Understanding Audit

Running a Pre-Migration Audit

Audit verifies whether the source and destination machines comply with the requirements listed in https://virtamove.atlassian.net/wiki/spaces/VDOC/pages/310706978. You can run the Audit check from the Administrative Console by clicking Run Audit before you find applications on the source machine, or from the CLI by executing virtaaudit.

For each pre-requisite, the Audit Report will indicate findings as follows:

  • Pass - the pre-requisite is met and migration can proceed.

  • Warning - an informational warning; the migration can proceed but identified issues may at some point prevent the successful migration of applications.

  • Blocked - the pre-requisite is not met; the issue is blocking and VirtaMove will not proceed with the migration. You must address and correct blocking issues and attempt the migration again.

You can view the Audit Report to determine what a problem is as follows:

  • Open the Audit Report in the appliance ctrack/log folder, or

  • Click the Audit Report tab in the Appliance Logs tab in the Administrative Console.

Running Audit from the Administrative Console

  1. Double-click the VirtaMove Administrative Console shortcut on your desktop.

  2. Create a container:

    1. Click Application on the Menu bar.

    2. Click "Create Empty VAA".

  3. Click the Tether tab

  4. Enter the source machine's information.

  5. Click Run Audit.

  6. To check the output, click the Appliance Logs tab and then click the Audit Report tab.

Audit Report Contents

Administrative Accounts

This is a blocking issue.

This section indicates whether VirtaMove Source Agent is running on the source machine.

This section indicates whether the user is logged in to the source machine as a member of the Administrators Group. If the VirtaMove Source Agent is installed, the Administrator check is not relevant because there is no user.

For assistance with setting administrator credentials, contact your system administrator.

The account that is being used to migrate must be part of the Distributed COM Users group.

Blank Password Match

This is a blocking issue.

This section identifies whether the LimitBlankPasswordUse registry key value on the source machine is the same as on the destination machine. In the case of a mismatch, update the value on the destination machine to match the value on the source machine:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse 

CPU Type

This section identifies the bitness of the source machine (x86 or x64) and the model of the processor that is on the source and destination machine.

Example:

CPU Type: Pass   *Remote: x86 *Remote CPUs: 1 *Local CPUs: 2

Cached Logons

This section specifies the number of cached logins on the source machine. This is a warning if the number is less than 10.

Automatic services that authenticate with a domain controller may not start on reboot if the number of cached logins set for the source machine is not sufficient or if cached logins are disabled (set to 0).

To change the number of cached logins, contact your system administrator.

COMPlus

This is a blocking issue.

Note: This check is not performed for Windows Server 2000 migrations.

This section indicates whether COM+ is enabled, COM+ access is enabled, and whether Remote COM+ Network is enabled.

 

Requirement: Registry key value Com+Enabled

If the registry key value Com+Enabled in the HKLM\SOFTWARE\Microsoft\COM3 registry key is set to 0 (disabled) on the source machine, attempts to connect from the destination machine to the source machine and list COM+ applications on the source machine will result in an error.

If Com+Enabled is disabled on the destination machine, it will not be possible to list COM+ applications on the destination machine or install COM+ applications on the destination machine, which means that containers that have COM+ application packages will fail to dock.

Additionally, if RemoteAccessEnabled is disabled on the source machine, attempts to connect from the destination machine to the source machine and list COM+ applications on the source machine will result in an error.

Requirement: Membership in the Distributed COM Users Group

The account used to perform the export (the account specified in the tether credentials) must be a member of the Distributed COM Users group on the source machine. Otherwise, the export will fail.

Requirement: Configure your firewall to allow DCOM connections

You may need to configure your firewall to allow DCOM connections. For information, see:

How to Configure the Firewall to Allow DCOM Connections

Requirement: complusnetwork registry key

For Windows Server 2003 Source Machines

To ensure that VirtaMove can access COM/COM+ components related to your application, the Application Server Role must be installed and the following key must be enabled (set to 1) on the source server:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\complusnetwork

A reboot is not required after you change the value of this key.

For Windows Server 2008 and Higher Source Machines

For Windows Server 2008 and higher source machines, the complusnetwork key does not exist. However, port 135 must be open to allow VirtaMove access to COM/COM+ components. For more information, see: https://technet.microsoft.com/en-us/library/cc731967(v=ws.11).aspx.

 

Computer Name Test

This is a blocking issue.

This section indicates whether:

  • the hostname of the remote machine is longer than 15 characters

  • the hostname of the destination machine is shorter than 15 characters

If one or both of the above checks are true, this will cause issues with the Config-on-the-Fly process. The host name can be more than 15 characters. However, the NetBIOS name is limited to 15 characters or less, which is why the host name and the NetBIOS name differ if the host name is longer than 15 characters.

Example:

Disk Configuration Test

This section provides information on how big the source machine and the destination machine drives are. A warning will be generated if the source machine drive is bigger than the destination machine drive.

This section indicates whether the system drives match on the destination and source machines.

If the system drives do not match, contact your system administrator.

Dock Intercept

This is a blocking issue.

This section indicates whether the sanity test has passed on the destination machine. VirtaMove requires the ability to intercept system calls between the application and the operating system on the destination machine. Certain conditions on an operating system, such as antivirus software or group account permissions, may interfere with VirtaMove software and an attempt to dock a container.

The following error message may be displayed when Audit fails:

Domain Controller

This section indicates whether the source machine is a domain controller, a server that responds to authentication requests and verifies users on a Windows domain.

Domain Test

This section indicates the name of the source domain and the name of the destination domain. A warning is generated if the domains have different names.

DotNet

This is a blocking issue.

This section identifies whether .NET Framework version 4.0 or greater is installed on the source machine. If so, you must install .NET Framework 4.0 or 4.5 on the destination machine before you perform a migration. On Windows Server 2012 R2, it is not possible to install version 4.0: you must install version 4.5.

To download .NET Framework 4, go to http://www.microsoft.com/en-ca/download/details.aspx?id=17718

This section identifies whether .NET Framework 1.1 is installed on the source machine. If your application requires .NET Framework, you must install .NET Framework 1.1 on the destination machine.

To download .NET Framework 1.1, go to: http://www.microsoft.com/en-ca/download/details.aspx?id=26

FIPS

This is a blocking issue.

This section indicates whether the FIPS Level is enabled or disabled on the source and destination machine. Some IIS migrations and other application migrations may be affected by a Federal Information Processing Standard (FIPS) setting. This setting may result in the error "Unable to validate data".

Firewall

This section indicates the firewall state of the three networking profiles (private, domain, public) on the destination and source machines. If the corresponding states differ between the two machines, a warning will be shown here.

This section may display *Unknown* for the firewall state. This may occur because the source machine is running an older version of Windows Server (2003 or earlier), which has only one network profile.

A firewall comparison tool is available if you want to compare firewall rule differences or troubleshoot firewall issues between the source and destination. See Comparing Group Policies between Source and Destination for more information.

Group Policies

This audit is not available on Windows 2000 or earlier. A group policy report will not be generated.

The group policy section in the audit report indicates whether group policy information was successfully collected from the source and destination machines. If the audit was successful, then you can perform a group policy comparison using the Group Policy Comparison Tool (https://virtamove.atlassian.net/wiki/spaces/VE/pages/309297809/Group+Policy+Comparison+Tool?search_id=8befec8f-bb8f-4f46-ac1d-6efb11f17c83) from the Administrative Console. If the audit was not successful, the audit report will indicate why group policy information could not be collected.

IIS

This section indicates whether Microsoft Web Deploy is installed on the destination and source machines.

Web Deploy 3.5 or higher is required on the source machine for IIS web application migrations. Web Deploy is a tool that simplifies migration, management, and deployment of IIS web servers and web applications. You must install Web Deploy on the source machine, selecting "complete" or full mode at installation time. VirtaMove will automatically install Web Deploy on the destination machine.

If Web Deploy 3.0 was installed on the source server and you subsequently installed Web Deploy 3.5 or higher in order to successfully migrate your application after the source and destination machines are connected via VirtaMove Source Agent, you will need to run

on the destination server so that the destination server will recognize the new installation of Web Deploy on the source server. It indicates whether Web Deployment Agent is installed and started.

Microsoft IIS applications use port 80 by default. This section indicates whether port 80 is open on the source machine.

If a required port is not open, you must open the port. For information about how to open a port, see for example: How can I open or forward a port on my router?

LAN Manager

This section indicates whether the LAN Manager Authentication Level is defined on the destination machine.

The destination machine may require that the "LAN Manager authentication level" setting be set to "Send LM & NTLM responses". This setting may be required if:

  • A machine has been removed from the domain, OR

  • Active Directory is unavailable, AND

  • The source machine is Windows Server 2003

You can test whether this pre-requisite applies to your situation. From the destination machine, try to access the UNC path to the source machine (i.e., \\<sourcemachine>\c$). You will be prompted for credentials to connect to the source machine. If authentication is successful and you can see the C: drive of the source machine, then VirtaMove Tether connection will succeed and you may ignore this pre-requisite.

Change the setting as follows:

  1. At the Start menu, type secpol.msc in the search line and press Enter. The Local Security Policy editor opens.

  2. Double-click Local Policies.

  3. Click Security Options.

  4. Double-click Network Security: LAN Manager authentication level.

  5. Select Send LM & NTLM responses, and then click OK.

  6. Close the Local Security Policy editor.

Network Identity Cards

This section indicates how many Network Identity Cards (NICs) are on the source and destination machine.

OS Viable

This is a blocking issue.

This section indicates whether the operating system version of the destination machine is equal to or greater than the source operating system version.

If the versions of the operating systems are not viable, contact your system administrator.

Port

This section of the report indicates the status of the required ports on the source machine.

  • Check that there is connectivity end-to-end from the destination server to the source on port 445. This is a blocking issue if VirtaMove Source Agent is not being used and port 445 is not open. End-to-end means that the port is open at the Windows firewalls, at the cloud-instance firewalls, and at any perimeter firewalls between the two servers. If the use of port 445 is not permitted on the network or is a concern, use a virtual private network (VPN) to establish connectivity between the destination and source machines.

  • For IIS migrations, make sure that port 80 is open because it is required by Web Deploy.

  • For migrations that use VirtaMove Source Agent, make sure that port 9665 is open on the source machine. Port 9665 is required to establish a connection to the VirtaMove Source Agent on the source machine. Two inbound rules must be created on the source machine: one for the TCP and one for the UDP port (both 9665). See https://technet.microsoft.com/en-us/library/ms345310(v=sql.100).aspx for more information.

VirtaMove Source Agent communicates through TCP port number 9665 by default. You can configure the port number to a different number if required. See VirtaMove Source Agent for more information.

If the Audit Report indicates that a required port is closed, make sure that external nodes between the destination machine and the source machine also permit communication across these ports (port 445, 9665, etc.). For example, if you are migrating to an Amazon Web Services (AWS) managed cloud server, make sure that AWS also has these ports opened.
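The port requirements above can be checked end-to-end from the destination machine before running Audit. The following PowerShell is an added example, not VirtaMove code; the function names, parameters and the host name are assumptions, and port 135 is included because the COMPlus section requires it for Windows Server 2008 and higher source machines.

```powershell
# Added example (not VirtaMove code). Run from the destination machine.
# Uses TcpClient rather than Test-NetConnection so it also runs on older PowerShell.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A timeout usually means a firewall silently dropped the packets.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)      # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-SourcePorts {
    # All parameter names are hypothetical; $AgentPort defaults to the page's 9665.
    param(
        [Parameter(Mandatory = $true)][string]$SourceHost,
        [switch]$UsesSourceAgent,
        [switch]$IisMigration,
        [int]$AgentPort = 9665
    )
    $ports = @()
    if ($UsesSourceAgent) {
        $ports += @{ Port = $AgentPort; Why = 'VirtaMove Source Agent' }
    } else {
        $ports += @{ Port = 445; Why = 'Tether without Source Agent (blocking if closed)' }
    }
    $ports += @{ Port = 135; Why = 'COM/COM+ access (Windows Server 2008 and higher sources)' }
    if ($IisMigration) { $ports += @{ Port = 80; Why = 'Web Deploy for IIS migrations' } }

    foreach ($p in $ports) {
        New-Object PSObject -Property @{
            Port = $p.Port
            Why  = $p.Why
            Open = (Test-TcpPort -ComputerName $SourceHost -Port $p.Port)
        } | Select-Object Port, Open, Why
    }
}

# Constructed host name; replace with the real source machine.
Test-SourcePorts -SourceHost 'source01.example.internal' -IisMigration
```

Only TCP reachability is tested, so the UDP inbound rule for port 9665 still has to be confirmed on the source machine's firewall. A result of False does not say which firewall in the path dropped the connection.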

Open Ports on the Destination Machine Firewall

Open appropriate ports on the destination machine firewall to ensure that the application can be reached once it is migrated. SQL Server, for example, requires port 1433 by default. Microsoft IIS applications use port 80 by default. Other applications or database servers may require different ports. For more information, consult application documentation and/or contact VirtaMove Support.

Remote services will not be retrieved if communication with the source machine is interrupted during the tethering process (for example, if the firewall on the source machine is enabled while tether is in progress).

RAM

This section identifies the amount of RAM available on the source and destination machine.

Remote Access

This is a blocking issue.

If the VirtaMove Source Agent is active, the Remote Access test is not performed.

Remote Access must be enabled to accept COM requests and may be required for DCOM.

To enable remote access, the registry key values Com+Enabled and RemoteAccessEnabled must be set to 1 in the HKLM\SOFTWARE\Microsoft\COM3 registry key on the source machine. The Remote Access enabled value is used in the COMPlus check. Enable the key as follows:

  1. Start Registry Editor.

  2. Locate and click the following key in the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\COM3

  3. Set the registry key value RemoteAccessEnabled to 1

  4. Set the registry key value Com+Enabled to 1.

  5. Quit Registry Editor.
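The registry values named in the Blank Password Match, COMPlus and Remote Access sections can be read without opening Registry Editor. The following PowerShell is an added example, not VirtaMove code: it applies the rules as this page states them, is read-only, and its function names, the TetherAccount parameter and the sample account name are assumptions.

```powershell
# Added example (not VirtaMove code). Read-only; run locally on each machine.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function New-Finding {
    param([string]$Check, $Value, [string]$Status)
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; Status = $Status }
}

function Test-AuditRegistryPrereqs {
    # $TetherAccount is hypothetical: the account named in the tether credentials.
    param([Parameter(Mandatory = $true)][string]$TetherAccount)

    $com3 = 'HKLM:\SOFTWARE\Microsoft\COM3'
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $findings = @()

    # COMPlus / Remote Access: both values must be 1 (a missing value counts as not set).
    foreach ($name in 'Com+Enabled', 'RemoteAccessEnabled') {
        $value  = Get-RegValue -Path $com3 -Name $name
        $status = $(if ($value -eq 1) { 'Pass' } else { 'Blocked' })
        $findings += New-Finding "COM3\$name" $value $status
    }

    # Blank Password Match: the audit compares this value across the two machines,
    # so report it here and compare the source and destination runs.
    $blank = Get-RegValue -Path $lsa -Name 'LimitBlankPasswordUse'
    $findings += New-Finding 'Lsa\LimitBlankPasswordUse' $blank 'Compare with other machine'

    # Distributed COM Users (relevant on the source machine).
    # Direct members only; members of nested groups are not expanded.
    $members  = @(net localgroup 'Distributed COM Users' 2>$null)
    $isMember = [bool]($members | Where-Object { $_.Trim() -ieq $TetherAccount })
    $status   = $(if ($isMember) { 'Pass' } else { 'Blocked' })
    $findings += New-Finding 'Distributed COM Users membership' $isMember $status

    $findings | Select-Object Check, Value, Status
}

# Constructed account name; replace with the account used for the tether.
Test-AuditRegistryPrereqs -TetherAccount 'MIGRATION\svc-tether'
```

Saving the output from both machines before changing anything gives a record of the original values, which is useful if the destination's LimitBlankPasswordUse is later changed to match the source.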

For versions earlier than Windows Server 2008

The following key must be set to 1 or undefined:

For Windows Server 2008 or higher

The Remote Account must be the built-in Administrator (not just an Administrator), or the following key must be set to 1 on both the source and destination machine:

Remote Administrative Shares Enabled

Remote administrative shares (such as c$, d$, etc.) must be enabled in the registry on the source machine. Administrative shares must be enabled to copy data over the network.

If remote administrative shares are disabled, contact your system administrator.

System Roots

This is a blocking issue.

This section indicates whether the system root drives match on the destination and source machines, and identifies the drive letter on each machine.

IIS application migrations require that system root drives match on the destination and source machines.

If the system root drives do not match, contact your system administrator.

System Types

This is a blocking issue.

The operating systems of the destination and source machines must both be server operating systems.

If the operating systems do not match (for example, one is a server and the other is a desktop system), contact your system administrator.

Windows2k

This section indicates whether the OS on the source machine is Windows 2000.