Active Directory Migration

Selective Authentication for Computer & Profile Migration

Windows® domain trusts are essential for enabling seamless access to resources across different domains in a network. They allow users from one domain to authenticate and access resources in another, promoting collaboration and simplifying administration. However, with increasing security concerns, selective authentication has become a critical tool for controlling which users or computers can access resources across domains.

This guide will walk you through configuring a Windows® domain trust with selective authentication using CopyRight2’s Computer and Profile Migration feature. Proper configuration is essential to avoid authentication errors during the migration process.

Table of Contents:

  1. Understanding Domain Trusts and Selective Authentication
  2. Migration Scenario
  3. Steps to Use Domain Trusts with Selective Authentication
  4. Conclusion

Understanding Domain Trusts and Selective Authentication

Before delving into the step-by-step guide, it’s crucial to understand what Windows® domain trust and selective authentication entail. A Windows® domain trust is a relationship established between two domains, allowing users in one domain (the trusted domain) to access resources in the other domain (the trusting domain).

Domain- or forest-wide authentication allows all users of the trusted domain to authenticate to and access resources of the trusting domain. Access is then granted based on assigned permissions, either directly to user or group objects of the source domain, or indirectly through membership in a domain local resource group of the target domain.

Selective authentication, on the other hand, is an additional security measure that limits access to the trusting domain's resources to specific users or groups of the trusted domain. It restricts cross-domain access so that only explicitly authorized accounts can reach certain resources, thus increasing the security of the domain network.

Migration Scenario

In this scenario, CopyRight2 is installed on a system in the source domain. The migration job runs under a source-domain user account that is a member of the source domain's "Domain Admins" group and that has also been made a member of the built-in "Administrators" group of the target domain. Membership in "Domain Admins" grants access to the source computers to be migrated and, in addition, sufficient access to create the new computer objects in the target domain. This would usually be sufficient if domain-wide authentication were used.

With a trust that has selective authentication enabled, the migration job fails during the computer account creation phase and prompts for authentication. If the credentials of the prepared source-domain administrator account are then entered, Windows® error 1935 occurs, whose English text reads: "The computer you are signing into is protected by an authentication firewall. The specified account is not allowed to authenticate to the computer". The computer it fails to authenticate to is the target domain controller.

Follow the steps below to grant the permission to authenticate to the account used to launch the migration job and to the computers of the source domain, which prevents this error.

Steps to Use Domain Trusts with Selective Authentication

Step 1: Establish a Trust Relationship

The first step in using a Windows® domain trust with selective authentication is establishing a trust relationship between the two domains. This can be done from the Active Directory Domains and Trusts console in the Microsoft Management Console (MMC). For the Computer and Profile Migration feature, it is recommended to configure either a one-way trust where the target domain trusts the source domain, or establish a two-way trust between the domains.

Step 2: Enable Selective Authentication

After creating the trust relationship, the next step is to enable selective authentication. This is done from the properties of the trust relationship in the Active Directory Domains and Trusts snap-in and must be configured on the trusting (target) domain side. On the domain's properties page, go to the Trusts tab, select the trust relationship, click Properties, go to the Selective Authentication tab, and tick the 'Enable Selective Authentication' checkbox as below:

Step 3: Create a Domain Local Group in the Target Domain

To create a new domain local group in the target domain, which will later be used to grant the permission, use the Active Directory Users & Computers MMC snap-in. You can name the group "AllowedToAuth", for example.

Step 4: Set Access Control on "Domain Controllers" OU or a Specific Domain Controller

The next step is to set access control for the resources in the trusting target domain. To do that, use the Active Directory Users & Computers snap-in and enable View -> Advanced Features.

There are two options: grant the required permission at the "Domain Controllers" OU level if all domain controllers of the target domain should be usable as targets, or grant the permission on an individual domain controller basis.

a) To grant the permission for all domain controllers, select the "Domain Controllers" OU and click Properties. Open the Security tab and click Advanced, then click "Add" to add the permission. Select the domain local group created in step 3 as the principal and "Descendant Computer objects" as "Applies to". Finally, search for and select the "Allowed to authenticate" permission as below:

Click on OK three times to save the permissions.

or

b) If the permission should instead be granted only for the specific domain controllers used as targets of Computer and Profile Migration jobs, you can either put them in a dedicated OU and use the same approach as in a), or grant the permission individually on each domain controller. The latter works analogously to a), but you can keep the pre-selected "This object and all descendant objects" for "Applies to".

Step 5: Add Source Domain Accounts to Local Group for Authentication

Next, add the source-domain account used to launch the job to the domain local group created in step 3. To grant access to the computers being migrated, there are two possibilities, depending on how restrictive the permissions should be and whether all computers or only a subset will be migrated:

a) You can add the "Domain Computers" global group of the source domain to the domain local group in the target domain.

or

b) You can add the individual computer accounts of the source domain that should be migrated to the domain local group in the target domain.

Step 6: Sign out and Sign in Again

After making those changes, you need to sign out and sign in again with the account being used to launch the job.

Step 7: Test the Configuration

Finally, after setting up selective authentication and access control, it's essential to verify the configuration to ensure everything works as expected. The job should now execute without any errors.
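The following script is an added example and is not part of this guide or of CopyRight2; it automates steps 3 to 5 with the ActiveDirectory RSAT module and ends with the verification from step 7. It assumes it is run on a member of the target (trusting) domain by an account that may edit the ACL of the "Domain Controllers" OU, and that the trust from steps 1 and 2 already exists. The domain names (target.example, source.example), the account name migadmin and the computer names PC001/PC002 are placeholders; the group name AllowedToAuth is the one suggested in step 3. Instead of hard-coding the GUIDs of the "Allowed to authenticate" right and the computer class, the script looks them up in the schema of the target forest, and it skips any step whose result is already present, so it can be re-run safely.

```powershell
# Added example (not from the original guide or CopyRight2): steps 3 to 5 and the
# verification of step 7, scripted with the ActiveDirectory module.
# All domain, account, group and computer names below are placeholders.
Import-Module ActiveDirectory

$TargetDomain        = 'target.example'   # placeholder: trusting domain (migration target)
$SourceDomain        = 'source.example'   # placeholder: trusted domain (migration source)
$GroupName           = 'AllowedToAuth'    # domain local group from step 3
$MigrationAdmin      = 'migadmin'         # placeholder: source account that launches the job
$MigrateAllComputers = $true              # $true = step 5 a), $false = step 5 b)
$ComputerNames       = @('PC001', 'PC002') # placeholders, used only for step 5 b)

$targetDn = (Get-ADDomain -Server $TargetDomain).DistinguishedName

# Step 3: create the domain local security group (skipped if it already exists).
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $TargetDomain
if (-not $group) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
                -Path "CN=Users,$targetDn" -Server $TargetDomain
    $group = Get-ADGroup -Identity $GroupName -Server $TargetDomain
}

# Step 4 a): resolve the GUIDs from the schema, then grant the "Allowed to authenticate"
# extended right on the Domain Controllers OU for descendant computer objects only.
$rootDse = Get-ADRootDSE -Server $TargetDomain
$allowedToAuthGuid = [Guid](Get-ADObject -Server $TargetDomain `
    -SearchBase $rootDse.configurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(name=Allowed-To-Authenticate))' `
    -Properties rightsGuid).rightsGuid
$computerClassGuid = [Guid](Get-ADObject -Server $TargetDomain `
    -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=computer))' `
    -Properties schemaIDGUID).schemaIDGUID

$ouPath   = "AD:\OU=Domain Controllers,$targetDn"   # AD: drive maps to the default (target) domain
$acl      = Get-Acl -Path $ouPath
$existing = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $group.SID -and $_.ObjectType -eq $allowedToAuthGuid }
if (-not $existing) {
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $allowedToAuthGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,  # .NET spelling
        $computerClassGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $ouPath -AclObject $acl
}

# Step 5: add the source-domain principals. Objects fetched from the source domain
# are added as foreign security principals of the target domain.
$members = @(Get-ADUser -Identity $MigrationAdmin -Server $SourceDomain)
if ($MigrateAllComputers) {
    $members += Get-ADGroup -Identity 'Domain Computers' -Server $SourceDomain          # 5 a)
} else {
    $members += $ComputerNames | ForEach-Object { Get-ADComputer -Identity $_ -Server $SourceDomain }  # 5 b)
}
Add-ADGroupMember -Identity $group -Members $members -Server $TargetDomain

# Step 7: verify. Bind to a target domain controller as the migration account; without
# the permission above this is the bind that fails with error 1935.
$cred = Get-Credential -UserName "$MigrationAdmin@$SourceDomain" -Message 'Migration account password'
$dc   = Get-ADDomainController -DomainName $TargetDomain -Discover |
            Select-Object -ExpandProperty HostName | Select-Object -First 1
try {
    Get-ADDomain -Server $dc -Credential $cred | Out-Null
    "OK: $($cred.UserName) can authenticate to $dc"
} catch {
    "FAILED against ${dc}: $($_.Exception.Message)"
}
```

The verification deliberately supplies credentials explicitly, so it does not depend on the logon token of the current session. The session that launches the migration job, however, still needs the sign-out and sign-in from step 6 so that the account's new group membership is part of its token.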

Conclusion

Using a Windows® domain trust with selective authentication is an effective way to manage and control access to resources across domains, significantly enhancing network security. By following the steps outlined in this guide, you can successfully configure selective authentication and use the Computer and Profile Migration feature without encountering the mentioned authentication errors. If you need further assistance, feel free to contact Sys-Manage support for help.