How to use Active Directory Migration Tool v2.0 to migrate from Windows 2000 to Windows Server 2003?

by Daniel Petri - January 7, 2009

This article describes how to set up the Active Directory Migration Tool (ADMT) to migrate from a Windows 2000-based domain to a Windows Server 2003-based domain.

Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

You can use ADMT to migrate users, groups, and computers from one domain to another, and to analyze the effect of the migration both before and after the actual migration process.

Note: This article assumes that the source domain is a Windows 2000-based domain, and that the target domain is a Windows Server 2003-based domain in Windows 2000 Native mode or later.

How to Set Up ADMT for a Windows 2000 to Windows Server 2003 Migration

You can install the Active Directory Migration Tool version 2 (ADMTv2) on any computer that is running Windows 2000 or later, including:

  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows XP Professional
  • Microsoft Windows Server 2003

The computer on which you install ADMTv2 must be a member of either the source or the target domain.

Intraforest Migration

Intraforest migration does not require any special domain configuration. The account you use to run ADMT must have enough permissions to perform the actions that are requested by ADMT. For example, the account must have the right to delete accounts in the source domain, and to create accounts in the target domain.

Intraforest migration is a move operation instead of a copy operation. These migrations are said to be destructive because after the move, the migrated objects no longer exist in the source domain. Because the object is moved instead of copied, some actions that are optional in interforest migrations occur automatically. Specifically, the sIDHistory and password are automatically migrated during all intraforest migrations.

Interforest Migration

ADMT requires the following permissions to run properly:

  • Administrator rights in the source domain.
  • Administrator rights on each computer that you migrate.
  • Administrator rights on each computer on which you translate security.

Before you migrate a Windows 2000-based domain to a Windows Server 2003-based domain, you must make some domain and security configuration changes. Computer migration and security translation do not require any special domain configuration. However, each computer you want to migrate must have the administrative shares C$ and ADMIN$ available.

The account you use to run ADMT must have enough permissions to complete the required tasks. The account must have permission to create computer accounts in the target domain and organizational unit, and must be a member of the local Administrators group on each computer to be migrated.

User and Group Migration

You must configure the source domain to trust the target domain. Optionally, the target may be configured to trust the source domain. While this may ease configuration, it is not required to finish the ADMT migration.

Requirements for Optional Migration Tasks

You can complete the following tasks automatically by running the User Migration Wizard in Test mode and selecting the migrate sIDHistory option. The user account you use to run ADMT must be an Administrator in both the source and the target domains for the automatic configuration to succeed.

  1. Create a new local group in the source domain that is named %sourcedomain%$$$. There must be no members in this group.
  2. Turn on auditing for the success and failure of Audit account management on both domains in the Default Domain Controllers policy.
  3. Configure the source domain to allow RPC access to the SAM by configuring the following registry entry on the PDC Emulator in the source domain with a DWORD value of 1:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\TcpipClientSupport

You must restart the PDC Emulator after you make this change.

Note: For Windows 2000 domains, the account you use to run ADMTv2 must have domain administrator permissions in both the source and target domains. For Windows Server 2003 target domains, the 'Migrate sIDHistory' task may be delegated. For more information, see Windows Server 2003 Help & Support.

You can turn on interforest password migration by installing a DLL that runs in the context of LSA. By running in this protected context, passwords are shielded from being viewed in cleartext, even by the operating system. The installation of the DLL is protected by a secret key that is created by ADMTv2, and must be installed by an administrator.

To install the password migration DLL:

  1. Log on as an administrator or equivalent to the computer on which ADMTv2 is installed.
  2. At a command prompt, run the ADMT KEY sourcedomain path [* | password] command to create the password export key file (.pes). In this command, sourcedomain is the NetBIOS name of the source domain and path is the file path where the key will be created. The path must be local, but can point to removable media such as a floppy disk drive, ZIP drive, or writable CD media. If you type the optional password at the end of the command, ADMT protects the .pes file with that password. If you type the asterisk (*) instead, ADMT prompts for a password, and the system does not echo it as it is typed.
  3. Move the .pes file you created in step 2 to the designated Password Export Server in the source domain. This can be any domain controller, but make sure it has a fast, reliable link to the computer that is running ADMT.
  4. Install the Password Migration DLL on the Password Export Server by running the Pwmig.exe tool. Pwmig.exe is located in the I386\ADMT folder on the Windows Server 2003 installation media, or the folder to which you downloaded ADMTv2 from the Internet.
  5. When you are prompted to do so, specify the path to the .pes file that you created in step 2. This must be a local file path.
  6. After the installation completes, you must restart the server.
  7. If you are ready to migrate passwords, modify the following registry key to have a DWORD value of 1. For maximum security, do not complete this step until you are ready to migrate.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AllowPasswordExport
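The source-side prerequisites from the numbered list above (the empty %sourcedomain%$$$ group and the TcpipClientSupport value) and the AllowPasswordExport switch from the password migration steps, as one added PowerShell script. This is not part of the original article or of ADMT itself; it assumes it is run in PowerShell directly on the source PDC Emulator / Password Export Server, and the function and parameter names (Test-AdmtSourcePrereqs, Get-AdmtPasswordExportState, Set-AdmtPasswordExport, SourceNetBiosName) and the sample domain name CORP are assumptions. The registry key, value names and group name are the ones given above; the audit-policy step is a Group Policy setting and is only noted in a comment, not read.

```powershell
# Added example (not from the original article): audits the ADMT v2 source-side
# prerequisites and manages the AllowPasswordExport switch. Run in PowerShell on
# the source PDC Emulator / Password Export Server. Function and parameter names
# are assumptions; the registry paths, value names and the <sourcedomain>$$$
# group are taken from the article.

$LsaKey = 'HKLM:\System\CurrentControlSet\Control\LSA'

function Get-LsaDword {
    # Returns the named DWORD under ...\Control\LSA, or $null when it is absent.
    param([Parameter(Mandatory = $true)][string]$Name)
    $item = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-AdmtSourcePrereqs {
    # Returns a list of findings; an empty list means the source domain looks
    # ready for sIDHistory migration as far as this script can tell.
    param([Parameter(Mandatory = $true)][string]$SourceNetBiosName)

    $findings = @()

    # 1. The local group <sourcedomain>$$$ must exist in the source domain and
    #    must have no members.
    $groupName = '{0}$$$' -f $SourceNetBiosName
    $groupPath = "WinNT://$SourceNetBiosName/$groupName,group"
    if (-not [ADSI]::Exists($groupPath)) {
        $findings += "Group $groupName does not exist in domain $SourceNetBiosName."
    } else {
        $members = @(([ADSI]$groupPath).Invoke('Members'))
        if ($members.Count -gt 0) {
            $names = $members | ForEach-Object {
                $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
            }
            $findings += "Group $groupName must be empty but contains: $($names -join ', ')"
        }
    }

    # 2. Success and failure auditing of 'Audit account management' must be on
    #    in the Default Domain Controllers policy of both domains. That is a
    #    Group Policy setting; verify it in the policy editor (not read here).

    # 3. RPC access to the SAM: TcpipClientSupport must be 1 on the source PDC
    #    Emulator, followed by a restart.
    $tcpip = Get-LsaDword -Name 'TcpipClientSupport'
    if ($tcpip -ne 1) {
        $findings += "TcpipClientSupport is '$tcpip' (expected 1); set it to 1 and restart the PDC Emulator."
    }

    return ,$findings
}

function Get-AdmtPasswordExportState {
    # Reports whether the Password Export Server will currently hand passwords
    # to ADMT. This should read 'Enabled' only during the migration window.
    $value = Get-LsaDword -Name 'AllowPasswordExport'
    if ($value -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Set-AdmtPasswordExport {
    # Flips AllowPasswordExport: -Enabled $true right before migrating passwords,
    # -Enabled $false as soon as the password migration has finished.
    param([Parameter(Mandatory = $true)][bool]$Enabled)
    $value = if ($Enabled) { 1 } else { 0 }
    Set-ItemProperty -Path $LsaKey -Name 'AllowPasswordExport' -Value $value -Type DWord
    return (Get-AdmtPasswordExportState)
}

# Usage with a constructed sample domain name.
$report = @(Test-AdmtSourcePrereqs -SourceNetBiosName 'CORP')
if ($report.Count -eq 0) { 'Source prerequisites look complete.' } else { $report }
'AllowPasswordExport is currently: ' + (Get-AdmtPasswordExportState)
```

The script only reads the registry until you call Set-AdmtPasswordExport, which mirrors step 7 above: the Password Export Server should answer password requests only while the migration is actually running, so switch the value to 1 immediately before the password migration and back to 0 (Set-AdmtPasswordExport -Enabled $false) immediately afterwards, and treat an unexpected 'Enabled' state on a domain controller as something to investigate.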

The Active Directory Migration Tool v2 is included in the I386\Admt folder on the Windows Server 2003 CD.

Download Active Directory Migration Tool v2.0 (4.7mb)

For more information about how to use ADMT to perform a migration, see ADMT Help. Start the Active Directory Migration Tool, click Help Topics on the Help menu, click the Contents tab, and then click Active Directory Migration Tool.

Links

Active Directory Migration Tool Overview

HOW TO: Set Up ADMT for a Windows NT 4.0-to-Windows Server 2003 Migration - 325851
