
Windows Server 2003 on HP ProLiant Servers : Migration Tools (part 2)

11/7/2012 3:51:17 PM
Improved Password Migration

Along with scripting and command-line support, password migration makes ADMT a viable migration tool. Specifically, ADMT v1 did not support inter-forest account password migration. ADMT v2 supports password migration with several options:

  • Generate Complex Passwords: ADMT generates random complex passwords and stores them, with the account name, in a plain text file at \program files\active directory migration tool\logs\passwords.txt.

  • Password Matches Username: Combined with the requirement that the user change the password at the first login, this option is easy for the user but somewhat insecure, because the password is easy to guess until the user changes it.

  • Migrate Password: This option migrates the existing password on the source account to the new account in the target domain or OU. Setting it up requires considerable work. Figure 3 shows the password-migration options in the GUI.

    Figure 3. Password migration has several options exposed in the ADMT GUI.

Other Features

Just like its third-party peers, although not as flashy, ADMT allows the Administrator to

  • Decide how naming conflicts should be resolved (see Figure 4). If a user, group, or computer in the source domain has the same name as one in the target domain, you can set the rule for dealing with it, such as giving the name a standard suffix or prefix.

    Figure 4. ADMT offers several choices of how to deal with name conflicts when the source accounts are moved to the target domain.

  • Decide what to do with the source and target accounts (see Figure 5). You might want to disable the old account in the source domain to force the users to use the new one, or disable the target accounts and enable them one by one as the user is ready.

    Figure 5. ADMT allows the Administrator to enable or disable the source and target accounts as part of the migration.

  • Test the migration in Reporting mode, which is a trial run. It doesn't actually do the migration, but it does generate a report that includes errors encountered. The following report shows an operation that migrated five user accounts:

    2004-02-11 16:01:54
    2004-02-11 16:01:54 Active Directory Migration Tool, Starting...
    2004-02-11 16:01:54 Starting Account Replicator.
    2004-02-11 16:01:55 Account MigrationWriteChanges:No CORPNT CORP CopyUsers:Yes CopyGlobalGroups:No CopyLocalGroups:No CopyComputers:No
    DisableSourceAccounts:Yes StrongPwd:All
    2004-02-11 16:01:57 CN=NTUser11          - Created
    2004-02-11 16:01:57 CN=NTUser12          - Created
    2004-02-11 16:01:57 CN=NTUser13          - Created
    2004-02-11 16:01:58 CN=NTUser14          - Created
    2004-02-11 16:01:58 CN=NTUser15          - Created
    2004-02-11 16:01:59 Operation completed.
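
A report like this can be checked by script before the live run. The following is an added example, not part of the original text or of ADMT: a Python parser for the report above that rejoins the wrapped option line, reads the run options, and groups objects by result. Treating WriteChanges:No as the marker of a trial run is an assumption read off the sample; the option names are the ones visible in it.

```python
import re

# Sample input: the Reporting-mode report shown above, wrapped option line included.
SAMPLE_LOG = """\
2004-02-11 16:01:54
2004-02-11 16:01:54 Active Directory Migration Tool, Starting...
2004-02-11 16:01:54 Starting Account Replicator.
2004-02-11 16:01:55 Account MigrationWriteChanges:No CORPNT CORP CopyUsers:Yes CopyGlobalGroups:No CopyLocalGroups:No CopyComputers:No
DisableSourceAccounts:Yes StrongPwd:All
2004-02-11 16:01:57 CN=NTUser11          - Created
2004-02-11 16:01:57 CN=NTUser12          - Created
2004-02-11 16:01:57 CN=NTUser13          - Created
2004-02-11 16:01:58 CN=NTUser14          - Created
2004-02-11 16:01:58 CN=NTUser15          - Created
2004-02-11 16:01:59 Operation completed.
"""

STAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*(.*)$")
# Option names are the ones visible in the sample; matching them by name also
# copes with the fused "MigrationWriteChanges" text.
OPTION = re.compile(r"(WriteChanges|CopyUsers|CopyGlobalGroups|CopyLocalGroups|"
                    r"CopyComputers|DisableSourceAccounts|StrongPwd):(\w+)")
OBJECT = re.compile(r"^(CN=.+?)\s+-\s+(\S.*)$")

def join_entries(text):
    """Return [timestamp, message] pairs; an unstamped line continues the previous entry."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = STAMP.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif line and entries:
            entries[-1][1] += " " + line
    return entries

def summarize(text):
    """Collect run options, per-object results and whether the run finished."""
    out = {"options": {}, "objects": {}, "completed": False}
    for _, msg in join_entries(text):
        out["options"].update(OPTION.findall(msg))
        m = OBJECT.match(msg)
        if m:
            out["objects"].setdefault(m.group(2), []).append(m.group(1))
        out["completed"] |= msg.startswith("Operation completed")
    # Assumption: WriteChanges:No marks a trial (Reporting-mode) run.
    out["trial_run"] = out["options"].get("WriteChanges") == "No"
    return out
```

Calling `summarize(SAMPLE_LOG)` returns the options, the objects grouped under each result string, and the `trial_run` and `completed` flags; any result other than "Created" appears as its own key in `objects` for review.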
    
    
    					  
ADMT's Value

How good is ADMT v2.0? I queried a few of HP's consultants who have used ADMT v2 and asked what kind of an environment or size of migration ADMT realistically would support. When asked to compare ADMT's performance to third-party tools from companies such as BindView, Aelita, NetIQ, and Quest, the consultants indicated that performance is similar; that is, roughly 500 user objects per hour, and performance in re-ACLing (changing the security ACLs to reflect new security in the new domain) is acceptable. However, ADMT's capability to perform a migration should be judged on the complexity of the source environment. If you have to split up the migration into multiple tasks (for different locations, business units, and so on), ADMT will not make it easy. Also, if you have shared resources that are ACL'd from multiple trusted domains, the migration will be difficult and time-consuming with ADMT v2.

When asked what complexity limit they would recommend using with ADMT v2, the response was that a single source domain with 10,000 users could be done in a single batch over a weekend. It is possible that ADMT v2's scripting and command-line interface could make it possible to do multiple batches and increase this limit.

When asked to name the operations they have used ADMT v2 for, the response was that they used it to interactively

  • Migrate users

  • Migrate user profiles

  • Migrate workstations and servers

  • ReACL files and Exchange mailboxes

  • Securely copy passwords

  • Update user profiles that are in use (much improved over ADMT v1)

When asked what their overall impression was of ADMT v2, the response was that, in general, it's very reliable and easy to use, and seems to work as documented. Scripting support is the biggest improvement in v2. If you were to take the time to build the framework, ADMT v2 could be enterprise-capable, assuming your environment is simple enough.

Note

At this writing, ADMT v3 is being developed. Microsoft has indicated that this version will use a SQL database (presumably the Microsoft Data Engine [MSDE] will work) and will store information so the target and source don't have to be online at the same time. Monitor Microsoft's Web site for this new version of the tool.


Third-Party Products

A number of companies are selling AD migration tools. The most mature ones are listed here. These tools have been around a long time, since Windows 2000 was released. I'm not selling or recommending them, but simply listing them here with a short feature list so you can be aware of what's out there. These products have clear advantages over ADMT, but they cost a lot more, too. Large migrations in terms of users, remote sites, and so on will benefit from these tools, whereas ADMT is probably sufficient for smaller organizations, as noted in the previous section. These products all run from a separate member server and map credentials needed for the migration to accounts in the tool to give migrators proper permissions. That can all be safely removed after the migration so it doesn't mess with actual permissions, and because they run separately on a member server, they aren't intrusive into the domain. They all have an “undo” function so you can back out of an operation, they let you organize “projects” so you can design the stages of the migration autonomously, and they feature SIDHistory Cleanup and reporting to allow you to test a migration sequence and see the result, including errors, giving you a chance to correct them before the live migration.

Quest Software

Quest features the Fastlane suite of products, including Fastlane Migrator and Fastlane NDS Migrator. Quest was one of the initial three vendors who worked with Microsoft in the beta days of Windows 2000, and the Fastlane products are as mature as any on the market. The easy-to-navigate Quest Web site at http://www.quest.com/solutions/allproductsatoz.asp lists all the products with quick links to the product information and a link to the trial download. The features of the Fastlane Migrator include

  • A Migration Guide with step-by-step instructions for the migration

  • Integration of the Exchange 2000 Active Directory Connector (ADC)

  • Drag and drop of objects (users, computers, and so on) to migrate between domains and forests

  • Object level “undo” capability so you can back out of the migration

  • Updating of Exchange mailboxes, mailbox data, AD objects, and public folders (for Exchange migrations)

Aelita Software

Aelita Software, http://www.aelita.com, markets a couple of interesting products in regard to migration. Aelita also has AD-management products. The Domain Migration Wizard has the following features:

  • Processing of ACLs, including owners, auditing, and permissions

  • Full Windows NT migration

  • Netware 5.0 Migration Directory Synchronization Tool (MSDSS) migrates security descriptors that allow access to Netware shares, folders, and files during the migration

  • Exchange mailboxes and permissions are modified for migrated accounts

  • Password migration for migrated accounts

  • SIDHistory Cleanup

  • Security management on Microsoft SQL data stores to reflect account migrations

  • Windows NT domain reconfiguration enables merging and splitting of Windows NT domains

Aelita also has a feature called ZeroImpact that aids in migration of the user profiles without Administrators visiting each workstation. The company also lays claim to being able to perform migrations much faster (elapsed time) than its competitors. A number of whitepapers are on Aelita's Web site at http://www.aelita.com/products/domainmigrationwizard/documentation.asp.

BindView

BindView has several products that provide migration capability and are sold separately or bundled together as a suite. Details are noted on the BindView Web site at http://www.bindview.com/Products/DirAdminMig/Migration/index.cfm.

The products include

  • bv-Admin for Windows Migration: For migrating Windows NT and Windows 2000 to Windows 2003 and intra-forest migrations.

  • bv-Admin for Exchange Migration: Supports migration from Exchange 5.5 and Exchange 2000 to Exchange 2003.

  • bv-Admin for Novell Migration: Migrates complete or partial NDS hierarchy, manages file and resource permissions including translation from NDS security to AD security, and maps NDS user accounts to AD user accounts.

BindView was one of the original migration tools developed for Windows 2000 and used by Compaq in its Windows NT to Windows 2000 migration. This tool offers all the features noted earlier in this section, such as Project-based management, rollback, and so on.

NetIQ

NetIQ, also one of the original three migration tools for Windows 2000, offers three products in the migration arena as well as a number of products for AD administration. Microsoft's ADMT is actually a stripped-down version of NetIQ's Domain Administrator product; NetIQ wrote the original ADMT. NetIQ's suite of products, which can be purchased and used separately or as a suite, includes

  • Domain Migration Administrator: Used for migrating Windows NT or 2000 domains to Windows Server 2003. This tool allows the target domain to be mixed mode, whereas some other tools, such as ADMT, require it to be native. More information at http://download.netiq.com/CMS/DATASHEET/NetIQ_DS_Domain_Migration_Administrator.pdf.

  • Exchange Migrator: Moves mailboxes, distribution lists, public folders, and custom recipients, and supports Exchange 5.5, Exchange 2000, and Exchange 2003. 

  • Server Consolidator: Supports hardware consolidations, including cluster implementations; and supports data, shares, and printer settings.
