Six months ago, I wrote on 10 Things you need to be aware of before deploying Dynamic Access Control. In point 8, I noted that the Active Directory Migration Tool (ADMT) does not support cross-forest migration of Dynamic Access Control (DAC).
As an Active Directory admin, ADMT would obviously be the first tool you look at, since you can cross-forest migrate user accounts, groups and group memberships with it. Unfortunately, you cannot migrate Dynamic Access Control between Active Directory forests with it. The Data Classification Toolkit (DCT), however, can. It is PowerShell only.
About the Data Classification Toolkit (DCT)
The Data Classification Toolkit (DCT) is a free solution accelerator from Microsoft. The latest version, Microsoft Data Classification Toolkit for Windows Server 2012 (version 2.1), supports Dynamic Access Control.
The Data Classification Toolkit for Windows Server 2012 works in conjunction with Windows Server 2008 R2 File Classification Infrastructure (FCI) and Dynamic Access Control in Windows Server 2012 to help IT pros gain insight into stored information, enforce access policies, and configure access policies for files based on claims.
Migrating Dynamic Access Control
So, in an Active Directory environment with multiple Domain Controllers that you want to migrate from, you might have Dynamic Access Control configured. This means you would have created:
- Resource properties
- Property lists
- Central access rules
- Central access policies
Additionally, you would have pushed resource properties to your file servers and deployed the central access policies through Group Policy. Of course, you’ve classified data and have enjoyed using Dynamic Access Control.
When you haven’t actually used file classification with Dynamic Access Control, you might not have any need to migrate the information from your Active Directory forest when you migrate to a new Active Directory forest…
Now, the above four types of information in Active Directory can be migrated with the Data Classification Toolkit, although you might have thought that you needed the Active Directory Migration Tool (ADMT) to do this.
To cross-forest migrate Group Policy Objects (GPOs), you can use the Group Policy Management Console (GPMC) or other solutions, like the BackupGPO.wsf and ImportGPO.wsf scripts from the Group Policy Management Console sample scripts download.
The process for migrating the Dynamic Access Control configuration cross-forest is an export followed by an import. This adds to the flexibility of the solution, since you don’t need to set up a trust or worry about network connectivity or time synchronization (unless you want to).
One downside of using the Data Classification Toolkit to export and import the Dynamic Access Control configuration for a cross-forest migration is that it is only available through PowerShell.
Download the Data Classification Toolkit
The Data Classification Toolkit for Windows Server 2012 is available as a free download from the Microsoft Download Center. Download it here.
Installing the Data Classification Toolkit
After you have downloaded the Data Classification Toolkit, install it on a server in the source domain by double-clicking Microsoft Data Classification Toolkit.msi.
Click on Next in the Welcome screen.
Select the I accept the terms in the License Agreement option and, then, click Next.
Click Change… to choose the location where you want to install the Microsoft Data Classification Toolkit, or simply click Next to accept the default location in the 32-bit Program Files folder.
Click Finish in the Completed the Microsoft Data Classification Toolkit for Windows Server 2012 Setup Wizard.
Exporting the Claims Configuration
As part of the Data Classification Toolkit installation, on the server where you’ve installed it, a Tools folder will be created underneath the installation path. In a default installation, this folder will be:
C:\Program Files (x86)\Microsoft\Data Classification Toolkit\Tools
In this folder you will find two PowerShell scripts: Export-ClaimsConfiguration.ps1 and Import-ClaimsConfiguration.ps1.
We’ll use the Export-ClaimsConfiguration.ps1 script to export the Claims Configuration from the source Active Directory environment. Start PowerShell from the taskbar or Start Screen, change to the Tools folder, and then type the following command:
.\Export-ClaimsConfiguration.ps1 -file C:\DAC.xml -server DC1.sourcedomain.tld -IncludeCentralAccessPolicies
Where C:\DAC.xml is the file to which you want to export the Dynamic Access Control (DAC) configuration of the source Active Directory environment, and DC1.sourcedomain.tld is a Domain Controller in the source domain.
The server needs to be a Global Catalog in the source domain.
The script will export dependent data types, unless you willingly specify the
Now, you will have an XML-based file with the Dynamic Access Control configuration.
Importing the Claims Configuration
Now, to import the Dynamic Access Control (DAC) Configuration in the target domain, we’ll need the XML file. Also, we’ll need the Import-ClaimsConfiguration.ps1 script from the Data Classification Toolkit folder.
We can execute the command from the migration PC in the source Active Directory environment, or from any domain-joined Windows Server 2012-based server in the target Active Directory environment.
On another server, don’t forget to run Set-ExecutionPolicy Unrestricted first, since both scripts are unsigned, even though they originate from Microsoft.
Within PowerShell, point the Import-ClaimsConfiguration.ps1 script at the XML file and at a Domain Controller in the target domain with the following command:
.\Import-ClaimsConfiguration.ps1 -file C:\DAC.xml -server DC1.targetdomain.tld -ProtectedFromAccidentalDeletion
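Because the export and import run in two forests with no trust or connectivity between them, there is no built-in way to confirm that everything arrived. The following wrapper is an added example, not part of the post or of the Data Classification Toolkit: it records the names of the four DAC object types on the source before the export, then compares them against the target after the import. It assumes the ActiveDirectory PowerShell module of Windows Server 2012, the two toolkit scripts in the current folder, and the placeholder server names and file paths from the post; it also relaxes the execution policy only for the current process instead of machine-wide.

```powershell
# Added example, not part of the Data Classification Toolkit: inventory the four DAC
# object types before export and after import, so the migration can be verified
# without a trust or live connectivity between the two forests.
Import-Module ActiveDirectory

function Get-DacInventory {
    param([Parameter(Mandatory)][string]$Server)
    # Sorted names of each DAC object type, so two inventories compare cleanly.
    [pscustomobject]@{
        ResourceProperties    = @(Get-ADResourceProperty     -Filter * -Server $Server | Sort-Object Name | Select-Object -ExpandProperty Name)
        ResourcePropertyLists = @(Get-ADResourcePropertyList -Filter * -Server $Server | Sort-Object Name | Select-Object -ExpandProperty Name)
        CentralAccessRules    = @(Get-ADCentralAccessRule    -Filter * -Server $Server | Sort-Object Name | Select-Object -ExpandProperty Name)
        CentralAccessPolicies = @(Get-ADCentralAccessPolicy  -Filter * -Server $Server | Sort-Object Name | Select-Object -ExpandProperty Name)
    }
}

function Compare-DacInventory {
    param($Source, $Target)
    # Report every source object whose name is absent from the target.
    foreach ($type in 'ResourceProperties','ResourcePropertyLists','CentralAccessRules','CentralAccessPolicies') {
        $missing = @($Source.$type | Where-Object { $Target.$type -notcontains $_ })
        if ($missing.Count -gt 0) { Write-Warning "$type missing in target: $($missing -join ', ')" }
        else { Write-Host "$type OK ($(@($Source.$type).Count) objects)" }
    }
}

# Placeholder server names from the post; replace with your own Domain Controllers.
$sourceDc = 'DC1.sourcedomain.tld'
$targetDc = 'DC1.targetdomain.tld'

# Relax the execution policy for this process only, not for the whole machine.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force

# --- Source forest: the export must be taken from a Global Catalog, so check first.
if (-not (Get-ADDomainController -Identity $sourceDc -Server $sourceDc).IsGlobalCatalog) {
    throw "$sourceDc is not a Global Catalog"
}
Get-DacInventory -Server $sourceDc | ConvertTo-Json | Set-Content C:\DAC-inventory.json
.\Export-ClaimsConfiguration.ps1 -file C:\DAC.xml -server $sourceDc -IncludeCentralAccessPolicies

# ... copy C:\DAC.xml and C:\DAC-inventory.json to the target environment ...

# --- Target forest: import, then compare against the recorded source inventory.
.\Import-ClaimsConfiguration.ps1 -file C:\DAC.xml -server $targetDc -ProtectedFromAccidentalDeletion
$before = Get-Content C:\DAC-inventory.json -Raw | ConvertFrom-Json
Compare-DacInventory -Source $before -Target (Get-DacInventory -Server $targetDc)
```

In practice the source half runs on the migration server in the source forest and the target half on a Windows Server 2012 member in the target forest, with only the two files carried across.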
It’s easy, when you know how.
10 Things you need to be aware of before deploying Dynamic Access Control
New features in AD DS in Windows Server 2012, Part 20: Dynamic Access Control (DAC)
Common Challenges when Managing Active Directory Domain Services, Part 2: Unnecessary Complexity and Token Bloat
Data Classification Toolkit
Group Policy Management Console Sample Scripts
PowerShell – Data Classification Toolkit for Windows Server 2012
TechNet Library – Data Classification Toolkit
Important Information about the Data Classification Toolkit
TechNet Blogs – The Data Classification Toolkit for Windows Server 2012 is now available!
TechNet Blogs – Data Classification Toolkit for Windows Server 2008 R2-Now Available
TechNet Blogs – Data Classification Toolkit for Windows Server 2008 R2
Data Classification Toolkit for Windows Server 2008 R2
Data Classification Toolkit for Windows Server 2012
How to Use Microsoft’s Data Classification Toolkit
Microsoft Solution Accelerators for the Datacenter and Private Cloud Module 6 Part 1
Thanks to Nir Ben-Zvi for the tip.