Active Directory Migration Tool Best Practices


Active Directory Migration Tool (ADMT) is a simple and free way to move objects into an Active Directory domain. ADMT enables you to move users into a new domain without breaking their access to files in the old domain, and it can automate moving multiple computer objects into a new domain, even remotely rebooting those computers if you want. Depending on the situation in which it is used, there are many tricks to making ADMT work its best, and many security implications that must be understood.

Using ADMT to Migrate Resources

ADMT version 2.0 offers the capability to migrate passwords along with the users. This feature was unavailable in version 1.0. To migrate the password, you must also set up the Password Export Server. Follow these steps:

  1. Create a key that encrypts the password list.

  2. Run ADMT.exe from the command line using the key option. The syntax for this command is ADMT.exe key Source_Domain_Name folder [Password].

  3. Set the value of the AllowPasswordExport Registry entry (located in HKLM\SYSTEM\CurrentControlSet\Control\Lsa on the PES) to 1. You can disable a PES from supporting password migration by setting the value to 0.

  4. Add the Everyone group to the Pre-Windows 2000 Compatible Access group on the target domain. This will prevent ADMT from logging an Access Denied error.

  5. In the Active Directory Users and Computers snap-in, verify that permissions on the PES server object are set to allow the Pre-Windows 2000 Compatible Access group to Read All Properties on the following object:

       CN=Server,CN=System,DC=<domain_name>

  6. If you are running ADMT on a server running Windows Server 2003, add ANONYMOUS LOGON to the Pre-Windows 2000 Compatible Access group on the target domain to prevent an Access Denied error.

This will allow the migrate password option in ADMT 2.0 to work properly.

Next you should install the pwdmig.exe password migrator.

After those are in place, the ADMT itself can be run. Simply select the wizard for the type of migration desired.

The Active Directory Migration Tool is covered in more depth in Chapter 14, "Migrating from Windows NT 4.0."

Implications of SID History

SID History is an attribute stored on a user's account that references the account's previous identities. ADMT uses SID History to allow newly migrated users to access resources they could reach before the migration: in addition to the primary SID for an account, all previous SIDs for that account are stored as well.

When a user attempts to access a resource, the system checks the Access Control List on the resource and compares it to the SIDs on the account attempting the access. If a SID on the account has been granted access, the account can use the resource. This is the standard behavior of Windows. SID history complicates this process slightly in that both the primary SID and every SID in the SID history are checked for rights.

A clever administrator could use this feature to elevate their rights from a separate domain. ADMT checks whether a SID already exists before it will migrate an account, but if a domain were disconnected from the other domains and Global Catalogs, ADMT would not know that a SID was a duplicate. Because NT 4.0 generates SIDs sequentially, an administrator of an NT 4.0 domain could modify the domain SID prefix and create accounts until one received a SID matching that of an administrator in another domain. This account could then be migrated into the administrator's domain via ADMT and the domain reconnected to the rest of the forest; the newly migrated account would carry a SID History entry matching the administrator in the other domain and would have the same administrative privileges as the real administrator, whose account was essentially cloned.

Cleaning Up SID History

If a user object is moved via ADMT, it keeps a history of its previous SIDs. Administrators can protect their networks by not allowing accounts with SID history to access resources. Because many legitimate accounts will be migrated and have a SID history, it is necessary to be able to remove the SID history from accounts after their old resources have been given new ACLs that reference the primary account SID. Microsoft offers a Visual Basic Script designed to do just this.
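The two preceding sections describe both the risk (a sIDHistory entry that matches an administrator's SID) and the cleanup (removing ordinary migration entries once resources are re-ACLed). The following audit is an added example, not code from the book or from ADMT: it runs offline over a constructed export of accounts from the target domain (names, SIDs and the set of legitimate migration source domains are all made up for the sample) and separates entries that should never result from a legitimate ADMT migration from entries that are simply ready for cleanup.

```python
import re

# Constructed sample export, not data from the page: each tuple is
# (sAMAccountName, objectSid, sIDHistory values) as dumped from the target domain.
SAMPLE_EXPORT = [
    ("jsmith",     "S-1-5-21-1111-2222-3333-1104", ["S-1-5-21-9999-8888-7777-1104"]),
    ("mjones",     "S-1-5-21-1111-2222-3333-1105", ["S-1-5-21-9999-8888-7777-1105"]),
    ("svc-backup", "S-1-5-21-1111-2222-3333-1106", ["S-1-5-21-1111-2222-3333-500"]),
    ("contractor", "S-1-5-21-1111-2222-3333-1107", ["S-1-5-21-4444-5555-6666-512"]),
]

# Domain SID prefixes that really were ADMT migration sources (assumed for the sample).
MIGRATION_SOURCES = {"S-1-5-21-9999-8888-7777"}
# Well-known RIDs of built-in administrative principals.
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Split a domain account SID into (domain prefix, RID); rejects other SIDs."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain account SID: %s" % sid)
    return m.group(1), int(m.group(2))

def audit_sid_history(export, migration_sources):
    """Classify every sIDHistory entry in the export.

    Returns (suspicious, cleanup): suspicious holds (account, sid, reason) for
    entries no legitimate migration would produce; cleanup holds (account, sid)
    for ordinary entries that can be removed once the old resources have been
    re-ACLed against the primary SID.
    """
    suspicious, cleanup = [], []
    for account, primary, history in export:
        target_prefix, _ = split_sid(primary)
        for old in history:
            prefix, rid = split_sid(old)
            if prefix == target_prefix:
                suspicious.append((account, old, "history SID belongs to the target domain itself"))
            elif rid in PRIVILEGED_RIDS:
                suspicious.append((account, old, "history SID is %s" % PRIVILEGED_RIDS[rid]))
            elif prefix not in migration_sources:
                suspicious.append((account, old, "history SID from a domain that was never a migration source"))
            else:
                cleanup.append((account, old))
    return suspicious, cleanup

if __name__ == "__main__":
    bad, ok = audit_sid_history(SAMPLE_EXPORT, MIGRATION_SOURCES)
    for entry in bad:
        print("SUSPICIOUS", *entry)
    for entry in ok:
        print("CLEANUP", *entry)
```

Accounts on the suspicious list should be investigated before any SID history is cleared; the cleanup list is the input for the removal script once the re-ACL work is done.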

Improvements in ADMT 2.0

Windows Server 2003 shipped with version 2.0 of the ADMT. This version offered several improvements over the version that came with Windows 2000. Perhaps the single most useful improvement is the ability to migrate the user's password along with the user object. This avoids both the confusion of making users learn a new password and the insecurity of resetting every password to the same value. This function involves setting a permission on a Registry key on the PDC in the source domain and running an agent that gathers the passwords to move along with the accounts.



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325