The Active Directory Migration Tool is a core tool for use in both an intra-forest and an inter-forest restructure. In this lesson, you'll learn how to obtain it and you'll use it to perform an inter-forest migration.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
ADMT is currently the most comprehensive GUI-based migration tool from Microsoft. It contains several wizards that implement migration functions and is supplied as an MMC snap-in. You can use it to do the following:
ADMT can be downloaded from the Windows 2000 Web site at http://www.microsoft.com/windows2000. It has been licensed by Microsoft from NetIQ (www.netiq.com) for use in the migration process. The ADMT program can also be found in the Tools folder of the Supplemental Course Materials CD provided with this book.
For ADMT to be able to clone users and groups, the source and destination domains must be prepared as described in the practice in the previous lesson.
ADMT provides a one-stop shop in that it can perform all migration functions from a single MMC snap-in. Its graphical environment and wizard-based user interface make it easy to use. However, you are limited by the options that the wizards provide. If there are complex, specific issues (for example, to move all the users whose names start with INT to the trainkit.microsoft.com domain), you can't use ADMT.
One of the limitations of ADMT is that it can initially be quite overwhelming because of its large number of options. These options vary too, depending on the type of migration you're doing. For example, using ADMT in an inter-forest migration, you must enter a new password for the user account that will be created in the destination domain. This password can be the same name as the user's current logon name, or ADMT can generate a new, complex password for the user. If it generates a password, it will place the password in an output file that you can then pass to the user later. In an intra-forest restructure, however, the password of a user can be retained.
Other important options the tool will allow you to select include the following:
The Active Directory Migration Tool is not supplied with the Windows NT system, nor is it in the Microsoft Windows 2000 Server Resource Kit. Instead, it must be downloaded from the Microsoft Web site and installed. A copy of ADMT is supplied in the Tools folder on the CD-ROM supplied with this book. You'll install ADMT on trainkit1.trainkit.microsoft.com, which is operating as a Windows 2000 server in native mode.
IMPORTANT
It is essential that you install Microsoft Windows NT Service Pack 4 or later on MIGRATE1 prior to proceeding further with this practice. Otherwise the migration will fail.
To install ADMT on TRAINKIT1
You should have installed the tools from the Supplemental Course Materials CD-ROM in an earlier practice.
The Active Directory Management Tool is now available from the Administrative Tools folder.
Now you'll clone users from the MIGRATE domain into the trainkit.microsoft.com domain using ADMT. Before you perform this practice, you must have performed all the steps in the previous lessons. The two computers MIGRATE1 and TRAINKIT1 must be running and connected via a suitable network.
To clone users from MIGRATE to trainkit.microsoft.com using ADMT
On the User Selection page of the wizard, you select the users to be migrated. You're going to migrate just one user, mig1.
NOTE
The Account Transition Options dialog box gives you the option to disable the source account, disable the target account (so you can enable it later), or leave both accounts open. You can also set the number of days after which the source account will expire automatically.
This option will allow the user to log on in both domains and still have access to the resources in the source domain. Figure 9.12 shows the settings to use.
Figure 9.12 Account transition options
Because you're attempting to update the SIDhistory attributes, you'll be asked for a user account and password in the destination domain.
Figure 9.13 User Options in the ADMT User Account Migration Wizard
ADMT now needs to know what to do if an existing user name is encountered with the same name as the source. The existing one can be overwritten with the new one, or a prefix or suffix can be automatically added if a duplicate occurs.
Figure 9.14 Naming conflicts
NOTE
If a conflict occurs, you can use ADMT to resolve it by selecting the options shown in Figure 9.14 to control whether the rights and group memberships of the existing user are replaced by the new duplicate user.
The Migration Progress page appears and will show the progress of the migration.
Now you'll test whether the logon account has been successfully cloned.
When the logon succeeds you should find that all the desktop settings should have been retained. To open the picture file you created you will have to open My Computer and navigate to the Mig1 user's mapped home folder because the shortcut will likely no longer work. The reason for this is that Windows 2000 now maps a user's home folder to a root drive (in this case H:\) whereas Windows NT mapped the home folder to a path (that is, H:\mig1). The shortcut will still reflect the Windows NT folder path.
Notice that the logon script is also missing. In order for the script to work, you will need to manually copy the script to the Netlogon share in Windows 2000 or use the Lbridge.cmd technique shown in Chapter 6.
NOTE
If you'd like to experiment further with ADMT, from the C:\Tools folder, run the batch file Moreusrs.bat (log on as Administrator before running the script). The batch file will add 20 more users and two groups containing ten Press users and ten Publicity users. Whenever you create your test facilities, you should script as many of the setups as possible because you will likely be tearing down and recreating your installation several times. However, please don't use the Intra group users created by the batch file for any experimentation because they'll be used in the last lesson of this chapter.
If the migration failed, you should check the ADMT migration log file to indicate the point of failure. If you're concerned about part of the migration failing, the Test Settings option can be used to check all the stages of a migration without moving any users.
Possible reasons for failure include the following:
In this lesson, you learned how the Active Directory Migration Tool can be used in both an intra-forest migration and an inter-forest migration. You installed a copy of ADMT and saw that it is limited only by the fact that it can't be scripted. You also used ADMT to clone a user and the associated profile from a source domain into a new environment (which could be a pristine environment). You saw all the settings that are required prior to the migration itself. You also saw that, once migrated, the user still has access to the profiles and resources in the source domain.