
Active Directory Domain Migration Manual Using Microsoft ADMT 3.0

Magnamious Systems Pvt. Ltd

Author- Bhavesh Liya


Active Directory Domain migration using ADMT Tool


Project Summary

To test Windows 2003 Active Directory Domain migration using Microsoft Active Directory Migration Tool in a test environment.

Example Customer: Nitco Tiles

Goals:
1. Users, Computers & Groups migration to new domain keeping old SID intact along with new SID (using SID History). This will allow access to old domain resources (like file server, SQL server access etc.) along with new domain.
2. Migrate users' passwords.
3. Automatic migration of users' domain membership & profile without going to users' desk.
4. Migrate existing server account membership along with service accounts.

Test LAB configuration

Microsoft Virtual Server environment used for testing. Microsoft Hyper-V used as virtual platform for virtual servers. Microsoft ADMT 3.0 is used for migration.

Migration Setup details
1. Old Windows 2003 Active Directory Domain name: nitcowrl.com
2. Microsoft SQL 2005 Server which is member of nitcowrl.com domain
3. 5 desktop clients with Windows XP SP3 which are members of nitcowrl.com Domain
4. New Windows 2003 Active Directory Domain name: nitco.local
5. Migration server with ADMT 3.0 installed which is member of nitco.local Domain


Aim

Migrate users (with passwords), Computers & Groups from nitcowrl.com domain to nitco.local Domain. Migrate SQL server service account to nitco.local domain. Change membership of SQL server & XP clients from nitcowrl.com domain to nitco.local domain.

Migration Steps

Migration should be done in 2 steps:
1. Prepare domains for migration
2. Migrate objects from old domain to new domain

Migration steps in brief


Preparing domains for migration
1. Create new Active Directory domain.
2. Install Windows Support Tools on both servers.
3. Add DNS forwarders in both servers for each other.
4. Raise domain functional level to Windows 2000 Native mode if not done.
5. Create 2-way trust between both domains.
6. Create independent migration server for migration (ADMT 3.0). Migration server should be member of new domain.
7. Windows 2003 recommended as OS for migration server.
8. Install Password Export Server Service on old server.
9. Disable SID filtering on old server.
10. Create one Migration OU on both servers.
11. Create Group Policy to disable Windows Firewall on old domain & apply to Migration OU.
12. Create Group Policy to add Migration Account (which is on new domain) to clients' Local Administrators Group.
13. Move all client computers to "Migration OU".
14. Add Target Domain Administrator account to source domain Builtin Administrators Group.

Migration
1. Migrate Users & passwords to new domain.
2. Migrate Groups to new domain.
3. Migrate Computers to new domain.
4. Change computers' membership to new domain.
5. Run Security Translation wizard to migrate users' profile.
6. Migrate Service Account & servers to new domain.
7. Change servers' membership to new domain.
8. Run Security Translation wizard to migrate servers' profile.


Migration Steps in Details


Preparing for Migration
Adding DNS forwarders on domain

Logon to respective DCs and open DNS Management. This step must be done on both servers.


Go to server's properties, click on Forwarders, then click on New.

Enter new domain FQDN in DNS domain option & click OK.


Enter IP Address for new domain & click Add. Click Apply, then OK.

Old Domain Controller

New Domain
DNS Server for new Domain


Creating 2-way Trust between domains

Logon to any of the domains and open Active Directory Domains and Trusts in Administrative Tools.


Go to properties of Domain


Select Trusts & click on New Trust


Type the name of the domain to be trusted


Select Two-Way


Select Both this domain and the specified domain


Enter specified domain Administrator username & password


After successfully creating the trust, it will give a message that by default SID Filtering is enabled. We have to manually disable SID Filtering afterwards.


Install Password Export Server Service on old server


Creating .pes file for Password Export Server Service

Logon to ADMT Migration server with Administrator Account & create .pes file which will be used to create Password Export Server Service on old domain controller. Run following command on migration server.

Note: Install ADMT 3.0 prior to running this command.

admt key /opt:create /sd:old /kf:c:\

old = old domain name

This will create the .pes file in c:\ of the ADMT server. Copy the .pes file to the old domain controller.


Installing Password Export Server Service on old domain controller
1. Logon to old domain controller
2. Download and run pwdmig.msi file on old server


Click Browse & mention .pes file path which was copied


Reboot the server after successful installation.


Work is not complete yet. We need to set the following registry value to 1 after installation:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AllowPasswordExport


By default the Password Export Server Service is set to Manual startup. We need to start the service.
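The registry value and service state above can be checked and switched from one PowerShell script run on the old domain controller. This is an added example, not part of the manual or of ADMT; the registry path is the one the manual gives, while the service display-name wildcard is an assumption:

```powershell
# Added example (not from the original manual): enable the Password Export
# Server prerequisites before password migration, or turn them back off when
# the migration is finished. Run locally on the source DC as an administrator.
param(
    [ValidateSet("Enable", "Disable")]
    [string]$Mode = "Enable"
)

# Registry path from the manual (AllowPasswordExport under the Lsa key).
$lsaKey = "HKLM:\System\CurrentControlSet\Control\Lsa"

# Assumption: the service installed by pwdmig.msi has a display name starting
# with "Password Export Server"; adjust the wildcard if it differs.
$svc = Get-Service -DisplayName "Password Export Server*" -ErrorAction SilentlyContinue
if (-not $svc) { throw "PES service not installed; run pwdmig.msi with the .pes key file first" }

if ($Mode -eq "Enable") {
    # 1 lets ADMT pull password hashes from this DC; the service ships with
    # Manual startup, so it must be started explicitly as the manual says.
    Set-ItemProperty -Path $lsaKey -Name AllowPasswordExport -Value 1 -Type DWord
    Start-Service -Name $svc.Name
} else {
    # Password export widens what this DC will hand out, so once all users are
    # migrated set the value back to 0, stop the service and keep it from
    # starting again.
    Set-ItemProperty -Path $lsaKey -Name AllowPasswordExport -Value 0 -Type DWord
    Stop-Service -Name $svc.Name
    Set-Service  -Name $svc.Name -StartupType Disabled
}

# Report the resulting state so it can be recorded in the migration log.
$value  = (Get-ItemProperty -Path $lsaKey -Name AllowPasswordExport).AllowPasswordExport
$status = (Get-Service -Name $svc.Name).Status
"AllowPasswordExport = $value; service '$($svc.DisplayName)' is $status"
```

Run it with `-Mode Enable` before the User Account Migration Wizard and with `-Mode Disable` once the post-migration checks pass.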

Disable SID Filtering


To allow the users' & groups' SIDs to pass back & forth between the domains, we need to disable a security feature called SID filtering on the source domain. From a DC on the old domain, type the following command:

netdom trust old /domain:new /quarantine:No /UserD:Administrator /PasswordD:password

old = old domain FQDN
new = new domain FQDN
password = old server Administrator password


We can verify the SID of an object before & after migration using the ADSIEDIT tool.

SID before migration

Open property of object


In Attribute Editor, click Show only attributes that have values


SID After migration

SID for New Domain

SID from old domain

The object shows the new SID as well as the old domain SID (sIDHistory).
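The same before/after check can be scripted from the ADMT server instead of clicking through ADSIEDIT. This is an added PowerShell example, not part of the manual; it uses the manual's domain names nitcowrl.com (source) and nitco.local (target), the account name is a placeholder, and it assumes the running user can read both domains over the trust:

```powershell
# Added example (not from the original manual): confirm that a migrated account
# in the new domain carries its old-domain SID in sIDHistory.
param(
    [string]$SamAccountName = "testuser",      # placeholder account name
    [string]$SourceDomain   = "nitcowrl.com",  # old domain from the manual
    [string]$TargetDomain   = "nitco.local"    # new domain from the manual
)

function ConvertTo-SidString([byte[]]$Bytes) {
    # objectSid and sIDHistory are stored as binary SIDs; SecurityIdentifier
    # renders them in the S-1-5-21-... form that ADSIEDIT displays.
    (New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0)).Value
}

# Domain SID of the old domain: every account SID it issued has this prefix.
$sourceRoot = [ADSI]"LDAP://$SourceDomain"
$sourceSid  = ConvertTo-SidString ([byte[]]$sourceRoot.Properties["objectSid"].Value)

# Look the migrated account up in the new domain and read both attributes.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$TargetDomain"
$searcher.Filter     = "(sAMAccountName=$SamAccountName)"
$null = $searcher.PropertiesToLoad.Add("objectSid")
$null = $searcher.PropertiesToLoad.Add("sIDHistory")
$result = $searcher.FindOne()
if (-not $result) { throw "Account $SamAccountName not found in $TargetDomain" }

$newSid  = ConvertTo-SidString $result.Properties["objectsid"][0]
$history = @($result.Properties["sidhistory"] | ForEach-Object { ConvertTo-SidString $_ })

"Domain SID of ${SourceDomain}: $sourceSid"
"New SID (objectSid):           $newSid"
"sIDHistory:                    $($history -join ', ')"

# Access to old-domain resources (file server, SQL ACLs) only keeps working if
# sIDHistory holds a SID that the old domain issued.
$carried = $history | Where-Object { $_.StartsWith("$sourceSid-") }
if ($carried) {
    "OK: old-domain SID carried over via sIDHistory"
} else {
    Write-Warning "No old-domain SID in sIDHistory; migrate again with 'Migrate user SIDs to target domain' selected"
}
```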


Creating OU & Group Policy for migration

Create a new OU for migration on both servers. We created an OU named Migration OU. Move all computers to that OU on the source server. We need to disable the firewall on all XP clients & add the migration account (new domain's Administrator Account) to the Local Administrators group on all source domain computers.

Note: Create the Firewall Disable Group Policy on the Migration OU of both domains. No need to create the Local Admin Group Policy on the new domain.

Creating Group Policy to disable firewall

Logon to old domain, open Active Directory Users and Computers, open Migration OU Properties.


Create new group policy called Migration Group Policy & then Click Edit


Go to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile, and disable "Windows Firewall: Protect all network connections".


Go to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile, and disable "Windows Firewall: Protect all network connections".


Creating Group Policy to add target administrator to local Administrators group on source computers

Note: Before creating this group policy, create a security group called migration on the new domain controller and add the new domain Administrator to this group.

Go to Computer Configuration > Windows Settings > Security Settings > Restricted Groups, right click & click Add Group.


By default it will show the old domain in the Locations option; change it to the new domain, select the migration group which was created & click OK.

Click OK


Click Add to add member of this group

In Locations, change to the new domain & add Administrator, then click OK


After adding members, in the "This group is a member of:" option click Add


Do not click Browse, manually type Administrators & click OK

Click Apply & OK


Close Group Policy Editor


Add new domain Administrator account to old domain Builtin Administrators Group

Note: This is a very important task & must be performed before starting migration.

Logon to old domain controller, open Active Directory Users and Computers, click on Builtin & open Administrators Group Properties.


Click Add

In the Locations option, select the new domain, select Administrator & click OK


New Domain Administrator Account

Servers & clients preparation is completed. Now we are ready for migration.

Important Note
1. If the old Domain controller OS is Windows 2000 then sometimes it may give problems migrating SIDs. In this case it is recommended to add an additional Windows 2003 DC in the old domain forest, transfer the FSMO roles to the Windows 2003 DC & then do the migration.
2. If the new Domain controller OS is Windows 2008 then we must enable the following Group Policy in "Default Domain Controllers Policy":

"Allow cryptography algorithms compatible with Windows NT 4.0"

Check the following Microsoft Article:

http://support.microsoft.com/kb/942564


Migration
Users Migration

We can migrate multiple users at a time but it is recommended to migrate 1 user the first time & check. Logon to migration server using administrator account & open Active Directory Migration Tool.


Right click on ADMT & run User Account Migration Wizard


Select Source & Target domain & click Next


Select User to migrate & click Next

In Select Target OU, select Migration OU, which was created on the new server.


Select Migrate passwords. The password migration source DC, which was already configured on the old DC, will be selected automatically. Click Next.


Select Target same as source. It is recommended to disable source accounts so that users cannot logon to the old domain again. It is very important to select Migrate user SIDs to target domain.


Enter source domain Administrator username & password, and then click Next


Select Update user rights & Fix users group memberships and then click Next


Migration status will be displayed. You can view the migration log. Click Close.


Groups Migration

Right click on ADMT & run Group Account Migration Wizard


Select Source & Target domain / domain controller & click Next


Select Target OU & then click Next


Enter source domain Administrator username & password, and then click Next


Computer Migration

Note: The client computer must be online while running the Computer Migration Wizard, because at the end of the wizard it will change the computer's domain membership automatically & remotely reboot the computer. If the computer is off while running the wizard then we have to MANUALLY change the computer's domain membership.

Do not logon to the computer after it is rebooted by the ADMT wizard, because we need to run the Security Translation Wizard for automatic migration of users' profiles to the new domain. If by mistake a client logs on to the new domain without completing the Security Translation Wizard, then logon to the computer using the local admin account & delete the new domain profile. Run the Security Translation Wizard again & then logon to the computer again.

Following are the steps for computer & profile migration:
1. Run Computer Migration Wizard & migrate computer
2. At the end of the wizard, change computer's domain membership
3. It will reboot computer remotely
4. Wait till computer reboots & then close wizard
5. Do not logon to migrated computer
6. Run Security Translation Wizard
7. Logon to computer in new domain
8. Client's old profile will appear in new profile. No need to manually copy profile


Detailed Steps

Right click on ADMT & run Computer Migration Wizard


Do not select any Translate objects. The Security Translation Wizard should be run after completing the Computer Migration Wizard.


Run Pre-check before running the agent operation (changing computers' domain membership)


Select Run pre-check and agent operation & click Start


After a successful agent operation, the computers will reboot automatically. After the computer reboots properly, the post-check will also show Successful. Wait till the Post-check task shows Successful.


Click Close


Security Translation Wizard

Right click on ADMT & run Security Translation Wizard


Select All Objects & click Next


Select Run pre-check & click Start. Wait until pre-check shows Passed


Select Run pre-check and agent operation & click Start. Wait until Agent Operation shows Successful. Then click Close

After completing this task, logon to the new domain from the client computer. You will find the client's old domain profile migrated to the new domain profile.


Servers Migration

Migration of server accounts is similar to desktop computers. The only difference is that we have to migrate the service account using the Service Account Migration Wizard.

Steps to migrate servers to new domain:
1. Migrate server computer account using Computer Migration Wizard
2. Migrate service account using Service Account Migration Wizard
3. Migrate service account user using User Migration Wizard
4. Run Security Translation Wizard to migrate profile


Service Account Migration

Right click on ADMT & run Service Account Migration Wizard


Select Run pre-check & click Start. Wait until pre-check shows Passed


Select Run pre-check and agent operation & click Start. Wait until Agent Operation shows Successful

Click Close after completing the operation. Migrate all users, groups, computers, servers & service accounts to the new domain.


Post Migration tasks

After successful migration do the following tasks:
1. Shutdown old domain controller & check functionality
2. If entire network is working fine then restart old domain controller
3. Change all clients' & servers' DNS settings to new DNS server, if not changed
4. Remove trust between old & new domain
5. Shutdown & remove old domain from organization

