Microsoft SharePoint Online for Enterprises
Domain Migration Planning Template Published: October 2012
Microsoft SharePoint Online Domain Migration Planning Template
12.3
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
©2012 Microsoft Corporation. All rights reserved.
Microsoft, ActiveSync, Active Directory, Entourage, Forefront, Internet Explorer, Lync, Outlook, SharePoint, Windows, Windows Phone, Windows Mobile, Windows PowerShell, and Windows Vista are trademarks of the Microsoft group of companies.
All other trademarks are property of their respective owners.
Contents
Chapter 1 Assessment
section 1.1 Project Scope
section 1.2 Migration Plan
section 1.2.1 Tasks
section 1.2.2 Domain List/Data Source
section 1.2.3 Active Directory Trusts
section 1.2.4 Current Environment
Chapter 2 During Migration
section 2.1 User Profiles and Active Directory
section 2.1.1 Active Directory Design
section 2.1.2 Active Directory Synchronization
section 2.1.3 BCS Sync'd
section 2.1.4 User Updated
section 2.2 People
section 2.2.1 Resolve Users
Chapter 3 CR List
Chapter 4 Reports
section 4.1 Orphan Site Report
section 4.2 Active Directory Groups
section 4.3 Broken Inheritance
Chapter 5 Schedule
section 5.1 Active Directory Migration Schedule
section 5.2 DMT Migration Schedule
Microsoft SharePoint Online Domain Migration Planning Template
2010/2013
Chapter 1 Assessment
The purpose of this domain migration plan template is to identify and capture all the known facts
regarding domain migrations for Microsoft® SharePoint® Online for enterprises dedicated plan
customers. Based on known information and assumptions, this document is an attempt to identify steps
required for a successful completion of domain migrations. Customers must use this template as the basis
of a complete domain migration plan.
The scope of this document is limited to remediation of user profile and permissions. Active Directory
information captured and covered in this document is limited to what is required for the user profile and
permission remediation. The purpose of completing this template is to ensure customers are protected
from the known failure modes of SharePoint Online domain migration.
Important
This domain migration plan template must be completed and submitted for approval through the
service delivery manager (SDM), along with the requisite configuration requests (CRs). The
customer’s domain migration plan must be approved by Microsoft before domain migration can
occur. Before domain migration planning can begin, customers must read the SharePoint Online
Domain Migration Policy, available to customers on the Customer Extranet site.
section 1.1 Project Scope
In this section, provide an executive summary of what this project is to achieve.
What is the scope of the project?
What are the business drivers?
Include a project description.
section 1.2 Migration Plan
Insert a screen shot of the project plan here. Include all important dates, including Alpha Pilot, Pilot and
production wave schedule.
Phase | Dates | Main Characteristics | Notes
First Phase | | |
Test | | |
Alpha Pilot | | |
Pilot-1 | | |
Pilot-2 | | |
Wave-1 | | |
Second Phase (if applicable) | | |
Test | | |
Alpha Pilot | | |
Pilot-1 | | |
Pilot-2 | | |
Wave-1 | | |
section 1.2.1 Tasks
The following table lists the tasks to be performed before, during, and after the migration. The scope of
these tasks is limited to user migration in SharePoint Online only.
The template below has examples of the required tasks.
Task Order | Task | Owner | Dependency
1 | Prepare CRs | Customer |
2 | Submit CRs | Customer/SDM |
4 | Plan Active Directory migration waves | Customer |
section 1.2.2 Domain List/Data Source
Please list these details.
Active Directory domains
User profile data sources
Domain synchronization
Active Directory OU structure
Active Directory trust relationships
User log on account/domain
section 1.2.3 Active Directory Trusts
Clearly define and illustrate the current trust relations in SharePoint Online. Also include the trust
relationships planned. In certain scenarios, the customer will gradually decompose the existing trust once
the migration is complete. Please include those as well. Divide this section into Current Scenario, During
Migration, and Final Scenario.
Scenario | Trust relationship in SharePoint Online
Current Scenario |
During Migration |
Final Scenario |
Please use a visual illustration to show various states of Active Directory trusts.
section 1.2.4 Current Environment
This section is important to the understanding of how domains are configured and designed. Details in
this section help the customer identify how user profiles and authentication work in the current
environment. Provide specifics of domain trusts and how SharePoint Online is configured to various
domains. As a result of this section, you will be able to answer these questions:
Is sufficient trust in place to authenticate a user?
Is there a trust to a domain from the cloud, which would allow users to use login credentials that
they should not be using once migration starts?
Apart from Active Directory trust, you will also start collecting information on how your SharePoint Online
environment is configured. If you are not sure how to get specific information, please contact the SDM. In
most cases a service request (SR) is required. Typically, you will look for the following information:
FIM filters in place (on your existing Active Directory connection)
People Picker search custom filter
OU scope that your current user profile connection crawls
Any web application permission policy in place
Any audience targeting to an Active Directory security group
Chapter 2 During Migration
Based on the current Active Directory trust and user profile connection discovered above, what additional
configuration will be needed during the transition? The following sections address the collection of
detailed information for the following:
Authentication
User profiles
Resolving users in People Picker
FIM filters that should be put in place
People picker custom filter
User profile property list and binding
section 2.1 User Profiles and Active Directory
Important
For information about failure modes and remediation for handling user profiles during migrations,
see the SharePoint Online Domain Migration Policy, available to customers on the Customer
Extranet site.
section 2.1.1 Active Directory Design
In this section, describe how the user migration is managed and controlled in Active Directory. Include
these specific details:
1. Migration method: There are various methods that can be adopted in order to migrate users in
Active Directory:
   - The user objects are copied into the target directory prior to their logon migration.
   - The user objects are copied but disabled in the target domain prior to actual user logon
     migration.
   - The user objects are not copied into target domain, but migrated along with their logon
     migration.
Item | User State | Migration State
Copy all user objects into Target domain | User objects are copied to a different OU (rest) in the target (and are disabled / enabled) | Pre-migration
User Logon migration | Users are moved from rest OU into the employee OU and are enabled | During migration
Delete user in the source domain | User account is disabled or deleted in the source domain | Post migration
2. Extension attributes and other attributes
Attribute | Currently in all the domains | Will be added / removed
Manager | Yes | Deleted in target domain
Awards | No | Added: To all the domain schema
3. Filter users: How will the SG groups be created to block and unblock users in old and new
domains from accessing SharePoint Online? Specify the synchronization with relationship to the
domain migration stages.
Stage | Block user in source domain | Block user in destination domain
Current | |
During migration | |
After Migration | |
section 2.1.2 Active Directory Synchronization
Identify the user profile properties in this section that are being synchronized from the current Active
Directory. This will help ensure that source Active Directory attribute schema and the target domain
attribute schema are in sync. Note any additional attributes that are being included in the schema, and
confirm that all the domains that are used to build user profiles during migration conform to the schema.
User Profile properties | Current Active Directory attr. Schema | Source Active Directory attr. Schema
section 2.1.2.1 Account block/unblock activities
When a user logs into SharePoint 2010, authentication is done by the operating system and IIS. Since
there will be various trust relationships between domains, if users are not disabled in the source domain
as they are migrated, in theory users can log into SharePoint using the old login (sign in as). If the domain
migration tool (DMT) is executed for that user in SharePoint Online, the user will generally see an “access
denied” error from the SharePoint authorization process, but the user will still be served pages that have “All
authenticated user” permissions defined. This may create confusion and an undesired user experience. If
the DMT is not executed for the user in SharePoint Online, logging in using the new login will cause the
DMT to fail for that user.
Migration Stage | Not Migrated user in Source | Not Migrated user in target
Current | |
During | |
After | |
You can use a web application policy in combination with an Active Directory security group to deny
access to SharePoint Online by placing users in the Active Directory security group. Please describe here
how this is being addressed.
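A pre-flight check for the block/unblock rules in this section, as an added example that is not part of the Microsoft template: it reads a per-user status export and flags accounts that can still sign in on the wrong side of the migration. The CSV column names, the finding labels and the sample rows are assumptions constructed for this example; it also goes slightly beyond the text by flagging users left with no working login.

```python
import csv
import io

# Constructed sample export. Column names are assumptions for this example:
#   dmt_executed - the DMT has been run for this user in SharePoint Online
#   *_enabled    - the account is enabled in the source / target domain
#   *_denied     - the account is in the security group bound to the
#                  deny web application policy
SAMPLE_CSV = """\
user,dmt_executed,source_enabled,source_denied,target_enabled,target_denied
jdoe,yes,yes,no,yes,no
asmith,yes,no,no,yes,no
bchan,no,yes,no,yes,no
clee,no,yes,no,yes,yes
dkim,no,yes,no,no,no
epark,yes,yes,yes,yes,no
fwong,yes,no,no,yes,yes
"""

FLAG_COLUMNS = ("dmt_executed", "source_enabled", "source_denied",
                "target_enabled", "target_denied")


def parse_flags(row):
    """Turn the yes/no columns into booleans; reject anything else."""
    flags = {}
    for column in FLAG_COLUMNS:
        value = (row.get(column) or "").strip().lower()
        if value not in ("yes", "no"):
            raise ValueError(f"{row.get('user')}: bad value in {column!r}")
        flags[column] = value == "yes"
    return flags


def check_user(row):
    """Return the list of findings for one user row (empty list = consistent)."""
    f = parse_flags(row)
    # A login is usable only if the account is enabled and not in the deny group.
    old_login = f["source_enabled"] and not f["source_denied"]
    new_login = f["target_enabled"] and not f["target_denied"]
    findings = []
    if f["dmt_executed"] and old_login:
        # Old login still authenticates over the trust: "access denied" on most
        # content, but "All authenticated user" pages are still served.
        findings.append("OLD_LOGIN_OPEN")
    if not f["dmt_executed"] and new_login:
        # Signing in with the new login before the DMT run makes the DMT fail.
        findings.append("NEW_LOGIN_BEFORE_DMT")
    # Added check: the login the user is supposed to use must actually work.
    if not (new_login if f["dmt_executed"] else old_login):
        findings.append("LOCKED_OUT")
    return findings


def audit(csv_text):
    """Map each user with at least one finding to its findings."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = check_user(row)
        if findings:
            report[row["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit(SAMPLE_CSV).items():
        print(user, ", ".join(findings))
```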
section 2.1.3 BCS Sync'd
Many organizations use a BCS layer to populate certain user profile properties. Please identify profile
properties, if any. This may call for some remediation of the BCS layer as the users are being migrated. LANID
is almost always used as a primary key when using BCS to sync user profile properties. Ensure that the
back-end attribute data source switches to the new LANID as users are being migrated.
Information | Yes / No | Plan to remediate
Do you use BCS to sync data in profile properties? | |
Are you planning to modify your BCS solution for migrated users? | |
Are there any custom applications that may be using the BCS sync’d data? | |
section 2.1.4 User Updated
Because user-updated properties are managed by the users and are stored in the profile database, when
the user is migrated, these properties are lost. SharePoint builds new profiles. Depending on the number
of user updateable properties and how critical they are, have a plan to automate populating these
properties by leveraging the user profile service API. This is not a required step. But depending on the
business requirement, include the decision and plan to handle the user-updated profile properties.
Property | Any change in the target domain | Dependency if this is not remediated
section 2.2 People
section 2.2.1 Resolve Users
Since People Picker and user profile are two completely separate features, People Picker executes in real
time against Active Directory. For this to work correctly, ensure that People Picker is configured to resolve
users from the appropriate domain. Ensure that the new domains are reachable from the SharePoint
Online data center. In this section, please list the FQDNs of domains that will now be used to resolve the
users.
FQDN list
Chapter 3 CR List
Purpose (Jon Doe is migrated to newdomain) | CR | CR Number / SharePoint Online template links
New account profiles are not imported in SharePoint online farm before running DMT. After this CR is run, NewDomain\Jon Doe profile will be “marked for deletion.” | 1. Standard CR: Update FIM Filter to exclude NewDomain\Jon Doe | SPOD-10-143: Modify Forefront Identity Manager Filter
To delete the users’ old profile after the domain migration, the customer must go to SPSites to manage user profile deletion. | 1. Managed in SPSites. Below are the details on the user profile deletion in SPSites. 2010: Click Here for documentation. 2013: Click Here for documentation. |
If the user accesses a SharePoint Online site with new domain account, the migration will FAIL. These CRs are to ensure that NewDomain\Jon Doe CANNOT access any SharePoint Online sites. | 2. Standard CR: update People Picker Filter to exclude NewDomain\Jon Doe (only be able to choose users in CURRENT domain). 3. Standard CR: implement a DENY ALL web application policy for SG that contains NewDomain\Jon Doe | SPOD-10-135: People Picker Filter; SPOD-10-023: Update User Policy for Web Application
Chapter 4 Reports
section 4.1 Orphan Site Report
Orphan sites are a failure scenario in SharePoint 2010. Submit the appropriate SR to get a report on users
impacted by orphan sites (config orphan) and to clean up orphan sites.
section 4.2 Active Directory Groups
As of the writing of this document, DMT does not re-permission the security in SharePoint Online directly
given to Active Directory groups. Describe the remediation in place to re-permission Active Directory
groups in SharePoint Online. Typically this is a manual remediation.
section 4.3 Broken Inheritance
This is a POC/test scenario. Please perform adequate testing in the pre-production environment (PPE) to
ensure the DMT tool is able to remediate the sub sites permissions that do not inherit permission from
the parent.
Chapter 5 Schedule
section 5.1 Active Directory Migration Schedule
Phase | Date | User count | Environment
Test | | 10 | On premises
Alpha Pilot | | 10 | Production
Pilot-1 | | 50 | Production
Pilot-2 | | 50 | Production
Wave-1 | | 1000 | Production
End Migration | | | Production
section 5.2 DMT Migration Schedule
DMT execution Phase | Date | Max user count/DMT run | DMT frequency per day | Environment
Test | | 10 | | On premises
Alpha Pilot | | 10 | | Production
Pilot-1 | | 50 | | Production
Pilot-2 | | 50 | | Production
Wave-1 | | 1000 | | Production
End Migration | | | | Production
Note: The DMT can be scheduled hourly with up to 1,000 user records. If the DMT is scheduled to run
once a day, the .csv file can contain 10,000 user records.