnitName-FileMgr and UnitName-FileUsers groups were established in each unit’s file structure so that some of the same permissions could be set up and assigned as files were migrated. The remainder of the permissions will need to be assigned manually as detailed below.
Each personal folder under user will need permissions assigned for the folder owner. The permissions the folder owner had on the AgriLife file server default to Modify, Read & Execute, List folder contents, Read and Write, which together are the NTFS basic permission “Modify”. To reflect those permissions on the TAMU IT folders:
1. Right click on the user’s folder and select Properties
2. Select the Security tab and click on Edit
3. Select Add, enter the user’s UIN and click Check Names
Click OK
4. Select the user, check the permissions desired in the lower window, and click Apply
Click OK
Repeat these steps for each folder under user.
Each of the folders under group will also need its permissions re-established. Best practice here is to create a security group and grant that group access permissions on the folder (using the same steps as outlined for user permissions) rather than adding individual users. Personnel added to the security group then have permission to access the corresponding folder, and access is removed by taking them out of the group, with no change to the folder’s ACL.
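Clicking through the Security tab for every personal and group folder is slow and error-prone across a whole unit, and the five permissions listed above are exactly the NTFS basic permission Modify, so one inheritable Modify ACE per folder reproduces them. The script below is an added example, not the document’s own procedure: it applies that ACE to every folder under user (for its owner) and to each group folder (for its AD security group) with Get-Acl/Set-Acl. The share root, the unit directory name and the AUTH\<UIN> and AUTH\<group> identity forms are placeholders modelled on this document (assumptions), as is the convention that a personal folder’s name equals its owner’s UIN.

```powershell
# Bulk NTFS permission assignment for the user and group folders (added example, not from the
# original document). Run as a member of UnitName-FileMgr.
# ASSUMPTIONS: $Root uses 'ansc' as a placeholder unit directory; folder names under user\ equal
# the owner's UIN; identities are AUTH\<UIN> or AUTH\<UnitName>-<Group>.

$Root = '\\os-nex-t1.cis.tamu.edu\clals\ansc\protect'

function Grant-FolderModify {
    param([string]$Folder, [string]$Identity)
    # Adds an Allow/Modify ACE that inherits to subfolders and files. Modify already contains
    # Read & Execute, List folder contents, Read and Write, matching the AgriLife defaults.
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $acl    = Get-Acl -Path $Folder
    # Idempotence: skip folders that already carry an Allow ACE containing Modify for this identity.
    $already = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }
    if (-not $already) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Identity, $modify, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $Folder -AclObject $acl
    }
    [pscustomobject]@{ Folder = $Folder; Identity = $Identity; Changed = -not [bool]$already }
}

function Set-UserFolderPermissions {
    param([string]$UserRoot, [string]$DomainPrefix = 'AUTH')
    # Each personal folder's owner gets Modify; the folder name is taken as the UIN (assumption).
    Get-ChildItem -Path $UserRoot -Directory | ForEach-Object {
        Grant-FolderModify -Folder $_.FullName -Identity "$DomainPrefix\$($_.Name)"
    }
}

function Set-GroupFolderPermissions {
    param([string]$GroupRoot, [hashtable]$FolderToGroup)
    # Group folders are granted to an AD security group, never to individuals, so membership
    # changes in AD are the only thing that needs to change later.
    foreach ($folder in $FolderToGroup.Keys) {
        Grant-FolderModify -Folder (Join-Path $GroupRoot $folder) -Identity $FolderToGroup[$folder]
    }
}

# Usage (placeholders):
# Set-UserFolderPermissions  -UserRoot  (Join-Path $Root 'user')  | Format-Table -AutoSize
# Set-GroupFolderPermissions -GroupRoot (Join-Path $Root 'group') -FolderToGroup @{ 'lab' = 'AUTH\ANSC-Lab' } | Format-Table -AutoSize
```

The Changed column shows which folders were actually modified, so a second run over the same tree reports no changes; a folder whose name does not resolve as AUTH\<UIN> fails at Set-Acl with an identity-resolution error and should be fixed by hand rather than by guessing the owner.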
Document Update History
Tom Lyster 10/1/2015 Added File Server Section