Active Directory Domain Migration Using ADMT Tool1

Magnamious Systems Pvt. Ltd

Active Directory Domain Migration

Manual Using Microsoft

ADMT 3.0


Author- Bhavesh Liya


Active Directory Domain migration using ADMT Tool Project Summary – To test Windows 2003 Active Directory Domain migration using Microsoft Active Directory Migration Tool in test environment Example Customer : Nitco Tiles Goals :

1. Users, Computers & Groups migration to new domain keeping old SID intact along with new SID(using SID History).This will allow access to old domain resources (Like file server, SQL server Access etc) along with new domain.

2. Migrate users passwords.

3. Automatic migration of users’ domain membership & profile without going to users’

desk. 4. Migrate existing server account membership along with service accounts.

Test LAB configuration – Microsoft Virtual Server environment used for testing. Microsoft Hyper-V used as virtual platform for virtual servers. Microsoft ADMT 3.0 is used for migration. Migration Setup details –

1. Old Windows 2003 Active Directory Domain name – “nitcowrl.com” 2. Microsoft SQL 2005 Server which is member of “nitcowrl.com” domain 3. 5 desktop clients with windows XP SP3 which are members of “nitcowrl.com” Domain 4. New Windows 2003 Active Directory Domain name – “nitco.local” 5. Migration server with ADMT 3.0 installed which is member of “nitco.local” Domain


Aim – Migrate users (with passwords), Computers & Groups from “nitcowrl.com” domain to “nitco.local” Domain. Migrate SQL server service account to “nitco.local” domain. Change member ship of SQL server & XP clients from “nitcowrl.com” domain to “nitco.local” domain Migration Steps – Migration should be done in 2 steps

1. Prepare domains for migration 2. Migrate objects from old domain to new domain

Migration steps in brief –

Preparing domains for migration –

1. Create new Active Directory domain. 2. Install Windows Support Tools on both servers. 3. Add DNS forwarders in both servers for each other. 4. Raise domain functional level to windows 2000 Native mode if not done. 5. Create 2 Way trust between both domains. 6. Create independent migration server for migration (ADMT 3.0). 7. Migration server should be member of new domain. Windows 2003 recommended as

OS for migration server. 8. Install Password Export Server Service on old server. 9. Disable SID filtering on old server. 10. Create one Migration OU on both servers. 11. Create Group policy to disable Windows firewall on old Domain & apply to migration

OU. 12. Create Group Policy to add “Migration Account” (which is on new domain) to clients

“Local Administrators” Group. 13. Move All Clients Computers to "Migration OU”. 14. Add Target Domain Administrator account to source domain “Builtin Administrators”

Group. Migration –

1. Migrate Users & passwords to new domain. 2. Migrate Groups to new domain. 3. Migrate Computers to new domain. 4. Change computers membership to new domain. 5. Run “Security Translation” wizard to migrate users profile. 6. Migrate “Service Account” & servers to new domain. 7. Change servers membership to new domain. 8. Run “Security Translation” wizard to migrate servers profile.


Migration Steps in Details

Preparing for Migration –

Adding DNS forwarders on domain – Logon to Respective DCs and Open DNS Management - This step must be done on both servers.


Go to server’s properties – Click on forwarders – Click on New.

Enter new domain FQDN in “DNS domain” option & click “OK”.


Enter IP Address for new domain & click “Add” – Click “Apply” – “OK”.

New Domain

DNS Server

for new

Domain

Old Domain Controller


Creating 2 way Trust between domains – Logon to any of the Domain – Open “Active Directory Domains and Trusts” in Administrative Tools.


Go to properties of Domain


Select Trusts & click on “New Trust”



Type the name of the domain to be trust


Select Two-Way


Select “Both this domain and the specified domain”


Enter specified domain Administrator username & password




After successfully creating trust, it will give message that by default SID Filtering is enabled. We have to manually disable SID Filtering after words


Install Password Export Server Service on old server – Creating .pes file for password export server service –

Logon to ADMT Migration server with Administrator Account & create “.pes” file which will be used to create “Password Export Server Service” on old domain controller. Run following command on migration server.

Note – Install ADMT 3.0 prier to run this command

Admt key /opt:create /sd:old /kf:c:\ Old = old domain name

This will create .pes file in c:\ of ADMT server. Copy .pes file to old domain controller


Installing Password Export Server Service on old domain controller –

1. Logon to old domain controller 2. Download and run “pwdmig.msi” file on old server


Click “Browse” & mention “.pes” file path which was copied



Reboot the server after successful installation.


Work not complete yet. We need to modify following registry entry to “1” after installation. HKEY_LOCALMACHINE\System\CurrentcontrolSet\Control\LSA\AllowPasswordExport



By default “Password Export Server Service” set to Manual startup. We need to start the service

Disable SID History –

To allow the users & groups SID to pass back & forth between the domain, we need to disable a security feature called SID filtering on the source domain. From a DC on the old domain, type the following command “Netdom trust old /domain:new /quarantine:No /UserD:Administrator /PasswordD:password”

Old = old domain FQDN New = New domain FQDN Password = Old server Administrator password


We can verify SID of an object before & after migration using ADSIEDIT tool SID before migration –

Open property of object


In Attribute Editor, click “Show only attributes that have values


SID After migration –

Object shows new SID as well as old domain SID (sIDHistory)

SID for New Domain

SID from old domain


Creating OU & Group Policy for migration – Create a new OU for migration on both servers. We created OU named “Migration OU” Move all computers to that OU on source server. We need to disable firewall on all XP clients & add migration account (new domain’s Administrator Account) to Local Administrators group on all source domain computers Note – Create Firewall Disable Group policy on both domains OU No need to create Local Admin Group policy on New Domain Creating Group policy to disable firewall – Logon to old Domain – Open Active Directory Users and Computers – open Migration OU Properties


Create new group policy called “Migration Group Policy” & then Click Edit


Go to Computer Configuration – Administrative Templates – Network – Network Connections – Windows Firewall – Domain Profile And disable Windows “Firewall: Protect all network connections”


Go to Computer Configuration – Administrative Templates – Network – Network Connections – Windows Firewall – Standard Profile And disable Windows “Firewall: Protect all network connections”


Creating Group policy to add target administrator to local Admin account on source computers – Note – Before creating this group policy, create a security group called “migraton” on New domain controller and add new domain Administrator to this group Go to Computer Configuration - Windows Settings – Security Settings – Restricted Groups – right click & click “Add Group”


By default it will show old domain in locations option, change to new domain. & select “migration” group which was created & click Ok

Click OK


Click Add to add member of this group

In Locations change to new domain & add Administrator then click OK


After adding members, in “This group is a member of:” option click Add


Do not click “Browse”, manually type Administrators & click OK

Click Apply & OK


Close Group Policy Editor


Add new domain Administrator account to old domain Builtin Administrators Group Note – This is very important task & must be perform before starting migration. Logon to old domain controller – Open “Active Directory Users and Computers” Click on Builtin & open Administrators Group Properties


Click Add

In Locations option, select new domain & select Administrator & click OK


Servers & clients preparation is completed. Now we are ready for migration. Important Note - 1. If Old Domain controller OS is Windows 2000 then sometimes it may give problem to migrate SID. In this case it is recommended to add additional DC of 2003 in old domain forest & transfer FSMO roles to Windows 2003 DC & then do migration 2. If new Domain controller OS is windows 2008 then we must Enable following Group Policy in "Default Domain Controller Policy"

"Allow cryptography algorithms compatible with Windows NT 4.0" Check following Microsoft Article -

http://support.microsoft.com/kb/942564

New Domain

Administrator Account


Migration –

Users Migration – We can migrate multiple users at a time but it is recommended to move 1 user at first time & check. Logon to migration server using administrator account & open “Active Directory Migration Tool”


Right click on ADMT & run “User Account Migration Wizard”


Select Source & Target domain & click “Next”



Select User to migrate & click “Next”

In select Target OU select “Migration OU”, which was created on new server.


Select “Migrate passwords”. Password migration source DC will be selected automatically which was already configured on old DC. Click “Next”


Select Target same as source. It is recommended to disable source accounts so that users can not logon to old domain again It is very important to select “Migrate user SIDs to target domain”


Enter source domain Administrator username & password, and then click “Next”


“Select Update user rights” & “Fix user’s group memberships” and then click “Next”



Migration status will be displayed. You can view migration log. Click close.


Groups Migration – Right click on ADMT & run “Group Account Migration Wizard”


Select Source & Target domain / domain controller & click “Next”




Select Target OU & then click “Next”


Enter source domain Administrator username & password, and then click “Next”




Computer Migration – Note – Client Computer must be Online while running Computer migration wizard, because at the end of migration wizard, it will change computers domain membership automatically & remotely reboot the computer. If computer is off while running wizard then we have to MANUALLY change computers domain membership. Do not logon to computer after rebooted by ADMT wizard, because we need to run “Security Translation” wizard to automatic users profile migration to new domain. If by mistake client logs to new domain without completing Security Translation wizard then logon to computer using local admin account & delete new domain profile. Again run “Security Translation” wizard & then logon to computer again. Following are the steps for computer & profile migration –

1. Run computer migration wizard & migrate computer 2. At the end of the wizard, change computers domain membership 3. It will reboot computer remotely 4. Wait till computer reboots & then close wizard 5. Do not logon to migrated computer 6. Run Security Translation wizard 7. Logon to computer to new domain. 8. Clients old profile will be appear in new profile. No need to manually copy profile


Detailed Steps – Right click on ADMT & run “Computer Migration Wizard”





Do not select any “Translate objects”. “Translation wizard” should be run after completing computer migration wizard





Run Pre-check before running agent operation (Changing computers domain membership)



Select “Run pre-check and agent operation” & click start


After successful agent operation, computers will automatic reboot. After computer reboots properly post-check will also show successful. Wait till Post-check task shows successful


Click “Close”


Security Translation Wizard – Right click on ADMT & run “Security Translation Wizard”





Select All Objects & click “Next”



Select “Run pre-check” & click “Start”. Wait until pre-check shows “Passed”


Select “Run pre-check and agent operation” & click “Start”. Wait until “Agent Operation” shows “Successful”. Then click “Close”

After completing this task, please logon to new domain from client’s computer. You will find clients old domain profile migrated to new domain profile.


Servers Migration – Migration of server account is similar to desktop computers. Only difference is that we have to Migrate “Service Account” using “Service Account Migration Wizard”. Steps to Migrate Servers to new domain –

1. Migrate Server computer account using “Computer Migration Wizard” 2. Migrate service account using “Service Account Migration Wizard” 3. Migrate Service account user using “User Migration Wizard” 4. Run “Security Translation Wizard” to migrate profile


Service Account Migration – Right click on ADMT & run “Service Account Migration Wizard”





Select “Run pre-check” & click “Start”. Wait until “pre-check” shows passed


Select “Run pre-check and agent operations” & click “Start”. Wait until “Agent Operation” Shows “successful”

Click “Close” after completing operation. Migrate all users, Groups, Computers, servers & service accounts to new domain.


Post Migration tasks – After successful migration do following tasks

1. Shutdown old domain controller & check functionality 2. If entire network working fine then restart old domain controller 3. Change all clients & Servers DNS settings to new DNS server, if not changed 4. Remove trust between old & new domain. 5. Shutdown & remove old domain from organization

Documents

Active Directory Domain Migration Using ADMT Tool1