Lesson 5: Using ADMT

The Active Directory Migration Tool is a core tool for use in both an intra-forest and an inter-forest restructure. In this lesson, you'll learn how to obtain it and you'll use it to perform an inter-forest migration.

After this lesson, you will be able to

• Identify when to use ADMT.
• List the strengths and weaknesses of the tool.

Estimated lesson time: 30 minutes

ADMT is currently the most comprehensive GUI-based migration tool from Microsoft. It contains several wizards that implement migration functions and is supplied as an MMC snap-in. You can use it to do the following:

• Perform inter-forest clones or intra-forest moves.
• Migrate user, group, and computer accounts from one domain to another and populate the SIDhistory attribute of security principals in the destination domain.
• Resolve any related file, directory, and share security issues for copied accounts by adjusting the permissions on resources that remain in the source domain.
• Test migration scenarios before actually performing them and obtain reports on the proposed action.

ADMT can be downloaded from the Windows 2000 Web site at http://www.microsoft.com/windows2000. It has been licensed by Microsoft from NetIQ (www.netiq.com) for use in the migration process. The ADMT program can also be found in the Tools folder of the Supplemental Course Materials CD provided with this book.

Preparing for Restructure Using ADMT

For ADMT to be able to clone users and groups, the source and destination domains must be prepared as described in the practice in the previous lesson.

When to Use the Active Directory Migration Tool

ADMT provides a one-stop shop in that it can perform all migration functions from a single MMC snap-in. Its graphical environment and wizard-based user interface make it easy to use. However, you are limited by the options that the wizards provide. If there are complex, specific issues (for example, to move all the users whose names start with INT to the trainkit.microsoft.com domain), you can't use ADMT.

Options for Inter-Forest and Intra-Forest Restructures

One of the limitations of ADMT is that it can initially be quite overwhelming because of its large number of options. These options vary too, depending on the type of migration you're doing. For example, using ADMT in an inter-forest migration, you must enter a new password for the user account that will be created in the destination domain. This password can be the same name as the user's current logon name, or ADMT can generate a new, complex password for the user. If it generates a password, it will place the password in an output file that you can then pass to the user later. In an intra-forest restructure, however, the password of a user can be retained.

Other important options the tool will allow you to select include the following:

• Whether to translate roaming profiles, in which case the user will retain the desktop preferences of the source user.
• Whether to update user rights in the destination domain with the user's rights from the source domain.
• Whether to migrate associated groups. If associated groups are migrated, they can be used to update objects that have already been copied.
• Whether to add a prefix or suffix to user names that you migrate, to implement a new naming policy if duplicate users are found.

Practice: Installing and Using ADMT

The Active Directory Migration Tool is not supplied with the Windows NT system, nor is it in the Microsoft Windows 2000 Server Resource Kit. Instead, it must be downloaded from the Microsoft Web site and installed. A copy of ADMT is supplied in the Tools folder on the CD-ROM supplied with this book. You'll install ADMT on trainkit1.trainkit.microsoft.com, which is operating as a Windows 2000 server in native mode.

IMPORTANT

---

It is essential that you install Microsoft Windows NT Service Pack 4 or later on MIGRATE1 prior to proceeding further with this practice. Otherwise the migration will fail.

To install ADMT on TRAINKIT1

1. Log on to TRAINKIT1 as Administrator with the password secret.

   You should have installed the tools from the Supplemental Course Materials CD-ROM in an earlier practice.

2. In the Tools folder, double-click ADMT, and click Next on the opening screen.
3. Accept the license agreement and click the Next buttons on each screen.
4. When you come to the Finish button, click it to finalize the installation.

   The Active Directory Management Tool is now available from the Administrative Tools folder.

Now you'll clone users from the MIGRATE domain into the trainkit.microsoft.com domain using ADMT. Before you perform this practice, you must have performed all the steps in the previous lessons. The two computers MIGRATE1 and TRAINKIT1 must be running and connected via a suitable network.

To clone users from MIGRATE to trainkit.microsoft.com using ADMT

1. On MIGRATE1, log on as Mig1 with a password of secret.
2. Once you've logged on, open the Paint program from the Accessories menu.
3. Create a drawing and save it using the path and name h:\mig1\piccy.bmp.
4. Close Paint.
5. Right-click the desktop and select Properties from the shortcut menu.
6. On the Background tab, change the pattern to Critters.
7. Log off and log back on again.
8. Verify that the settings have been retained and that you can load your artistic creation. Create a shortcut on your desktop to your picture. Log off MIGRATE1.
9. On TRAINKIT1, open Active Directory Migration Tool from the Administrative Tools folder.
10. Open the Action menu and select User Migration Wizard.
11. When the User Account Migration Wizard opens, click Next.
12. On the Test Or Make Changes page of the wizard, select Migrate Now and click Next.
13. On the Domain Selection page, select MIGRATE as the source domain and TRAINKIT as the target domain. Click Next.

    On the User Selection page of the wizard, you select the users to be migrated. You're going to migrate just one user, mig1.

14. Click the Add button to open the Select Users dialog box, and select mig1 from the list of users.
15. Click Add, click OK, and then click Next to move on to the Organizational Unit Selection page.
16. Now enter the destination OU for the user to be migrated, mig1. You can either type in the full path of the OU, or you can click Browse to display a list of OUs on TRAINKIT. Click Browse and select the Migrate OU. Click OK, and then click Next.
17. On the Password Options page, select Same As User Name and click Next.

    NOTE

    ---

    The Account Transition Options dialog box gives you the option to disable the source account, disable the target account (so you can enable it later), or leave both accounts open. You can also set the number of days after which the source account will expire automatically.

18. Select Leave Both Accounts Open and set the check mark for Migrate User SIDs To Target Domain to migrate the SID values of the source account into the destination domain.

    This option will allow the user to log on in both domains and still have access to the resources in the source domain. Figure 9.12 shows the settings to use.

    

    Figure 9.12 Account transition options

    Because you're attempting to update the SIDhistory attributes, you'll be asked for a user account and password in the destination domain.

19. Enter the user name Administrator and the password secret and click Next.
20. On the User Options page, select Translate Roaming Profiles and Update User Rights, and leave the bottom selection as Do Not Rename Accounts, as shown in Figure 9.13.

    

    Figure 9.13 User Options in the ADMT User Account Migration Wizard

21. Click Next.

    ADMT now needs to know what to do if an existing user name is encountered with the same name as the source. The existing one can be overwritten with the new one, or a prefix or suffix can be automatically added if a duplicate occurs.

22. Select Ignore Conflicting Accounts And Don't Migrate, as shown in Figure 9.14, and then click Next.

    

    Figure 9.14 Naming conflicts

    NOTE

    ---

    If a conflict occurs, you can use ADMT to resolve it by selecting the options shown in Figure 9.14 to control whether the rights and group memberships of the existing user are replaced by the new duplicate user.

23. When the summary page appears, click Finish to start the migration.

    The Migration Progress page appears and will show the progress of the migration.

24. Once the cloning has completed, click View Log and review the migration log for user Mig1.
25. If there are no errors in the log, close it and close ADMT.

    Now you'll test whether the logon account has been successfully cloned.

26. Log off TRAINKIT1 and log back on TRAINKIT1 as the new cloned user Mig1 from the TRAINKIT domain. Use the password mig1. You'll be asked to change the password for this user the first time you log on, so set it to secret.

    When the logon succeeds you should find that all the desktop settings should have been retained. To open the picture file you created you will have to open My Computer and navigate to the Mig1 user's mapped home folder because the shortcut will likely no longer work. The reason for this is that Windows 2000 now maps a user's home folder to a root drive (in this case H:\) whereas Windows NT mapped the home folder to a path (that is, H:\mig1). The shortcut will still reflect the Windows NT folder path.

Notice that the logon script is also missing. In order for the script to work, you will need to manually copy the script to the Netlogon share in Windows 2000 or use the Lbridge.cmd technique shown in Chapter 6.

NOTE

---

If you'd like to experiment further with ADMT, from the C:\Tools folder, run the batch file Moreusrs.bat (log on as Administrator before running the script). The batch file will add 20 more users and two groups containing ten Press users and ten Publicity users. Whenever you create your test facilities, you should script as many of the setups as possible because you will likely be tearing down and recreating your installation several times. However, please don't use the Intra group users created by the batch file for any experimentation because they'll be used in the last lesson of this chapter.

Troubleshooting the Practice

If the migration failed, you should check the ADMT migration log file to indicate the point of failure. If you're concerned about part of the migration failing, the Test Settings option can be used to check all the stages of a migration without moving any users.

Possible reasons for failure include the following:

• If reverse lookup isn't enabled on the DNS server for the namespace or the DNS server for either of the systems isn't correctly configured, the migration will fail with an error message that the DNS server refused the request. Ensure that the systems are configured to use the correct DNS server and that it has reverse lookup enabled. Note that the default Windows 2000 installation for DNS doesn't set up any reverse lookup zones.
• If the TcpipClientSupport registry key isn't set up correctly on a source Windows NT, the attempts to set up the SIDhistory records will fail.
• If the migration succeeds but the user can't log on, the user doesn't have the Log On Locally right on TRAINKIT1. You should grant this right to the Authenticated Users group.
• If the user is unable to access any resources in the source domain, you should ensure that in step 13 in the previous procedure, the Migrate User SIDs To Target Domain option is set.

Lesson Summary

In this lesson, you learned how the Active Directory Migration Tool can be used in both an intra-forest migration and an inter-forest migration. You installed a copy of ADMT and saw that it is limited only by the fact that it can't be scripted. You also used ADMT to clone a user and the associated profile from a source domain into a new environment (which could be a pristine environment). You saw all the settings that are required prior to the migration itself. You also saw that, once migrated, the user still has access to the profiles and resources in the source domain.