Migrating Accounts Using the Active Directory Migration Tool


When the target domain structure has been finalized, built, and "burnt in" as part of a pilot, and ADMT has been installed, the process of migrating the user, computer, and other accounts can begin. As previously mentioned, the built-in wizards in ADMT streamline the process and give a great deal of flexibility regarding migration options.

Migrating Groups Using ADMT

In most cases, the first objects to be migrated into a new domain should be groups. If users are migrated first, their group membership does not transfer. However, if the groups exist before the users are migrated, they automatically find their place in the group structure. To migrate groups using ADMT v2, use the Group Account Migration Wizard:

  1. Open the ADMT MMC snap-in (Start, All Programs, Administrative Tools, Active Directory Migration Tool).

  2. Right-click on Active Directory Migration Tool in the left pane and choose Group Account Migration Wizard.

  3. Click Next to continue.

  4. On the next screen, illustrated in Figure 14.7, the option to test the migration is available. As previously mentioned, the migration process should be thoroughly tested before actually being done in production. In this example, however, the migration will be done. Choose Migrate now and click Next to continue.

    Figure 14.7. ADMT test run options.


  5. Select the source and destination domains and click Next to continue.

  6. The subsequent screen allows for the group accounts from the source domain to be selected. Select all required by using the Add button and selecting the objects manually. After the groups have been selected, click Next to continue.

  7. Enter the destination OU for the accounts from the source domain by clicking Browse and selecting the OU created in the prerequisite steps outlined above. Click Next to continue.

  8. On the following screen, several options appear that will determine the nature of the migrated groups. Clicking the Help button details the nature of each setting. In the sample migration, the settings detailed in Figure 14.8 are chosen. After choosing the appropriate settings, click Next to continue.

    Figure 14.8. Group options in ADMT.


  9. If auditing has not been enabled on the source domain, the prompt illustrated in Figure 14.9 will appear, which gives the option to enable auditing. This is required for migration of the SIDHistory. Click Yes to continue.

    Figure 14.9. The enable auditing dialog box.


  10. Another prompt might appear if auditing is not enabled on the target domain. Enabling auditing is required for migration of SIDHistory and can be disabled after the migration. Click Yes to enable and continue.

  11. A local group named SOURCEDOMAIN$$$ is required on the source domain for migration of SIDHistory. A prompt asking to create this group will be displayed at this point, as illustrated in Figure 14.10, if it has not been created beforehand. Click Yes to continue.

    Figure 14.10. Local group creation for ADMT.


  12. Another dialog box may appear asking to create a Registry key named TcpipClientSupport in the source domain. This is also required for SIDHistory migration. Click Yes to continue.

  13. If the Registry key was created, an additional prompt is displayed asking whether the PDC in the source domain will require a reboot. In most cases, it will, so click Yes to continue.

  14. The next prompt, illustrated in Figure 14.11, exists solely to stall the process while the reboot of the source PDC takes place. Wait until the PDC is back online and then click OK to continue.

    Figure 14.11. Waiting for the source domain PDC to reboot.


  15. The subsequent screen allows for the exclusion of specific directory-level attributes from migration. If the need arises to exclude any attributes, they can be set here. In this example, no exclusions are set. Click Next to continue.

  16. A user account with proper administrative rights on the source domain should now be entered in the screen shown in Figure 14.12. After it's entered, click Next to continue.

    Figure 14.12. Naming conflict options.


  17. Naming conflicts often arise during domain migrations. In addition, different naming conventions may apply in the new environment. The screen illustrated in Figure 14.12 allows for these contingencies. In the example illustrated, any conflicting names have the XYZ- prefix attached to the account names. After the settings have been defined, click Next to continue.

  18. The verification screen is the last wizard screen before any changes have been made. Ensure that the procedure has been tested before running it, because ADMT will henceforth write changes to the target Windows Server 2003 Active Directory environment. Click Finish when ready to begin group migration.

  19. The Group migration process will then commence. Changing the refresh rate, as illustrated in Figure 14.13, allows a quicker analysis of the current process. When the procedure is complete, the log can be viewed by clicking on View Log. After you complete these steps, click the Close button to end the procedure.

    Figure 14.13. The group account migration process.

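Steps 11 and 12 change the source PDC so that SIDHistory can be migrated: a local group named after the source domain is created and the TcpipClientSupport Registry value is set. The following PowerShell function is an added example, not part of the original text or of ADMT, that reports whether those two changes are present on a source PDC so the state can be reviewed before or after the wizard runs. The function name, OLDDOM, and OLDPDC01 are placeholders, and the Registry key path is an assumption taken from Microsoft's ADMT prerequisite documentation rather than from this chapter.

```powershell
# Added example: inventory the SIDHistory prerequisites on the source PDC.
# Get-AdmtSidHistoryPrereq, OLDDOM and OLDPDC01 are hypothetical names.
function Get-AdmtSidHistoryPrereq {
    param(
        [Parameter(Mandatory)] [string] $SourceDomain,  # NetBIOS name of the source domain
        [Parameter(Mandatory)] [string] $SourcePdc      # host name of the source PDC
    )

    # Single quotes matter: inside double quotes PowerShell would expand "$$".
    $groupName = $SourceDomain + '$$$'
    $groupPath = "WinNT://$SourceDomain/$groupName,group"

    $groupExists = $false
    $memberCount = $null
    try {
        if ([ADSI]::Exists($groupPath)) {
            $groupExists = $true
            # Enumerate members through the WinNT provider and count them.
            $memberCount = @(([ADSI]$groupPath).psbase.Invoke('Members')).Count
        }
    } catch {
        Write-Warning "Group lookup failed: $($_.Exception.Message)"
    }

    # Assumed key path (not given in this chapter): HKLM\SYSTEM\CurrentControlSet\Control\Lsa
    $tcpipClientSupport = $null
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $SourcePdc)
        $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        if ($lsa) { $tcpipClientSupport = $lsa.GetValue('TcpipClientSupport', $null) }
        $hklm.Close()
    } catch {
        Write-Warning "Remote registry read failed: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        SourcePdc          = $SourcePdc
        LocalGroup         = $groupName
        LocalGroupExists   = $groupExists
        LocalGroupMembers  = $memberCount
        TcpipClientSupport = $tcpipClientSupport  # $null means the value is absent
    }
}

# Example invocation with placeholder names.
Get-AdmtSidHistoryPrereq -SourceDomain 'OLDDOM' -SourcePdc 'OLDPDC01'
```

The function only reads state and needs the Remote Registry service reachable on the source PDC; it does not check the auditing settings from steps 9 and 10.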

Migrating User Accounts Using ADMT

User accounts are the bread and butter of domain objects, and are one of the most important components. The biggest shortcoming of ADMT v1 was its inability to migrate passwords of user objects, which effectively limited its use. However, ADMT v2 does an excellent job of migrating users, their passwords, and the security associated with them. To migrate users, follow this procedure:

  1. Open the ADMT MMC Console (Start, All Programs, Administrative Tools, Active Directory Migration Tool).

  2. Right-click on Active Directory Migration Tool and choose User Account Migration Wizard, as indicated in Figure 14.14.

    Figure 14.14. Starting the user account migration process.


  3. Click Next at the welcome screen.

  4. The next screen offers the option to test the migration before actually performing it. As previously mentioned, this is a recommended process; in this example, the full migration will be performed. Select Migrate Now and then click Next.

  5. Select the source and target domains in the subsequent screen and click Next to continue.

  6. The following screen enables you to choose user accounts for migration; click the Add button and select the user accounts to be migrated. After all user accounts have been selected, click Next to continue.

  7. The next screen enables you to choose a target OU for all created users. Choose the OU by clicking the Browse button. After the OU has been selected, similar to what is shown in Figure 14.15, click Next to continue.

    Figure 14.15. Selecting the organization unit in the migration wizard.


  8. The new password migration functionality of ADMT v2 is enacted through the following screen. Select Migrate passwords and select the server in the source domain that had the Password Migration DLL installed in previous steps. Click Next to continue.

  9. The subsequent screen deals with security settings in relation to the migrated users. Click Help for an overview of each option. In this example, the settings illustrated in Figure 14.16 are chosen. Click Next to continue.

    Figure 14.16. Account transition options.


  10. Enter the username, password, and domain of an account that has Domain Admin rights in the source domain. Click Next to continue.

  11. Several migration options are presented as part of the next screen. As before, press Help to learn more about some of these features. In this example, the options illustrated in Figure 14.17 are selected. Click Next to continue.

    Figure 14.17. User options in ADMT.


  12. The next screen is for setting exclusions. Any property of the user object that should not be migrated should be specified here. In this example, no exclusions are set. Click Next to continue.

  13. Naming conflicts for user accounts are common. A procedure for dealing with duplicate accounts should be addressed in advance and can be designated in the next wizard screen, as illustrated in Figure 14.18. Select the appropriate options for duplicate accounts and click Next to continue.

    Figure 14.18. Naming conflict settings.


  14. The following verification screen presents a summary of the procedure that will take place. This is the last screen before changes are written to the target domain. Verify the settings and click Next to continue.

  15. The Migration Progress status box displays the migration process as it occurs, indicating the number of successful and unsuccessful accounts created. When the process is complete, review the log by clicking View Log and verify the integrity of the procedure. A sample log file from a user migration is illustrated in Figure 14.19. Click Close when finished.

    Figure 14.19. A sample user migration log.


Migrating Computer Accounts Using ADMT

Another important set of objects that must be migrated is also one of the trickier ones. Computer objects must not only be migrated in AD, they must also be updated at the workstations themselves so that users can log in effectively from their consoles. ADMT seamlessly installs agents on all migrated computer accounts and reboots them, forcing them into their new domain structures. This process is outlined in the following steps:

  1. Open the ADMT MMC Console (Start, All Programs, Administrative Tools, Active Directory Migration Tool).

  2. Right-click on Active Directory Migration Tool and choose Computer Migration Wizard.

  3. Click Next at the welcome screen.

  4. As in the previous wizards, the option for testing the migration is given at this point. It is highly recommended to test the process before migrating computer accounts. In this case, a full migration will take place and Migrate now is chosen. Click Next to continue.

  5. Type the names of the source and destination domains in the drop-down boxes of the next screen and click Next to continue.

  6. In the following screen, select the computer accounts that will be migrated by clicking the Add button and picking the appropriate accounts. Click Next to continue.

  7. Select the OU to which the computer accounts will be migrated and click Next to continue.

  8. The next screen allows for the specification of which settings on the local computers will be migrated. Click the Help button for a detailed description of each item. In the example, all items are checked, as illustrated in Figure 14.20. Click Next to continue.

    Figure 14.20. Specifying settings to be migrated.


  9. The subsequent screen prompts you to choose whether existing security will be replaced, removed, or added on to. In this example, the security will be replaced. Click Next to continue.

  10. A prompt is displayed informing you that the user rights translation will be performed in Add mode only. Click OK to continue.

  11. The next screen is important. It enables an administrator to specify how many minutes a computer will wait before restarting itself. In addition, the naming convention for the computers can be defined, as illustrated in Figure 14.21. After choosing options, click Next to continue.

    Figure 14.21. Computer timing options.


  12. As in the previous wizards, exclusions for specific attributes may be set in the following wizard. Select any exclusions desired and click Next to continue.

  13. Naming conflicts are addressed in the subsequent screen. If any specific naming conventions or conflict resolution settings are desired, enter them here. Click Next to continue.

  14. The completion screen lists a summary of the changes that will be made. Review the list and click Finish when ready. All clients that will be upgraded will subsequently be rebooted.

  15. After the migration process has completed, the migration log will be available for viewing by clicking the View Log button. After all settings have been verified, click Close.

  16. The client agents will be distributed to all clients that have been migrated. Each agent is installed automatically, and counts down until the designated time limit that was set during the configuration of the migration wizard. The dialog box illustrated in Figure 14.22 appears on each workstation.

    Figure 14.22. The automatic workstation restart.


  17. Click Close on the Migration Console to end the wizard.

Migrating Service Accounts Using ADMT

With the combination of performing an in-place upgrade and the need to support applications that require service accounts, such as Microsoft Exchange and other third-party products, the ADMT Service Account Migration Wizard can assist in moving this account information to Active Directory. To migrate these service accounts, perform the following steps:

  1. From the ADMT management console, launch the Service Account Migration Wizard by selecting Action.

  2. Select the source domain in which the service accounts reside and the target domain to which the service accounts will be migrated. Select the Next button when ready to continue.

  3. The Update service account information page gathers service account information for the selected source domain. If this is the first time you are using the Service Account Migration Wizard, select Yes, update the information.

  4. The No, use previously collected information option is not available if the wizard has not been run previously. This option enables the migration of service accounts without collecting service account information each time the wizard is run.

  5. On the Service Account Selection page, enter the computer that will host the service accounts that are being migrated. Click the Add button to enter and check the computer account names that host the service accounts being migrated. Click OK to continue.

  6. The Active Directory Migration Tool Monitor will appear. Review the status as the ADMT installs the agent on the computers selected.

  7. On the Service Account Information page, review the service account being migrated. Use the Skip/Include button to select or deselect accounts for this migration. The Update SCM now option updates the service control entry. After the proper accounts have been selected, choose Next to continue.

The Service Account Migration Wizard summary verifies the tasks and results of the migration. Use the scrollbar to review the tasks of the service account migration. Click Finish to close the Service Account Wizard.

The Active Directory Migration Tool can be used to migrate additional Windows NT4 Domain resources to Active Directory. Always review the results of each migration and test permissions and functionality before continuing with any of the migrations.

Migrating Other Domain Functionality

In addition to the group, user, and computer migration wizards, several other wizards exist that can migrate specific domain-critical components. These wizards operate using the same principles that the wizards previously presented use, and are as straightforward in their operation. The following is a list of the additional wizards included in ADMT v2:

  • Security Translation Wizard

  • Reporting Wizard

  • Exchange Directory Migration Wizard

  • Retry Task Wizard

  • Trust Migration Wizard

  • Group Mapping and Merging Wizard

Virtually all necessary functionality that needs to be replaced when migrating from one domain to another can be transferred by using ADMT v2. It has proven to be a valuable tool that gives administrators an additional option to consider when migrating and restructuring Active Directory environments.



Microsoft Exchange Server 2003 Unleashed (2nd Edition)
ISBN: 0672328070
EAN: 2147483647
Year: 2003
Pages: 393
Authors: Rand Morimoto
