Lesson 1: Domain Restructure Tools

A restructure requires moving or copying objects from one environment into another. To proceed, you will require a number of tools to help perform the migration. This lesson looks at the tools that you'll use to perform the restructure.

After this lesson, you will be able to

  • Identify and understand the usefulness of the restructure tools that are provided to aid a migration.
  • Specify the tools to be applied during a restructure to implement a required design.

Estimated lesson time: 20 minutes

Tools for the Job

A variety of tools are used to perform the restructure. You can use some for both intra-forest move and inter-forest copy operations, while others have more specific uses.

Four main tools are available from Microsoft that you can use for inter-forest and intra-forest migrations: Netdom, ADMT, ClonePrincipal, and MoveTree. Their features are compared in Table 9.1.

Table 9.1 Comparison of ADMT, ClonePrincipal, MoveTree, and Netdom Migration Tools

Feature                                          | ADMT                             | ClonePrincipal | MoveTree | Netdom
-------------------------------------------------+----------------------------------+----------------+----------+-----------------------------
Performs inter-forest copy                       | Yes                              | Yes            | No       | Yes
Performs intra-forest move                       | Yes                              | No             | Yes      | Yes
Updates SIDhistory                               | Yes                              | Yes            | Yes      | No
Provides graphical user interface                | Yes                              | No             | No       | No
Can be script-driven                             | No                               | Yes            | Yes      | Yes
Preserves passwords                              | Yes                              | No             | Yes      | Doesn't move user accounts
Preserves GUIDs                                  | Yes (in intra-forest migrations) | No             | Yes      | Doesn't move such resources
Migrates users                                   | Yes                              | Yes            | Yes      | No
Migrates groups                                  | Yes                              | Yes            | Yes      | No
Migrates computers                               | Yes                              | No             | No       | Yes
Migrates trusts                                  | Yes                              | No             | No       | Yes
Migrates OUs                                     | No                               | No             | Yes      | No
Migrates user profiles                           | Yes                              | No             | No       | No
Migrates service accounts                        | Yes                              | No             | No       | No
Updates access control lists (ACLs) on resources | Yes                              | No             | No       | No
Synchronizes time over domains                   | No                               | No             | No       | Yes

Each of the tools listed in this table is covered in greater depth in the rest of this chapter.

Migration Support Tools

All of the tools described next are supplied in compressed format on the Microsoft Windows 2000 Server and Advanced Server CDs in the Support folders. The tools described here are only a subset of those on the CD, but they are the ones most useful in helping with an inter-forest or intra-forest restructure.

SIDWalker

SIDWalker is a set of utilities designed to help system administrators manage access-control policies on Windows 2000 and Windows NT systems. These utilities are distributed as the following files: Sidwalk.exe, Showaccs.exe, and Msvcrt50.dll. These utilities are used to assess and redesign the ACLs of all resources (such as the registry, file and folder shares, printer shares, and so on) on a server.

A three-phase approach is required when using the SIDWalker tools to modify the access control lists of an object. Each phase can take a day or longer to complete and verify, depending on the objects whose access controls you're changing. The phases are as follows:

  • Assessment. Use Showaccs.exe to find out exactly which ACLs are held on a server's resources. You can then use Showaccs to create a .CSV file of the ACLs on an object such as the registry or folder shares.
  • Planning. Use an application such as Microsoft Excel (or even WordPad) to modify the mapping file. The modifications will be based on your decision about whether to delete old, unused security identifiers or to replace them with corresponding new SIDs, such as those of new security groups.
  • Converting ACLs. Use Sidwalk.exe to convert the system's security identifiers to the corresponding new SIDs, using the information contained in the mapping file.
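
As an added illustration of the planning and conversion phases just described (example code, not from the training kit or the Support Tools), the following Python applies a SID mapping file to an ACL report and flags any SID the planner has not yet made a decision about. The report rows and the mapping-file layout are constructed for this example; the real Showaccs and Sidwalk file formats are the ones documented in the Support Tools help.

```python
import csv
import io

# Constructed ACL report in the spirit of a Showaccs export (not real Showaccs output):
# one access control entry (ACE) per row, keyed by the trustee's SID.
ACL_REPORT = r"""resource,sid,access
\\TRAINKIT1\Share1,S-1-5-21-1000-2000-3000-1105,Full Control
\\TRAINKIT1\Share1,S-1-5-21-1000-2000-3000-1120,Read
HKLM\SOFTWARE\App,S-1-5-21-1000-2000-3000-1105,Read
\\TRAINKIT1\Share2,S-1-5-21-1000-2000-3000-1150,Change
"""

# Constructed mapping file produced in the planning phase: an old SID maps either
# to its replacement SID in the new domain or to nothing, meaning "delete the ACE".
SID_MAP = """old_sid,new_sid
S-1-5-21-1000-2000-3000-1105,S-1-5-21-4000-5000-6000-1105
S-1-5-21-1000-2000-3000-1120,
"""


def load_mapping(text):
    """Parse the mapping file into {old_sid: new_sid or None (delete)}."""
    return {row["old_sid"]: row["new_sid"] or None
            for row in csv.DictReader(io.StringIO(text))}


def convert_acls(report_text, mapping):
    """Apply the mapping to every ACE in the report (the conversion phase).

    Returns (converted_rows, unmapped_sids). An ACE whose SID maps to None is
    dropped; an ACE whose SID is absent from the mapping is kept unchanged and
    reported, so the planner can fix the mapping file before running the tool.
    """
    converted, unmapped = [], set()
    for row in csv.DictReader(io.StringIO(report_text)):
        sid = row["sid"]
        if sid not in mapping:
            unmapped.add(sid)          # planning gap: decide on this SID first
            converted.append(dict(row))
            continue
        new_sid = mapping[sid]
        if new_sid is None:
            continue                   # retired SID: the ACE is removed
        converted.append({**row, "sid": new_sid})
    return converted, sorted(unmapped)


if __name__ == "__main__":
    rows, missing = convert_acls(ACL_REPORT, load_mapping(SID_MAP))
    for r in rows:
        print(f'{r["resource"]:<22} {r["sid"]:<32} {r["access"]}')
    print("SIDs with no mapping decision:", missing)
```

Running it shows the two ACEs for the retired SID ending in 1120 removed, the SID ending in 1105 rewritten to its new-domain SID, and the SID ending in 1150 reported as undecided.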

For help on using these utilities once they have been installed, open a command prompt and type showaccs /? or sidwalk /?.

The easiest tool to use is Showaccs because it examines only your system ACLs. For example, if you type showaccs report.txt /s, a file called Report.txt will be created and will contain a list of your network shares on TRAINKIT1. (Don't try this until you install the tool in the next practice.) The file would then need to be edited to work with SIDWalker.

There is also an MMC snap-in component that can be used to map new SID entries onto older ones so that newly created security principals can be given access to resources used by the original SIDs. You can run the snap-in by typing sidwalk.msc in the Run dialog box on the Start menu; however, read the documentation that comes with the Windows 2000 Support Tools first to understand how to use it.

SIDWalker tools are useful for the following operations:

  • Regular monitoring of security access control lists on specific Windows 2000 and Windows NT systems by scheduling the process. (However, note that this operation can be quite CPU-intensive.)
  • General maintenance and cleanup of access control for Windows 2000 and Windows NT file systems after a migration.
  • Updating and cleaning up the ACLs of merged groups after an intra-forest or inter-forest migration.

Ldp

Ldp is a support tool that can interact with any Lightweight Directory Access Protocol (LDAP) directory, such as the Windows 2000 Active Directory directory service. It provides a graphical interface to Active Directory, enabling you to view and modify Active Directory objects along with their attributes, and to check whether the objects have been updated and replicated across domain controllers.


Because the Ldp tool can be used to modify and delete entries in Active Directory, it's essential that you back up your system before performing any of these operations. Read the documentation that comes with Ldp if you'd like to understand the various LDAP commands that Ldp supports.

ADSI Edit

ADSI Edit is another support tool that you can use to view and potentially edit the contents of Active Directory. It is implemented as a Microsoft Management Console (MMC) snap-in. It can be used to search Active Directory and view, change, or delete objects. The searching process can be restricted to particular parts of Active Directory.

Dcdiag

The Domain Controller Diagnostic tool can be used to analyze the state of domain controllers in a forest. You specify which tests are to be performed and against which domain controllers. The tests available include connectivity, replication, logon rights, and trust verification.

Dsastat

The Dsastat command-line program can be used to compare domain naming contexts. It can give information about the relative numbers of objects in two domains. It can be used in the migration planning phase to determine the size of domains.

Secedit

The Secedit command-line program can be used to apply templates and analyze system security. It can also be used to force an update on a domain where the security policies have been changed.

Practice: Installing Support Tools for the Restructure

During the migration, you'll be using support tools included on the Windows 2000 Advanced Server CD-ROM and the Microsoft Windows 2000 Server Resource Kit. These tools aren't installed by default. You will first install these programs on TRAINKIT1. To perform this practice, you'll need the Windows 2000 Advanced Server CD-ROM. You'll install the tools into the C:\Tools folder. You should have already copied this folder from the Supplemental Course Materials CD-ROM in Chapter 8.

To install the support tools for Windows 2000 on TRAINKIT1

  1. Start up TRAINKIT1 (PC1).

    It should be running as a Windows 2000 domain controller in the trainkit.microsoft.com domain.

  2. Log on to TRAINKIT1 as Administrator with the password secret.
  3. Insert the Windows 2000 Advanced Server CD-ROM.
  4. If the CD's Autorun program runs, click Browse This CD; otherwise, double-click My Computer on the desktop and then double-click the CD-ROM icon.
  5. Double-click the Support folder to open it. In the Support folder, open the Tools folder.
  6. Double-click the Setup icon to run the Windows 2000 Support Tools setup wizard.
  7. Follow the on-screen instructions to install the support tools.
  8. When you get to the page asking whether you would like typical or custom settings, select Custom and then click Next.
  9. When the Custom Installation page is displayed, click the Browse button.

    The Windows 2000 Support Tools Installation dialog box appears.

  10. Type the destination path for the tools as c:\tools, click OK, and then click Next twice.
  11. When the tools have installed, click Finish to close the wizard.
  12. From the Start button, select Programs.

    You should now see an entry for Windows 2000 Support Tools on the Programs menu.

Lesson Summary

In this lesson, you were introduced to the tools required for a restructure. You installed the tools from the Support folder of the Windows 2000 Advanced Server CD-ROM. You also installed the tools from the Tools folder of the Supplemental Course Materials CD-ROM, many of which come from the Microsoft Windows NT Server Resource Kit and the Microsoft Windows 2000 Server Resource Kit. You were introduced to the four main tools provided by Microsoft for performing migrations: ADMT, ClonePrincipal, MoveTree, and Netdom. A table compared the features of these programs, showing that you can use Netdom to create trust relationships and add computers to the new destination domain, that you can use ClonePrincipal for only inter-forest migrations, that you can use MoveTree for only intra-forest migrations, and that you can use ADMT as a GUI tool for both inter-forest and intra-forest migrations. These tools will be discussed in detail in later lessons of this chapter. You also briefly surveyed other tools that can be useful in performing migrations and administering Active Directory, including Nslookup, Ldp, Secedit, and SIDWalker.

MCSE Training Kit (Exam 70-222): Migrating from Microsoft Windows NT 4.0 to Microsoft Windows 2000 (MCSE Training Kits)
ISBN: 0735612390
Year: 2001
Pages: 126