[en] Information for administrators


The migration of the Active Directory DOMAIN STI (sti.intranet.epfl.ch -> intranet.epfl.ch) involves three stages:
—preparation
—migration
—verification

Preliminary analysis

There are two main uses of Active Directory:

— user authentication and access to resources only (no computers joined to the domain)

— user and computer authentication and access to resources (computers joined to the domain)

Identify which of the two applies to your lab and record it in the calendar.
Please edit the calendar directly.

User authentication and access to resources with Active Directory

1 Preliminary work
Agree with your lab Director on the day and time to start the migration.

Migrations can be grouped by Institute or Center to simplify the global process.
During the migration, the automatic account synchronization mechanism is stopped (for Active Directory and the NAS).

Your users must be informed:
— before the migration, using this web site as reference,
— at the beginning of the migration,
— at the end of the migration.

2 Migration

One important aspect of the migration is to preserve end-user data.
It is essential to follow the migration steps in order, to prevent security issues (a user's security identifier in the destination DOMAIN being disjoint from the one used in the source DOMAIN, so that permissions granted before the migration no longer apply).
User accounts are located only at level 4 (unit) of the directory, in the OU (unit)-Users.

On the agreed date and time, the objects in the Organizational Unit of your lab are moved from the DOMAIN sti.intranet.epfl.ch to intranet.epfl.ch:

For each lab, the migration order is as follows:

1 Groups
IMPORTANT: convert all your groups to universal groups first
2 Service accounts
3 User accounts
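The groups must be universal before anything is moved, both here and in the computer scenario below (names ending with a U). Active Directory refuses some direct scope changes: a global group cannot become universal while it is still a member of another global group, and a domain local group cannot become universal while it contains another domain local group, so nested groups have to be converted inside-out. The following script is an added example, not the page's own tooling; it assumes the RSAT ActiveDirectory module, and the OU distinguished name is a placeholder for your unit's OU.

```powershell
# Added example (not part of the original EPFL migration page): convert a unit's groups to
# universal scope, retrying until the nesting order no longer blocks a conversion, then report
# the groups whose name does not yet end with the "U" the page asks for.
# Assumption: RSAT ActiveDirectory module; $UnitOU is a placeholder DN.
Import-Module ActiveDirectory

$SourceDomain = 'sti.intranet.epfl.ch'
$UnitOU       = 'OU=LAB,DC=sti,DC=intranet,DC=epfl,DC=ch'   # assumption: your unit's OU

$pending = [System.Collections.ArrayList]@(
    Get-ADGroup -Server $SourceDomain -SearchBase $UnitOU -Filter 'GroupScope -ne "Universal"'
)

# Each pass converts every group AD currently accepts; a group that fails (typically because an
# outer global group has not been converted yet) is retried on the next pass.
do {
    $progress = $false
    foreach ($g in @($pending)) {
        try {
            Set-ADGroup -Server $SourceDomain -Identity $g -GroupScope Universal -ErrorAction Stop
            Write-Host "converted $($g.Name): $($g.GroupScope) -> Universal"
            $pending.Remove($g)
            $progress = $true
        } catch {
            Write-Verbose "deferred $($g.Name): $($_.Exception.Message)"
        }
    }
} while ($progress -and $pending.Count -gt 0)

if ($pending.Count -gt 0) {
    # Whatever is left has a nesting AD cannot resolve automatically and needs a manual look.
    Write-Warning ("Could not convert: " + (($pending | ForEach-Object { $_.Name }) -join ', '))
}

# Naming convention from the page: report rather than rename blindly, because the old name may
# still be referenced by NAS exports or scripts in the unit.
Get-ADGroup -Server $SourceDomain -SearchBase $UnitOU -Filter * |
    Where-Object { $_.Name -notmatch 'U$' } |
    Select-Object Name, GroupScope |
    Format-Table -AutoSize
```

Run it with -Verbose to see why a given group was deferred. The conversion itself does not change the group's SID, so existing permissions on the NAS are unaffected; only the scope and, if you rename, the display name change.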

3 After the migration in INTRANET

For end-users, the changes are described here:
— before the migration
— during the migration
— after the migration

Computers joined to Active Directory

Depending on how they are integrated in AD, three scenarios are possible:
A client workstations authenticating against Active Directory
B client workstations and servers authenticating against Active Directory
C students authenticating on workstations in Active Directory

Service account for managing Active Directory

Before the migration:
the account admin(unit) is used to:
- manage the computers and data of the unit;
- manage Active Directory;
- join computers to Active Directory.

During and after the migration in INTRANET:
the account admin(unit) is used to:
- manage the computers and data of the unit.

The account AD(sciper) is linked to the IT Manager role and is located in the Organizational Unit of the unit where you hold your primary accreditation. It is unique across all the units you manage.
The account AD(sciper) is used, for all your units, to:
- manage Active Directory;
- join computers to AD in INTRANET.

1 Preliminary work

Agree with your lab Director on the date and time of the migration.
Migrations are grouped by Institute or Center to simplify the global process.
During the migration, the automatic account synchronization mechanism is stopped (for Active Directory and the NAS).

Your end-users must be informed:
— before the migration begins, using this web site as reference
— at the beginning of the migration
— at the end of the migration

On the technical side, several conditions must be met:

Universal groups
Convert all your groups (domain local and global) to universal groups; group names should end with a U.

Computers unused and disconnected for more than 90 days:
A computer joined to Active Directory that has been powered off for more than 90 days (tombstone lifetime) can no longer be used.
Such computers must be joined to Active Directory again before the migration.

Computers fall into two categories:

Windows XP:

These computers are not easily migrated with the automatic method; migrate them manually using the script provided. WARNING: from April 2014, Windows XP reaches its end of life and is no longer maintained by Microsoft, so you should consider upgrading to Windows 7.

Windows 7:

These computers can be migrated automatically. Follow these steps:
1 identify the PCs
2 identify the network shares mounted for each user
3 apply the migration GPO on the OU
4 verify access to each computer and test the path to the default administrative shares C$ and ADMIN$
5 test remote rebooting
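The inventory steps above (category, stale machines, admin shares, remote reboot) can be done in one pass over the unit's OU. The script below is an added example and not the migration script the page refers to; it assumes PowerShell 3.0 or later with the RSAT ActiveDirectory module, an account that is local administrator on the workstations, and placeholder values for the OU distinguished name and the output file. For step 2 it reads the persistent drive mappings under HKU\<SID>\Network over the remote registry, which only covers users whose profile is currently loaded and requires the Remote Registry service on the target; drives mapped by logon script or GPO do not appear there.

```powershell
# Added example (not the page's own tooling): readiness inventory of one unit's computer OU in the
# STI domain before migration day. Assumptions: PowerShell 3.0+, RSAT ActiveDirectory module, the
# running account is local admin on the workstations; $UnitOU and the CSV path are placeholders.
Import-Module ActiveDirectory

$SourceDomain = 'sti.intranet.epfl.ch'
$UnitOU       = 'OU=LAB-Computers,OU=LAB,DC=sti,DC=intranet,DC=epfl,DC=ch'   # assumption
$StaleBefore  = (Get-Date).AddDays(-90)   # page: unused for more than 90 days -> re-join first

function Get-MappedDrives([string]$ComputerName) {
    # Step 2: "reconnect at logon" mappings live under HKU\<user SID>\Network\<letter>.
    # Only hives of currently logged-on users are loaded; Remote Registry must be running.
    $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $ComputerName)
    foreach ($sid in $hku.GetSubKeyNames()) {
        if ($sid -notlike 'S-1-5-21-*' -or $sid -like '*_Classes') { continue }
        $net = $hku.OpenSubKey("$sid\Network")
        if (-not $net) { continue }
        foreach ($letter in $net.GetSubKeyNames()) {
            "$sid ${letter}: -> $($net.OpenSubKey($letter).GetValue('RemotePath'))"
        }
    }
}

$computers = Get-ADComputer -Server $SourceDomain -SearchBase $UnitOU -Filter * `
                -Properties OperatingSystem, LastLogonTimestamp

$report = foreach ($c in $computers) {
    $fqdn = $c.DNSHostName
    # lastLogonTimestamp replicates lazily (up to ~14 days behind); fine for a 90-day cut-off.
    $lastLogon = if ($c.LastLogonTimestamp) { [DateTime]::FromFileTime($c.LastLogonTimestamp) } else { $null }
    $stale     = (-not $lastLogon) -or ($lastLogon -lt $StaleBefore)

    # Step 1: the two categories the page distinguishes.
    $os = [string]$c.OperatingSystem
    $category = switch -Wildcard ($os) {
        'Windows XP*' { 'XP (manual script)' }
        'Windows 7*'  { 'Win7 (automatic)' }
        default       { "other: $os" }
    }

    # Steps 4-5: admin shares reachable, and WMI (what Restart-Computer uses) answering.
    $online = Test-Connection -ComputerName $fqdn -Count 1 -Quiet
    $cShare = $online -and (Test-Path "\\$fqdn\C`$")
    $admin  = $online -and (Test-Path "\\$fqdn\ADMIN`$")
    $wmi    = $false
    if ($online) {
        try { $null = Get-WmiObject Win32_OperatingSystem -ComputerName $fqdn -ErrorAction Stop; $wmi = $true } catch {}
    }
    $drives = ''
    if ($wmi) {
        try { $drives = @(Get-MappedDrives $fqdn) -join '; ' } catch { $drives = 'remote registry unavailable' }
    }

    [PSCustomObject]@{
        Name = $c.Name; Category = $category; LastLogon = $lastLogon; Stale90d = $stale
        Online = $online; CShare = $cShare; AdminShare = $admin; WmiReboot = $wmi; MappedDrives = $drives
    }
}

$report | Sort-Object Category, Name | Format-Table -AutoSize

# Everything that blocks the automatic method, in one file for the calendar entry:
# stale machines must be re-joined, unreachable ones fixed or moved to the manual list.
$report | Where-Object { $_.Stale90d -or -not ($_.CShare -and $_.AdminShare -and $_.WmiReboot) } |
    Export-Csv -Path .\migration-blockers.csv -NoTypeInformation
```

A machine that answers ping but fails the C$/ADMIN$ test usually has the Windows firewall blocking File and Printer Sharing, which also breaks the remote reboot; fix that before the migration date rather than on the day.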

Your unit's migration plan must be recorded in the calendar.
Please edit the calendar directly.

2 Migration

One important task during the migration is to preserve the integrity of end-user data.
It is essential to follow the migration steps in order, to prevent security issues (a user's security identifier in the destination DOMAIN being disjoint from the one used in the source DOMAIN, so that permissions granted before the migration no longer apply).
User accounts are located only at level 4 (unit) of the directory, in the OU (unit)-Users.

For each lab, the migration order is as follows:

1 Groups
IMPORTANT: convert all your groups to universal groups!

!!! no authentication of end-users during steps 2-4 !!!
WARNING: the computers to be migrated must be powered ON.
To prevent use of the computers during this process, a GPO is applied; then all computers are remotely rebooted.

2 Service accounts

3 User accounts
- Note that if the migration is done manually with the script provided, the user can log on to the new DOMAIN INTRANET and check the profile. Usually, after the migration of the user, the profile is correctly mapped to the user's new authentication DOMAIN.

4 Migration of computers
5 Migration of user profiles
- Your users log on to the DOMAIN INTRANET and verify that their desktop and preferences have been transferred properly.

6 Migration of member servers
- verify access to the servers and network shares
- approve the migration of the servers
- wait for confirmation that the process has completed
- remotely reboot all the servers
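The two moments in this sequence that the unit administrator can script are the logon block before steps 2-4 (GPO applied, then a remote reboot of every powered-on machine) and the check after step 5 that each computer now belongs to INTRANET and that the migrated users' profiles are keyed under their INTRANET identity. The script below is an added example, not the central migration tooling; it assumes PowerShell 3.0 or later, the RSAT ActiveDirectory and GroupPolicy modules, a GPO that denies interactive logon prepared in the STI domain under the assumed name Migration-BlockLogon, and a placeholder OU distinguished name.

```powershell
# Added example (not the central migration tooling): what the unit admin runs around the central move.
# Assumptions: PowerShell 3.0+, RSAT ActiveDirectory + GroupPolicy modules; $BlockGpo is an assumed
# name for a logon-denying GPO that already exists in the STI domain; $UnitOU is a placeholder.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$SourceDomain = 'sti.intranet.epfl.ch'
$TargetDomain = 'intranet.epfl.ch'
$UnitOU       = 'OU=LAB-Computers,OU=LAB,DC=sti,DC=intranet,DC=epfl,DC=ch'   # assumption
$BlockGpo     = 'Migration-BlockLogon'                                        # assumption

# Short names, not DNSHostName: the DNS suffix changes with the domain, the NetBIOS name does not.
$hosts = Get-ADComputer -Server $SourceDomain -SearchBase $UnitOU -Filter * | ForEach-Object { $_.Name }

# --- before steps 2-4: nobody authenticates on these machines ---
# Enforced so that no GPO lower in the OU tree can override it; the reboot applies it at startup and
# at the same time proves every machine is powered on and remotely reachable (page: WARNING).
New-GPLink -Domain $SourceDomain -Name $BlockGpo -Target $UnitOU -LinkEnabled Yes -Enforced Yes | Out-Null
Restart-Computer -ComputerName $hosts -Force -Wait -For Wmi -Timeout 900

# --- after step 5: the central move has run; verify from the unit side ---
$targetSid = (Get-ADDomain -Identity $TargetDomain).DomainSID.Value   # S-1-5-21-... of INTRANET

function Test-MigratedHost([string]$ComputerName) {
    $cs = Get-WmiObject Win32_ComputerSystem -ComputerName $ComputerName -ErrorAction Stop
    # Win32_UserProfile lists profiles by owner SID: a migrated profile sits under the user's new
    # INTRANET SID; anything else is either not migrated yet or a purely local account.
    $profiles = Get-WmiObject Win32_UserProfile -ComputerName $ComputerName -ErrorAction Stop |
                Where-Object { -not $_.Special }
    [PSCustomObject]@{
        Host             = $ComputerName
        Domain           = $cs.Domain
        InIntranet       = ($cs.Domain -ieq $TargetDomain)
        IntranetProfiles = @($profiles | Where-Object { $_.SID -like "$targetSid-*" } | ForEach-Object { $_.LocalPath })
        OtherProfiles    = @($profiles | Where-Object { $_.SID -notlike "$targetSid-*" } | ForEach-Object { $_.LocalPath })
    }
}

$result = foreach ($h in $hosts) {
    try { Test-MigratedHost $h }
    catch { [PSCustomObject]@{ Host = $h; Domain = 'unreachable'; InIntranet = $false; IntranetProfiles = @(); OtherProfiles = @() } }
}

$result | Format-Table Host, Domain, InIntranet,
    @{ n = 'IntranetProfiles'; e = { $_.IntranetProfiles -join ',' } },
    @{ n = 'OtherProfiles';    e = { $_.OtherProfiles -join ',' } } -AutoSize

# Report these before telling users the migration is over: still in STI, unreachable, or a profile
# that was not re-keyed to an INTRANET SID (the user would get a fresh, empty profile at logon).
$result | Where-Object { -not $_.InIntranet -or $_.OtherProfiles.Count -gt 0 }
```

The logon-blocking GPO link stays on the old OU in STI; once every host reports InIntranet = True, confirm with the central team that no equivalent restriction was carried over to the new OU before announcing the end of the migration.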

7 Post-migration verifications:

For all:

The credentials saved on your computers may no longer be valid. The side effects are described below:

Network shares and other services:
After the migration of your computer, you must log on to the DOMAIN INTRANET.
For example, the user Jean Dupont with username jdupont logs on as INTRANET\jdupont.

Warning: this change applies to all the computers you use and on which you are authenticated.

Smartphones and tablets:
On iPhone, change the DOMAIN parameter to INTRANET.
On Windows Mobile, delete the old profile and create a new one with the new domain.
On Android, remove the profile and create a new one.

WARNING: on Android 2.2, your mail client will not be able to synchronize with the mail server.

Gaspar
During the migration of the institute, it is not possible to change your password with Gaspar.
Contact us if you are in this situation.

Computers in Active Directory

Windows

During the migration process, your account and your computer are migrated to the new DOMAIN.
You should find your desktop and preferences as they were before the migration; for example, your mounted folders and network shares should still work.
You must delete the credentials previously saved in your credential store (Windows Credential Manager) for services that authenticated against the DOMAIN STI, and add new entries for the DOMAIN INTRANET.
After the migration of the computer, you must log on to the DOMAIN INTRANET.
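The saved-credential clean-up described above (and in the "Network shares and other services" note) can be done with cmdkey rather than by hand in the Credential Manager dialog. The script below is an added example, not a tool from the page; it is run by the user on each computer they use, assumes an English Windows (the cmdkey /list labels "Target:", "Type:" and "User:" are localized on a French system), and assumes the username is unchanged and only the domain prefix moves from STI to INTRANET.

```powershell
# Added example (not from the original page): replace every saved credential that still uses
# STI\<user> with INTRANET\<user>. Run as the user on each of their computers.
# Assumptions: English cmdkey output; same username in both domains; the target name shown by
# `cmdkey /list` after "<type>:<kind>=" is the name `cmdkey /delete` and `/add` expect.
$OldDomain = 'STI'
$NewDomain = 'INTRANET'

function Get-SavedCredential {
    # Parse `cmdkey /list` into objects: each entry is a "Target:" line followed by "Type:" and "User:".
    $entries = @()
    $current = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(?:\w+:\w+=)?(.+?)\s*$') {
            if ($current) { $entries += $current }
            $current = [PSCustomObject]@{ Target = $Matches[1]; Type = ''; User = '' }
        } elseif ($current -and $line -match '^\s*Type:\s*(.+?)\s*$') {
            $current.Type = $Matches[1]
        } elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.User = $Matches[1]
        }
    }
    if ($current) { $entries += $current }
    $entries
}

$stale = @(Get-SavedCredential | Where-Object { $_.User -like "$OldDomain\*" })
foreach ($cred in $stale) {
    $user = $cred.User.Split('\')[-1]
    Write-Host "Replacing $($cred.User) for $($cred.Target) ($($cred.Type))"
    cmdkey "/delete:$($cred.Target)" | Out-Null
    # /pass with no value prompts interactively, so the password never lands in the script or history.
    # Generic entries (e.g. Outlook) must be re-created as generic, otherwise the application ignores them.
    if ($cred.Type -ieq 'Generic') {
        cmdkey "/generic:$($cred.Target)" "/user:$NewDomain\$user" /pass
    } else {
        cmdkey "/add:$($cred.Target)" "/user:$NewDomain\$user" /pass
    }
}

# Anything still under STI\ after the loop is an entry the user should look at by hand.
Get-SavedCredential | Where-Object { $_.User -like "$OldDomain\*" }
```

Saved credentials are per user and per computer, which is why the warning above says the change has to be repeated on every machine you use; a credential left pointing at STI\jdupont keeps failing silently and, on a share, can lock the account after repeated bad attempts.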

Mac server
If you use Active Directory for authentication or Active Directory Kerberos, contact us before the migration.

Linux workstation/server
If you have joined a Linux workstation to Active Directory for authentication, or you have Linux servers using Kerberos authentication for Samba, contact us before the migration.

For your users, the changes are described here:
— before the migration
— during the migration
— after the migration

In case of problems

We are here to help you:
Laurent Kling 33511
David Desscan 34633