
Migrating ADS Objects Using ADMT

PCQ Bureau

In a large network infrastructure there can be times when there is a requirement to migrate objects from one active directory domain to another. The reasons for this could be adding a new child domain and moving appropriate objects into that, or renaming of an existing domain and moving objects into the new one or merging of two domains due to company takeover. These are, of course, just sample scenarios and there could be many other reasons why you might wish to do this.


When such a task needs to be undertaken, there are a number of critical things one must do to ensure that the migration is smooth. The ADMT (Active Directory Migration Tool) is an MMC-based application that lets you perform the various tasks that are required in a phased and easy-to-use manner using a GUI. For the purposes of this article, let us assume that you wish to move objects from a Win NT 4.0 or Win 2000 domain called OldDomain to a Win 2003 domain called NewDomain. We'll assume that the domain controllers are set up and can see each other over the network.

Direct Hit!

Applies to: System administrators
USP: Allows easy migration of ADS objects between domains
Primary Link: http://www.microsoft.com/windowsserver2003/downloads/tools/default.mspx
Google keywords: active directory migration tool
On PCQEssential CD: System/cdrom/super_utilities/admt

You can install the ADMT tool on a Win 2000 machine which is part of either domain. We recommend that you install the ADMT tool on the PDC of the NewDomain itself. You'll also need to know the Enterprise Admin administrator login details for both domains to complete the process. The first thing to do is to create a two-way trust relationship between the two domains. On the NewDomain PDC, start up the 'Active Directory Domains & Trusts' console and add the entry for OldDomain in both the Trusting and Trusted sections. Supply the OldDomain's admin user and password when prompted. Similarly, perform the same step on the OldDomain PDC.


This time add the NewDomain and supply the appropriate login credentials. You must be able to verify the trusts from both sides by pressing the Verify button in this window. Now you need to decide whether the users who move to the new domain will retain their passwords from the older domain or whether a new password will be assigned to them. If you decide on the latter, there is nothing more you really need to do at this stage. However, if you wish your users to retain their passwords, there is an additional step that you will need to take. It involves installing a Password Export Server on the OldDomain PDC. This should be done at a time when there is no load on the server and no outside access to the DC is allowed. This is because the passwords of all the users will be exposed (albeit over secure RPC calls) for reading. To do this, log in to the machine where ADMT is installed. Open a command prompt and browse to the folder where the files were copied. Here, issue this:

ADMT KEY *

It creates a new file with a .PES extension in the folder you specified in the Path. You will be prompted for a password before it gets created. Make sure you remember this password exactly.


Now copy the file across to the OldDomain PDC. Install the Password Migration DLL (for the Export Server) by running the PwMig.exe tool that came as part of the ADMT installer.

The ADMT main menu from where you can perform the various migration tasks

You will be prompted for the location of the .PES file as well as the password to read it. Supply both and wait for the installation to complete. Restart the OldDomain PDC when done. When the PDC is up and running and you are ready to start the migration, open the registry and browse over to the key:


HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AllowPasswordExport 

Change the value of this setting to 1. You are now completely ready to start the migration. To do the first step of migration, run ADMT from the 'Administrative Tools' folder on the NewDomain PDC. When the tool starts up, you'll only see a folder with this name and a sub link called Reports. Right click on the folder in the console to get a large menu of tasks that you can perform. 
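Because the AllowPasswordExport setting is what lets the Password Export Server hand out password hashes, it pays to keep it at 1 only for as long as the ADMT run actually needs it. The following PowerShell script is an added example and is not part of the original article or of ADMT itself; it checks that the two-way trust verifies from both sides (using netdom.exe, which is assumed to be present on the PDC), enables the setting, waits for the operator to finish the migration, and then sets it back to 0 even if something goes wrong in between. OldDomain and NewDomain are the article's placeholder names, and the log path is a constructed one.

```powershell
# Added example (not from the article): bound the password-export window on the
# OldDomain PDC. Run elevated on that PDC after the PES has been installed.
$LsaKey    = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$ValueName = 'AllowPasswordExport'
$LogFile   = "$env:SystemRoot\Temp\pes-window.log"   # constructed log path (assumption)

function Write-WindowLog([string]$Message) {
    # keep a timestamped record of when export was opened and closed
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $LogFile -Append
}

function Get-PasswordExportState {
    # returns 0 when the value is absent, otherwise its current DWORD value
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Set-PasswordExportState([int]$State) {
    if ($State -ne 0 -and $State -ne 1) { throw "State must be 0 or 1, got $State" }
    Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $State -Type DWord
    Write-WindowLog "$ValueName set to $State"
}

function Test-TwoWayTrust([string]$Trusting, [string]$Trusted) {
    # netdom returns exit code 0 when the trust verifies (assumes netdom.exe is on the PATH)
    & netdom.exe trust $Trusting /d:$Trusted /verify | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# ---- main: only open the window when both trust directions verify; always close it ----
$Old = 'OldDomain'   # placeholder names from the article
$New = 'NewDomain'

if (-not (Test-TwoWayTrust -Trusting $New -Trusted $Old)) {
    throw "Trust $New -> $Old did not verify; leaving $ValueName at $(Get-PasswordExportState)"
}
if (-not (Test-TwoWayTrust -Trusting $Old -Trusted $New)) {
    throw "Trust $Old -> $New did not verify; leaving $ValueName at $(Get-PasswordExportState)"
}

try {
    Set-PasswordExportState 1
    Write-Host "Password export is enabled. Run the ADMT user migration with password migration now."
    # the operator closes the window explicitly once the wizard has finished
    Read-Host 'Press Enter when the ADMT run has completed'
}
finally {
    Set-PasswordExportState 0
    if ((Get-PasswordExportState) -ne 0) {
        Write-Warning "$ValueName is still non-zero; set it to 0 manually before reconnecting the PDC."
    } else {
        Write-Host "Password export disabled again."
    }
}
```

The finally block is the important part: whether the migration finishes cleanly, errors out, or the operator aborts with Ctrl+C, the setting is returned to 0 and the log shows exactly how long export was possible.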

This article details two of the most common and differing tasks. The rest of the tasks in this menu follow a similar methodology. All tasks allow you to test the migration first before actually performing it. This is useful in case there are errors that you need to resolve before actually committing to the migration. We very highly recommend that you perform a test migration for each task before you actually undertake it.


The first thing we'll do is migrate the users from the old to the new domain. Choose the appropriate task from the menu. Once the wizard starts, follow the steps, making sure to answer the questions as you require them. Some of the important points of note are: the migration rule for usernames (whether to remain the same or change with a prefix or suffix); the action to take if there is already a user with that name; and whether to migrate the password (in which case the password export server must be chosen). Once the wizard is complete, it will perform the migration (or the test, if that was chosen). In case there are any errors, you can view the log and correct them as need be.

Another important thing to do is to move computer accounts to the new domain. For this, first close the ADMT. Now go to Start>Administrative Tools. Press the Shift key and right click on the ADMT link. Select 'Run As...' from the menu and, when the pop-up appears, log in as the administrator of the OldDomain and not the NewDomain. Now start the computer migration wizard and follow the steps as before. Once the wizard completes and you see the computers migrated, close the window. Immediately a new window pops up that will deploy a computer migration agent to all the computers. The status of the deployment and the agents is displayed in this window.

Once the agents are deployed and are running on the machines, their domain membership will automatically be changed to the NewDomain. The machines will reboot into the new domain. Logged-in users will be given a time-limited warning to save their work before the restart is forced. When the machines start up again, they will be part of the new domain you chose.

In a nutshell, ADMT is a great tool to perform the complex tasks of migrating ADS objects from one domain to another while retaining important information such as passwords, and changing the client computers' domain membership as well.

Vinod Unny, Enterprise InfoTech
