2011 Mexico user account and mailbox migration

Handout for local administrators - DRAFT Tasklist - preliminary tasks ................................................................................................................................................................3 Make sure that the new DKXM user accounts can access applications in the NA domain.................3 Create migration table.........................................................................................................................3 Verify migration table..........................................................................................................................4 Make migration hand-out....................................................................................................................4 Translate migration hand-out to Spanish (optional).............................................................................4 Migration schedule planning...............................................................................................................4 Destine migration-target-dates for normal user migration...................................................................5 Destine migration-target-dates for special user migration ............................................................................................................................................................5 Inform users per mail about migration (optional).................................................................................5 Tasks at main migration ................................................................................................................................................................5 Overview - day by day migration.............................................................................................................6 Tasklist - day by day migration ................................................................................................................................................................7 Send out the invitation for migration to the users................................................................................7 Send remember-mail: remember user for daytime migration .............................................................8 Delete PST-passwords, if necessary..................................................................................................8 Record the user configuration.............................................................................................................8 Record Network Printers...............................................................................................................10 Record the Outlook Signature (optional).......................................................................................10 Record the Outlook PST-files information.....................................................................................11 Move the Outlook data files (PST-files) to the transfer directory.......................................................11 Change the domain membership of the client PCs to FS01..............................................................13 Deactivation of local security settings............................................................................................13 Deactivate HIPS............................................................................................................................13 Take the PC out of the NA domain ......................................................................................................................................................14 Rename the client to the name standard from FVWS...................................................................14 Join the PC to the FS01 domain ...................................................................................................16 Login with a FS01 account to verify the domain join......................................................................16 (Software deinstallation from the local PC)......................................................................................16 Shutdown the PC..............................................................................................................................16 Additionally operations for different user types..................................................................................17 VPN user.......................................................................................................................................17 VIP user.........................................................................................................................................17 Users with several clients..............................................................................................................18 Team PCs......................................................................................................................................18 Configure the user profile for the new environment ..........................................................................18 The user logs on with his new account..........................................................................................18 Configure the Outlook profile for the new environment..................................................................18 Configure Outlook for the Livelink Mail Archive.............................................................................20 Initialize the Blackberry device for Blackberry users......................................................................21 Change Connection Definition for VPN users................................................................................22 Reconfigure the printer connections..............................................................................................22 Run tests for verifying ......................................................................................................................................................22 Transfer of the users profile data ..........................................................................................................................................................28 Configure the Outlook Signature.......................................................................................................28 Hide and disable the old NA user account........................................................................................29 1

Make a feedback for every user in the migration table......................................................................29 Possible migration issues ..............................................................................................................................................................30 New Account.....................................................................................................................................30 Password Problems..........................................................................................................................30 Permissions Problems:.....................................................................................................................30 Network problem...............................................................................................................................30 Informational.........................................................................................................................................31 Information about Roaming Profiles for the users.............................................................................31 Information about changes at the logon script...................................................................................31 Logon with an account from Germany..............................................................................................32 In this hand-out are described the tasks for the local administrators at migration.

Tasklist - preliminary tasks

task / - subtask Create DKXM user accounts Move existing DKXM user to MX OU Add email addresses to DKXM users Add DKXM user to groups in FS01

who User Management I-SBU I-SBU SISTEMAS I-SBU

info done CW26 CW26, done

Make sure that the new DKXM user accounts can access applications in the NA domain Create migration table - Export user-information in the NA- and FS01 domain - Create Excel table Verify migration table Make migration hand-out Translate migration hand-out to Spanish (optional) Migration schedule planning - Destine migration-target-dates for normal user migration - Destine migration-target-dates for special user migration
Inform users per mail about migration (optional)

SISTEMAS I-SBU SISTEMAS

from German

one mail for all users

Make sure that the new DKXM user accounts can access applications in the NA domain
Because fresh new users are created in the FS01 domain, this users have no rights for applications in the NA domain (they have no group memberships). If its possible, convert the existing groups to domain local groups, than you can add members from the FS01 domain to the converted groups.

Create migration table

This is an example: Target date user 01.06.11 Wichtig, Willi 02.06.11 Benzzo, Mercedes 02.06.11 Diesolos, Pablo 03.06.11 Cuarto Kairo Sosa Scirocco, 03.06.11 Salvador type status comment VIP-user migrated no problems user needs full access on user migrated Cuarto_Seoul NB-user migrated OK room planned VPNuser planned user is in house for a meeting

mail willi.wichtig@vwfs.co

m.benz@vwb.com.m p.diesolos@vwfs.com ckairo@vwfs.com.mx

ssosa@vwb.com.mx

The migration table should store on a file share or Sharepoint where everyone participating at migration can access it.

Verify migration table

The migration table will created by I-SBU about one month before migration. Because the migration table is build from an AD-export it can be, that old mailboxes from not deleted users are planned for migration. User Management VWFSMX will mark all abandoned mailboxes in the migration table so they will not be migrated. After migration User Management VWFSMX can order TSM to delete these mailboxes. The type of user (normal-, VIP-, VPN-, notebook-user) cannot exactly extracted from AD groupmemberships. So the user management VWFSMX will take a look at this column. The grouping of users is very important, because there are problems with Outlook delegations between migrated and non-migrated users. The initial grouping is derived from the department, but which department works with each other isnt stored in the AD. So this is another task on verifying the migration table for the order of the department migration. About 10 users will migrate per day. The exact number can be defined after test imports.

Make migration hand-out

The migration hand-out describes the changes in the view of users. Points are: changes at the login account (DKX) and the new password changes of the email-address use of the Outlook-Cache by migration changes at the address book use of the email archive The hand-out is sent by mail to the user some days before migration by VWFSM. Its not necessary for everyone to have a printed version. The creation process is a hand in hand process with I-SBU, I-SBS and VWFSM.

Translate migration hand-out to Spanish (optional)

If not all colleagues can read Spanish it may be useful to translate the hand-out to Spanish. VWFSM will take care of this.

Migration schedule planning

The migration schedule planning is a one time work for initial planning the migration schedule for all accounts / mailboxes and its also a continuous process beside the main migration. A process for managing appointments has to be implemented. After the pilot migration should be clear if the line capacity or the support capacity defines the maximum number of users for daily migration.

Destine migration-target-dates for normal user migration

Normal user migrations are users, which do not need an invitation for the migration date. These accounts are: normal users user accounts for resource mailboxes The migration dates are predetermined. When the user is out of office at the predetermined date (seen by the out of office mail from Outlook), the migration date should rescheduled. My suggestion: send 20 to 25 invitations emails one week before target date, because of holidays or other reasons normally only 15 to 20 users will migrated. Information: The invitation to the users VW Bank will be send by T-Systems The migration plan will be inform by VWFS MX.

Destine migration-target-dates for special user migration

Special user migrations are users, which do need an invitation for the migration date. These accounts are normally: notebook user (field worker), because its helpful, when the user is in the office at migration VPN user (teleworker), because the line can be heavily loaded after migration (OL cache) VIP user In most migrations the migration dates are predetermined, but the user can made changes. VIP user This is also a special migration process, but some VIP user wants often self-determine the date because of the induction time for the new environment.

Inform users per mail about migration (optional)

In this mail, all users were informed about the beginning migration. This mail is normally send out about two weeks before the first user migration. In this mail you inform about: why this migration is needed what new functions the users have after migration what limitations exists at migration

Tasks at main migration

At migration day you have a group of users to migrate and a group of supporters for support at migration. Ideally, the user come to office shifted. So the supporters take all the users by hand at the first logon to the new environment and no one has to wait. The user and mailbox is migrated by I-SBU in the night (in Mexico). Next morning some changes are needed at the PC.

Overview - day by day migration

In rmu e p r m il a o t fo s rs e a b u m ra n ig tio B fo e re M ra n ig tio S T MS IS E A

R c rdth u e eo e s r c n u tio o fig ra n Ue sr

Inth e e in e vn g (s g e te ) ugs d

C a g th d m in hne e o a m m e h o th clie t e b rs ip f e n P stoF 0 C S 1 T-S s m y te s

A s o a p s ib s o n s o s le (inth n x d y e et as )

C p th u e P T -file to oy e sr S s th tra s r d c ry e n fe ire to T-S s m y te s

A h eth P Tfile toth rc iv e S s e L e in a h e iv L k rc iv I-S U B

Inth n h e ig t

M ra th u e m ilb x s ig te e s r a o e toB u s h e E c a g ra n c w ig x h n e S rv rs e e I-S U B

A tiv teB c b rryfo c a la k e r B ck e u e la b rry s rs HD u

M v th c m u r o je t o e e o p te b c in th ta e O to e rg t U I-S U B

Inth e m rn g o in

U e lo so w h n w s r g n ith is e ac ut con Ue sr

C n u th u e p file o fig re e s r ro fo th n we v n e t r e e n iro m n T-S s m y te s

Jsa r u t fte M ra n ig tio

C n u th o u e o fig re e ld s r a c u t inth N d m in con e Ao a T-S s m y te s

Tasklist - day by day migration

task / - subtask Inform users per mail about migration Send remember-mail: remember user for daytime migration Delete PST-passwords, if necassary Record the user configuration - make hardcopies of the network printers - make hardcopies of Outlook configuration Move the Outlook data files (PST-files) to the transfer directory Change the domain membership of the client PCs to FS01 - deactivation of local security settings - deactivate HIPS - take the PC out of the NA domain - rename the client to the name standard from FVWS - join the PC to the FS01 domain - login with a FS01 account to verify the domain join (Software deinstallation from the local PC) Shutdown the PC Move the computer object into the target OU Migrate the user mailboxes to BS Exchange Servers - delete the GAL contact object of the user - unhide the DKXM user object - run the preperation script - move the mailbox to Exchange Server BS - check the move-logs - send success mail to SISTEMAS Activate Blackberry for Blackberry users Configure the user profile for the new environment - the user logs on with his new account - configure Outlook for the new environment - configure Outlook for the Livelink Mail Archive - initialize the Blackberry device for Blackberry users - change Connection Definition for VPN users - reconfigure the printer connections - run tests for verifying Transfer of the users profile data Configure the Outlook Signature Configure the old user account in the NA domain - Hide the old user account in the NA domain - Deactivate the old user account in the NA domain Make a feedback for every user in the migration table Archive the PST files to the LiveLink archive - configure the import - importing the PST - checking and troubleshooting

who info SISTEMAS ~ weekly with user handout user user

daily for archiving (with help from T-Systems) ask the user, if all printers needed PST-paths, signatures maximum 500MB avoid conflicts with GPOs avoid GPO blocking config, reboot, login local config, reboot, login local config, reboot login in FS01 to check the computer migration Its not clear at this time, if this step is needed. ensures GPO execution next day

T-Systems

I-SBU

(30 MB mailbox)

HuD

perhaps, the mailbox is needed for configuration

T-Systems user T-Systems connection, signatues, rules, etc.

(not needed at Citrix connections)

(the user knows his printers) OL in Spanish, start important applications C:\Documents and Settings\OLDUSERNAME\Mis documentos

T-Systems
Check before, if the GAL-Sync has created an contact Otherwise, the user could log on on not migrated PCs.

I-SBU

(500MB PST)

Send out the invitation for migration to the users

7

You can send the handout together with the email invitations, but highlight the presence of an attachment. Perhaps remind user that its normally not necessary to have a printed version of the handout. The new account information (username and password) is normally send out by the remember mail. TSM will include in the invitation the handout users.

Send remember-mail: remember user for daytime migration

Because the logon-account name is new, its a good idea to remember the user to logon next day with his new account. Because the DKXM-account is in the fist time not so easy to remember, the user should print or write down the new account name (but not write down the password). For security reason you should send out one individual mail for each user. Also warn users from print out the remember mail. The VPN users will be scheduling his invitation in the VW Bank building.

Delete PST-passwords, if necessary

The archive server cannot import PST files with passwords set. The user has to delete the password, because he has only it. It would be nice to notify users that they must remove the password to PSTs.

Record the user configuration

8

For easy reconfiguration, a small protocol of user settings can be helpful; perhaps some simple hardcopies. Network printers Outlook signature Outlook PST-files

Its not possible to log in with an NA account to a FS01 PC. So its not possible to see the configuration after migration. Because the information is stored in the local registry, you can only record the settings with the logged in user.

If the user should record the configuration, make a user-guidance. At least the PST-file configuration should be saved.
Store the hardcopies on a easy accessible path, perhaps D:\Config .

Record Network Printers

Hardcopy with Keyboard-combination Alt-Prn, than open Word and press the Keyboard-combination Ctrl-V.

Record the Outlook Signature (optional)

Open the Windows Explorer and enter the path C:\Documents and Settings\User-ID`\Datos de programa\Microsoft :

10

Than copy the Signatures folder to the backup directory. If you transfer the whole user profile as a part of the migration, this step is not necessary.

Record the Outlook PST-files information

The names and path information are needed later for moving the PST-files to the transfer directory. Open the Archivos de datos de Outlook window and record for each PST-file the path information in a text file:

Move the Outlook data files (PST-files) to the transfer directory

The PST-files of the user which should imported in the LiveLink archive has to be moved to the appropriate transfer directory of the user. 1. Find the PST-files for archiving: use the recorded user configuration search on all volumes for *.PST, than use the latest file for each PST

2. Now you can move the PST-files to the to the appropriate transfer directory of the user. The path to the transfer directory is: \\10.42.168.19\fsmx_PST$ The associated groups are: FS01\MX-FS-PST-Transfer-FW-G NA\MX-FS-PST-Transfer-FW-G (for Admin accounts in the FS01 domain) (for Admin accounts in the NA domain)

11

Connection to the PST-share with an admin account:

(When you are logged in with your FS01 admin account, you should not asked for a username/password.) Please move the PST-files carefully into the correct destination directory. If the PST-file is in the wrong directory, the mails and other items are imported in to the wrong mailbox. The maximum archiving data per user is 500MB. If the user has more data, burn it on CD/DVD/BD. If the user has one big archive with more than 500MB, he has to split the archives:

In this example, the old archive is archived into the mailbox and the very old archive is burned to CD.

12

Change the domain membership of the client PCs to FS01

TSM will change the domain membership during migration of the PC. Source Domain: Destination Domain: na.vwg fs01.vwf.vwfs-ad

The Group FS01\MX-ADM-Client-S-G is added to the local group Administrators on each client by a Group Policy. In the situation, where you cannot logon to the local PC with your FS01 admin account after migration you can try to correct the problem with the command gpupdate /force . In addition, the GPO (Group Policy Object, a part of the AD) removes the local administrator from the administrators group. Also all NA-groups are deleted. Without further doing, the user gets a new profile at next logon.

Deactivation of local security settings

To avoid conflicts with GPOs in the FS01 domain, the local security settings (local policies) have to be deleted.

Deactivate HIPS
In our tests, the HIPS blocked domain GPO settings. So the deactivation of the HIPS is necessary. For deactivating, set the start type of the service McAfee Host Intrusion Prevention Service to disabled.

13

Take the PC out of the NA domain

The System Properties are opened with: Control Panel > System

(please use the domain name and account name from the correct source domain)

Rename the client to the name standard from FVWS

The name standard for clients in Puebla, Mexico is: FSMXPU<F>nnnnn .

<Computer Function Code F> (1 Character)

A Advanced Printer 14

C Client L Laptop M Monitor O Office communication devices B Thin Clients R Remote (Home Office Worker) W Workgroup 0-9 Standalone I Network Gear K Copy Machines F Fax G SAN- or SAN-attached storage component (X) P Printer (shortened list) nnnnn = (sequential) hexadecimal number Example: FSMXPUC00001 for the first Client you added to the FS01 domain.

Now the computer needs a restart

15

Join the PC to the FS01 domain

(please use your admin-Account in FS01, this account must be member of MX-ADMAddComputerToDomain-S-G)

(please excuse the use of German hardcopies) (This two part process is needed because you havent one account with both rights: the right to delete the computer account from the old domain and the right to add a computer to a domain.)

Login with a FS01 account to verify the domain join

If the login is successful, the domain join was successful, too.

(Software deinstallation from the local PC)

The following Software should remove from all Clients, because its not used in the VWFS environment: The list is not defined at this time. A test migration is needed. This list will be checked with I-SB*, TSM and the CISOs. Its not clear at this time, if this step is needed.

Shutdown the PC

16

Additionally operations for different user types

VPN user
Also its theoretically possible to migrate PCs over the VPN, its the easiest way that the user comes in house for migration.

VIP user
The only difference in migration is the level of special notice you do at migration (for example remember to synchronize Outlook by phone). Sometimes its difficult to say no to some special wishes:

Copy of the Internet Favourites

Right Click on the Windows Start field > Explore > Favourites > Copy. Make a backup directory and insert the favourites (for example d:\backup). After migration, copy the favourites back (to the fresh new user directory).

Desktop Settings

17

You can do the same as with copying the Internet Favourites but with the desktop folder.

Please remember that VWFS uses roaming profiles, so the data is copied over the network every time the user logs on or off the PC. Please move out big files to the users home directory (H:) and place a shortcut on the desktop.

Users with several clients

All clients belong to a user should change the domain membership when the user is migrated.

Team PCs
This is a pool of PCs with a group of users working on them (perhaps a call center). Every user can log on to every PC. In this case, migrate all PCs and users together. If this is not possible, make two stages. One possible migration plan: first change the domain of all PCs of a stage than migrate the user of a stage when they come; because of roaming user profiles, you need to make the adjustments only once per user

Configure the user profile for the new environment

The user logs on with his new account Configure the Outlook profile for the new environment Manual configuration of the Outlook-Profile
o o use the Cached-Mode of Exchange you can take this server for configuring: fsdebsxcas.fs01.vwf.vwfs-ad

18

Additional configuration: add connections to other mailboxes show the user how to add an Outlook signature

19

Reconfiguration access to other users or to a team mailbox:

(The hardcopies are made in the NA domain.)

Info: Dont include PST-Files in the Outlook-Profile. The archived PST-Files should be accessible at the next day(s) with the archive folder accessible directly in the mailbox.

Configure Outlook for the Livelink Mail Archive

Please go to Herramientas > Opciones > Otros > Opciones avanzadas > Formularios personalizados > Administrar formularios and then copy the two Open Text Forms from the Organization Forms FSDE to the Formularios personales .

20

Initialize the Blackberry device for Blackberry users

For Blackberry users, the Blackberry device has to configure for the new mailbox. Another manual exists for the doing (Settings BlackBerry_english.doc).

21

Change Connection Definition for VPN users Reconfigure the printer connections Run tests for verifying
At a standard PC, after the user has logged in (next morning), there are some tests to do for checking the migration.

Test the Outlook connection to Exchange (if the user can log on to his mailbox)
Because of the integrated authentication, there is no need for input the logon information. So when you get this box, something is fishy:

In this case, I-SBU should analyze the problem. Information to First Level Support UHD T-Systems: For further connection troubleshooting (for example slow response) you can get the Outlook connection status by pressing the Key Ctrl and a right click on the Outlook icon at the windows info bar:

22

Verify, that the Outlook folders are in the correct language

If the Outlook folders are in the wrong language, you should correct it:

The command is: outlook /resetfoldernames :

23

If this doesnt work, manual handwork is needed.

Test the standard dive letters for access to the network:

Drive Letter H: P: Q: R: S: T: W: Description User home Application_Data Transfer_Data Backups Areas (departments) Projects Share_Data (group data)

This looks OK: If there is a connection problem, the network drive isnt assigned by login:

24

Test, if the correct GPOs are used

Use the command: gpresult > gpresult.txt In the resulting text file, look for two things: GPOs There must be 7 GPOs in the List: FS01-ClientServer-RestrictedAccounts FS01-ClientServer-EnforcedSettings MX-Client-Desktop MX-Client-Machine FS01-Client-Machine FS01-Client-InternetExplorer Default Domain Policy-OLD AD-Site The correct AD-Site is: MXPU

25

Additionally, in the pilot migration, it was useful to look on the DNS Suffix Search List (because the HIPS sometimes blocks the execution):

If the Directiva de grupo local is listed, the deactivation of local security settings was not successful.

26

Test the important network applications of the user

Located in Germany: SAP T24 VOKUS PHAROS BERTHA CMIS CARAT

Located in VW Mexiko: Avaya Documentum Intranet Print Server in VWM Print Server in VW Bank Reuters See the application list documents.

Tests in the old file server RVS PLD INTRANET **** external treasury servers

Ask the user, if he needs help on new or changed functions

The changes are described in the user handout, but sometimes a user doesnt understand something. Possible questions about: how to use the new archive-function in Outlook

27

Transfer of the users profile data

The users profile data has to be transferred from the old account to the new account. You have two choices: You can move the data in the evening before migration to the temporary destination. And then move the data back after the first logon of the user. (You can move back the data as the logged in user or anl administrator.) You can directly copy the data to the destination folder after migration (logged in as an administrator) and then delete the original data. (Dont move the data at this moment because the old rights remain and the new user cannot access the old files.)

Source: C:\Documents and Settings\OLD-USERNAME\Mis documentos Suggested temporary destination: D:\Backup\USERNAME Destination: C:\Documents and Settings\NEW-USERNAME\Mis documentos (The destination folder is created by the first login of the user.) If the user has files stored on the desktop, you can use the same procedure with the folder C:\Documents and Settings\OLD-USERNAME\Escritorio .

Configure the Outlook Signature

After transferring the users profile data the signatures should be listed in Outlook. You only have to choose the signature in the list of signatures:

(You must logged in as the user, for this operation.)

28

Hide and disable the old NA user account

At this moment, the old user account is no longer used, so for security reasons the deactivation of the old account is needed. Because the address book Sync between VWAG and VWFS, a new contact object is created for the new FS01 user in the VWG forest. To avoid double entries for each user in the Outlook address book, the old NA user account should be disabled. The Sync needed some days; in this time, the user is not shown up in the NA address book.

Make a feedback for every user in the migration table

Make simply an OK or your comment:

Example user migration table

Target date user 01.06.11 Wichtig, Willi 02.06.11 Benzzo, Mercedes 02.06.11 Diesolos, Pablo 03.06.11 Cuarto Kairo Sosa Scirocco, 03.06.11 Salvador

type VIP-user user NB-user room

status comment migrated no problems user needs migrated Cuarto_Seoul migrated OK planned

mail willi.wichtig@vwfs.c full access on

m.benz@vwb.com. p.diesolos@vwfs.co ckairo@vwfs.com.m

VPN-user planned

user is in house for a meeting

ssosa@vwb.com.m

29

Possible migration issues

The communication between I-SBU and T-Systems user support is by mail and phone directly to the engineers doing the migration. Please remember the time shift between Mexico and Germany when waiting for an answer.

New Account
The user has not written down his new account information and he cannot login. One way to minimize the problem is to send out the account information table (without passwords) to all members of the daily migration in the remember mail. So the user can ask a colleague for his new account name. If the user is the first in the morning in the office, he has to call for help.

Password Problems
Depending on your password distribution process, issues are to be expected. User Management will provide a list of all DKXM accounts; password will be a standard password. User Management will send the DKXM account to the final users.

Permissions Problems:
Because new User Accounts are used, in applications with AD integrations (often Intranet applications like Sharepoint) permissions problems can happen.

Network problem
Another way for troubleshooting initial network drive letters assignment problems is at the command line. First open the path \\fs01\NETLOGON in the Explorer > one click on any file at will > type in the first keys of the filename (mexico.bat) > right click > Edit > search for the drive letter with problems > mark the appropriate command > open the CMD > copy the command In addition try to PING the destination:

30

(This is an example how to get the information, your server names differs.)

Informational
Information about Roaming Profiles for the users
VWFS uses Roaming Profiles. To configure Roaming Profiles you have to enter the network path for the user. The normal path is \\HOMESERVER\USERS\DKXMxxx\system.nt\profile . The profile paths are preconfigured for the users. In the time a user gets a new PC (VWFS standard, without a data partition D:), than it should be the best to copy the user data from the old PC to the users home drive H:.

Information about changes at the logon script

In the NA domain is only one logon-script for all the VWFS users (vwfs.bat). 31

In the FS01 domain has every user has its own logon script (initial all are the same). At the end of the user logon script is started the script POST_MAP.BAT which does the following: hard- and software-inventory installation of DameWare Remote Control client DeviceLocker (control of the USB-ports) update miscellaneous checks and configurations

Logon with an account from Germany

32