Using Microsoft Active Directory Migration Tool


The Active Directory Migration Tool, also known as ADMT, is a powerful utility provided with the Windows Server 2003 operating system. ADMT allows Windows NT4 domain security principals to be migrated directly to Windows Server 2003 and Active Directory. The Active Directory Migration Tool provides wizards that enable you to perform the following:

  • Test migrations to identify any potential issues before you perform any actual migrations

  • User migrations to migrate user accounts from domain to domain, or forest to forest

  • User profile migrations to migrate user profile information from source to destination user account

  • Group migrations to move group and group membership information between source and destination domains or forests

  • Computer account migrations to migrate computer accounts from one domain or forest to another

  • Service account migrations to migrate the service account from one system or domain to another

  • Domain trust migrations to relink domain trusts from one domain to another domain

  • Password migrations to move user passwords when a user account is migrated from one domain or forest to another

After security principals are migrated to Active Directory, the ADMT also allows administrators to perform intraforest migrations of Active Directory objects. Objects can then also be moved between Active Directory domains and child domains, as well as between organizational units, within the new Active Directory forest.

Installing the Active Directory Migration Tool

Before you install the Active Directory Migration Tool, make sure that your network meets the following requirements:

  • Domain trusts are established between Windows NT and Active Directory domains.

  • The Active Directory Administrator account is a member of the Windows NT4 Domain Administrators group.

  • The Windows NT4 Administrator account is a member of the Windows Server 2003 Local Administrators group.

The Active Directory Migration Tool can be installed from the Windows Server 2003 operating system CD-ROM. Use Windows Explorer to view the contents under the I386 directory of your installation CD. Launch the ADMIGRATION.MSI package file located in the ADMT folder to run the Active Directory Migration Tool Installation Wizard.

At the Welcome screen, click Next to continue. Accept the End User License Agreement and click Next to begin the installation of the ADMT. Click Next to accept the default folder for installation. Complete the installation and click Finish to close the Active Directory Migration Tool Installation Wizard.

Note

It is a good practice to install the ADMT utility on a domain controller located in the target domain. During the installation of the ADMT, the Setup Wizard will also make additional configuration changes within each domain being migrated. Review the README.DOC file in the ADMT installation directory to identify additional ADMT installation tasks and prerequisites.


Migrating Domain Accounts and Groups to Active Directory

Using the Active Directory Migration Tool to migrate accounts and groups to Active Directory requires that you configure several options. The following steps will guide you through the migration process for cloning user accounts, service accounts, and Windows NT domain groups to Active Directory:

1. To run the Active Directory Migration Tool, launch ADMT from the program group on the Active Directory domain controller. Choose Start, Administrative Tools, Active Directory Migration Tool.

2. Choose Action, ADMT User Account Migration Wizard and then click Next. The Migration Wizard will then begin to migrate users to Active Directory.

Note

It is always a good practice to test any migration before actually migrating a user account. Do not continue with the migration unless you are ready to begin migrating users to Active Directory.

3. To begin migrating user accounts, select the Migrate Now option and click Next.

4. The Domain Selection page allows you to choose the source and target domains for your migration. Use the drop-down boxes to select the domains for this migration and then click Next to continue.

Note

If the target domain is not in Native mode, an error dialog box appears. The target domain must be switched to Native mode before the wizard can proceed.

5. Select the user account or accounts for this migration by clicking the Add button. You can enter the names manually or select multiple users at one time by clicking the Advanced button and searching for users. When you're done selecting, click OK to close the Advanced Select Users screen and return to the User Selection page. Ensure that all users have been selected and then click Next to continue.

6. Use the Organizational Unit Selection page to identify the target OU where the user accounts will be cloned. This is the organizational unit that will house the users' accounts after this migration. Click the Browse button to navigate to the proper OU in the target domain. Click OK to close the Browse the Container screen and return to the Organizational Unit Selection page. Click Next to continue.

7. To enable the migration of user passwords from the Windows NT source domain, you must install an ADMT password export server. If no password export server exists, review the ADMT help for information on password migrations.

8. Select the specific account options for each account being migrated. You can choose from the following Target Account State options:

  • Enable Target Account This option activates the target account after the migration completes, so users can log on to the new Active Directory domain immediately after their accounts have been migrated.

  • Disable Target Account This option disables the newly created account, preventing users from logging on to the new Active Directory domain with it.

  • Target Same As Source This option sets the newly created account to whatever state (enabled or disabled) the account has in the source domain.

  • Disable Source Account This option allows administrators to disable the migrated account in the source domain after the account is cloned to Active Directory. It can also be combined with the following option to limit the number of days an account stays active in the source domain after the migration is complete.

  • Days Until Source Accounts Expire Use this option to prevent users from accessing the source domain after an account has been migrated. Once the allotted number of days has passed, the source account expires and no longer permits access to the source domain.

9. Select the Disable Source Account option for this migration. This will disable all accounts being migrated in the source domain.

10. To migrate SID history for the accounts being migrated, select Migrate User SIDs to Target Domain. This copies each account's source domain SID into the SID history of the new account in the target domain.

The ADMT requires that configuration changes be made before it can continue migrating users. When the error dialog boxes appear, follow the instructions in the following steps to perform the additional tasks on both the source and target domains.

Migrating SID history requires that auditing be enabled on the source and target domains. If auditing has not been enabled, an error dialog box will appear for both the source and target domain auditing.

11. Select Yes to enable auditing on the source and target domains and continue with the migration.

12. If you want to migrate a user's SID history, the local group NTDomain must exist on the source domain. If the group has not already been created, you can make the Migration Wizard create it by selecting Yes when the error dialog box appears.

13. Select Yes to add the TcpipClientSupport Registry key to the source domain.

14. After the Registry change is made, select Yes to reboot the source domain PDC. Click OK and wait for the Windows NT domain PDC to finish rebooting before continuing.

15. If your migration requires you to maintain a user's SID history, you must enter the username and password of an account with Administrator rights in the source domain. Enter the name of the source domain administrator and the administrator password, as well as the name of the Windows NT source domain.

By using the User Options described in Table 16.1, you can select and customize the user attributes of each user account being migrated.

Table 16.1. User Options (ADMT option and description)

  • Translate Roaming Profiles Use the Translate Roaming Profiles option if the user accounts you have selected are configured with roaming profiles on the Windows NT4 source domain. The Translate Roaming Profiles option copies the selected user account's roaming profile to the target domain and associates the profile with the account created in the target domain.

  • Update User Rights If your migration plan requires that different systems coexist and Active Directory users will continue to access resources within the original source domain, select the Update User Rights option. This option copies the original user's rights to the new account created in the target domain, thus maintaining access to resources within the Windows NT4 source domain.

  • Migrate Associated User Groups An effective way to migrate users is to use groups. When you select the Migrate Associated User Groups option, ADMT creates the groups associated with the user accounts you are migrating and maintains group membership in the target domain.

  • Update Previously Migrated Objects Often when you're migrating in increments, user groups are already migrated when you continue to migrate accounts. The Update Previously Migrated Objects option associates group membership even if the group was previously migrated. Note that you can choose the Update Previously Migrated Objects option only if the Migrate Associated User Groups option is selected.

Use the Select How All Migrated Accounts Should Be Named options to customize the way user accounts will be named after they are migrated to the target domain and Active Directory:

  • Do Not Rename Accounts The Active Directory Migration Tool migrates user accounts using the same information as in the source domain. You can use the Do Not Rename Accounts option if there are no user objects with names that conflict with accounts being migrated. Do not use this option as a method to resolve account name conflicts during the migration. Suffix and prefix options can be used to identify accounts after migrating to the target domain. An additional option will allow name conflict resolution later in the migration. The Naming Conflicts page in ADMT displays a list of names that have conflicts between user accounts being migrated and existing user accounts in the target domain.

  • Rename with Prefix Use the Rename with Prefix option to add a prefix to usernames being migrated. This option can be used to prevent duplicate name conflicts in the target domain and is often used when consolidating account domains into an existing Active Directory forest.

  • Rename with Suffix The Rename with Suffix option adds the specified suffix to the user accounts being migrated. As with the Rename with Prefix option, you should use this option if your target domain contains accounts that could conflict with account names being migrated.


Note

Review the ADMT options to determine which options will be used for your migration. It is best practice to test the migration options before actually performing a migration.

16. After reviewing the selections on the User Options page, make sure that the proper selections have been made and click Next to continue.

17. On the Naming Conflicts page, select the action that ADMT should perform to resolve naming conflicts if accounts in the target domain exist with the same name as accounts being migrated from the source domain.

Resolving Naming Conflicts

When duplicate account names exist in both the target and source domain, using the Ignore Conflicting Accounts and Don't Migrate option leaves accounts in the target domain intact and does not migrate any accounts that conflict from the source domain to the target domain.

When you replace existing accounts, each conflicting user account in the target domain will inherit the permissions and properties of the conflicting account name in the source domain. Essentially, any duplicate name being migrated will replace the duplicate account within Active Directory and also apply any SID changes configured for the source account domain.

If you choose to replace an existing account, you must decide whether the user rights of the conflicting target account should be kept. Selecting Remove Existing User Rights ensures that conflicting accounts in the target domain do not end up with more user rights than the account being migrated from the source domain.

If you select Replace Conflicting Accounts, the Remove Existing Members of Groups Being Replaced option is enabled. This option compares and ensures members of migrated groups in the target domain are identical to group memberships in the source domain.

Similar to the Prefix and Suffix options on the User Options page, you should use the Rename Conflicting Accounts option to add a prefix or suffix to user accounts being migrated that conflict with accounts in the target domain. Adding a prefix to accounts that conflict can help you easily identify accounts that need correction after they are migrated.
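The following PowerShell function is an added example, not part of the book or of ADMT: it dry-runs the Naming Conflicts decisions described above (the same page appears in the user, group and computer wizards) against two name lists, applies the chosen action, and flags renamed names that would still collide or exceed the 20-character pre-Windows 2000 logon name limit. The source and target names are constructed sample data; the affix default `NT4_` is an assumption.

```powershell
function Get-NamingConflictPlan {
    param(
        [Parameter(Mandatory)] [string[]] $SourceNames,   # account names in the NT4 source domain
        [Parameter(Mandatory)] [string[]] $TargetNames,   # account names already in the target domain
        [ValidateSet('Ignore', 'Replace', 'RenamePrefix', 'RenameSuffix')]
        [string] $Action = 'Ignore',
        [string] $Affix = 'NT4_'                          # assumed prefix/suffix for the rename actions
    )

    # Account names are compared case-insensitively, as both NT4 and Active Directory do.
    $targetSet = [System.Collections.Generic.HashSet[string]]::new(
        [string[]] $TargetNames, [System.StringComparer]::OrdinalIgnoreCase)

    foreach ($name in $SourceNames) {
        $conflict = $targetSet.Contains($name)
        $newName  = $name
        $result   = 'Migrate'

        if ($conflict) {
            switch ($Action) {
                'Ignore'       { $result = 'Skip; target account left intact' }
                'Replace'      { $result = 'Replace target account' }
                'RenamePrefix' { $newName = "$Affix$name"; $result = 'Migrate under new name' }
                'RenameSuffix' { $newName = "$name$Affix"; $result = 'Migrate under new name' }
            }
        }

        # A renamed account can itself collide with an existing target account; the wizard
        # applies only one rename, so these need a different affix or manual cleanup.
        if ($newName -ne $name -and $targetSet.Contains($newName)) {
            $result = 'Renamed name also conflicts; choose another affix'
        }

        # The pre-Windows 2000 logon name (sAMAccountName) is limited to 20 characters.
        if ($newName.Length -gt 20) {
            $result = 'Renamed name exceeds 20 characters; shorten the affix'
        }

        [pscustomobject]@{
            SourceName = $name
            TargetName = $newName
            Conflict   = $conflict
            Result     = $result
        }
    }
}

# Constructed sample data: two clashes, one of which still clashes after the prefix is added.
$source = 'jsmith', 'svc_backup', 'mjones', 'admin'
$target = 'jsmith', 'NT4_admin', 'admin', 'dlee'

Get-NamingConflictPlan -SourceNames $source -TargetNames $target -Action RenamePrefix |
    Format-Table -AutoSize
```

In practice the two lists come from the NT4 SAM and from Get-ADUser in the target domain; running the plan before the wizard shows which accounts will be skipped, replaced, or renamed, and which still need a manual decision.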

Ensure that all options have been selected and are correct, and then click Next to continue. Use the scrollbar to review the Migration Wizard's task descriptions and ensure that every option you selected is listed. Click Finish to close the wizard and complete the migration. On the Migration Progress screen, you can view the results of your user migration. Select the View Log button to review the migration log and identify any errors. When you're done reviewing, click Close to exit the User Account Migration Wizard.
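Reviewing the migration log shows what ADMT intended to do; a defender will also want an independent check of what SID history actually landed in the target domain, since any SID in sIDHistory grants the new account the old SID's access. The following PowerShell function is an added example, not part of the book or of ADMT; it assumes the ActiveDirectory module (Windows Server 2008 R2 or later management tools), and the OU and source domain SID in the call are placeholders you must replace.

```powershell
function Get-SidHistoryReport {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,              # target OU chosen in step 6
        [Parameter(Mandatory)] [string] $ExpectedSourceDomainSid  # domain SID of the NT4 source domain
    )

    Import-Module ActiveDirectory -ErrorAction Stop
    $expected = [System.Security.Principal.SecurityIdentifier] $ExpectedSourceDomainSid

    # The LDAP filter returns only accounts that actually carry a sIDHistory value.
    Get-ADUser -SearchBase $SearchBase -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
        ForEach-Object {
            $user = $_
            foreach ($sid in $user.sIDHistory) {
                # AccountDomainSid is null for well-known SIDs, which never belong in sIDHistory.
                $domainSid     = $sid.AccountDomainSid
                $domainSidText = if ($domainSid) { $domainSid.Value } else { '(well-known SID)' }

                [pscustomobject]@{
                    SamAccountName     = $user.SamAccountName
                    HistorySid         = $sid.Value
                    SourceDomainSid    = $domainSidText
                    # Anything not from the domain you migrated was not put there by this
                    # ADMT run and needs to be explained before the migration is signed off.
                    FromExpectedSource = ($null -ne $domainSid -and $domainSid -eq $expected)
                }
            }
        }
}

# Placeholder OU and source domain SID; substitute the real values from your migration.
Get-SidHistoryReport -SearchBase 'OU=Migrated Users,DC=target,DC=example' `
                     -ExpectedSourceDomainSid 'S-1-5-21-0000000000-0000000000-0000000000' |
    Where-Object { -not $_.FromExpectedSource } |
    Format-Table -AutoSize
```

Compare the accounts returned against the user list you selected in step 5: an account with SID history that was not in the batch, or a history SID from another domain, is the case worth investigating.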

Migrating NT4 Groups into Active Directory

This section describes the options for merging or migrating Windows NT4 groups to Windows Server 2003 and Active Directory, the options available when you use ADMT to perform these tasks, and the steps involved.

It is always a good practice to test any migration and review the results before actually migrating NT domain security principals. You can test the migration by selecting Test the Migration Settings and Migrate Later on the Test or Make Changes page of the Group Account Migration Wizard. Launch the Group Account Migration Wizard from the Action menu to first test a group migration and then later perform the actual migration.

To perform an actual group account migration, do the following:

1. From the Action menu, launch the Group Account Migration Wizard to begin the actual migration of Windows NT4 groups.

2. At the Welcome screen, click Next to continue. Select the Migrate Now option from the Test or Make Changes page and then click Next.

3. On the Domain Selection page, use the drop-down boxes to select the source and target domains for this migration. Then click Next to continue.

4. On the Group Selection page, enter the name or names of the groups in the source domain you want to migrate. Click the Add button to enter a group name and click Check Name to validate it. Click OK to add the group to the Group Selection page and then click Next to continue.

5. On the Organizational Unit Selection page, select the target OU to indicate where the group will be migrated. Use the Browse button to view the Active Directory tree and select the target domain and organizational unit that will host the migrated group. Click OK to finish the selection and then click Next to continue.

6. When you're migrating Windows NT4 groups, options such as user rights and group membership can also be migrated. Review the group migration options on the Group Options page, as described in the following list, and choose the selections that best fit your migration needs:

  • Update User Rights The Update User Rights option copies a group's Windows NT4 user rights in the source domain to the new group in the target domain.

  • Copy Group Membership The Copy Group Membership option is intended for organizations that want to migrate to Windows Server 2003 one group at a time. It directs ADMT to copy the Windows NT source domain accounts that are members of the groups being migrated; each account is copied to the target domain and given the proper group membership there. If you also select Update Previously Migrated Objects, accounts that already exist in the target domain from earlier migrations are updated with the proper group membership.

  • Fix Group Membership If members of the group being migrated have already been migrated to the target domain, the Fix Group Membership option adds those migrated user accounts to the migrated group, preserving the memberships they had in the source domain.

  • Migrate Group SID to Target Domain If your migration strategy requires migrated accounts to keep their access to resources in the source domain, select Migrate Group SID to Target Domain. This option adds the source SID to the SID history of cloned user accounts and groups after they are migrated to the target domain.

  • Do Not Rename Accounts The ADMT also migrates groups using the same group name as in the source domain. Use the Do Not Rename Accounts option if the target domain contains groups with the same names as the Windows NT4 groups being migrated and you want them consolidated; groups with matching names are merged within the target domain when this option is selected.

  • Rename with Prefix Use the Rename with Prefix option to add a prefix to group names being migrated. This option can be used to avoid group name conflicts in the target domain.

  • Rename with Suffix The Rename with Suffix option adds the specified suffix to the group names being migrated. As with the Rename with Prefix option, you should use this option if your target domain contains group names that could conflict with the groups being migrated.

7. Review the migration selections and ensure that the proper options have been checked. Click Next to continue migrating groups.

8. If ADMT has not already been authenticated to the source domain, a login dialog box will appear.

9. Use the Naming Conflicts page to configure the actions ADMT should take to resolve conflicts with group names and group memberships. Review each of the following options before continuing the migration:

  • Ignore Conflicting Accounts and Don't Migrate The Ignore Conflicting Accounts and Don't Migrate option leaves accounts in the target domain unchanged and does not migrate any groups already existing in the target domain.

  • Replace Conflicting Accounts When you choose the Replace Conflicting Accounts option, each conflicting account in the target domain inherits the permissions and properties of the account being migrated from the source domain.

  • Remove Existing User Rights If you choose to replace an existing account, you must decide whether the user rights of the conflicting target accounts should be kept. Selecting the Remove Existing User Rights option ensures that conflicting accounts in the target domain do not have more user rights than the account being migrated from the source domain.

  • Remove Existing Members of Groups Being Replaced If the Remove Existing Members of Groups Being Replaced option is selected, ADMT will compare and ensure that members of migrated groups in the target domain are identical to the group memberships in the source domain. To enable this option, select Replace Conflicting Accounts.

  • Move Replaced Accounts to Specified Target Organizational Unit This option moves any existing account in the target domain that is replaced by an account being migrated into the target OU you specify.

  • Rename Conflicting Accounts by Adding the Following Similar to the prefix and suffix options, the Rename Conflicting Accounts option can be used to avoid conflicts with existing accounts in the target domain. You can add a prefix or suffix that ADMT should use if conflicting group names are encountered.

After the options are set properly, click Next to continue.

10. Use the scrollbar to review the Migration Wizard task description. Ensure that all options you have selected are identified in the summary before clicking Finish to continue. The Migration Progress screen allows you to view the results of your group migration. You can also select the View Log button to review the migration log details for any errors. Exit the migration log and click Close to complete the Group Account Migration Wizard.

Migrating Computer Accounts to Active Directory

As well as migrating users and groups, you must migrate computer accounts for users to be able to authenticate to the new Windows Server 2003 Active Directory domain. Use the following steps to guide you through the Computer Migration Wizard for both testing and migrating computer accounts.

Note

When you're migrating computer accounts using the ADMT Computer Migration Wizard, ADMT will install an agent on each system in the source domain being migrated. This agent will restart the system after the Migration Wizard joins the computer account to the target domain.


1. From the ADMT MMC, choose Action, Computer Migration Wizard to begin migrating computer accounts to Active Directory. Click Next to proceed past the Computer Migration Wizard Welcome screen.

2. Select the Migrate Now option from the Test or Make Changes page and click Next to continue.

3. On the Domain Selection page, use the drop-down boxes to select the source domain in which the computer accounts reside and the target domain to which the computer accounts will be migrated. After you select the domains, click Next to continue.

4. On the Computer Selection page, enter the name or names of the computer accounts in the source domain you want to migrate. Click the Add button to enter and check the computer account names that will be migrated. Click Next to continue.

5. On the Organizational Unit Selection page, select the target OU to which the computer accounts will be migrated. Use the Browse button to view the Active Directory tree and select the target domain and organizational unit that will host the computer accounts being migrated; then click Next to continue.

6. Define the computer security associations to migrate on the Translate Objects page from the following list of options:

  • Files and Folders This option allows all local computer files and folder permissions to be translated to Active Directory after the computer accounts are migrated. If the computer being migrated hosts files accessed through Windows NT permissions, select this option to translate local security on files to Active Directory.

  • Local Groups ADMT can also migrate local security, and the computer local groups are migrated to Active Directory when you select this option.

  • Printers If there are shared printers located on the computer being migrated, this option translates all local rights to printer resources from Local Windows permission to Active Directory.

  • Registry This option migrates all security information from the local computer Registry being migrated.

  • Shares When you select this option, any configured shares and share permissions will be migrated to Active Directory.

  • User Profiles This option migrates all user profile security located on the local computer.

  • User Rights This option translates local user rights to Active Directory.

Note

Depending on the security options you select, you may see additional pages. Select the proper options and review each selection before continuing.

7. For this computer migration, select the User Profiles option to translate the security of user profiles on the computers being migrated. Then click Next to continue.

8. In the Security Translation Options window, define how ACLs on the migrated computers are translated by choosing one of the following options:

  • Replace This option replaces the source account SID in each ACL with the new SID from the target domain. The account in the target domain then has the same permissions and access to resources as the account had in the source domain.

  • Add This option adds the target domain SID of the migrated account to all ACLs in the source domain alongside the existing entries, thus allowing the migrated account to access resources within the Windows NT domain.

  • Remove This option removes all SID information for the computer account from all ACLs in the source domain. The account then no longer has access to resources in the Windows NT4 domain after it has been migrated.

9. Validate the action or actions you have selected on the Security Translation page and click Next to continue the computer migration process.

10. On the Computer Options page, configure the restart time of the computers being migrated as well as the prefix or suffix to add to the computer names being migrated. Click Next to continue migrating computer accounts.

11. Use the Naming Conflicts page to configure the actions ADMT should take to resolve conflicts with computer accounts and memberships in the target domain. Review each of the following options before continuing the migration:

  • Ignore Conflicting Accounts and Don't Migrate The Ignore Conflicting Accounts and Don't Migrate option leaves computer accounts in the target domain unchanged and does not migrate any computer accounts that already exist in the target domain.

  • Replace Conflicting Accounts When you replace existing computer accounts, each conflicting account in the target domain will inherit the permissions and properties of the computer account being migrated from the source domain.

  • Remove Existing User Rights If you choose to replace an existing account, you must decide whether the user rights of the conflicting accounts should be kept. Selecting this option ensures that conflicting computer accounts in the target domain do not have more user rights than the computer accounts being migrated from the source domain.

  • Remove Existing Members of Groups Being Replaced By selecting this option, you can compare and ensure that members of migrated groups in the target domain are identical to the computer group memberships in the source domain.

  • Move Replaced Accounts to Specified Target Organizational Units If you select this option, existing computer accounts that are replaced by accounts being migrated are moved into the target OU you specify.

The Rename with Prefix and Rename with Suffix options can be used to avoid conflicts with existing computer accounts in the target domain. You can add the prefix or suffix that ADMT should use if conflicting computer names are encountered.

Review the Task Descriptions page to determine whether all your migration options are accurate. Use the scrollbar to see each option configured. Changes can be made before you continue by selecting the Back button. To use the settings shown and continue with the selected tasks, click Finish.

Migrating Service Accounts to Active Directory

When you need to perform an in-place upgrade and also support applications that require service accounts, such as Microsoft Exchange and other third-party products, the ADMT Service Account Migration Wizard can assist you in moving this account information to Active Directory. To migrate service accounts, do the following:

1. From the ADMT MMC, launch the Service Account Migration Wizard by choosing Action, Service Account Migration Wizard.

2. Select the source domain in which the service accounts reside and the target domain to which the service accounts will be migrated. Click Next when you are ready to continue.

3. The Update Service Account Information page gathers service account information for the selected source domain. If this is the first time you're using the Service Account Migration Wizard, select Yes, Update the Information. The No, Use Previously Collected Information option is not available if the wizard has not been run previously; it allows you to migrate service accounts without collecting service account information each time the wizard is run.

4. On the Service Account Selection page, enter the computers that host the service accounts you want to migrate. Click the Add button to enter and check the computer account names that host the service accounts being migrated. Click OK to continue.

5. The Active Directory Migration Tool Monitor will appear. Review the status as ADMT installs the agent on the selected computers.

6. On the Service Account Information page, review the service accounts being migrated. Use the Skip/Include button to select or deselect accounts for this migration. You can choose the Update SCM Now option to update the service control entry. After you select the proper accounts, click Next to continue.

7. The Service Account Migration Wizard summary will verify the tasks and results of the migration. Use the scrollbar to review the tasks of the service account migration. Click Finish to close the Service Account Migration Wizard.

The Active Directory Migration Tool can be used to migrate additional Windows NT4 domain resources to Active Directory. Always review the results of each migration and test permissions and functionality before continuing with any of these types of migrations.




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
Year: 2006
Pages: 499