This article describes how to set up the Active Directory Migration Tool (ADMT) to migrate from a Windows 2000-based domain to a Windows Server 2003-based domain.
Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
You can use ADMT to migrate users, groups, and computers from one domain to another, and analyze the migration affect before and after the actual migration process.
Note: This article assumes that the source domain is a Windows 2000-based domain, and that the target domain is a Windows Server 2003-based domain in Windows 2000 Native mode or later.
How to Set Up ADMT for a Windows 2000 to Windows Server 2003 Migration
You can install the Active Directory Migration Tool version 2 (ADMTv2) on any computer that is running Windows 2000 or later, including:
• Microsoft Windows 2000 Professional
• Microsoft Windows 2000 Server
• Microsoft Windows XP Professional
• Microsoft Windows Server 2003
The computer on which you install ADMTv2 must be a member of either the source or the target domain.
Intraforest Migration
Intraforest migration does not require any special domain configuration. The account you use to run ADMT must have enough permissions to perform the actions that are requested by ADMT. For example, the account must have the right to delete accounts in the source domain, and to create accounts in the target domain.
Intraforest migration is a move operation instead of a copy operation. These migrations are said to be destructive because after the move, the migrated objects no longer exist in the source domain. Because the object is moved instead of copied, some actions that are optional in interforest migrations occur automatically. Specifically, the sIDHistory and password are automatically migrated during all intraforest migrations.
Interforest Migration
ADMT requires the following permissions to run properly:
• Administrator rights in the source domain.
• Administrator rights on each computer that you migrate.
• Administrator rights on each computer on which you translate security.
Before you migrate a Windows 2000-based domain to a Windows Server 2003-based domain, you must make some domain and security configurations. Computer migration and security translation do not require any special domain configuration. However, each computer you want to migrate must have the administrative shares, C$ and ADMIN$.
The account you use to run ADMT must have enough permissions to complete the required tasks. The account must have permission to create computer accounts in the target domain and organizational unit, and must be a member of the local Administrators group on each computer to be migrated.
User and Group Migration
You must configure the source domain to trust the target domain. Optionally, the target may be configured to trust the source domain. While this may ease configuration, it is not required to finish the ADMT migration.
Requirements for Optional Migration Tasks
You can complete the following tasks automatically by running the User Migration Wizard in Test mode and selecting the migrate sIDHistory option. The user account you use to run ADMT must be an Administrator in both the source and the target domains for the automatic configuration to succeed.
1. Create a new local group in the source domain that is named %sourcedomain%$$$. There must be no members in this group.
2. Turn on auditing for the success and failure of Audit account management on both domains in the Default Domain Controllers policy.
3. Configure the source domain to allow RPC access to the SAM by configuring the following registry entry on the PDC Emulator in the source domain with a DWORD value of 1:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\LSA\TcpipClientSupport
You must restart the PDC Emulator after you make this change.
Note: For Windows 2000 domains, the account you use to run ADMTv2 must have domain administrator permissions in both the source and target domains. For Windows Server 2003 target domains, the 'Migrate sIDHistory' may be delegated. For more information, see Windows Server 2003 Help & Support.
You can turn on interforest password migration by installing a DLL that runs in the context of LSA. By running in this protected context, passwords are shielded from being viewed in cleartext, even by the operating system. The installation of the DLL is protected by a secret key that is created by ADMTv2, and must be installed by an administrator.
To install the password migration DLL:
1. Log on as an administrator or equivalent to the computer on which ADMTv2 is installed.
2. At a command prompt, run the ADMT KEY sourcedomainpath [* | password] command to create the password export key file (.pes). In this example, sourcedomain is the NetBIOS name of the source domain and path is the file path where the key will be created. The path must be local, but can point to removable media such as a floppy disk drive, ZIP drive, or writable CD media. If you type the optional password at the end of the command, ADMT protects the .pes file with the password. If you type the asterisk (*), ADMT prompts for a password, and the system will not echo it as it is typed.
3. Move the .pes file you created in step 2 to the designated Password Export Server in the source domain. This can be any domain controller, but make sure it has a fast, reliable link to the computer that is running ADMT.
4. Install the Password Migration DLL on the Password Export Server by running the Pwmig.exe tool. Pwmig.exe is located in the I386\ADMT folder on the Windows Server 2003 installation media, or the folder to which you downloaded ADMTv2 from the Internet.
5. When you are prompted to do so, specify the path to the .pes file that you created in step 2. This must be a local file path.
6. After the installation completes, you must restart the server.
7. If you are ready to migrate passwords, modify the following registry key to have a DWORD value of 1. For maximum security, do not complete this step until you are ready to migrate.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\LSA\AllowPasswordExport
To comment on this articles, please click here
Kazeem Adegboyega provides consulting services to companies. He also regularly instructs in workshops on courses such as CCNA, MCSE, Oracle and other technical courses. Feel free to drop him a line at kazman@theikons.com.
To go back to article page, click here
To order for theikons cbt series click here |
