MCSE Training Kit (Exam 70-222): Migrating from Microsoft Windows NT 4.0 to Microsoft Windows 2000 (MCSE Training Kits)
The ClonePrincipal utility is a core tool for use in inter-forest restructures. In this lesson, you'll learn how to obtain and use it. ClonePrincipal is supplied on the Windows 2000 Server CD-ROM as one of the support tools.
After this lesson, you will be able to
- Identify when to use the ClonePrincipal tool.
- Identify the strengths and weaknesses of the tool.
Estimated lesson time: 30 minutes
ClonePrincipal can copy Windows NT user attributes onto objects in a Windows 2000 domain and is used only with an inter-forest restructure. The cloning procedure works by reading the objects in the source domain, so it doesn't change any of the objects in any way. It has the following set of attributes:
- It is provided as a COM object that's driven by a set of Visual Basic scripts. These scripts allow developers to create custom cloning tools for specific requirements.
- It can add the SID of a source object to the SIDhistory attribute of an object in the target domain.
- It can be used to combine multiple groups into a single group in the destination.
- It is also used by ADMT.
There's no ClonePrincipal program as such. Instead, the actual files that make up the ClonePrincipal tool are Clonepr.dll, Adssecurity.dll, and Adserror.dll. You can control the ClonePrincipal object from scripts or programs that you write. The heart of ClonePrincipal is Clonepr.dll, which implements the DSUtils.ClonePrincipal COM object.
ClonePrincipal COM Object
The ClonePrincipal COM object provides the ICloneSecurityPrincipal interface, which can be accessed via three methods:
- Connect. This method sets up connections to the source and destination domain controllers. It accepts four parameters—the names of the source domain controller, source domain, destination domain controller, and destination domain, respectively. If the connection succeeds, the method call returns the S_OK value. For example,
Dim clonepr Set clonepr = CreateObject("DSUtils.ClonePrincipal") clonepr.Connect "Chaicodc1", "chaico", "Michaelis", "milesco"
This code would create an object and then connect to the CHAICO and MILESCO domains so that items can be copied from a computer called chaicodc1 in Chaico into Michaelis in Milesco.
- CopyDownlevelUserProperties. This method copies the Windows NT properties of a user to the destination given. It accepts three parameters: the name of the object in the source domain, the name of the object in the destination domain, and a flag value (which is presently unused). It returns S_OK if the copy succeeds. For example:
clonepr.CopyDownlevelUserProperties "ChaicoRobM", "MilescoRobM", 0
The properties of user ChaicoRobm are copied to user MilescoRobm. The user ChaicoRobm must exist in the source domain. If the user MilescoRobm doesn't exist, it's created. If the user MilescoRobm already exists, the properties (in other words, group memberships and SIDhistory information) of ChaicoRobm are added to it. This method can be used to combine a number of different accounts into a single one, with permissions in a number of source domains. When a user is copied in this way, the password is set to a null string and the account is disabled.
- AddsIDHistory. This method copies the SID of a source principal to the SIDhistory of an existing destination principal in a different forest. SIDhistory can then be added to cloned users to allow them to access resources in the original source domain. It accepts three parameters: the name of the source object, the name of the destination object, and a flag value (which is presently unused). It returns S_OK if the copy succeeds.For example:
clonepr.AddSidHistory "chaicoRobm", "milescorobm", 0
The SID value of chaicorobm is added to the SIDhistory property of milescorobm.
The command can also allow you to assign a collection of SIDhistory attributes from a variety of source objects to any user in the destination domain.
ClonePrincipal Scripts
The sample scripts that are provided with ClonePrincipal are shown in Table 9.9.
Table 9.9 ClonePrincipal Scripts
| Script File | Function |
|---|---|
| Sidhist.vbs | Used to copy the SID of a source object into the SIDhistory of an existing security principal. If required, it can aggregate the SIDs of multiple users from a source domain into one user account on the destination. |
| Clonepr.vbs | Clones a single object. It creates the destination object (user, global group, or domain local group) if it doesn't already exist, copies the properties of the source principal to the destination principal, then copies the source SID to the SIDhistory of the destination. When cloning a global group or user, it establishes group memberships in the destination domain to reflect the memberships in the source domain. When cloning a shared or domain local group, it copies the entire source membership list to the destination local group. |
| Clonegg.vbs | Clones all global groups in a domain. |
| Cloneggu.vbs | Clones all global groups and users in a domain. |
| Clonelg.vbs | Clones all "shared" or domain local groups in a domain. |
The scripts are executed by Windows Script Host using the Cscript command.
When to Use ClonePrincipal
The power of ClonePrincipal lies in the fact that it can be driven from user-written scripts. The implication for custom migrations is that specific requirements on the filtering and management of how objects are cloned can be implemented as programs. For general management, it isn't recommended because it must be driven from a script file.
Cloning a User
Using the default ICloneSecurityPrincipal::CopyDownlevelUserProperties method, the following Windows NT 4.0 user properties are copied from the source account to the destination account. These will overwrite existing properties on the destination account:
- General properties
- Full name
- Description
- Password/account flags (with exceptions noted)
- Profile properties
- User profile: profile path; logon script
- Home directory: local path; connect drive and location
- Dial-in properties
- RAS access (allow/deny/control through policy)
- Verify caller ID
- Callback options (no callback/set by caller/callback to number)
- Static IP address
- Static routes (table of destination:network mask:hops)
- File and print for netware properties
- Terminal server properties
- Other third-party application properties that are returned in user parameters
The following properties are explicitly set on the destination user:
- Account is disabled
- User must change password at next logon
- Password is set to NULL
Hence, once migrated, you'll need to reenable the user accounts and let the users know that a blank password has been set on their account.
NOTE
User properties unique to Windows 2000 aren't copied by ClonePrincipal, even if the source domain is Windows 2000.
For more detailed information, read the clonepr.doc file in the Tools folder.
Practice: Using ClonePrincipal
In this practice, you'll perform an inter-forest copy using the ClonePrincipal tool. You'll use a single command to invoke the tool and clone the Mig2 user in the MIGRATE domain. It's important that the source and destination domains be properly configured for the command to work. Ensure that the premigration tasks that were detailed earlier in this chapter for ADMT have been completed. All command-line operations must be performed on TRAINKIT1.
- Log on to TRAINKIT1 as Administrator with the password secret.
- Open a command prompt and switch to the Tools folder; remember that you installed the Support Tools into the C:\Tools folder. The batch files you'll be using in this chapter depend on the tools being located there.
- On TRAINKIT1, issue the command to clone the Mig2 user in the MIGRATE domain by typing the entire command as shown. Don't press Enter until you reach the very end of the final line shown. If you're concerned about typing it correctly, start Notepad and type the command into a batch file and then run the batch file. If you get any errors, edit your typing until it's correct. If you partially migrate Mig2, you might find that the script refuses to work the second time, so be careful, or if necessary, create another user on MIGRATE1 and then try to migrate that user (adjust the /srcsam and /dstsam parameters to reflect the name of the new user).
cscript clonepr.vbs /srcdc:migrate1 /srcdom:migrate /srcsam:mig2 /dstdc:trainkit1 /dstdom:trainkit.microsoft.com /dstsam:mig2x /dstdn:CN=mig2x,OU=migrate,DC=trainkit, DC=microsoft,DC=com
TIP
If you have problems typing the command accurately, you can use the script named Clonescript.bat provided in the Tools folder.The command uses the Clonepr.vbs script to copy the user Mig2 from the domain MIGRATE into the user Mig2x in the Migrate OU in the trainkit.microsoft.com domain.
- Open Active Directory Users And Computers. Double-click the Migrate OU and note that a user named Mig2x is now present. If the OU is already open, press F5 to refresh the display.
NOTE
When ClonePrincipal clones a user, it is set as disabled, which is why there is a red X over the user name icon. - Once Mig2 has been successfully migrated across, right-click Mig2x and select Enable Account.
Now test the Mig2x account by logging on and off TRAINKIT1, using the Mig2x account without any password. When prompted to change the password, type secret.
NOTE
This lesson completes all practices you'll be doing with an inter-forest migration. You might want to experiment some more with user and group cloning before moving on to the practice on intra-forest migration in Lesson 8, where you'll reconfigure the MIGRATE domain into the MIGKIT domain and then use the MIGKIT domain for an intra-forest migration.
Lesson Summary
In this lesson, you learned that ClonePrincipal is a set of scripts that can be installed from your Windows NT Server CD-ROM. You also learned that you can use it to aid with scripting an inter-forest restructure, and finally, you used the ClonePrincipal tool to stage an incremental migration (in other words, migrating a single user).