
AzureAD Migration Troubleshooting Tips

Printed From: ForensiT
Category: ForensiT Support
Forum Name: Domain Migration
Forum Description: User Profile Wizard questions, suggestions, comments and bug reports
URL: https://forum.ForensiT.com/forum_posts.asp?TID=2112
Printed Date: 27 Nov 2021 at 5:59am
Software Version: Web Wiz Forums 12.03 - http://www.webwizforums.com


Topic: AzureAD Migration Troubleshooting Tips
Posted By: DarrenDK
Subject: AzureAD Migration Troubleshooting Tips
Date Posted: 19 Nov 2021 at 1:57pm
Hey guys, I've probably spent 80+ hours scripting profwiz for AzureAD Migrations and for you guys experiencing the dreaded Error 1317 or Error 1 codes, I wanted to share my observations in hopes it will save you time.
  • Version 24 notes
  • DO NOT PUT QUOTES AROUND ANY PARAMETERS
  • When reading profwiz output, the absence of "A user profile for IMMY-TEST\immy.bot was not found." entry appears to mean it successfully resolved the source user/profile
  • Using /SOURCEACCOUNT $SID appears to be reliable
  • Error 1317 was mitigated by not including the /TARGETACCOUNT switch (This isn't necessary since our config specifies an XML file with only one user)
  • Follow up to this, I ended up including /TARGETACCOUNT user@domain.com and it worked on Version 24
  • Error 1 can be mitigated by using /SOURCEACCOUNT instead of /SOURCEPROFILE (/SOURCEPROFILE is newer and evidently doesn't work)
  • The WorkingDirectory doesn't appear to matter for profwiz.exe; it will always find profwiz.config if it's in the same directory as profwiz.exe
  • A CSV Mapping file isn't necessary for AzureAD migrations
  • A local user account with credentials isn't necessary if you're executing from the SYSTEM context (SCCM/RMM/Etc)
  • Error 1 could be because you must specify a non-empty value in profwiz.config for <Domain>Azure AD</Domain> <---This took me 8 hours to figure out since the logs simply say MIGRATION FAILS and profwiz exits with error code 1
  • The more frustrating thing about this error is that it appears that you can put literally any string in here and it will work, so the value obviously isn't necessary. 
  • The bare minimum config file looks like this:
<ForensiTUserProfileWizard xmlns="http://www.ForensiT.com/schemas">
  <Parameters>
    <Azure>True</Azure>
    <AzureObjectIDFile>C:\Temp\Profwiz-20211117-124301\ForensiTAzureID.xml</AzureObjectIDFile>
    <Domain>Azure AD</Domain>
    <Silent>True</Silent>
  </Parameters>
  <licensing>C3C08AE252...</licensing>
</ForensiTUserProfileWizard>



Replies:
Posted By: Support
Date Posted: 19 Nov 2021 at 2:52pm
Hi,

Many thanks for your feedback. It is much appreciated. There are a few points we need to make for anyone coming across this post.

Firstly, this is great advice for anyone running from the command line. It does not apply if you are running a script generated by the Deployment Kit, or indeed if you are using the GUI. (If you had used the Deployment Kit to configure your Profwiz.config file, you wouldn’t have spent 8 hours trying to find a configuration error! The <Domain> value is there for future use.)

The /SOURCEPROFILE parameter does work.

More crucially, it is true you do not need a Computer CSV Mapping file, but generally you must specify a User CSV Mapping file - a lookup file. User Profile Wizard needs to find the Object ID of the user’s Azure AD user account in the ForensiTAzureID.xml file. It does that by looking for the UPN. The only way it can get the UPN for the user automatically is by mapping the existing user name to the UPN of the Azure AD user account. This is one of the top support issues, and it would be wrong to give the impression that a user lookup file is not normally required.

Can you share the command line you ended up using?




Posted By: DarrenDK
Date Posted: 22 Nov 2021 at 4:09pm
I ended up using 
C:\Temp\Profwiz-20211118-125007\profwiz.exe /SOURCEACCOUNT S-1-5-21-1111111111-11111111111-11111111-12345 /NOREBOOT /LOG C:\WINDOWS\TEMP\ImmyTemp-20211118-125037.log /TARGETACCOUNT immy.bot@domain.com

Regarding /SOURCEPROFILE, I made that note before I realized the absence of an error about not being able to map the user profile meant it was able to map the source profile, so it likely does work.

I'm a bit of a command line purist so I avoid UIs wherever possible, and I understand that this may have made my life a bit harder, but I'm really trying to get down to the bare minimum set of required parameters and I find the GUI adds a lot of unnecessary cruft to the config file. 

If it were up to me I'd add a clientid and clientsecret parameter to the command line and/or profwiz.config file so it can reach out to the Graph API to perform the user mapping real-time like it used to do with the domain credentials instead of having to generate the XML file in PowerShell.


Posted By: DarrenDK
Date Posted: 23 Nov 2021 at 12:40am
Ok, another update:
I re-ran it today and ran into the Error 1 again and this time after 3 more hours learned it was because I wasn't specifying 
<All>False</All>
<OldDomain>DOMAIN</OldDomain>

Honestly I have no idea how I got it to work the other day. Maybe I was specifying a CSV map? I was trying that all day today and then I regenerated a profwiz.config without the user map and saw the options above and started fiddling and got it working.

So ultimately what worked is 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ForensiTUserProfileWizard xmlns="http://www.ForensiT.com/schemas">
<Parameters>
<Azure>True</Azure>
<AzureObjectIDFile>C:\Temp\Profwiz-20211122-182926\ForensiTAzureID.xml</AzureObjectIDFile>
<!-- Corporate Edition Settings -->
<Silent>True</Silent>
<Domain>Azure AD</Domain>
<All>False</All>
<OldDomain>OLDDOMAIN</OldDomain>
</Parameters>
<licensing>C3C08AE2...</licensing>
</ForensiTUserProfileWizard>

No CSV user mapping
No Local Credentials
No Domain Credentials
Yes AzureMapping.xml

C:\Temp\Profwiz-20211122-182926\profwiz.exe /SOURCEACCOUNT S-1-5-21-111111111-11111111-111111111-11111 /NOREBOOT /LOG C:\WINDOWS\TEMP\ImmyTemp-20211122-183013.log /TARGETACCOUNT immy.bot@domain.com

Why does OldDomain matter?


Posted By: Support
Date Posted: 23 Nov 2021 at 9:25am
The <OldDomain> only matters if <All> is set to True and you are not using the command line. In those circumstances, User Profile Wizard will look for all profiles from <OldDomain> to migrate. However, the command line always over-rules Profwiz.config settings.


Posted By: DarrenDK
Date Posted: 23 Nov 2021 at 9:43pm
Further updates after more head slamming.

OldDomain definitely matters, and not only does it matter, it has to be the NETBIOS name of the domain. When I tried olddomain.local, it did not work.

Ironically, the log output shows that profwiz already has this information, yet it still fails unless I put it in the OldDomain XML property.


Posted By: DarrenDK
Date Posted: 23 Nov 2021 at 11:05pm
Ok, going back to /SourceProfile for a moment:

Running C:\Temp\Profwiz-20211123-161930\profwiz.exe /SOURCEPROFILE immy.bot /NOREBOOT /LOG C:\WINDOWS\TEMP\ImmyTemp-20211123-161945.log /TARGETACCOUNT immy.bot@mydomain.com
Streaming C:\WINDOWS\TEMP\ImmyTemp-20211123-161945.log
ForensiT User Profile Wizard 24.1.1285

Licensed to  (50 Seats) License No. 43A6FDE

Copyright (c) 2002-2021 ForensiT Ltd

www.ForensiT.com



23/11/2021 14:20:08.333 Creating migration service... Done.

23/11/2021 14:20:08.354 Starting migration service... Done.

23/11/2021 14:20:09.415 Target device: IMMY-TEST

23/11/2021 14:20:09.418 OS build 10.0.19042.1348. Version 20H2.

23/11/2021 14:20:09.418 Domain: MyDomain

23/11/2021 14:20:10.069 Migrating user account "immy.bot"

23/11/2021 14:20:11.384 Migration Fails.

WARNING: Profwiz returned non-success exit code 1

WARNING: C:\Temp\Profwiz-20211123-161930\ForensiTAzureID.xml
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type='text/xsl' href='style.xsl'?>
<ForensiTAzureID ObjectId="6086eb37-149f-47ce-849b-11111111111111" Name="mydomain.onmicrosoft.com mydomain.mail.onmicrosoft.com mydomain.com" DisplayName="My Companies">
    <User>
        <UserPrincipalName>immy.bot@mydomain.com</UserPrincipalName>
        <ObjectId>b6a47336-ac11-4277-ac45-075d42d3d8b9</ObjectId>
        <DisplayName>Immy Bot Test</DisplayName>
    </User>
</ForensiTAzureID>
WARNING: C:\Temp\Profwiz-20211123-161930\profwiz.config
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ForensiTUserProfileWizard xmlns="http://www.ForensiT.com/schemas">
  <Parameters>
    <Azure>True</Azure>
    <AzureObjectIDFile>C:\Temp\Profwiz-20211123-161930\ForensiTAzureID.xml</AzureObjectIDFile>
    <!-- Corporate Edition Settings -->
    <Silent>True</Silent>
    <Domain>Azure AD</Domain>
    <All>False</All>
    <OldDomain>
    </OldDomain>
  </Parameters>
  <licensing>C3C08AE252...</licensing>
</ForensiTUserProfileWizard>
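
Added example, not part of any post above and not ForensiT code: a PowerShell pre-flight check that tests a profwiz.config and ForensiTAzureID.xml against the conditions reported in this thread (non-empty Domain, All set to False, OldDomain as a NetBIOS name, and the target UPN present in the Azure ID file that Support says is searched by UPN). The function name Test-ProfwizAzureConfig is hypothetical, the sample XML is constructed to mirror the failing config in the last post, and the checks reflect the posters' observations rather than documented requirements.

```powershell
# Added example: checks only the conditions reported in this thread,
# not an official ForensiT validation. Function name is hypothetical.
function Test-ProfwizAzureConfig {
    param(
        [Parameter(Mandatory)][xml]$Config,       # parsed profwiz.config
        [Parameter(Mandatory)][xml]$AzureId,      # parsed ForensiTAzureID.xml
        [Parameter(Mandatory)][string]$TargetUpn  # value passed to /TARGETACCOUNT
    )
    $p = $Config.ForensiTUserProfileWizard.Parameters
    # Missing elements come back as $null, empty ones as ''; normalise both.
    $domain    = ([string]$p.Domain).Trim()
    $all       = ([string]$p.All).Trim()
    $oldDomain = ([string]$p.OldDomain).Trim()

    $problems = @()
    if (-not $domain)     { $problems += '<Domain> is empty (reported cause of Error 1)' }
    if ($all -ne 'False') { $problems += '<All> is not False' }
    if (-not $oldDomain)  { $problems += '<OldDomain> is empty' }
    elseif ($oldDomain.Contains('.')) {
        $problems += "<OldDomain> '$oldDomain' looks like a DNS name, not a NetBIOS name"
    }
    # Support's reply: the Object ID is looked up in ForensiTAzureID.xml by UPN.
    $upns = @($AzureId.ForensiTAzureID.User.UserPrincipalName)
    if ($upns -notcontains $TargetUpn) {
        $problems += "No <User> with UPN '$TargetUpn' in the Azure ID file"
    }
    return $problems
}

# Constructed sample mirroring the failing config in the last post above.
$config = @'
<ForensiTUserProfileWizard xmlns="http://www.ForensiT.com/schemas">
  <Parameters>
    <Azure>True</Azure>
    <Silent>True</Silent>
    <Domain>Azure AD</Domain>
    <All>False</All>
    <OldDomain>
    </OldDomain>
  </Parameters>
</ForensiTUserProfileWizard>
'@
$azureId = @'
<ForensiTAzureID>
  <User><UserPrincipalName>immy.bot@mydomain.com</UserPrincipalName></User>
</ForensiTAzureID>
'@
Test-ProfwizAzureConfig -Config $config -AzureId $azureId -TargetUpn 'immy.bot@mydomain.com'
```

An empty result means none of the reported failure conditions were found; for real files, pass `(Get-Content -Raw <path>)` for each XML parameter.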


