Implementing and Securing Password Migrations


The Active Directory Migration Tool is a comprehensive tool for migrating user accounts, computer accounts, and groups. One area this tool does not complete without additional configuration is the migration of user passwords to the new Active Directory domain. This feature is important when organizations require users to keep their passwords for access to the source domain, and when service accounts are migrated to Active Directory.

Implementing a secure Password Export Server (PES) into the migration design enables you to focus on migration tasks without spending excessive time supporting user password changes when migrating accounts. Also, with the password migration utility, single sign-on requirements can be maintained and supported by preserving Windows NT 4.0 account user passwords in the newly migrated Active Directory domain.

Setting Up an ADMT Password Migration Server

To migrate passwords, select or install a backup domain controller in the source Windows NT 4.0 domain to act as the Secure Password Export server. This server will communicate with the Active Directory Migration Tool (ADMT) Server in the Target Domain. To provide secure password migrations and ensure no issues with the installation of the Password DLL, a Password Export server should be added to the network during the migration process.

Enhancing Security on your Password Server

Password migrations are sensitive: information about users' passwords is sent over the network and is stored on the password server.

Enabling security and encryption on the Password Export server and the Active Directory Migration Tool server in the target domain is a good practice. Ensure that the following requirements are met before installing the Password Export Server and migrating with ADMT:

  • Install 128 Bit Encryption Service Pack 6a on the Password Export server

  • Install 128 Bit Encryption on the ADMT server

  • Create an encryption key to install on the Password Export server

Using an Encryption Key on the Password Export Server

The Password server encryption key is created on the ADMT server and is required to complete the installation of the Password Export Server. The encryption key can be created and stored in one or both of the following ways: by copying it to the local floppy disk drive for transport to the Password Export server, or by storing it in a folder on the local hard drive.

Storing the Key

Regardless of which method is used to store the password encryption key, it must reside on the local server hard drive. Mapped network drives and shares cannot be used for this purpose and will prevent the installation of the Password Export server.

To create the password encryption key, open a command prompt on the ADMT server in the target domain and do the following:

  1. From the command line, type the following to create a PES encryption key and protect it with a password: ADMT.exe key SourceDomainName Folder [Password]

    (For example, C:\ADMT.exe key DunePoint A: "Zip&Harley123". The quotation marks are required here because an unquoted & is treated as a command separator by the command prompt.)

  2. After the encryption key has been created, copy the key to a floppy disk and insert the disk into the floppy drive of the PES server.

  3. On the PES server, run the Password Migration installation from D:\I386\ADMT\PWDMIG.exe, where D: represents the drive of the CD-ROM. Type in the password and complete the setup process.

  4. To enable password migrations, the AllowPasswordExport Registry value on the Password Export server must be set. Open the Registry editor on the PES server by typing regedit in the Run dialog box, then open the HKLM\SYSTEM\CurrentControlSet\Control\Lsa key. Set the AllowPasswordExport value to 1 to allow password migrations. This enables password migration on the source domain's backup domain controller.

For Maximum Security

For maximum security when migrating passwords, disable password export on the PES whenever migrations are not in progress: set the AllowPasswordExport Registry value to 0 while the feature is not being used.


Configuring Permissions to Enable Password Migrations

After the installation of the PES is complete, the next step is to set domain permissions to allow password migrations between the target domain and the source domain. Perform the following steps:

  1. Add the Everyone group to the Pre-Windows 2000 Compatible Access group in the target domain. This must be completed from the command line by typing the following: NET LOCALGROUP "Pre-Windows 2000 Compatible Access" Everyone /ADD

  2. Add anonymous access to domain controllers in the target domain. From the ADMT domain controller, open the group policy editor and choose Default Domain Controllers Policy, Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, Additional Restrictions for Anonymous Connections.

  3. Ensure that this policy is set to Rely on Default Permissions or left Not Defined. This setting must be present to allow password migration to complete.

  4. Add the Anonymous Logon user to the Pre-Windows 2000 Compatible Access group from the command line by typing the following (the quotation marks around the account name are required because it contains a space): NET LOCALGROUP "Pre-Windows 2000 Compatible Access" "Anonymous Logon" /ADD

Test Migration

Perform a test migration to ensure that proper rights have been configured and password migration functionality is present before performing migrations of domain users.
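The registry setting in "For Maximum Security" and the anonymous-access grants in "Configuring Permissions" both loosen the source and target domains for the duration of the migration. The following PowerShell script is an added example, not from the book or from Microsoft, that audits both after a test or production migration; it assumes a modern PowerShell host with remote registry and ADSI (WinNT provider) access to the PES and the target domain controller, and the parameter names are mine.

```powershell
# Added audit script (not part of the book). Assumptions: a modern PowerShell host,
# remote registry access to the PES, and ADSI access to the target DC.
param(
    [Parameter(Mandatory)] [string]$PesServer,  # source-domain BDC running PWDMIG
    [Parameter(Mandatory)] [string]$TargetDc,   # target-domain DC used by ADMT
    [switch]$Remediate                          # set AllowPasswordExport back to 0
)

$findings = @()

# 1. AllowPasswordExport (HKLM\SYSTEM\CurrentControlSet\Control\Lsa) must be 0
#    whenever no migration is in progress; 1 means the PES will hand out password data.
$hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $PesServer)
$lsa  = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa', [bool]$Remediate)
$allow = $lsa.GetValue('AllowPasswordExport', 0)
if ($allow -ne 0) {
    $findings += "PES ${PesServer}: AllowPasswordExport=$allow (password export is enabled)"
    if ($Remediate) {
        $lsa.SetValue('AllowPasswordExport', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $findings += "PES ${PesServer}: AllowPasswordExport reset to 0"
    }
}
$lsa.Close(); $hive.Close()

# 2. Everyone and Anonymous Logon were added to Pre-Windows 2000 Compatible Access
#    only so the PES could talk to the target domain; report them if they are still
#    present so the grants can be reverted once the migration is finished.
$group   = [ADSI]"WinNT://$TargetDc/Pre-Windows 2000 Compatible Access,group"
$members = @($group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
foreach ($temporary in 'Everyone', 'ANONYMOUS LOGON') {
    if ($members -contains $temporary) {   # -contains is case-insensitive
        $findings += "Target DC ${TargetDc}: '$temporary' is still a member of Pre-Windows 2000 Compatible Access"
    }
}

if ($findings.Count -eq 0) {
    'OK: password export is disabled on the PES and no migration-era anonymous grants remain.'
} else {
    $findings
}
```

Run it without -Remediate first to see the current state; the group memberships are reported only, so removing them remains a deliberate administrative step.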

Additional information about password migrations and password server installations can be located on the Windows Server 2003 CD under I386\ADMT\readme.doc.




Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325