Migrating Active Directory Objects


The Active Directory Migration Tool version 2 (ADMT v2) is an effective way of migrating users, groups, and computers from a Windows 2000 domain to a Windows 2003 domain. It is robust enough to migrate Active Directory objects, permissions, and settings, and fully supports a rollback procedure in the event of migration problems. ADMT v2 is composed of several components as detailed here:

  • ADMT Migration Wizards: ADMT includes a series of wizards, each designed to migrate a specific type of component. Different wizards exist for migrating Users, Groups, Computers, Service Accounts, and Trusts.

  • Low Client Impact: ADMT automatically installs a service on source clients, which negates the need to manually install client software for the migration. In addition, after the migration is complete, these services are automatically uninstalled.

  • SID History and Security: Migrated users will continue to maintain network access to file shares, applications, and other secured network services through migration of the SID History attributes to the new domain. This preserves the extensive security structure of the source domain.

  • Test Migrations and Rollback Functionality: An extremely useful feature in ADMT v2 is the ability to run a mock migration scenario with each migration wizard. This will help to identify any issues that might exist prior to the actual migration work. In addition to this functionality, the most recently performed user, computer, or group migration can be undone, providing for rollback in the event of migration problems.

To begin, download the Active Directory Migration Tool from Microsoft and install the tool on a Windows 2003 domain controller in the target domain.

Migrating Security and Distribution Groups

When migrating, it is often best to migrate domain groups before user account objects. If users are migrated first, their group membership will not transfer over unless selected. However, if the groups are migrated first and already exist when the domain users are migrated, the users will automatically find their place in the group structure. To migrate groups using ADMT v2, use the Group Account Migration Wizard, as detailed in the following steps:

  1. After you have completed testing your group migration, run the Group Migration Wizard. From the Action menu, launch the Group Account Migration Wizard to begin the actual migration of groups. At the Welcome screen, click Next to continue. Select the Migrate Now option from the Test or Make Changes page and then click Next.

    Testing the Migration

    It is always a good practice to test any migration and review the results before actually migrating domain security principals. Testing the migration can be completed by selecting the Test the Migration Setting and Migrate Later option from the Test or Make Changes page of the Group Migration Wizard.

    Open the Active Directory Migration Tool and launch the Group Migration Wizard from the Action menu to begin testing a group migration.

  2. On the Domain Selection page, use the drop-down box to select the source domain and target domain for this migration. Select Next to continue.

  3. On the Group Selection page, enter the name or names of the groups in the source domain you want to migrate. Select the Add button to enter the group name and select Check Name to validate the group name. Click OK to add the group to the Group Selection page and select Next to continue migrating.

  4. On the Organizational Unit selection page, select the target Organizational Unit to which the group will be migrated. Use the Browse button to view the Active Directory tree and select the target domain and Organizational Unit that will host the migrated group. Click OK to finish the selection and then click Next to continue.

  5. When migrating Windows Groups, options such as user rights and group membership can also be migrated. Review the group migration options on the Group options page and choose the selections that best fit your migration needs.

  6. When migrating, group names that already exist in the target domain could conflict with the groups being migrated.

  7. Review the migration selection and ensure that the proper options have been checked. Select the Next option to continue migrating groups.

  8. To complete the migration, the ADMT will need to authenticate to the source domain. Enter the username and password of an account with administrative rights on the source domain and select Next.

  9. Use the Naming Conflicts page to configure actions ADMT should take to resolve conflicts with group names and group memberships.

  10. Use the scroll bar to review the Migration Wizard task description. Ensure that all options you have selected are identified in the summary before clicking Finish to continue. The Migration Progress screen enables you to view the results of your group migration and to select the View Log button to review the migration log details for any errors. Exit the migration log and click Close to complete the Group Account Migration Wizard.

Migrating User Accounts

The Active Directory Migration Tool version 2 (ADMT) also enables you to migrate user accounts with SID History, GUIDs, and passwords to the new Windows 2003 domain. This functionality enables the migrated Active Directory accounts to access resources in the source domain during coexistence scenarios.

To migrate users, follow these steps:

  1. Open the ADMT MMC Console and launch the User Migration Wizard from the Action menu to begin the migration of User Objects. At the Welcome screen, click Next to continue. Select the Migrate Now option from the Test or Make Changes page and then click Next.

  2. The next screen offers the option to test the migration before actually migrating the account. This is recommended because you can evaluate the overall results before performing the migration process. Select Migrate Now and then click Next to continue.

  3. Select the Source and Target domains and click Next to continue.

  4. The following screen allows user accounts to be chosen for migration. Click the Add button and select the user accounts that will be migrated. After all user accounts have been selected, click Next to continue.

  5. The next screen allows for a Target Organization Unit to be chosen for all created users. Choose the Organization Unit by clicking the Browse button. After the Organization Unit has been selected, click Next to continue.

  6. The new password migration functionality of ADMT v2.0 is enabled through the following screens. Migrating passwords requires additional configuration. Review the password migration requirements and click Next to continue.

  7. On the Details screen select the options required for this user migration. For more information, click Help for an overview of each option.

  8. Enter the administrator username, password, and source domain. Click Next to continue.

  9. There are several migration options presented as part of the next screen. As before, clicking Help will elaborate on some of these features; enter the options selected and click Next to continue.

  10. On the next screen, specify any properties of the user object that should not be migrated. Select the desired setting and click Next to continue.

  11. The object naming conflict options determine how duplicate accounts are handled when migrating. Select the appropriate options for duplicate accounts and click Next to continue.

  12. Review the verification screen to determine if the settings chosen are correct before migrating. Verify each setting and select Next to begin migrating the account object.

  13. The Migration Progress status box will display the migration process as it occurs, indicating the number of successful and unsuccessful accounts created. After the process is complete, review the log by clicking View Log and verify the results of the migration.
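
A post-migration check for the SID History behavior described above, as an added example that is not from the book or from ADMT. It lists every object in the target domain that carries sIDHistory and marks entries that do not come from the expected source domain or that map to a built-in RID. It assumes a management host with the ActiveDirectory PowerShell module (newer tooling than the Windows 2003 setup covered here); the source-domain SID is a placeholder and the function name Get-SidHistoryFinding is hypothetical.

```powershell
# Added example: review sIDHistory in the target domain after an ADMT run.
# Assumption: the ActiveDirectory module is installed on the host running this.
Import-Module ActiveDirectory

# Placeholder (constructed value): replace with the domain SID of your source domain.
$SourceDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'

# Hypothetical helper: classify one sIDHistory entry.
function Get-SidHistoryFinding {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $HistorySid,
        [Parameter(Mandatory)] [string] $ExpectedDomainSid
    )
    # AccountDomainSid is $null for SIDs that are not domain account SIDs (e.g. S-1-5-32-544).
    $domainSid = $HistorySid.AccountDomainSid
    # The RID is the last sub-authority of the SID.
    $rid = [int64]($HistorySid.Value.Split('-')[-1])

    $finding = 'ok'
    if ($null -eq $domainSid -or $domainSid.Value -ne $ExpectedDomainSid) {
        # Entry was not issued by the domain that was migrated.
        $finding = 'unexpected-domain'
    }
    elseif ($rid -lt 1000) {
        # RIDs below 1000 belong to built-in/default accounts and groups; review these.
        $finding = 'built-in-rid'
    }

    [pscustomobject]@{
        Name       = $Name
        HistorySid = $HistorySid.Value
        Finding    = $finding
    }
}

# Users, groups and computers can all carry sIDHistory, so query objects generally.
Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
    ForEach-Object {
        foreach ($sid in $_.sIDHistory) {
            Get-SidHistoryFinding -Name $_.Name -HistorySid $sid -ExpectedDomainSid $SourceDomainSid
        }
    } |
    Sort-Object Finding, Name |
    Format-Table -AutoSize
```

Comparing this listing with the accounts selected in the wizard shows whether SID History was written only where it was intended.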



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
EAN: 2147483647
Year: 2003
Pages: 325