Enable permissions for migrating an on-premises domain with SID History

This topic explains how to enable the permissions required for migrating an existing domain from on-premises to Managed Service for Microsoft Active Directory while preserving SID History.

Before you begin

Before you begin, do the following:

  1. Create a Managed Microsoft AD domain.
  2. Create a trust with the on-premises domain.
  3. Make sure to read the Existing domain migration overview.

  4. Make sure that you have any one of the following Identity and Access Management (IAM) user roles:

    • Google Cloud Managed Identities Domain Admin (roles/managedidentities.domainAdmin)
    • Google Cloud Managed Identities Admin (roles/managedidentities.admin)

    For more information, see Cloud Managed Identities roles.

Create a domain local group

You can create a domain local group in Managed Microsoft AD for delegating the permissions to all the users involved in migrating your domain. To create a domain local group and add users, do the following:

  1. Create a domain local group. For example, migrate_domain_admins.

    For more information about how to create a domain local group, see Group Scope and Creating Groups in a Domain.

  2. Identify users who will perform the migration activities that include running ADMT.

  3. Ensure that these users have administrator privileges to the on-premises domain.

  4. Add these users to the domain local group. For more information, see Adding Members to Groups in a Domain.

Enable permissions on the Managed Microsoft AD domain

To enable the permissions required for migrating your on-premises domain with SID History, run the following gcloud CLI command:

gcloud beta active-directory domains migration enable DOMAIN_NAME \
  --onprem-domains=SOURCE_DOMAIN_NAME \
  --disable-sid-filtering-domains=SID_FILTERING_DOMAIN_NAME

Replace the following:

  • DOMAIN_NAME: The name of your Managed Microsoft AD domain. For example, my-domain.com.
  • SOURCE_DOMAIN_NAME: The name of your on-premises domain which Managed Microsoft AD trusts. For example, domain-one.com.
  • SID_FILTERING_DOMAIN_NAME: The name of your on-premises domain for which you want to disable SID Filtering. For example, domain-one.com.

Delegate permissions

To delegate the ability to migrate on-premises domain with SID History, you can add the domain local group or the user to the following groups available on Managed Microsoft AD:

  • Cloud Service Administrators
  • Cloud Service Migrate SID Administrators

To add a group or user to these groups, run the following commands in PowerShell:

Add-ADGroupMember -Identity 'Cloud Service Administrators' \
  -Members GROUP_OR_USER

Add-ADGroupMember -Identity 'Cloud Service Migrate SID Administrators' \
  -Members GROUP_OR_USER

Replace GROUP_OR_USER with the name of your domain local group or user. For example, migrate_domain_admins, my_user.

For more information, see Add-ADGroupMember.

After you complete these steps, you can use ADMT and migrate your existing domain from on-premises to Managed Microsoft AD with SID History.

Manage permissions

Check permissions

You can check if the permissions required to migrate domains with SID History are available on a Managed Microsoft AD domain.

To validate the permissions, run the following gcloud CLI command:

gcloud beta active-directory domains migration check-permission DOMAIN_NAME

Replace DOMAIN_NAME with the name of your Managed Microsoft AD domain. For example, my-domain.com.

This operation validates if the Managed Microsoft AD has the Cloud Service Migrate SID Administrators group created and the state of SID Filtering on all the trusted domains.

The response lists the SID Filtering state of all the trusted domains and the state of permissions required in your Managed Microsoft AD domain:

onpremDomains:
- name: domain-one.com
  sidFilteringState: ENABLED
- name: domain-two.com
  sidFilteringState: DISABLED
state: ENABLED

Your Managed Microsoft AD domain can have anyone of the following states:

State Description
STATE_UNSPECIFIED Not set.
DISABLED Managed Microsoft AD domain don't have the permissions required to migrate the on-premises domain with SID History. SID Filtering is enabled on all the trusted domains.
ENABLED Managed Microsoft AD domain has the permissions required to migrate the on-premises domain with SID History. To check the SID Filtering state, see the sidFilteringState field for all the trusted domains in the response.
NEEDS MAINTENANCE Permissions seem to be in intermittent state for your Managed Microsoft AD domain. To reset the state, either enable permissions or disable permissions as you require.

Disable permissions

After you complete the migration, you can disable the permissions provided for migrating your on-premises domain with SID History.

To disable the permissions, run the following gcloud CLI command:

gcloud beta active-directory domains migration disable DOMAIN_NAME

Replace DOMAIN_NAME with the name of your Managed Microsoft AD domain. For example, my-domain.com.

This operation disables the permissions provided to your domain by deleting the Cloud Service Migrate SID Administrators group from Managed Microsoft AD and enables SID Filtering on all the trusted domains.