Understanding Audit
Table of Contents
- 1 Running a Pre-Migration Audit
- 2 Audit Report Contents
- 2.1 Administrative Accounts
- 2.2 Blank Password Match
- 2.3 CPU Type
- 2.4 Cached Logons
- 2.5 COMPlus
- 2.6 Computer Name Test
- 2.7 Disk Configuration Test
- 2.8 Dock Intercept
- 2.9 Domain Controller
- 2.10 Domain Test
- 2.11 DotNet
- 2.12 FIPS
- 2.13 Firewall
- 2.14 Group Policies
- 2.15 IIS
- 2.16 LAN Manager
- 2.17 Network Identity Cards
- 2.18 OS Viable
- 2.19 Port
- 2.20 RAM
- 2.21 Remote Access
- 2.22 System Roots
- 2.23 System Types
- 2.24 Windows2k
Running a Pre-Migration Audit
Audit verifies whether the source and destination machines comply with the requirements listed in https://virtamove.atlassian.net/wiki/spaces/VDOC/pages/310706978. You can run the Audit check from the Administrative Console by clicking Run Audit before you find applications on the source machine, or from the CLI by executing virtaaudit.
For each pre-requisite, the Audit Report will indicate findings as follows:
Pass - the pre-requisite is met and migration can proceed.
Warning - an informational warning; the migration can proceed but identified issues may at some point prevent the successful migration of applications.
Blocked - the pre-requisite is not met, the issue is blocking and VirtaMove will not proceed with the migration. You must address and correct blocking issues and attempt the migration again.
You can view the Audit Report to determine what a problem is as follows:
Open the Audit Report in the appliance ctrack/log folder, or
Click the Audit Report tab in the Appliance Logs tab in the Administrative Console.
Running Audit from the Administrative Console
Double-click the VirtaMove Administrative Console shortcut on your desktop.
Create a container:
Click Application on the Menu bar
Click "Create Empty VAA"
Click the Tether tab
Enter the source machine's information.
Click Run Audit.
To check the output, click the Appliance Logs tab and then click the Audit Report tab.
Audit Report Contents
Administrative Accounts
This is a blocking issue.
This section indicates whether VirtaMove Source Agent is running on the source machine.
This section indicates whether the user is logged in to the source machine as a member of the Administrators Group. If the VirtaMove Source Agent is installed, the Administrator check is not relevant because there is no user.
For assistance with setting administrator credentials, contact your system administrator.
The account that is being used to migrate must be part of the Distributed COM Users group.
Blank Password Match
This is a blocking issue.
This section identifies whether the LimitBlankPasswordUse registry key value on the source machine is the same on the destination. In the case of a mismatch, update the value on the destination machine to match the value on the source machine:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse
CPU Type
This section identifies the bitness of the source machine (x86 or x64) and the model of the processor that is on the source and destination machine.
Example:
CPU Type: Pass
*Remote: x86
*Remote CPUs: 1
*Local CPUs: 2
Cached Logons
This section specifies the number of cached logins on the source machine. This is a warning if the number is less than 10.
Automatic services that authenticate with a domain controller may not start on reboot if the number of cached logins set for the source machine is not sufficient or if cached logins are disabled (set to 0).
To change the number of cached logins, contact your system administrator.
COMPlus
This is a blocking issue.
Note: This check is not performed for Windows Server 2000 migrations.
This section indicates whether COM+ is enabled, COM+ access is enabled, and whether Remote COM+ Network is enabled.
Requirement | Description |
Registry key value | If the registry key value If Additionally, if RemoteAccessEnabled is disabled on the source machine, attempts to connect from the destination machine to the source machine and list COM+ applications on the source machine will result in an error. |
Membership in the Distributed COM Users Group | The account used to perform the export (the account specified in the tether credentials) must be a member of the Distributed COM Users group on the source machine. Otherwise, the export will fail. |
Configure your firewall to allow DCOM connections | You may need to configure your firewall to allow DCOM connections. For information, see: |
| For Windows Server 2003 Source Machines To ensure that VirtaMove can access COM/COM+ components related to your application, the Application Server Role must be installed and the following key must be enabled (set to 1) on the source server: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\complusnetwork A reboot is not required after you change the value of this key. For Windows Server 2008 and Higher Source Machines For Windows Server 2008 and higher source machines, the |
Computer Name Test
This is a blocking issue.
This section indicates whether:
the hostname of the remote machine is longer than 15 characters
the hostname of the destination machine is shorter than 15 characters
If one or both of the above checks are true, this will cause issues with the Config-on-the-Fly process. The host name can be more than 15 characters. However, the NetBIOS name is limited to 15 characters or fewer, which is why the host name and the NetBIOS values are different if the name is longer than 15 characters.
Example:
Disk Configuration Test
This section provides information on how big the source machine and the destination machine drives are. A warning will be generated if the source machine drive is bigger than the destination machine drive.
This section indicates whether the system drives match on the destination and source machines.
If the system drives do not match, contact your system administrator.
Dock Intercept
This is a blocking issue.
This section indicates whether the sanity test has passed or not on the destination machine. VirtaMove requires the ability to intercept system calls between the application and the operating system on the destination machine. Certain conditions on an operating system, such as antivirus software or group account permissions, may interfere with VirtaMove software and an attempt to dock a container.
The following error message may be displayed when Audit fails:
Domain Controller
This section indicates whether the source machine is a domain controller, a server that responds to authentication requests and verifies users on a Windows domain.
Domain Test
This section indicates the name of the source domain and the name of the destination domain. A warning is generated if the domains have different names.
DotNet
This is a blocking issue.
This section identifies whether .NET Framework version 4.0 or greater is installed on the source machine. If so, you must install .NET Framework 4.0 or 4.5 on the destination machine before you perform a migration. On Windows Server 2012 R2, it is not possible to install version 4.0: you must install version 4.5.
To download .NET Framework 4, go to http://www.microsoft.com/en-ca/download/details.aspx?id=17718
This section identifies whether .NET Framework 1.1 is installed on the source machine. If your application requires .NET Framework, you must install .NET Framework 1.1 on the destination machine.
To download .NET Framework 1.1, go to: http://www.microsoft.com/en-ca/download/details.aspx?id=26
FIPS
This is a blocking issue.
This section indicates whether the FIPS Level is enabled or disabled on the source and destination machines. Some IIS migrations and other application migrations may be affected by a Federal Information Processing Standard (FIPS) setting. This setting may result in the error "Unable to validate data".
Firewall
This section indicates the firewall state of the three networking profiles (private, domain, public) on the destination and source machines. If the corresponding states differ between the two machines, a warning will be shown here.
This section may display *Unknown* for the firewall state. This may occur because the source machine is running an older version of Windows Server (2003 or earlier), which has only one network profile.
A firewall comparison tool is available if you want to compare firewall rule differences or troubleshoot firewall issues between the source and destination. See Comparing Group Policies between Source and Destination for more information.
Group Policies
This audit is not available on Windows 2000 or earlier. A group policy report will not be generated.
The group policy section in the audit report indicates whether group policy information was successfully collected from the source and destination machines. If the audit was successful, then you can perform a group policy comparison using the Group Policy Comparison Tool (https://virtamove.atlassian.net/wiki/spaces/VE/pages/309297809/Group+Policy+Comparison+Tool?search_id=8befec8f-bb8f-4f46-ac1d-6efb11f17c83) from the Administrative Console. If the audit was not successful, the audit report will indicate why group policy information could not be collected.
IIS
This section indicates whether Microsoft Web Deploy is installed on the destination and source machines.
Web Deploy 3.5 or higher is required on the source machine for IIS web application migrations. Web Deploy is a tool that simplifies migration, management, and deployment of IIS web servers and web applications. You must install Web Deploy on the source machine, selecting "complete" or full mode at installation time. VirtaMove will automatically install Web Deploy on the destination machine.
If Web Deploy 3.0 was installed on the source server and you subsequently installed Web Deploy 3.5 or higher in order to successfully migrate your application after the source and destination machines are connected via VirtaMove Source Agent, you will need to run
on the destination server so that the destination server will recognize the new installation of Web Deploy on the source server. It indicates whether Web Deployment Agent is installed and started.
Microsoft IIS applications use port 80 by default. This section indicates whether port 80 is open on the source machine.
If a required port is not open, you must open the port. For information about how to open a port, see for example: How can I open or forward a port on my router?
LAN Manager
This section indicates whether the LAN Manager Authentication Level is defined on the destination machine.
The destination machine may require that the "LAN Manager authentication level" setting be set to "Send LM & NTLM responses". This setting may be required if:
A machine has been removed from the domain, OR
Active Directory is unavailable, AND
The source machine is Windows Server 2003
You can test whether this pre-requisite applies to your situation. From the destination machine, try to access the UNC path to the source machine (i.e., \\<sourcemachine>\c$). You will be prompted for credentials to connect to the source machine. If authentication is successful and you can see the C: drive of the source machine, then VirtaMove Tether connection will succeed and you may ignore this pre-requisite.
Change the setting as follows:
At the Start menu, type secpol.msc in the search line and press Enter. The Local Security Policy editor opens.
Double-click Local Policies.
Click Security Options.
Double-click Network Security: LAN Manager authentication level.
Select Send LM & NTLM responses, and then click OK.
Close the Local Security Policy editor.
Network Identity Cards
This section indicates how many Network Identity Cards (NICs) are on the source and destination machine.
OS Viable
This is a blocking issue.
This section indicates whether the operating system version of the destination machine is equal to or greater than the source operating system version.
If the versions of the operating systems are not viable, contact your system administrator.
Port
This section of the report indicates the status of the required ports on the source machine.
Check that there is connectivity end-to-end from the destination server to the source on port 445. This is a blocking issue if VirtaMove Source Agent is not being used and port 445 is not open. End-to-end means that the port is open at the Windows firewalls, at the cloud-instance firewalls, and at any perimeter firewalls between the two servers. If the use of port 445 is not permitted on the network or is a concern, use a virtual private network (VPN) to establish connectivity between the destination and source machines.
For IIS migrations, make sure that port 80 is open because it is required by Web Deploy.
For migrations that use VirtaMove Source Agent, make sure that port 9665 is open on the source machine. Port 9665 is required to establish a connection to the VirtaMove Source Agent on the source machine. Two inbound rules must be created on the source machine: one for the TCP and one for the UDP port (both 9665). See https://technet.microsoft.com/en-us/library/ms345310(v=sql.100).aspx for more information.
VirtaMove Source Agent communicates through TCP port number 9665 by default. You can configure the port number to a different number if required. See VirtaMove Source Agent for more information.
If the Audit Report indicates that a required port is closed, make sure that external nodes between the destination machine and the source machine also permit communication across these ports (port 445, 9665, etc.). For example, if you are migrating to an Amazon Web Services (AWS) managed cloud server, make sure that AWS also has these ports opened.
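The end-to-end requirement described above can be checked from the destination machine before running Audit. The following PowerShell is an added example, not VirtaMove code; SOURCE-HOST is a placeholder, the function name is hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not VirtaMove code). Run on the destination machine.
$Source = 'SOURCE-HOST'   # placeholder: name or IP address of the source machine
$ports = @(
    @{ Port = 445;  Use = 'Tether without VirtaMove Source Agent (blocking if closed)' }
    @{ Port = 9665; Use = 'VirtaMove Source Agent, default port' }
    @{ Port = 80;   Use = 'IIS migrations (Web Deploy)' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout: packets are being dropped somewhere on the
        # path (Windows, cloud-instance or perimeter firewall) or the host is down.
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'No response' }
        $client.EndConnect($pending)   # throws if the connection attempt failed
        return 'Open'
    } catch {
        $code = $_.Exception.GetBaseException().SocketErrorCode
        # An active refusal: the host (or a device in front of it) answered,
        # but nothing accepts connections on that port.
        if ($code -eq 'ConnectionRefused') { return 'Refused' }
        return "Error: $code"
    } finally {
        $client.Close()
    }
}

foreach ($p in $ports) {
    [pscustomobject]@{
        Source = $Source
        Port   = $p.Port
        Use    = $p.Use
        Result = Test-TcpPort -ComputerName $Source -Port $p.Port
    }
}
```

A TCP connect cannot confirm the UDP 9665 inbound rule; check that rule on the source machine's firewall itself.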
Open Ports on the Destination Machine Firewall
Open appropriate ports on the destination machine firewall to ensure that the application can be reached once it is migrated. SQL Server, for example, requires port 1433 by default. Microsoft IIS applications use port 80 by default. Other applications or database servers may require different ports. For more information, consult application documentation and/or contact VirtaMove Support.
Remote services will not be retrieved if communication with the source machine is interrupted during the tethering process (for example, if the firewall on the source machine is enabled while tether is in progress).
RAM
This section identifies the amount of RAM available on the source and destination machine.
Remote Access
This is a blocking issue.
If the VirtaMove Source Agent is active, the Remote Access test is not performed.
Remote Access must be enabled to accept COM requests and may be required for DCOM.
To enable remote access, the registry key values Com+Enabled and RemoteAccessEnabled must be set to 1 in the HKLM\SOFTWARE\Microsoft\COM3 registry key on the source machine. The Remote Access enabled value is used in the COMPlus check. Enable the key as follows:
Start Registry Editor.
Locate and click the following key in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
Set the registry key value RemoteAccessEnabled to 1.
Set the registry key value Com+Enabled to 1.
Quit Registry Editor.
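The registry-backed checks in this report (Blank Password Match, Cached Logons, LAN Manager and Remote Access) can be read directly on each machine before running Audit. The following PowerShell is an added example, not VirtaMove code; it assumes PowerShell 3.0 or later, the function names are hypothetical, and the CachedLogonsCount and LmCompatibilityLevel value names are the standard Windows locations rather than names given on this page.

```powershell
# Added example (not VirtaMove code). Run on the source, then on the destination.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$com3 = 'HKLM:\SOFTWARE\Microsoft\COM3'
$checks = @(
    @{ Check = 'Blank Password Match'; Path = $lsa;  Name = 'LimitBlankPasswordUse' }
    @{ Check = 'Remote Access';        Path = $com3; Name = 'Com+Enabled' }
    @{ Check = 'Remote Access';        Path = $com3; Name = 'RemoteAccessEnabled' }
    # Assumed: Winlogon\CachedLogonsCount backs the cached-logons setting.
    @{ Check = 'Cached Logons'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'CachedLogonsCount' }
    # Assumed: LmCompatibilityLevel backs "LAN Manager authentication level"
    # (0 = Send LM & NTLM responses).
    @{ Check = 'LAN Manager'; Path = $lsa; Name = 'LmCompatibilityLevel' }
)

function Get-AuditRegistryValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-AuditFinding {
    param([string]$Name, $Value)
    if ($null -eq $Value) { return 'Not set' }
    switch ($Name) {
        # Page rule: warning when fewer than 10 logons are cached (0 disables caching).
        'CachedLogonsCount' { if ([int]$Value -lt 10) { 'Warning' } else { 'Pass' } }
        # Page rule: both COM3 values must be 1 on the source machine.
        { $_ -in 'Com+Enabled', 'RemoteAccessEnabled' } { if ($Value -eq 1) { 'Pass' } else { 'Blocked' } }
        # Remaining values are judged by comparing source and destination.
        default { 'Compare with other machine' }
    }
}

$snapshot = foreach ($c in $checks) {
    $value = Get-AuditRegistryValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Check    = $c.Check
        Value    = '{0}\{1}' -f $c.Path, $c.Name
        Data     = $value
        Finding  = Get-AuditFinding -Name $c.Name -Value $value
    }
}

$snapshot | Format-Table -AutoSize
# Keep a record of the values as they were before any change made for the migration.
$snapshot | ConvertTo-Json | Set-Content -Path ".\audit-registry-$env:COMPUTERNAME.json"
```

The Blocked finding for the COM3 values applies to the source machine only, and the Remote Access test is not performed when VirtaMove Source Agent is active.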
For less than Windows Server 2008
The following key must be set to 1 or undefined:
For Windows Server 2008 or higher
The Remote Account must be the built-in Administrator (not just an Administrator), or the following key must be set to 1 on both the source and destination machine:
Remote Administrative Shares Enabled
Remote administrative shares (such as c$, d$, etc.) must be enabled in the registry on the source machine. Administrative shares must be enabled to copy data over the network.
If remote administrative shares are disabled, contact your system administrator.
System Roots
This is a blocking issue.
This section indicates whether the system root drives match on the destination and source machines, and identifies the drive letter on each machine.
IIS application migrations require that system root drives match on the destination and source machines.
If the system root drives do not match, contact your system administrator.
System Types
This is a blocking issue.
The operating systems of the destination and source machines must both be server operating systems.
If the operating systems do not match (for example, one is a server and the other is a desktop system), contact your system administrator.
Windows2k
This section indicates whether the OS on the source machine is Windows 2000.