The Active Directory Migration Tool is a comprehensive tool for migrating user accounts, computer accounts, and groups. One area this tool does not complete without additional configuration is the migration of user passwords to the new Active Directory domain. This feature is important when organizations require users to keep their passwords for access to the source domain, and when service accounts are migrated to Active Directory. Implementing a secure Password Export Server (PES) in the migration design lets you focus on migration tasks without spending excessive time supporting user password changes as accounts are migrated. With the password migration utility, single sign-on requirements can also be maintained by preserving Windows NT 4.0 account passwords in the newly migrated Active Directory domain.

Setting Up an ADMT Password Migration Server

To migrate passwords, select or install a backup domain controller in the source Windows NT 4.0 domain to act as the secure Password Export Server. This server communicates with the Active Directory Migration Tool (ADMT) server in the target domain. To provide secure password migrations and avoid problems installing the password DLL, add a dedicated Password Export Server to the network for the duration of the migration.

Enhancing Security on your Password Server

Password migrations are sensitive: information about users' passwords is sent over the network and stored on the password server. Enabling security and encryption on both the Password Export Server and the Active Directory Migration Tool server in the target domain is good practice. Ensure that the following requirements are met before installing the Password Export Server and migrating with ADMT:
Using an Encryption Key on the Password Export Server

The password server encryption key is created on the ADMT server and is required to complete the installation of the Password Export Server. The key can be created and stored by one or both of the following methods: copying it to the local floppy disk drive for transport to the Password Export Server, or storing it in a folder on the local hard drive. To create the password encryption key, open a command prompt on the ADMT server in the target domain and do the following:

Storing the Key

Regardless of which method is used to store the password encryption key, it must reside on the local hard drive of the Password Export Server. Mapped network drives and shares cannot be used for this purpose and will prevent the installation of the Password Export Server.
For Maximum Security

For maximum security when migrating passwords, always disable password migration on the PES through its registry entry whenever it is not in use: set the registry value to 0 to disable password migrations.

Configuring Permissions to Enable Password Migrations

After the installation of the PES is complete, the next step is to set domain permissions that allow password migrations between the target domain and the source domain. Perform the following steps:
Test Migration

Perform a test migration to confirm that the proper rights have been configured and that password migration works before migrating domain users. Additional information about password migrations and password server installation is available on the Windows Server 2003 CD under I386\ADMT\readme.doc.
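The two checks the text above calls for (the PES registry switch kept at 0 when idle, and the key file on a local hard drive rather than a mapped drive or share) as an added PowerShell example; this is not code from the original article or from ADMT itself. It assumes the PES value is AllowPasswordExport (DWORD, 1 = allowed, 0 = disabled) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and that the PES service is found by its "Password Export Server" display name; run it locally on the PES with administrative rights.

```powershell
# Added example: audit/harden an ADMT Password Export Server (PES).
# Assumptions: registry value below and the PES service display name.
$PesRegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$PesRegValue = 'AllowPasswordExport'

function Get-PesExportState {
    # 'Enabled' (1), 'Disabled' (0) or 'NotConfigured' (value absent, PES not installed).
    $item = Get-ItemProperty -Path $PesRegPath -Name $PesRegValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$PesRegValue -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Set-PesExportState {
    # Flip the switch: enable only for the migration window, then set back to Disabled.
    param([Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State)
    $value = if ($State -eq 'Enabled') { 1 } else { 0 }
    Set-ItemProperty -Path $PesRegPath -Name $PesRegValue -Value $value -Type DWord
    # The service reads the value at start-up, so restart it (display name assumed).
    Get-Service -DisplayName 'Password Export Server*' -ErrorAction SilentlyContinue |
        Restart-Service -ErrorAction SilentlyContinue
    return (Get-PesExportState)
}

function Test-PesKeyFileLocation {
    # PES setup rejects a key on a mapped drive or UNC share: require a local fixed disk.
    param([Parameter(Mandatory)][string]$KeyFile)
    if (-not (Test-Path -LiteralPath $KeyFile -PathType Leaf)) { return $false }
    if ($KeyFile -like '\\*') { return $false }                      # UNC path
    $full  = (Resolve-Path -LiteralPath $KeyFile).ProviderPath
    $root  = [System.IO.Path]::GetPathRoot($full)
    $drive = New-Object System.IO.DriveInfo($root)
    return ($drive.DriveType -eq [System.IO.DriveType]::Fixed)      # mapped = Network
}

function Invoke-PesAudit {
    # One-shot report for the migration runbook; Enabled outside a migration is a finding.
    param([Parameter(Mandatory)][string]$KeyFile)
    [pscustomobject]@{
        ExportState    = Get-PesExportState
        KeyOnLocalDisk = Test-PesKeyFileLocation -KeyFile $KeyFile
        Finding        = if ((Get-PesExportState) -eq 'Enabled') { 'Disable PES when idle' } else { 'OK' }
    }
}

Invoke-PesAudit -KeyFile 'C:\PES\pes.key'   # path is a placeholder
```

Run the audit after each migration batch so that a PES left with the value at 1 is caught before the next maintenance window.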