
This is a general post not seeking a technical resolution to a precise problem. I just want to warn industry colleagues. My career focus has been on AD for 20 years. The precise niche I concentrate on is Migrations and Consolidation projects. I currently work at an organization where I'm migrating 4 domains into one larger one. We've had no end of issues. I've been dealing with a host of challenges for 6 straight months. I've never seen anything like this before.

It seems that in 2021, the tried and trusted (15-year-old) methods for migrating from one domain to another are failing at the user profile migration (translation) stage. If you are familiar with tools such as ADMT or Quest Migration Manager for AD, you will be familiar with the security translation wizard/agent whose job is to scour through each ACL on each and every file/folder to ensure that the TARGET domain security principal is added and given identical permissions to the SOURCE domain security principal. Well, it seems that in the latest Windows 10 release (and probably several before that), there are files/folders whose security the security translation tool is simply not able to modify. These are mainly related to Office 365 Apps profile folders. The result is that your users end up with profiles that are either half translated or completely corrupted. Office 365 apps do not launch correctly, meaning you have to reconfigure every single Office app for all impacted users. Something you want to avoid if you have thousands to migrate.

In addition to all of this, TPM (Trusted Platform Module), your on-prem identity and your cloud identity combine to create a security layer that cannot be security translated by the traditional migration tools. Basically, they lock out any other user account from accessing your O365 apps profile data, even if that account has full rights to the profile\AppData folders.

It's not 100% consistent, but over 500 profile migrations, I have seen it 75-80% of the time (could be build/Office app specific). The only way out of this situation is to give users a brand new profile. So folks, next time you perform a domain migration with profile security translation and something is going wrong, it's not just you! Hundreds of people are reporting this issue with no clear direction from Microsoft. Quest are blaming "environmental" issues. I think Microsoft's New Age Developers have lost all concept of domain migrations. They are building security models without any thought towards keeping the user profile "portable". A user profile has always been something you can assign to a new user account, but not anymore?

A point of note also is that MS ADMT does not officially support Windows 10 or Windows Server 2016/2019 for that matter.
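As an added illustration of the "security translation" step the post describes (this is editor-supplied example code, not the original poster's script and not the ADMT or Quest agent), the PowerShell below walks one profile, clones every explicit ACE and owner that references the SOURCE-domain SID onto the TARGET-domain SID, and writes a CSV of every item it could not read or re-ACL. The profile path, both SIDs and the report path are placeholders to be replaced. It covers only the file-system ACL half of the problem; it does nothing about the identity/TPM binding the post says survives a correct re-ACL, which is exactly why the report of untouched items matters.

```powershell
<#
  Added example, not from the original post or from ADMT/Quest: a minimal
  "security translation" pass over one user profile (Windows PowerShell 5.1+).
  For every explicit ACE and owner that references the SOURCE-domain SID it
  adds an identical ACE for / sets the owner to the TARGET-domain SID, and it
  records every path it could not enumerate, read or re-ACL.
  Run elevated. $ProfilePath, both SIDs and $ReportPath are placeholders.
#>
param(
    [string]$ProfilePath = 'C:\Users\jdoe',                                   # assumption
    [string]$SourceSid   = 'S-1-5-21-1111111111-2222222222-3333333333-1105',  # assumption: SOURCE\jdoe
    [string]$TargetSid   = 'S-1-5-21-4444444444-5555555555-6666666666-2211',  # assumption: TARGET\jdoe
    [string]$ReportPath  = "$env:TEMP\profile-translation.csv",              # assumption
    [switch]$WhatIf
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$src     = $sidType::new($SourceSid)
$dst     = $sidType::new($TargetSid)
$report  = New-Object System.Collections.Generic.List[object]

function Add-Result([string]$Path, [string]$Action, [string]$Detail = '') {
    $report.Add([pscustomobject]@{ Path = $Path; Action = $Action; Detail = $Detail })
}

function Update-ItemAcl([string]$Path) {
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { Add-Result $Path 'ReadFailed' $_.Exception.Message; return }

    # Ask for rules as SIDs so nothing resolves names against a source domain
    # that may already be unreachable; explicit ACEs only, inherited ones flow from the parent.
    $rules = $acl.GetAccessRules($true, $false, $sidType)
    $toAdd = @()
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -ne $src.Value) { continue }
        $dup = $rules | Where-Object {
            $_.IdentityReference.Value -eq $dst.Value -and
            $_.FileSystemRights  -eq $ace.FileSystemRights -and
            $_.AccessControlType -eq $ace.AccessControlType -and
            $_.InheritanceFlags  -eq $ace.InheritanceFlags -and
            $_.PropagationFlags  -eq $ace.PropagationFlags
        }
        if (-not $dup) {
            # Clone the ACE with only the identity swapped: same rights, type, inheritance, propagation.
            $toAdd += [System.Security.AccessControl.FileSystemAccessRule]::new(
                $dst, $ace.FileSystemRights, $ace.InheritanceFlags, $ace.PropagationFlags, $ace.AccessControlType)
        }
    }

    if ($toAdd.Count -gt 0) {
        foreach ($rule in $toAdd) { $acl.AddAccessRule($rule) }
        try {
            Set-Acl -LiteralPath $Path -AclObject $acl -ErrorAction Stop -WhatIf:$WhatIf
            Add-Result $Path 'AceAdded' ("{0} ACE(s)" -f $toAdd.Count)
        } catch {
            # The bucket the post is about: items the translation cannot touch.
            Add-Result $Path 'WriteFailed' $_.Exception.Message
        }
    } else { Add-Result $Path 'NoChange' }

    # Owner is translated in its own write: giving ownership to another principal
    # needs SeRestorePrivilege, and a failure here must not undo the ACE work above.
    if ($acl.GetOwner($sidType).Value -eq $src.Value) {
        try {
            $ownerAcl = Get-Acl -LiteralPath $Path -ErrorAction Stop
            $ownerAcl.SetOwner($dst)
            Set-Acl -LiteralPath $Path -AclObject $ownerAcl -ErrorAction Stop -WhatIf:$WhatIf
            Add-Result $Path 'OwnerSet'
        } catch { Add-Result $Path 'OwnerFailed' $_.Exception.Message }
    }
}

# -Force finds hidden/system items; enumeration failures (e.g. access denied on a
# subfolder) are captured rather than silently lost.
$enumErrors = @()
$items = @(Get-Item -LiteralPath $ProfilePath -Force) +
         @(Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable enumErrors)
foreach ($e in $enumErrors) { Add-Result ([string]$e.TargetObject) 'EnumFailed' $e.Exception.Message }

foreach ($item in $items) {
    # Skip reparse points (the legacy "Application Data"-style junctions inside a profile).
    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) { Add-Result $item.FullName 'SkippedReparsePoint'; continue }
    Update-ItemAcl $item.FullName
}

$report | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
$report | Group-Object Action | Select-Object Name, Count | Format-Table -AutoSize
"Report written to $ReportPath"
```

Run it first with `-WhatIf` to see how many items would change, then for real; the `WriteFailed`, `OwnerFailed`, `ReadFailed` and `EnumFailed` rows in the CSV are the concrete list of what a re-ACL pass alone could not translate for that profile.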

  • That's interesting information, but how hard could it be to write some code that re-ACLs files/folders in a user profile? – Greg Askew Dec 29 '21 at 11:51
  • That's not hard. But it only solves half the problem. The TPM issue is the one that can't be resolved as it's a black-boxed security layer of its own. – Spirited Warrior Dec 29 '21 at 12:13
  • Frankly, it's hard not to think of the black helicopters scenario where MSFT is actively (ahem) deprecating Active Directory, because apparently in their fairyland, every org of every conceivable size and with any LOB product should be 100% operating in Azure AD. MIM 2016 going EOL with no replacement is a big warning sign AFAIC. – LeeM Dec 30 '21 at 06:43
  • A Q&A site is not really the best choice to spread this information. It would be better to open a ticket directly at Microsoft and discuss this with them. If they identify a bug or unwanted behaviour, they can then fix it for everybody. – Daniel Jan 03 '22 at 20:30
  • @Daniel - You're a bit too trusting of MS's ability to A) understand the issue and B) Have the inclination to deal with it. Plenty of tickets are open. They're not getting the issues. Some of us have more experience of AD and MS technologies than the current offshored and outsourced people they call "MS Support Professionals" – Spirited Warrior Jan 10 '22 at 17:37
