Manage permissions required for migrating an on-premises domain

This page explains how to check if the permissions that are required to migrate an existing Active Directory domain from on-premises to Managed Service for Microsoft Active Directory with SID history are enabled. This page also explains how to disable these permissions after you complete the migration.

Before you begin

Make sure that you have any one of the following Identity and Access Management (IAM) user roles:

  • Google Cloud Managed Identities Domain Admin (roles/managedidentities.domainAdmin)
  • Google Cloud Managed Identities Admin (roles/managedidentities.admin)

For more information, see Cloud Managed Identities roles.

Check permissions

You can check if the permissions that are required to migrate domains with SID history are available on a Managed Microsoft AD domain.

To validate the permissions, run the following gcloud CLI command:

gcloud beta active-directory domains migration check-permissions DOMAIN_NAME

Replace DOMAIN_NAME with the name of your Managed Microsoft AD domain. For example, my-domain.com.

This operation checks whether the Cloud Service Migrate SID Administrators group exists in your Managed Microsoft AD domain and reports the state of SID filtering on each trusted domain.

The response lists the SID filtering state of all the trusted domains and the state of permissions required in your Managed Microsoft AD domain:

onpremDomains:
- name: domain-one.com
  sidFilteringState: ENABLED
- name: domain-two.com
  sidFilteringState: DISABLED
state: ENABLED

Your Managed Microsoft AD domain can have any one of the following states:

  • DISABLED: The Managed Microsoft AD domain doesn't have the permissions required to migrate the on-premises domain with SID history. SID filtering is enabled on all the trusted domains.
  • ENABLED: The Managed Microsoft AD domain has the permissions required to migrate the on-premises domain with SID history. To check the SID filtering state, see the sidFilteringState field for each trusted domain in the response.
  • NEEDS MAINTENANCE: Permissions are in an intermediate state for your Managed Microsoft AD domain. To reset the state, either enable or disable the permissions, as you require.

Disable permissions on the Managed Microsoft AD domain

After you complete the migration, you must disable the permissions provided for migrating your on-premises domain with SID history.

To disable the permissions, run the following gcloud CLI command:

gcloud beta active-directory domains migration disable DOMAIN_NAME

Replace DOMAIN_NAME with the name of your Managed Microsoft AD domain. For example, my-domain.com.

This operation disables the permissions provided to your domain by deleting the Cloud Service Migrate SID Administrators group from Managed Microsoft AD and enables SID filtering on all the trusted domains.
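As an added example (not part of this documentation), the following POSIX shell script audits the YAML response of the check-permissions command described above against the post-migration state this section expects: migration permissions DISABLED and SID filtering ENABLED on every trusted domain. The sample response embedded in the script is constructed from the format shown earlier; the fetch_check_permissions helper and the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of `check-permissions` output, in the shape shown above.
SAMPLE_RESPONSE='onpremDomains:
- name: domain-one.com
  sidFilteringState: ENABLED
- name: domain-two.com
  sidFilteringState: DISABLED
state: ENABLED'

# fetch_check_permissions DOMAIN_NAME: runs the real gcloud command.
# Assumes gcloud is installed and authenticated; not called by the audit
# function, so the rest of this script runs offline.
fetch_check_permissions() {
  gcloud beta active-directory domains migration check-permissions "$1"
}

# audit_migration_permissions: reads check-permissions YAML on stdin and
# prints one finding per line. Returns 1 if the domain still carries
# migration permissions or any trusted domain has SID filtering disabled,
# 0 if it is in the expected post-migration state.
audit_migration_permissions() {
  awk '
    /^- name:/               { domain = $3 }
    /^  sidFilteringState:/  {
      if ($2 != "ENABLED") {
        print "SID filtering " $2 " on trusted domain " domain; bad = 1
      }
    }
    /^state:/ {
      if ($2 != "DISABLED") {
        print "migration permissions state is " $2 " (expected DISABLED)"; bad = 1
      }
    }
    END { exit bad }
  '
}

# count_findings RESPONSE: number of findings the audit reports for RESPONSE.
count_findings() {
  printf '%s\n' "$1" | audit_migration_permissions | wc -l | tr -d ' '
}

# Usage against a live domain:
#   fetch_check_permissions my-domain.com | audit_migration_permissions
```

For the constructed sample the audit reports two findings, one for the ENABLED state and one for domain-two.com, which is exactly what running the disable command in this section is meant to clear.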