Migrating from Windows Server 2003/2008 to Windows Server 2008 R2 : Multiple Domain Consolidation Migration (part 2)

3/3/2011 10:25:53 PM

Exporting Password Key Information

The Password Export Server (PES) service is used to migrate passwords during interforest migrations. This service must be installed in the source domain and uses a password key that is generated in the target domain, as described next.

A 128-bit encrypted password key must be installed from the target domain on a server in the source domain. This key allows for the migration of password and SID History information from one domain to the next.

To create this key, follow these steps from the command prompt of the ADMT server in the target domain:

1. Insert a USB drive to store the key. (The key can be written to a network location, but, for security reasons, writing it to a USB drive is better.)

2. Open a command prompt.

3. Type admt key /option:create /sourcedomain:<SourceDomainName> /keyfile:f:\domain.pes /keypassword:*, where <SourceDomainName> is the NetBIOS or DNS name of the source domain, f: is the destination drive for the key, and domain.pes is the password encryption filename. Then press Enter.

4. The utility prompts for the password and for confirmation of the password. It then writes the key file to the destination drive.

5. Upon successful creation of the key, remove the USB drive and keep it in a safe place.

This needs to be repeated for each source domain to be migrated.

Installing PES on the Source Domain

After exporting the password key from the target domain, the encrypted password key needs to be installed on a domain controller in the source domain. The procedure uses the key generated previously. The following procedure outlines this installation:

1. Insert the USB drive with the exported key from the target domain into the server's disk drive.

2. The installation source is a separate download from Microsoft, with one version for 32-bit servers and one for 64-bit servers. It should be downloaded to the source domain controller.

3. Start the Password Migration Installer by browsing to the downloaded file, PwdMig.msi, and running it.

4. On the Welcome page, click Next.

5. Accept the license agreement, and then click Next.

6. Enter the location of the key that was created in the target domain; normally, this is the USB drive that was used to transfer the key. Click Next to continue.

7. Enter and confirm the password that was set on the key file, and click Next.

8. On the Verification page, click Next to continue.

9. Select an administrator account in the target domain for the service, in the form domain\account, enter its password, and then click OK.

10. Click Finish after the installation is complete.

11. Open the Services console (Start, Administrative Tools, Services). Select the Password Export Server service and change its startup type to Automatic.

12. The system must be restarted, so click Yes when prompted to restart automatically. Upon restarting, the proper settings will be in place to make this server a Password Export Server.

The account used for the service will be granted the Logon As a Service right. This needs to be installed on at least one source domain controller in each domain to be migrated.

Setting Proper Registry Permissions

The installation of the proper components creates special Registry values but leaves them disabled by default for security reasons. One of these is the AllowPasswordExport value. You need to enable this value on the PES domain controller in the source domain to allow passwords to be exported from the Password Export Server. The following procedure outlines the use of the Registry Editor to perform this function:

1. On the PES domain controller in the source domain, open the Registry Editor (Start, Regedit).

2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

3. Double-click the AllowPasswordExport DWORD value.

4. Change the value data from 0 to 1 (Hexadecimal).

5. Click OK and close the Registry Editor.

6. Reboot the machine for the Registry changes to take effect.

This allows passwords to be exported from the source domain to the target domain.
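The following script is an added example, not part of the original article, that verifies the state a source-domain DC should be in after the PES installation and Registry change above: AllowPasswordExport set to 1 and the Password Export Server service set to start automatically. It assumes it is run elevated on the PES domain controller; the service is located by its display name, since the article only identifies it as it appears in the Services console.

```powershell
# Added example (not from the original article): confirm PES prerequisites on
# the source-domain DC before starting ADMT password migrations.
# Assumption: runs elevated on the DC where PwdMig.msi was installed.
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$results = @()

# 1. AllowPasswordExport must be 1; the installer leaves it at 0.
$allow = (Get-ItemProperty -Path $lsaKey -Name 'AllowPasswordExport' `
            -ErrorAction SilentlyContinue).AllowPasswordExport
$results += [pscustomobject]@{
    Check  = 'AllowPasswordExport = 1'
    Pass   = ($allow -eq 1)
    Actual = if ($null -eq $allow) { 'missing' } else { $allow }
}

# 2. The PES service should exist, be set to Automatic, and be running.
#    Matched by display name as shown in the Services console (assumption).
$svc = Get-CimInstance -ClassName Win32_Service `
         -Filter "DisplayName LIKE 'Password Export Server%'"
if ($svc) {
    $results += [pscustomobject]@{
        Check  = "$($svc.DisplayName) startup type is Automatic"
        Pass   = ($svc.StartMode -eq 'Auto')
        Actual = $svc.StartMode
    }
    $results += [pscustomobject]@{
        Check  = "$($svc.DisplayName) is running"
        Pass   = ($svc.State -eq 'Running')
        Actual = "$($svc.State) (account: $($svc.StartName))"
    }
} else {
    $results += [pscustomobject]@{
        Check = 'Password Export Server service installed'; Pass = $false; Actual = 'missing'
    }
}

$results | Format-Table -AutoSize
# Non-zero exit lets a change ticket or runbook gate on the result.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

The service account reported in the "Actual" column should be the target-domain administrator account chosen in step 9 of the installation.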

Configuring Domains for SID Migration

Migration of the source security identifiers (SIDs) into the target domain SID History allows the security assigned in access control lists (ACLs) to work transparently after the migration. This gives the administrator time to reset ACLs on a gradual basis or even after all objects are migrated.

There are several settings that need to be configured to allow for the SIDs to be transferred. These settings include creating a local group in the source domain for auditing, enabling TCP/IP client support on the source PDC emulator, and, finally, enabling auditing on both the source and target domains.

To create the local group on the source domain for auditing, execute the following steps:

1. Log on to a domain controller in the source domain.

2. Launch Active Directory Users and Computers.

3. Create a domain local group named SourceDomain$$$, where SourceDomain is the NetBIOS name of the source domain. For example, the local group for the companyabc.com domain would be companyabc$$$.

Do not add any members to the group, or the migration process will fail.

To enable TCP/IP client support, execute the following steps:

1. Log on to the PDC emulator domain controller in the source domain.

2. Launch the Registry Editor.

3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

4. Create the REG_DWORD value TcpipClientSupport and assign it a value of 1.

5. Exit the Registry Editor and restart the computer.

To enable auditing in Windows Server 2008 R2 domains, execute the following steps:

1. Select Start, Administrative Tools, Group Policy Management.

2. Drill down to Forest, Domains, Domain, Domain Controllers, Default Domain Controllers Policy, and then right-click it and select Edit.

3. Drill down to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, and select the Audit Policy node.

4. Double-click the Audit Account Management policy.

5. Check Define These Policy Settings and select both Success and Failure.

6. Click OK to save the changes.

7. Exit the Group Policy Management Editor.

8. Repeat the preceding steps for all source and target domains.

Now the source and target domains will be prepared to transfer SIDs into the SID History.
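As an added example (not part of the original article), the following script checks the three SID History prerequisites just described from a source-domain DC: the empty SourceDomain$$$ domain local group, TcpipClientSupport on the PDC emulator, and Account Management auditing. It assumes the ActiveDirectory module, WinRM access to the PDC emulator, and that the audit policy has already been applied to the DC the script runs on.

```powershell
# Added example (not from the original article): verify SID History
# prerequisites in the source domain before running ADMT with SID migration.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$grpName = $domain.NetBIOSName + '$$$'          # e.g. companyabc$$$
$results = @()

# 1. SourceDomain$$$ must exist, be Domain Local, and have no members.
$grp = Get-ADGroup -Filter "Name -eq '$grpName'" -ErrorAction SilentlyContinue
if ($grp) {
    $members = @(Get-ADGroupMember -Identity $grp)
    $results += [pscustomobject]@{ Check = "$grpName is Domain Local"
                                   Pass  = ($grp.GroupScope -eq 'DomainLocal')
                                   Actual = $grp.GroupScope }
    $results += [pscustomobject]@{ Check = "$grpName has no members"
                                   Pass  = ($members.Count -eq 0)
                                   Actual = $members.Count }
} else {
    $results += [pscustomobject]@{ Check = "$grpName exists"; Pass = $false; Actual = 'missing' }
}

# 2. TcpipClientSupport = 1 on the PDC emulator (read remotely via WinRM).
$pdc = $domain.PDCEmulator
$tcp = Invoke-Command -ComputerName $pdc -ScriptBlock {
    (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'TcpipClientSupport' -ErrorAction SilentlyContinue).TcpipClientSupport
}
$results += [pscustomobject]@{ Check = "TcpipClientSupport = 1 on $pdc"
                               Pass  = ($tcp -eq 1)
                               Actual = if ($null -eq $tcp) { 'missing' } else { $tcp } }

# 3. Account Management auditing effective on this DC (Success and Failure).
#    auditpol reports each subcategory; every line must show both settings.
$audit = auditpol /get /category:"Account Management" 2>$null
$subcats = $audit | Where-Object { $_ -match '^\s{2,}\S' }
$results += [pscustomobject]@{ Check = 'Account Management audited (Success and Failure)'
                               Pass  = ($subcats.Count -gt 0 -and
                                        -not ($subcats | Where-Object { $_ -notmatch 'Success and Failure' }))
                               Actual = ($subcats -join '; ') }

$results | Format-Table -AutoSize -Wrap
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Run the same audit check on a target-domain DC as well, since step 8 above requires auditing in both domains.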
