Exporting Password Key Information

The Password Export Server (PES) service is used to migrate passwords during interforest migrations. This service must be installed on the source domain and uses a password key generated previously.

A 128-bit encrypted password key must be installed from the target domain on a server in the source domain. This key allows for the migration of password and SID History information from one domain to the next.

To create this key, follow these steps from the command prompt of the ADMT server in the target domain:
1. Insert a USB drive to store the key. (The key can be directed to the network but, for security reasons, directing to a USB drive is better.)

2. Open a command prompt.

3. Type admt key /option:create /sourcedomain:<SourceDomainName> /keyfile:f:\domain.pes /keypassword:*, where <SourceDomainName> is the NetBIOS or DNS name of the source domain, f: is the destination drive for the key, and domain.pes is the password encryption key filename. Then press Enter.

4. The utility prompts for the password and confirmation of the password. Then the utility writes the key file to the destination drive.

5. Upon successful creation of the key, remove the USB drive and keep it in a safe place.

This needs to be repeated for each domain to be migrated.
Installing PES on the Source Domain

After exporting the password key from the target domain, the encrypted password key needs to be installed on a domain controller in the source domain. The procedure uses the key generated previously. The following procedure outlines this installation:
1. Insert the USB drive with the exported key from the target domain into the server's disk drive.

2. The installation source is a separate download from Microsoft with a version for 32-bit servers and one for 64-bit servers. This should be downloaded to the source domain controller.

3. Start the Password Migration Installer by browsing to find the downloaded file, PwdMig.msi, and running it.

4. On the Welcome page, click Next.

5. Accept the license agreement, and then click Next.

6. Enter the location of the key that was created on the target domain; normally, this is the USB drive that was used to transfer the key. Click Next to continue.

7. Enter and confirm the password that was set on the key file, and click Next.

8. On the Verification page, click Next to continue.

9. Select an administrator account in the target domain for the service in the form domain\account and the password, and then click OK.

10. Click Finish after the installation is complete.

11. Open the Services console (Start, Administrative Tools, Services). Select the Password Export Server service and change its startup type to Automatic.

12. The system must be restarted, so click Yes when prompted to automatically restart. Upon restarting, the proper settings will be in place to make this server a Password Export Server.

The account used for the service will be granted the Logon As a Service right. This needs to be installed on at least one source domain controller in each domain to be migrated.
Setting Proper Registry Permissions

The installation of the proper components creates special Registry keys, but leaves them disabled by default for security reasons. One of these is the AllowPasswordExport value. You need to enable this Registry value on the source domain to allow passwords to be exported from the Password Export Server. The following procedure outlines the use of the Registry Editor to perform this function:
1. On the PES domain controller in the source domain, open the Registry Editor (Start, Regedit).

2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

3. Double-click the AllowPasswordExport DWORD value.

4. Change the properties from 0 to 1 (Hexadecimal).

5. Click OK and close the Registry Editor.

6. Reboot the machine for the Registry changes to be enacted.

This allows passwords to be exported from the source domain to the target domain.
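The following PowerShell script is an added example, not from the book or from ADMT itself. Run it in an elevated session on the source-domain PES domain controller to report the AllowPasswordExport value and the state of the PES service, and to set the value back to 0 once the migration window is over; it assumes the service's display name begins with "Password Export Server" and does not assume the internal service name.

```powershell
# Added example (not from the book): audit the PES registry value and service on the source DC.
# Assumption: the PES service display name starts with 'Password Export Server'.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-PesState {
    # Read the value the book's procedure sets by hand; $null means the installer never created it.
    $allow = (Get-ItemProperty -Path $lsaPath -Name AllowPasswordExport -ErrorAction SilentlyContinue).AllowPasswordExport
    $svc   = Get-Service -DisplayName 'Password Export Server*' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AllowPasswordExport = if ($null -eq $allow) { 'missing' } else { $allow }
        ServiceInstalled    = [bool]$svc
        ServiceStatus       = if ($svc) { $svc.Status } else { 'n/a' }
        StartType           = if ($svc) { $svc.StartType } else { 'n/a' }   # book step 11 expects Automatic
    }
}

function Set-AllowPasswordExport {
    # 1 enables export for the migration window; 0 restores the installer's secure default afterwards.
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    Set-ItemProperty -Path $lsaPath -Name AllowPasswordExport -Value $Value -Type DWord
    # As in the book's step 6, the DC must be restarted before the new value takes effect.
}

$state = Get-PesState
$state | Format-List
if ($state.AllowPasswordExport -eq 1) {
    Write-Warning 'AllowPasswordExport is 1: password export is enabled. Run Set-AllowPasswordExport 0 and reboot when the migration is finished.'
}
```

Leaving AllowPasswordExport at 1 after the migration keeps a path for extracting password hashes open on the domain controller, so the reset to 0 belongs in the migration checklist.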
Configuring Domains for SID Migration

Migration of the source security identifiers (SIDs) into the target domain SID History allows the security assigned in access control lists (ACLs) to work transparently after the migration. This gives the administrator time to reset ACLs on a gradual basis or even after all objects are migrated.

There are several settings that need to be configured to allow for the SIDs to be transferred. These settings include creating a local group in the source domain for auditing, enabling TCP/IP client support on the source PDC emulator, and, finally, enabling auditing on both the source and target domains.

To create the local group on the source domain for auditing, execute the following steps:
1. Log on to a domain controller on the source domain.

2. Launch Active Directory Users and Computers.

3. Create a domain local group named SourceDomain$$$, where SourceDomain is the NetBIOS name of the source domain. For example, the local group for the companyabc.com domain would be companyabc$$$.

Do not add any members to the group, or the migration process will fail.
To enable TCP/IP client support, execute the following steps:

1. Log on to the PDC emulator domain controller in the source domain.

2. Launch the Registry Editor.

3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

4. Create the value TcpipClientSupport REG_DWORD and assign it a value of 1.

5. Exit the Registry Editor and restart the computer.
To enable auditing in Windows Server 2008 R2 domains, execute the following steps:

1. Select Start, Administrative Tools, Group Policy Management.

2. Drill down to Forest, Domains, Domain, Domain Controllers, Default Domain Controller Policy, and then right-click and select Edit.

3. Drill down to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, and select the Audit Policy node.

4. Double-click on the Audit Account Management policy.

5. Check the Define These Policy Settings and select both Success and Failure.

6. Click OK to save the changes.

7. Exit the Group Policy Management Editor.

8. Repeat the preceding steps for all source and target domains.

Now the source and target domains will be prepared to transfer SIDs into the SID History.
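The following PowerShell script is an added example, not from the book or from ADMT, that verifies the three SID History prerequisites above (the empty SourceDomain$$$ group, TcpipClientSupport on the PDC emulator, and Account Management auditing) for one source domain. It assumes the ActiveDirectory RSAT module, WinRM access to the source PDC emulator, and that $SourceDomain is a parameter you supply with the source domain's DNS name.

```powershell
# Added example (not from the book): check the SID History prerequisites for one source domain.
# Assumptions: ActiveDirectory module available; WinRM access to the source PDC emulator;
# $SourceDomain is the DNS name of the source domain.
param([Parameter(Mandatory)][string]$SourceDomain)
Import-Module ActiveDirectory

$domain    = Get-ADDomain -Identity $SourceDomain
$pdc       = $domain.PDCEmulator
$groupName = $domain.NetBIOSName + '$$$'          # e.g. companyabc$$$
$findings  = @()

# 1. The domain local auditing group must exist and must stay empty; members make the migration fail.
$group = Get-ADGroup -Server $pdc -LDAPFilter "(name=$groupName)"
if (-not $group) {
    $group = New-ADGroup -Server $pdc -Name $groupName -GroupScope DomainLocal -GroupCategory Security -PassThru
}
$members = @(Get-ADGroupMember -Server $pdc -Identity $group)
if ($members.Count -gt 0) {
    $findings += "$groupName has $($members.Count) member(s); it must be empty"
}

# 2. TcpipClientSupport must be 1 on the PDC emulator (the book's steps set it by hand, then restart).
$tcpip = Invoke-Command -ComputerName $pdc -ScriptBlock {
    (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name TcpipClientSupport `
        -ErrorAction SilentlyContinue).TcpipClientSupport
}
if ($tcpip -ne 1) {
    $findings += "TcpipClientSupport on $pdc is '$tcpip'; expected 1 (a restart is needed after setting it)"
}

# 3. Account Management auditing must be Success and Failure on the domain controllers.
#    auditpol /r emits CSV; each subcategory of the category should report 'Success and Failure'.
$audit = Invoke-Command -ComputerName $pdc -ScriptBlock {
    auditpol /get /category:'Account Management' /r | Where-Object { $_ } | ConvertFrom-Csv
}
foreach ($row in $audit) {
    if ($row.'Inclusion Setting' -ne 'Success and Failure') {
        $findings += "Audit '$($row.Subcategory)' on $pdc is '$($row.'Inclusion Setting')'"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { "SID History prerequisites satisfied for $SourceDomain" }
```

Run it once per source domain, and again for the target domains with only the auditing check in mind, since step 8 requires Account Management auditing on both sides.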