Inter-forest Migration from win2003 to win 2008 R2 forest using ADMT.
- Create a user in the source domain with membership of “Domain Admins” & “Enterprise Admins” that would be used throughout the migration. Eg. ent-exchadmin
- Communication between the old (source) DC, PDC Emulator and new (target) DC, PDC Emulator needs to be established completely.
a. Ensure DNS has been configured on the target DC
b. Create a conditional forwarder from source (domain) DNS and target (domain) DNS (AD integrated) to forward DNS queries from each other domains.
From source AD DNS (old domain controller)
From Target AD DNS (new domain controller)
c. Now verify DNS resolving between both the domains. use NSLOOKUP
d. Create a two way external trust relationship between the both domains
From target (new domain) domain controller -AD domain and trust
From source (old domain) domain controller -AD domain and trust
e. Disable SID filtering on the outgoing trust on the moth domains,
Examples: on new (target) domain: Netdom trust newdomain.com /domain:olddomain.com /quarantine:No /ent-exchadmin:user /Pass12345:Password
on old (source) domain: Netdom trust olddomain.com /domain:newdomain.com /quarantine:No /ent-exchadmin:user /Pass12345:Password
f. Create registry key “AllowPasswordExport” add DWORD 1 to to DWORD HKEY_LOCAL_MACHINE\System\CurrentControlSet\Contro l\LSA on the source Domain PDC Emulator which users account and password (inslalling PES) will be migrated from.
Note: For windows 2000 server needs additional registry key “TcpipClientSupport” with DWORD value to 1.
g. Create a Global Group in the OU on the new domain that contain the members of those would be involved in the migration process of Users/Groups/Workstations/Servers eg. site-admins
i. Assign the Migrators Members to the site-admins Group.
j. Install the ADMT on target (new domain) DC or windows 2008 member server (see. http://www.remoteitservices.com/content/migrating-users-windows-2003-windows-2008-using-admt-31-0)
k. Add new domain (target) “Domain Admins” group and “Site-Admins” in to the “Administrators” Group on the server that is running the ADMT.
l. Add Target “Domain Admins” group & Site-Admins in to the “Administrators” Group in the Source Domain Active Directory.
m. Delegate permissions on “newdomain.com” root domain in “Active Directory Users and Computers” “migrate SID History” to the Site-Admins group and Full Control permissions on the OU where the Objects would be migrated to. Say, Users, Groups and Computers.
n. Make sure that on both Domains “Default Domain Controller Policy” -> Computer Configuration -> Windows Setting -> Security Settings -> Local Policies -> Audit Policy -> “Audit Account Management” is set to Audit both Success & Failure.
o. Create a Local group “olddomain.com$$$” On the Source Domain.
Note: do not place any members in this group or the ADMT would fail migrating SID History.
p. From the new domain controller where ADMT is installed, run the following command: c:\windows\ADMT>admt key /opt:create /sd:olddomain.com /kf:”c:\temp\olddomain.pes”
q. copy the “olddomain.pes” onto a local disk on the old domain controller that would be used for the migration process.
r. Install the PES Application/DLL (filename. pwdmig.msi) on the old domain controller, the Installation setup could be found on the ADMT server where the ADMT was installed – Win2003R2\I386\ADMT\PWDMIG (or http://www.microsoft.com/downloads/en/details.aspx?familyid=5B4E5C61-1C00-4DA7-9C0D-130200AED21A&displaylang=en., Supply the Installation wizard with the “olddomain.pes” you just copied onto the DC, When asked under what service to run the PES DLL choose and set a new (Target) Domain Admin user account that was decided. eg. newdomain\administrator.
s. Now start the password export service from old domain controller.
You are done with the prerequisites and preparation. Now you are ready to use ADMT to migrate your required accounts or services.
Please see my next posts for Users, Email and Computer account migrations using ADMT.