David Everett here again. I’ve had a couple customers contact me wanting to migrate an Authorization Manager (Azman) store and I thought others wishing to do the same might find this useful. This need typically arises when someone has been testing AzMan in a test domain and they want to preserve all of the time and effort by moving the AzMan store to their production domain, or they may find they want to run AzMan using an XML file instead of Active Directory. For those who are not aware of what Authorization Manger is, it is a role-based access control (RBAC) framework which applications can use to perform Role Based authentication. Role-based authentication grants permissions to users who have been assigned to certain roles to perform job functions allowing them to perform related tasks within the application. Azman.msc is the MMC snap-in used to manage these roles which can be stored in an XML file or in Active Directory. Follow this link to learn more about AzMan.
While there is no production tool meant to provide this, the developers for AzMan have created an un-supported sample application called azmigrate.exe which is in the Windows SDK. This tool can export the AzMan store allowing migrations from AD to XML or from XML to AD. The exported content retains all SIDs currently assigned to a role and can be imported to a new Active Directory domain or loaded right from the XML file that was generated from the export.
To get azmigrate.exe you must download the Windows SDK and once it is installed you need to:
1) Compile the AzMigrate project using Visual Studio:
a. Select File > Open > Project/Solution.
b. Change the Solutions Configurations drop-down in the toolbar from Debug to Release.
c. Select AzMigrate.vcproj located under %programfiles%\Microsoft SDKs\Windows\v6.1\Samples\Security\Authorization\AzMan\AzMigrate.
NOTE: If you are prompted to run the Conversion Wizard, do so
2) In Visual Studio select Build > Build Solution, then click Build > Build AzMigrate and get the compiled binary from %Program Files%\Microsoft SDKs\Windows\v6.1\Samples\Security\Authorization\AzMan\AzMigrate\Win32\Release.
NOTE: If you encounter issues while compiling please refer to Visual Studio Help documentation.
Once you’ve compiled azmigrate.exe, here’s the syntax needed to export the AzMan store from Active Directory to an XML file in the C:\Temp folder:
AzMigrate.exe “msxml://C:/ Temp/AzmanStore.xml” “msldap://dc0.contoso.com:389/CN=AzmanStore,CN=Program Data,DC=contoso,DC=com” /o /l=C:\temp\export.log /v
NOTE: you need to get the correct DN for your AzMan store and modify the string above. To do this open azman.msc and view the Properties of the AzMan store then copy the DN from the Name field.
The exported XML file can now be loaded in azman.msc directly from the XML file or you can import the file to another Active Directory domain where the Domain Function Level has been raised to Windows Server 2003 by running using this command:
AzMigrate.exe “msldap://dc0.contoso.com:389/CN=AzmanStore,CN=Program Data,DC=child,DC=contoso,DC=com” “msxml://C:/ Temp/AzmanStore.xml” /o /l=C:\temp\import.log /v
Note that the export and import LDAP paths cited above target a specific DC. If when importing you encounter an error containing “More data is available” in the error string you may be importing the file from a member computer that is not joined to the same domain as the DN listed in the msldap:// string specified on your import command. When this occurs the import is unsuccessfully attempted against a DC belonging to the domain of the computer you are logged onto instead of a DC in the domain specified in the DN. When this occurs the import command looked like this:
AzMigrate.exe “msldap://CN=AzmanStore,CN=Program Data,DC=child,DC=contoso,DC=com” “msxml://C:/ Temp/AzmanStore.xml” /o /l=C:\temp\import.log /v
This can be avoided by specifically targeting a DC in the domain you want to import to using the desired LDAP port as shown in the second example above.
Finally, one other error you might encounter when importing is “FAILED.ERROR MSG:The specified server cannot perform the requested operation.” If you encounter this error make sure the Domain Function Level has been raised to Windows Server 2003.
– David “You’re the Azman!” Everett