This page explains how to check if the permissions that are required to migrate an existing Active Directory domain from on-premises to Managed Service for Microsoft Active Directory with SID history are enabled. This page also explains how to disable these permissions after you complete the migration.
Before you begin
Make sure that you have any one of the following Identity and Access Management (IAM) user roles:
- Google Cloud Managed Identities Domain Admin (roles/managedidentities.domainAdmin)
- Google Cloud Managed Identities Admin (roles/managedidentities.admin)
For more information, see Cloud Managed Identities roles.
Check permissions
You can check if the permissions that are required to migrate domains with SID history are available on a Managed Microsoft AD domain.
To validate the permissions, run the following gcloud CLI command:
gcloud beta active-directory domains migration check-permissions DOMAIN_NAME
Replace DOMAIN_NAME with the name of your Managed Microsoft AD domain. For example, my-domain.com.
This operation validates whether the Managed Microsoft AD domain has the Cloud Service Migrate SID Administrators group created and reports the state of SID filtering on all the trusted domains.
The response lists the SID filtering state of all the trusted domains and the state of permissions required in your Managed Microsoft AD domain:
onpremDomains:
- name: domain-one.com
  sidFilteringState: ENABLED
- name: domain-two.com
  sidFilteringState: DISABLED
state: ENABLED
Your Managed Microsoft AD domain can have any one of the following states:
| State | Description |
|---|---|
| DISABLED | The Managed Microsoft AD domain doesn't have the permissions required to migrate the on-premises domain with SID history. SID filtering is enabled on all the trusted domains. |
| ENABLED | The Managed Microsoft AD domain has the permissions required to migrate the on-premises domain with SID history. To check the SID filtering state, see the sidFilteringState field for each trusted domain in the response. |
| NEEDS MAINTENANCE | Permissions for your Managed Microsoft AD domain appear to be in an intermediate state. To reset the state, either enable or disable the permissions as required. |
Disable permissions on the Managed Microsoft AD domain
After you complete the migration, you must disable the permissions provided for migrating your on-premises domain with SID history.
To disable the permissions, run the following gcloud CLI command:
gcloud beta active-directory domains migration disable DOMAIN_NAME
Replace DOMAIN_NAME with the name of your Managed Microsoft AD domain. For example, my-domain.com.
This operation disables the permissions provided to your domain by deleting the Cloud Service Migrate SID Administrators group from Managed Microsoft AD and enables SID filtering on all the trusted domains.
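The following script is an added example, not part of this page or of the gcloud CLI, that ties the two procedures above together: it parses a check-permissions response in the YAML shape shown earlier, reports the permission state, lists every trusted domain on which SID filtering is still not ENABLED, and tells you whether the domain is in the expected post-migration posture (permissions DISABLED, SID filtering ENABLED everywhere). The embedded response is constructed from the sample on this page; the assumption is that the real command prints YAML in that same shape, which you would pass in as the first argument.

```shell
#!/bin/sh
# Added example (not Google Cloud documentation code). Parses the output of
#   gcloud beta active-directory domains migration check-permissions DOMAIN_NAME
# assumed to be YAML in the shape shown on the page. SAMPLE_RESPONSE is a
# constructed copy of the page's sample, used when no argument is given.

SAMPLE_RESPONSE='onpremDomains:
- name: domain-one.com
  sidFilteringState: ENABLED
- name: domain-two.com
  sidFilteringState: DISABLED
state: ENABLED'

# Print the top-level permission state: DISABLED, ENABLED or NEEDS MAINTENANCE.
# Only the unindented "state:" key matches, not the per-domain sidFilteringState.
permission_state() {
  printf '%s\n' "$1" | awk '/^state:/ { sub(/^state:[ \t]*/, ""); print; exit }'
}

# Print, one per line, every trusted domain whose sidFilteringState is not ENABLED.
unfiltered_domains() {
  printf '%s\n' "$1" | awk '
    /^- name:/           { name = $3 }
    /sidFilteringState:/ { if ($2 != "ENABLED") print name }
  '
}

# Succeed only in the expected post-migration posture: migration permissions
# DISABLED on the Managed Microsoft AD domain and SID filtering ENABLED on
# every trusted domain.
post_migration_ok() {
  [ "$(permission_state "$1")" = "DISABLED" ] && [ -z "$(unfiltered_domains "$1")" ]
}

main() {
  response=${1:-$SAMPLE_RESPONSE}
  echo "permission state: $(permission_state "$response")"
  leftovers=$(unfiltered_domains "$response")
  if [ -n "$leftovers" ]; then
    echo "SID filtering still disabled on:"
    printf '  %s\n' $leftovers
  fi
  if post_migration_ok "$response"; then
    echo "OK: migration permissions are disabled and SID filtering is enabled on all trusted domains"
  else
    echo "ACTION: run 'gcloud beta active-directory domains migration disable DOMAIN_NAME' and re-check"
  fi
}

main "$@"
```

Run it with the check-permissions output as the argument (for example `./check_sid_state.sh "$(gcloud beta active-directory domains migration check-permissions my-domain.com)"`, where the script name is illustrative). The check is worth repeating after running migration disable: a trust that still reports sidFilteringState: DISABLED is the migration-time exception the permissions create, and it should not outlive the migration.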