Enable permissions for migrating an on-premises domain with SID history

This page explains how to enable the permissions required for migrating an existing Active Directory domain from on-premises to Managed Service for Microsoft Active Directory while preserving SID history.

Before you begin

Before you begin, do the following:

  1. Create a Managed Microsoft AD domain.
  2. Create a trust with the on-premises domain.
  3. Make sure that you read the Existing domain migration overview and understand these security implications.
  4. Make sure that you have any one of the following Identity and Access Management (IAM) user roles:

    • Google Cloud Managed Identities Domain Admin (roles/managedidentities.domainAdmin)
    • Google Cloud Managed Identities Admin (roles/managedidentities.admin)

    For more information, see Cloud Managed Identities roles.

Enable permissions to migrate a domain with SID history

You can grant the permissions required to migrate a domain along with SID history either to a global group or to a single user. We recommend using a global group, because it makes it easier to delegate the permissions to all of the users involved in migrating your domain.

For both these approaches, make sure that the users are part of Managed Microsoft AD and have administrator privileges to the on-premises domain.

Create a global group

To create a global group and add users, do the following:

  1. Identify users who need to perform the migration activities that include running ADMT.
  2. Ensure that these users are part of Managed Microsoft AD and have administrator privileges to the on-premises domain.
  3. Create a global group in Managed Microsoft AD. For example, migrate_domain_admins.

    For more information about global groups, see Group Scope.

  4. Add the users to the global group.

Enable permissions on the Managed Microsoft AD domain

When you enable the permissions required on Managed Microsoft AD using the gcloud CLI, Managed Microsoft AD creates a delegated group, Cloud Service Migrate SID Administrators, under the Cloud Service Objects OU. This delegated group provides the permissions required to migrate an on-premises domain along with SID history.

  • Name: Cloud Service Migrate SID Administrators
  • Type: Domain Local
  • Description: Members can migrate SID history while migrating Active Directory objects from on-premises to Managed Microsoft AD using the ADMT tool. This can include members from trusted domains.

To enable the permissions required for migrating your on-premises domain with SID history, run the following gcloud CLI command:

gcloud beta active-directory domains migration enable DOMAIN_NAME \
  --onprem-domains=SOURCE_DOMAIN_NAME \
  --disable-sid-filtering-domains=SID_FILTERING_DOMAIN_NAME

Replace the following:

  • DOMAIN_NAME: The name of your Managed Microsoft AD domain. For example, my-domain.com.
  • SOURCE_DOMAIN_NAME: The name of your on-premises domain that Managed Microsoft AD trusts. For example, domain-one.com.
  • SID_FILTERING_DOMAIN_NAME: The name of your on-premises domain for which you want to disable SID filtering. For example, domain-one.com.

Delegate permissions

To delegate the ability to migrate an on-premises domain with SID history, add the global group or the single user to the following groups on Managed Microsoft AD:

  • Cloud Service Administrators
  • Cloud Service Migrate SID Administrators

Managed Microsoft AD delegates the permissions to the members of the global group, or to the single user, which in turn lets them migrate SID history from the on-premises domain using ADMT.

To add the global group or the user to the required Managed Microsoft AD groups and delegate the permissions, run the following commands in PowerShell:

Add-ADGroupMember -Identity 'Cloud Service Administrators' `
  -Members GROUP_OR_USER

Add-ADGroupMember -Identity 'Cloud Service Migrate SID Administrators' `
  -Members GROUP_OR_USER

Replace GROUP_OR_USER with the name of your global group or user. For example, migrate_domain_admins, my_user.

For more information, see Add-ADGroupMember.
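The following PowerShell script is an added example, not part of the Google Cloud documentation or of Managed Microsoft AD itself. It carries the two procedures on this page through end to end: it creates the global group from the "Create a global group" section and adds the migration users to it, then delegates that group into the two Managed Microsoft AD groups named under "Delegate permissions" and verifies the resulting membership. The domain name, the target OU, and the user account names are placeholders (assumptions not taken from the page), and the script assumes it runs on a domain-joined Windows host with the RSAT ActiveDirectory module, under an account that is already a Managed Microsoft AD delegated administrator.

```powershell
# Added example: create the global group, add migration users, delegate the
# group into the Managed Microsoft AD groups from this page, and verify.
# Assumptions (placeholders, not from the page): $DomainName, $GroupOU and
# $MigrationUsers. The two delegated group names are the ones the page lists.
Import-Module ActiveDirectory

$DomainName      = 'my-domain.com'                    # Managed Microsoft AD domain (placeholder)
$GroupName       = 'migrate_domain_admins'            # global group name from the page
$GroupOU         = 'OU=Cloud,DC=my-domain,DC=com'     # assumed: an OU your delegated admin can write to
$MigrationUsers  = @('my_user', 'second_user')        # constructed sAMAccountNames
$DelegatedGroups = @('Cloud Service Administrators',
                     'Cloud Service Migrate SID Administrators')

# 1. Create the global security group if it does not already exist (idempotent).
$group = Get-ADGroup -Filter "sAMAccountName -eq '$GroupName'" -Server $DomainName
if ($null -eq $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -Path $GroupOU `
        -Server $DomainName -PassThru
}

# 2. Add each migration user. Resolve the account first so that a typo in one
#    name is reported instead of aborting the whole loop.
foreach ($sam in $MigrationUsers) {
    $user = Get-ADUser -Filter "sAMAccountName -eq '$sam'" -Server $DomainName
    if ($null -eq $user) {
        Write-Warning "User '$sam' not found in $DomainName; skipping"
        continue
    }
    Add-ADGroupMember -Identity $group -Members $user -Server $DomainName
}

# 3. Delegate. 'Cloud Service Migrate SID Administrators' exists only after
#    'gcloud beta active-directory domains migration enable' has run, so check
#    for it rather than letting Add-ADGroupMember fail with a generic error.
foreach ($target in $DelegatedGroups) {
    $t = Get-ADGroup -Filter "name -eq '$target'" -Server $DomainName
    if ($null -eq $t) {
        throw "Group '$target' not found in $DomainName. Run 'gcloud beta active-directory domains migration enable' first."
    }
    Add-ADGroupMember -Identity $t -Members $group -Server $DomainName
}

# 4. Verify and record the direct membership of each delegated group, so the
#    delegation can be reviewed and the group membership is auditable.
foreach ($target in $DelegatedGroups) {
    $members = Get-ADGroupMember -Identity $target -Server $DomainName |
        Select-Object -ExpandProperty SamAccountName
    Write-Output ("{0}: {1}" -f $target, ($members -join ', '))
    if ($members -notcontains $GroupName) {
        throw "Delegation of '$GroupName' to '$target' did not take effect"
    }
}
```

Because both the group creation and the membership changes check for existing objects before acting, the script can be re-run after adding a user to $MigrationUsers without creating duplicates or failing on members that are already present. Step 4 also doubles as the check to run before starting ADMT: if either delegated group does not list the global group, the migration users will not have the SID history permissions this page describes.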

After you complete these steps, you can use ADMT and migrate your existing domain from on-premises to Managed Microsoft AD with SID history.

What's next