Deconstructing the Quest Resource Processing configuration file (vmover.ini)

Dell

For anyone that has worked with the Quest Migration Manager to perform Microsoft Active Directory Domain migrations, you find that one of the most critical components is the Resource Processing tasks. In a migration, one has the original environment (Source) and the destination environment (target). A migration consists of moving source users, groups, workstations, servers, applications, group policies, scripts, etc… to the target as per migration requirements. Resource Processing is, in simple terms, the process of adding access for target user and groups (security principals) to source computers and applications (resources). Additionally, with Quest, one has the option to update the identities of services, scheduled tasks, etc…

How does Quest pull off such a monumental task of updating all the resources? For computers, it is all based on a small binary (vmover.exe) and a configuration file – commonly known as vmover.ini. Let us now dive in and examine the INI configuration file.

Below is the top portion of the INI file. For the most part it is self explanatory. It is a list of resource processing options.

FileSystem=YesDCOM=YesLogFile=VMover.log
Shares=YesCOMPlus=YesStateFile=VMover.txt
LocalGroups=YesRoamingProfiles=YesVersion=400
UserPrivileges=YesInstallProfilesAgent=YesMaxCriticalErrors=1
Printers=YesClone=YesMaxRegUsage=95
IIS=YesCleanUp=NoProcessRegGroupOwner=No
Registry=YesUndo=NoUpdateStateSec=1
Profiles=YesAutoRemove=NoSetArchiveBit=No
Services=YesMaxErrors=10SharesExtendedLogging=Yes
ScheduledTasks=YesLogMask=15 

This is where it gets interesting. Following the options section, there are 1 or more domain pair sections. These sections contain a mapping of security principals between source and target. If you are unfamiliar with the concept of a Security Identifier or SID, I suggest you read ‘How to understand the anatomy of security identifiers‘. Everything in the domain pair sections is directly correlated to the SID. There are several great tools to help find the SID of objects such as PSGetSID from PSTools. For the sake of this post we only need to know two things about the SID – the domain Identifier and the Relative Identifier (RID). Given the SID ‘S-1-5-21-715486182-2557611466-615292504-1012’ the Domain Identifier would be ‘S-1-5-21-715486182-2557611466-615292504’ and the RID would be ‘1012’.

The first 3 lines of a domain pair section are as follows:

[]
SourceDomainName;S-1-5-21-SourceDomainIdentifier;SourceDomainDNSName
TargetDomainName;S-1-5-21-TagertDomainIdentifier;TargetDomainDNSName

Example Contoso domain migrating to Fabrikam domain:

[]
CONTOSO;S-1-5-21-715486182-2557611466-615292504;constoso.com
FABRIKAM;S-1-5-21-1960408961-3247738952-4268959921;fabrikam.com

The next line(s) in the configuration file define the source and target object mapping.

SourceRID;SourcesAMAccountName;TargetRID;TargetsAMAccountName;;;Object Type

Object Types defined:

Object TypeDescriptionSeries
1UserA
2Global Security GroupB
3Global Distribution GroupB
4Domain Local Security GroupB
5Domain Local Distribution GroupB
6Universal Security GroupB
7Universal Distribution GroupB
8ComputerB

Rules for the object mapping section:

  1. All object mapping entries are sorted by SourceRID (Ascending)
  2. The SourceRID value for the first object mapping entry in each series uses the actual SourceRID value.
  3. Subsequent object mapping entries in each series uses a calculated offset from the previous entry in the series for the SourceRID value.
  4. There are only 2 series of object mappings.
  5. The TargetsAMAccountName may be omitted if it is the same as the sourcesAMAccountName.

Example for a single user:

Scenario Information

SourceRIDSourcesAMAccountNameTargetRIDTargetsAMAccountNameObject Type
1012Jdoe23127john.doeUser
Object Mapping EntriesRules Applied – Notes
1012;jdoe;23127;john.doe;;;12- Source RID for the user or ‘A’ Series

So far, things are making sense. However, it gets tricky when you add more than 1 object mapping entry.

Example for multiple users:

Scenario Information (Sorted by SourceRID)

SourceRIDSourcesAMAccountNameTargetRIDTargetsAMAccountNameObject Type
1012Jdoe23127john.doeUser
1050Ssmith10345Sally.smithUser
1053lskywalker5038lskywalkerUser
Object Mapping EntriesRules Applied – Notes
1012;jdoe;23127;john.doe;;;11- All Source RIDS Sorted
2- Source RID for the user or ‘A’ Series
38;ssmith;10345;sally.smith;;;13- Source RID is current RID less the previous RID (1050-1012=38)
3;lskywalker;5038;;;;13- Source RID (1053-1050)
5- Target sAMAccountName is omitted

Example for multiple object types:

Scenario Information (Sorted by SourceRID)

SourceRIDSourceSAMTargetRIDTargetSAMObject Type
1012Jdoe23127john.doeUser
1015Accounting48885AccountingGlobal Sec. Group
1038ORION$45566ORION$Computer
1050Ssmith10345Sally.smithUser
1052AllEmps123445AllEmployeesGlobal Dist. Group
1053lskywalker5038lskywalkerUser
2034Sales44755SalesLocal Sec. Group
3123AppAccess476665AppAccessUniversal Sec. Group
Object Mapping EntriesRules Applied – Notes
1012;jdoe;23127;john.doe;;;12- Source RID for the user or ‘A’ Series
1015;Accounting;48885;;;;22- Source RID for the user or ‘B’ Series
5- Target sAMAccountName is omitted
23;ORION$;45566;;;;83- (B) Source RID is current RID less the previous RID (1038-1015=23)
38;ssmith;10345;sally.smith;;;13- (A) Source RID is current RID less the previous RID (1050-1012=38)
14;AllEmps;123445;AllEmployees;;;33- (B) Source RID is current RID less the previous RID (1052-1038=14)
3;lskywalker;5038;;;;13- (A) Source RID (1053-1050)
5- Target sAMAccountName is omitted
982;Sales;44755;;;;43- (B) Source RID is current RID less the previous RID (2034-1052=982)
5- Target sAMAccountName is omitted
1098;AppAccess;476665;;;;63- (B) Source RID is current RID less the previous RID (3123-2034=1098)
5- Target sAMAccountName is omitted

Domain section example completed:

[]
CONTOSO;S-1-5-21-715486182-2557611466-615292504;constoso.com
FABRIKAM;S-1-5-21-1960408961-3247738952-4268959921;fabrikam.com
1012;jdoe;23127;john.doe;;;1
1015;Accounting;48885;;;;2
23;ORION$;45566;;;;8
38;ssmith;10345;sally.smith;;;1
14;AllEmps;123445;AllEmployees;;;3
3;lskywalker;5038;;;;1
982;Sales;44755;;;;4
1098;AppAccess;476665;;;;6

With this information, you have the ability to generate your own INI configuration files. This gives you the ability to automate and fine-tune what vmover is actually doing in your environment.

Source article: Bellz Brain Dumps: Deconstructing the Quest Resource Processing Configuration File (vmover.ini) (disambigu8.blogspot.com)

Leave a Reply

Your email address will not be published.