Cross-forest Migrating Dynamic Access Control

Reading Time: 5 minutes

Six months ago, I wrote on 10 Things you need to be aware of before deploying Dynamic Access Control. As point 8, I noted that the Active Directory Migration Tool (ADMT) does not support cross-forest migration of Dynamic Access Control (DAC).

As an Active Directory admin, ADMT is obviously the first tool you would look at: it can cross-forest migrate user accounts, groups and group memberships. Unfortunately, it cannot migrate the Dynamic Access Control configuration between Active Directory forests. The Data Classification Toolkit (DCT), however, can. It is PowerShell only.

About the Data Classification Toolkit (DCT)

The Data Classification Toolkit (DCT) is a free solution accelerator from Microsoft. The latest version, the Microsoft Data Classification Toolkit for Windows Server 2012 (version 2.1), supports Dynamic Access Control.

The Data Classification Toolkit for Windows Server 2012 works in conjunction with Windows Server 2008 R2 File Classification Infrastructure (FCI) and Dynamic Access Control in Windows Server 2012 to help IT pros gain insight into stored information, enforce access policies, and configure access policies for files based on claims.


Migrating Dynamic Access Control

So, in the Active Directory environment you want to migrate from, you might have Dynamic Access Control configured. This means you would have created:

  • Resource properties
  • Property lists
  • Central access rules
  • Central access policies

Additionally, you would have pushed resource properties to your file servers and deployed the central access policies through Group Policy. Of course, you’ve classified data and have enjoyed using Dynamic Access Control.

Note:
When you haven’t actually used file classification with Dynamic Access Control, you might not have any need to migrate the information from your Active Directory forest when you migrate to a new Active Directory forest…

Now, these four types of information in Active Directory can be migrated with the Data Classification Toolkit, although you might have expected to need the Active Directory Migration Tool (ADMT) for this.

Tip!
To cross-forest migrate Group Policy Objects (GPOs), you can use the Group Policy Management Console (GPMC) or other solutions, like the BackupGPO.wsf and ImportGPO.wsf scripts from the Group Policy Management Console sample scripts download.

The Dynamic Access Control configuration is migrated cross-forest through an export and an import. This adds to the flexibility of the solution: you don't need to set up a trust, or worry about network connectivity or time synchronization between the forests (unless you want to).

One downside of using the Data Classification Toolkit to export and import the Dynamic Access Control configuration for a cross-forest migration is that it is only available through PowerShell.


Download the Data Classification Toolkit

The Data Classification Toolkit for Windows Server 2012 is available as a free download from the Microsoft Download Center.


Installing the Data Classification Toolkit

After you have downloaded the Data Classification Toolkit, install it on a server in the source domain by double-clicking Microsoft Data Classification Toolkit.msi.

Installing the Microsoft Data Classification Toolkit, Step 1

Click Next in the Welcome screen.

Installing the Microsoft Data Classification Toolkit, Step 2

Select the I accept the terms in the License Agreement option and then click Next.

Installing the Microsoft Data Classification Toolkit, Step 3

Click Change… if you want to install the Microsoft Data Classification Toolkit in a different location, or click Next to accept the default location in the 32-bit Program Files folder.

Installing the Microsoft Data Classification Toolkit, Step 4

Click Install.

Installing the Microsoft Data Classification Toolkit, Step 5

Click Finish in the Completed the Microsoft Data Classification Toolkit for Windows Server 2012 Setup Wizard screen.


Exporting the Claims Configuration

As part of the Data Classification Toolkit installation, a Tools folder is created underneath the installation path on the server where you installed it. In a default installation, this folder is:

C:\Program Files (x86)\Microsoft\Data Classification Toolkit\Tools

In this folder you will find two PowerShell scripts:

  • Export-ClaimsConfiguration.ps1
  • Import-ClaimsConfiguration.ps1

We'll use the first script to export the Claims Configuration from the source Active Directory environment. Start PowerShell from the taskbar or Start Screen, change to the Tools folder, and type the following commands:

Set-ExecutionPolicy Unrestricted

.\Export-ClaimsConfiguration.ps1 -file C:\DAC.xml -server DC1.sourcedomain.tld -IncludeCentralAccessPolicies

Where C:\DAC.xml is the file to which you want to export the Dynamic Access Control (DAC) configuration of the source Active Directory environment, and DC1.sourcedomain.tld is a Domain Controller in the source domain.

Note:
The server needs to be a Global Catalog in the source domain.

Tip!
The script also exports dependent data types, unless you explicitly specify the DontExportDependencies parameter.

Now, you will have an XML-based file with the Dynamic Access Control configuration:

Example of an XML-based Claims Export file
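As an added example (not from the original post and not part of the toolkit itself), the following PowerShell wraps the export in the pre-flight checks a practitioner would want before the XML leaves the source forest: it confirms the chosen Domain Controller is a Global Catalog, relaxes the execution policy for this process only instead of machine-wide, shows that the two toolkit scripts are indeed unsigned, runs the export, and then verifies that the result is well-formed XML and records its SHA-256 so the copy imported in the target forest can be checked against it. The host name DC1.sourcedomain.tld, the path C:\DAC.xml and the default Tools folder are assumptions; the parameter names of Export-ClaimsConfiguration.ps1 are those the post uses. It targets the Windows PowerShell 3.0 that ships with Windows Server 2012.

```powershell
# Added example, not the post's or Microsoft's code. Host names, paths and
# the account running it are placeholders; the toolkit script's parameter
# names (-file, -server, -IncludeCentralAccessPolicies) are as in the post.
Import-Module ActiveDirectory

$ToolsPath  = 'C:\Program Files (x86)\Microsoft\Data Classification Toolkit\Tools'
$SourceDC   = 'DC1.sourcedomain.tld'   # assumed: a DC in the source forest
$ExportFile = 'C:\DAC.xml'             # assumed output path

# 1. The export must be pointed at a Global Catalog in the source forest.
$dc = Get-ADDomainController -Identity $SourceDC -Server $SourceDC
if (-not $dc.IsGlobalCatalog) {
    throw "$SourceDC is not a Global Catalog; point the export at a GC instead."
}

# 2. Both toolkit scripts are unsigned. Instead of setting Unrestricted
#    machine-wide, relax the policy for this PowerShell process only.
#    RemoteSigned runs local unsigned scripts; Unblock-File clears a
#    mark-of-the-web in case the files were copied over rather than
#    installed by the MSI.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
Get-ChildItem -Path $ToolsPath -Filter '*-ClaimsConfiguration.ps1' | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    Write-Host ("{0}: signature status {1}" -f $_.Name, $sig.Status)   # expect NotSigned
    Unblock-File -Path $_.FullName
}

# 3. Run the export. Dependencies are exported by default; central access
#    policies only when asked for.
& (Join-Path $ToolsPath 'Export-ClaimsConfiguration.ps1') `
    -file $ExportFile -server $SourceDC -IncludeCentralAccessPolicies

# 4. Before the file travels to the target forest, make sure it parses as
#    XML and record its SHA-256 (computed with .NET, since Get-FileHash is
#    not available in PowerShell 3.0).
if (-not (Test-Path -Path $ExportFile)) {
    throw "Export did not produce $ExportFile."
}
[xml]$export = Get-Content -Path $ExportFile -Raw
Write-Host ("Export root element: {0}" -f $export.DocumentElement.Name)

$sha256 = [System.Security.Cryptography.SHA256]::Create()
$bytes  = [System.IO.File]::ReadAllBytes($ExportFile)
$hash   = ([System.BitConverter]::ToString($sha256.ComputeHash($bytes))) -replace '-', ''
Set-Content -Path "$ExportFile.sha256" -Value "$hash  $(Split-Path -Leaf $ExportFile)"
Write-Host "SHA-256 of $ExportFile is $hash"
```

Carry the .sha256 file along with DAC.xml and recompute the hash on the target side before importing; the XML describes the access rules and policies that will govern file access in the new forest, so it deserves the same integrity check you would give any other configuration artifact crossing a trust boundary.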


Importing the Claims Configuration

Now, to import the Dynamic Access Control (DAC) configuration in the target domain, we need the XML file and the Import-ClaimsConfiguration.ps1 script from the Tools folder of the Data Classification Toolkit.

Tip!
We can execute the command from the migration PC in the source Active Directory environment, or from any domain-joined Windows Server 2012-based server in the target Active Directory environment. Either way, the account running it must be able to authenticate to the target Domain Controller and write to the Configuration partition of the target forest, which by default means a member of Enterprise Admins there; without a trust, that means running it in the target environment or supplying target-forest credentials.

Tip!
When you run the import on another server, don't forget to set the execution policy there as well, since both scripts are unsigned even though they originate from Microsoft. Set-ExecutionPolicy RemoteSigned -Scope Process is sufficient for locally installed unsigned scripts and leaves the machine-wide policy untouched; a permanent Unrestricted setting on a server is a broader change than this task needs.

Within PowerShell, from the Tools folder, run the following command, pointing it at the exported file and at a Domain Controller in the target domain:

.\Import-ClaimsConfiguration.ps1 -file C:\DAC.xml -server DC1.targetdomain.tld -ProtectedFromAccidentalDeletion

Example of the output from a successful Import-ClaimsConfiguration.ps1 execution
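A successful run of the import script is not the same as a complete migration, so as an added example (not from the original post or the toolkit) here is a PowerShell inventory that lists the Dynamic Access Control objects of a forest by name, using the Windows Server 2012 ActiveDirectory module cmdlets Get-ADClaimType, Get-ADResourceProperty, Get-ADResourcePropertyList, Get-ADCentralAccessRule and Get-ADCentralAccessPolicy. Run it once in the source forest, carry the saved inventory along with DAC.xml, and run it again in the target forest after the import to see what, if anything, is missing. No trust or connectivity between the forests is needed because the source inventory travels as a file. The host names and file paths are assumptions; the comparison is by object name only.

```powershell
# Added example, not the post's or Microsoft's code. Host names and paths
# are placeholders. Requires the ActiveDirectory module (RSAT-AD-PowerShell)
# on a Windows Server 2012 or later machine.
Import-Module ActiveDirectory

$DacTypes = 'ClaimTypes', 'ResourceProperties', 'ResourcePropertyLists',
            'CentralAccessRules', 'CentralAccessPolicies'

function Get-DacInventory {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [System.Management.Automation.PSCredential]$Credential
    )
    # DAC objects live in the Configuration partition, so any DC of the
    # forest answers for the whole forest.
    $common = @{ Server = $Server; Filter = '*' }
    if ($Credential) { $common['Credential'] = $Credential }

    [pscustomobject]@{
        Server                = $Server
        ClaimTypes            = @(Get-ADClaimType            @common | Select-Object -ExpandProperty Name | Sort-Object)
        ResourceProperties    = @(Get-ADResourceProperty     @common | Select-Object -ExpandProperty Name | Sort-Object)
        ResourcePropertyLists = @(Get-ADResourcePropertyList @common | Select-Object -ExpandProperty Name | Sort-Object)
        CentralAccessRules    = @(Get-ADCentralAccessRule    @common | Select-Object -ExpandProperty Name | Sort-Object)
        CentralAccessPolicies = @(Get-ADCentralAccessPolicy  @common | Select-Object -ExpandProperty Name | Sort-Object)
    }
}

function Compare-DacInventory {
    param(
        [Parameter(Mandatory = $true)]$Source,
        [Parameter(Mandatory = $true)]$Target
    )
    foreach ($type in $DacTypes) {
        $inSource = @($Source.$type)
        $inTarget = @($Target.$type)
        # Names present in the source forest but absent in the target.
        $missing  = @($inSource | Where-Object { $inTarget -notcontains $_ })
        [pscustomobject]@{
            Type            = $type
            InSource        = $inSource.Count
            InTarget        = $inTarget.Count
            MissingInTarget = ($missing -join ', ')
        }
    }
}

# --- In the source forest (alongside the export) ---
# Get-DacInventory -Server 'DC1.sourcedomain.tld' |
#     Export-Clixml -Path 'C:\DAC-source-inventory.xml'

# --- In the target forest, after Import-ClaimsConfiguration.ps1 ---
# $source = Import-Clixml -Path 'C:\DAC-source-inventory.xml'
# $target = Get-DacInventory -Server 'DC1.targetdomain.tld'
# Compare-DacInventory -Source $source -Target $target | Format-Table -AutoSize
```

A non-empty MissingInTarget column means the import was partial and the affected rules or policies will silently not apply once the Group Policy that references them is migrated. Name equality says nothing about the rule bodies, so for a stricter check extend Get-DacInventory to also capture the ResourceCondition and CurrentAcl properties that Get-ADCentralAccessRule returns and compare those strings per rule.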


Concluding

It’s easy, when you know how.

Related blogposts

10 Things you need to be aware of before deploying Dynamic Access Control    
New features in AD DS in Windows Server 2012, Part 20: Dynamic Access Control (DAC) 
Common Challenges when Managing Active Directory Domain Services, Part 2: Unnecessary Complexity and Token Bloat 

Related downloads

Data Classification Toolkit 
Group Policy Management Console Sample Scripts

Further reading

PowerShell – Data Classification Toolkit for Windows Server 2012 
TechNet Library – Data Classification Toolkit 
Important Information about the Data Classification Toolkit 
TechNet Blogs – The Data Classification Toolkit for Windows Server 2012 is now available!  
TechNet Blogs – Data Classification Toolkit for Windows Server 2008 R2-Now Available 
TechNet Blogs – Data Classification Toolkit for Windows Server 2008 R2 
Data Classification Toolkit for Windows Server 2008 R2  
Data Classification Toolkit for Windows Server 2012   
How to Use Microsoft’s Data Classification Toolkit 
Microsoft Solution Accelerators for the Datacenter and Private Cloud Module 6 Part 1 

Acknowledgements

Thanks to Nir Ben-Zvi for the tip.
