Manage permissions required for migrating an on-premises ___domain

This page explains how to check if the permissions that are required to migrate an existing Active Directory ___domain from on-premises to Managed Service for Microsoft Active Directory with SID history are enabled. This page also explains how to disable these permissions after you complete the migration.

Before you begin

Make sure that you have any one of the following Identity and Access Management (IAM) user roles:

  • Google Cloud Managed Identities Domain Admin (roles/managedidentities.domainAdmin)
  • Google Cloud Managed Identities Admin (roles/managedidentities.admin)

For more information, see Cloud Managed Identities roles.

Check permissions

You can check if the permissions that are required to migrate domains with SID history are available on a Managed Microsoft AD ___domain.

To validate the permissions, run the following gcloud CLI command:

gcloud beta active-directory domains migration check-permissions DOMAIN_NAME

Replace DOMAIN_NAME with the name of your Managed Microsoft AD ___domain. For example, my-___domain.com.

This operation checks whether the Cloud Service Migrate SID Administrators group exists in the Managed Microsoft AD ___domain and reports the state of SID filtering on each trusted ___domain.

The response lists the SID filtering state of all the trusted domains and the state of permissions required in your Managed Microsoft AD ___domain:

onpremDomains:
- name: ___domain-one.com
  sidFilteringState: ENABLED
- name: ___domain-two.com
  sidFilteringState: DISABLED
state: ENABLED

Your Managed Microsoft AD ___domain can have any one of the following states:

  • DISABLED: The Managed Microsoft AD ___domain doesn't have the permissions required to migrate the on-premises ___domain with SID history. SID filtering is enabled on all the trusted domains.
  • ENABLED: The Managed Microsoft AD ___domain has the permissions required to migrate the on-premises ___domain with SID history. To check the SID filtering state, see the sidFilteringState field for each trusted ___domain in the response.
  • NEEDS MAINTENANCE: Permissions are in an inconsistent state for your Managed Microsoft AD ___domain. To reset the state, either enable or disable the permissions, as you require.

Disable permissions on the Managed Microsoft AD ___domain

After you complete the migration, you must disable the permissions provided for migrating your on-premises ___domain with SID history.

To disable the permissions, run the following gcloud CLI command:

gcloud beta active-directory domains migration disable DOMAIN_NAME

Replace DOMAIN_NAME with the name of your Managed Microsoft AD ___domain. For example, my-___domain.com.

This operation disables the permissions provided to your ___domain by deleting the Cloud Service Migrate SID Administrators group from Managed Microsoft AD, and it enables SID filtering on all the trusted domains.
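The check-permissions response shown above, and the expected state after you run the disable command, can be verified with a small script. The following is an added example, not part of this page or of the gcloud CLI: it parses a response in the format shown in the Check permissions section and reports whether the migration permissions are still enabled or any trusted ___domain still has SID filtering disabled, which is the post-migration condition the Disable permissions section tells you to clear. The sample response embedded in the script is constructed; in real use you would pipe in the live output of `gcloud beta active-directory domains migration check-permissions DOMAIN_NAME`. The function names and the simple awk-based parsing of the YAML fields are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation page or the gcloud CLI.
# Parses the response of
#   gcloud beta active-directory domains migration check-permissions DOMAIN_NAME
# and reports whether the ___domain is in the expected post-migration state:
# state: DISABLED and sidFilteringState: ENABLED on every trusted ___domain.

# Constructed sample response in the same shape as the page's example output.
# In real use, replace it with the live command output, for example:
#   RESPONSE=$(gcloud beta active-directory domains migration check-permissions "$DOMAIN_NAME")
SAMPLE_RESPONSE='onpremDomains:
- name: ___domain-one.com
  sidFilteringState: ENABLED
- name: ___domain-two.com
  sidFilteringState: DISABLED
state: ENABLED'

# Print the top-level "state" field of the response (the ___domain's permissions state).
# The regex is anchored at line start, so the indented sidFilteringState lines
# of the trusted domains are not matched.
permissions_state() {
  printf '%s\n' "$1" | awk '/^state:/ { print $2 }'
}

# Print, one per line, the trusted domains whose SID filtering is not ENABLED.
# Each "- name:" line sets the current ___domain; the following sidFilteringState
# line decides whether that ___domain is reported.
domains_without_sid_filtering() {
  printf '%s\n' "$1" | awk '
    /^- name:/           { ___domain = $3 }
    /sidFilteringState:/ { if ($2 != "ENABLED") print ___domain }
  '
}

# Return 0 when the response shows the expected post-migration state, 1 otherwise.
# Each finding is printed with the follow-up action from the page.
verify_post_migration() {
  response="$1"
  ok=0
  st=$(permissions_state "$response")
  if [ "$st" != "DISABLED" ]; then
    echo "permissions state is $st; run: gcloud beta active-directory domains migration disable DOMAIN_NAME"
    ok=1
  fi
  for d in $(domains_without_sid_filtering "$response"); do
    echo "SID filtering is not enabled on trusted ___domain $d"
    ok=1
  done
  return $ok
}

# Run against the constructed sample: both findings are reported, so the
# verification fails and the disable step is still outstanding.
if verify_post_migration "$SAMPLE_RESPONSE"; then
  echo "___domain is in the expected post-migration state"
else
  echo "post-migration cleanup still required"
fi
```

Run the script after the disable command and schedule it as a recurring check; a return of 1 means the Cloud Service Migrate SID Administrators group or disabled SID filtering has persisted, or reappeared, beyond the migration window.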