Improved Password Migration
Along with scripting and command-line support, password migration makes ADMT a viable migration tool. Specifically, ADMT v1 did not support inter-forest account password migration. ADMT v2 supports password migration with several options:
Generate Complex Passwords: These are randomly generated complex passwords, stored together with the account name in a plain text file at \program files\active directory migration tool\logs\passwords.txt. Because that file holds the initial password of every migrated account in clear text, restrict access to it and delete it once the passwords have been handed out.
Password Matches Username: Combined with a requirement that the user change the password at first logon, this is easy for the user but somewhat insecure, because until the user changes it the password is trivial to guess.
Migrate Password: This option migrates the existing password on the source account to the new account in the target domain or OU. This requires considerable work to set it up. Figure 3 shows the password-migration options in the GUI.
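The difference between the first two options is easiest to see against the password-complexity rule that Windows itself enforces. The following added example, which is not part of ADMT or of the original text, models the "Generate Complex Passwords" and "Password Matches Username" options and runs both through a simplified version of the Windows complexity check (minimum length, three of four character classes, account name not contained in the password). The function names, the sample account names and the exact character classes are assumptions made for the example.

```python
import secrets
import string

# Character classes counted by the Windows complexity policy (simplified:
# the real policy also counts Unicode alphabetic characters as a class).
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def meets_windows_complexity(password: str, username: str, min_len: int = 8) -> bool:
    """Approximation of the Windows 'passwords must meet complexity
    requirements' policy: minimum length, at least three of the four
    character classes, and the account name must not appear anywhere
    in the password (compared case-insensitively)."""
    if len(password) < min_len:
        return False
    classes = sum(
        any(c in cls for c in password) for cls in (UPPER, LOWER, DIGITS, SYMBOLS)
    )
    if classes < 3:
        return False
    if username and username.lower() in password.lower():
        return False
    return True


def generate_complex_password(username: str, length: int = 14) -> str:
    """Model of the 'Generate Complex Passwords' option: one character from
    each class is guaranteed, the rest is drawn from the union of all classes
    with a CSPRNG, and the result is shuffled so class positions are not
    predictable. Regenerates in the unlikely case the policy check fails."""
    alphabet = UPPER + LOWER + DIGITS + SYMBOLS
    rng = secrets.SystemRandom()
    while True:
        chars = [secrets.choice(UPPER), secrets.choice(LOWER),
                 secrets.choice(DIGITS), secrets.choice(SYMBOLS)]
        chars += [secrets.choice(alphabet) for _ in range(length - 4)]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if meets_windows_complexity(candidate, username):
            return candidate


def password_matches_username(username: str) -> str:
    """Model of the 'Password Matches Username' option: the initial
    password is simply the account name."""
    return username


def audit_initial_passwords(assignments):
    """Given (username, password) pairs, return the usernames whose initial
    password would be rejected by the complexity policy."""
    return [user for user, pw in assignments if not meets_windows_complexity(pw, user)]


if __name__ == "__main__":
    users = ["NTUser11", "NTUser12", "NTUser13"]  # constructed sample accounts
    generated = [(u, generate_complex_password(u)) for u in users]
    matched = [(u, password_matches_username(u)) for u in users]
    print("rejected (generated):", audit_initial_passwords(generated))
    print("rejected (matches username):", audit_initial_passwords(matched))
```

Run as written, every generated password passes the check and every username-as-password fails it, which is the concrete form of the "easy to guess" caveat above: an initial password equal to the account name would not even satisfy the domain's own complexity policy.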
Other Features
Just like its third-party peers, although not as flashy, ADMT allows the Administrator to
Decide how naming conflicts should be resolved (see Figure 4). If there is a user, group, or computer in the source domain that is the same as in the target domain, you can set the rule on how to deal with it, such as giving a standard suffix or prefix to the name.
Decide what to do with the source and target accounts (see Figure 5). You might want to disable the old account in the source domain to force the users to use the new one, or disable the target accounts and enable them one by one as each user is ready.
Test the migration in Reporting mode, which is a trial run. It doesn't actually do the migration, but it does generate a report that includes any errors encountered. The following report shows an operation that migrated five user accounts:
2004-02-11 16:01:54
2004-02-11 16:01:54 Active Directory Migration Tool, Starting...
2004-02-11 16:01:54 Starting Account Replicator.
2004-02-11 16:01:55 Account MigrationWriteChanges:No CORPNT CORP CopyUsers:Yes CopyGlobalGroups:No CopyLocalGroups:No CopyComputers:No
DisableSourceAccounts:Yes StrongPwd:All
2004-02-11 16:01:57 CN=NTUser11 - Created
2004-02-11 16:01:57 CN=NTUser12 - Created
2004-02-11 16:01:57 CN=NTUser13 - Created
2004-02-11 16:01:58 CN=NTUser14 - Created
2004-02-11 16:01:58 CN=NTUser15 - Created
2004-02-11 16:01:59 Operation completed.
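A report like the one above is only useful if someone actually reads the settings line and the per-object results before the live run. The following added example, which is not ADMT's own code or part of the original text, parses a report in that shape, records the migration settings, counts the objects that were created, collects error lines, and decides whether the run was a clean trial. It assumes that WriteChanges:No identifies a Reporting-mode run (my reading of the settings line above), and the error line in the second sample is a constructed one, not real ADMT wording. The sample reports, function names and the ReportSummary type are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the shape of the report above (the settings line is
# shown with a space between "Migration" and "WriteChanges").
SAMPLE_REPORT = """\
2004-02-11 16:01:54
2004-02-11 16:01:54 Active Directory Migration Tool, Starting...
2004-02-11 16:01:54 Starting Account Replicator.
2004-02-11 16:01:55 Account Migration WriteChanges:No CORPNT CORP CopyUsers:Yes CopyGlobalGroups:No CopyLocalGroups:No CopyComputers:No DisableSourceAccounts:Yes StrongPwd:All
2004-02-11 16:01:57 CN=NTUser11 - Created
2004-02-11 16:01:57 CN=NTUser12 - Created
2004-02-11 16:01:57 CN=NTUser13 - Created
2004-02-11 16:01:58 CN=NTUser14 - Created
2004-02-11 16:01:58 CN=NTUser15 - Created
2004-02-11 16:01:59 Operation completed.
"""

# Constructed write-mode sample with a made-up error line (not ADMT's wording).
SAMPLE_WITH_ERROR = """\
2004-02-11 17:10:00 Account Migration WriteChanges:Yes CORPNT CORP CopyUsers:Yes StrongPwd:All
2004-02-11 17:10:02 CN=NTUser11 - Created
2004-02-11 17:10:02 CN=NTUser16 - ERR: constructed example error
2004-02-11 17:10:03 Operation completed.
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*(.*)$")
SETTING_RE = re.compile(r"(\w+):(\w+)")          # Key:Value tokens on the settings line
CREATED_RE = re.compile(r"^CN=(.+?) - Created$")
ERROR_RE = re.compile(r"\b(ERR\w*|Error|Failed)\b", re.IGNORECASE)


@dataclass
class ReportSummary:
    trial_run: Optional[bool] = None   # True when WriteChanges:No (Reporting mode)
    settings: dict = field(default_factory=dict)
    created: list = field(default_factory=list)
    errors: list = field(default_factory=list)
    completed: bool = False


def parse_admt_report(text: str) -> ReportSummary:
    """Parse timestamped report lines into a ReportSummary."""
    summary = ReportSummary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(2).strip()
        if not msg:
            continue                     # bare timestamp line, as in the first line above
        if "WriteChanges:" in msg:
            summary.settings = dict(SETTING_RE.findall(msg))
            # Tolerate the words running together ("MigrationWriteChanges:No")
            # by matching on the key suffix rather than the exact key.
            wc = next((v for k, v in summary.settings.items()
                       if k.endswith("WriteChanges")), None)
            summary.trial_run = (wc == "No")
            continue
        c = CREATED_RE.match(msg)
        if c:
            summary.created.append(c.group(1))
            continue
        if ERROR_RE.search(msg):
            summary.errors.append(msg)
            continue
        if msg == "Operation completed.":
            summary.completed = True
    return summary


def ready_to_commit(summary: ReportSummary) -> bool:
    """Gate for the live migration: the trial run must have completed,
    created at least one object, and logged no errors."""
    return bool(summary.trial_run and summary.completed
                and summary.created and not summary.errors)


if __name__ == "__main__":
    for name, text in (("trial", SAMPLE_REPORT), ("write", SAMPLE_WITH_ERROR)):
        s = parse_admt_report(text)
        print(name, "created:", len(s.created), "errors:", s.errors,
              "ready_to_commit:", ready_to_commit(s))
```

Pointing parse_admt_report at the text of a saved report gives the same summary for a real run; the point of ready_to_commit is that a write-mode run, or a trial run with any error line, never passes the gate.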
ADMT's Value
How good is ADMT v2.0? I queried a few of HP's consultants who have used ADMT v2 and asked what kind of an environment or size of migration ADMT realistically would support. When asked to compare ADMT's performance to third-party tools from companies such as BindView, Aelita, NetIQ, and Quest, the consultants indicated that performance is similar; that is, roughly 500 user objects per hour, and performance in re-ACLing (changing the security ACLs to reflect new security in the new domain) is acceptable. However, ADMT's capability to perform a migration should be judged on the complexity of the source environment. If you have to split up the migration into multiple tasks (for different locations, business units, and so on), ADMT will not make it easy. Also, if you have shared resources that are ACL'd from multiple trusted domains, it will be difficult and time-consuming with ADMT v2.
When asked what complexity limit they would recommend using with ADMT v2, the response was that a single source domain with 10,000 users could be done in a single batch over a weekend. It is possible that ADMT v2's scripting and command-line interface could make it possible to do multiple batches and increase this limit.
When asked to name the operations they have used ADMT v2 for, the response was that they used it interactively to
Migrate users
Migrate user profiles
Migrate workstations and servers
Re-ACL files and Exchange mailboxes
Securely copy passwords
Update user profiles that are in use (much improved over ADMT v1)
When asked what their overall impression was of ADMT v2, the response was that, in general, it's very reliable and easy to use, and seems to work as documented. Scripting support is the biggest improvement in v2. If you were to take the time to build the framework, ADMT v2 could be enterprise-capable, assuming your environment is simple enough.
Note
At this writing, ADMT v3 is being developed. Microsoft has indicated that this version will use a SQL database (presumably the Microsoft Data Engine [MSDE] will work) and will store information so the target and source don't have to be online at the same time. Monitor Microsoft's Web site for this new version of the tool.
Third-Party Products
A number of companies are selling AD migration tools. The most mature ones are listed here. These tools have been around a long time, since Windows 2000 was released. I'm not selling or recommending them, but simply listing them here with a short feature list so you can be aware of what's out there. These products have clear advantages over ADMT, but they cost a lot more, too. Large migrations in terms of users, remote sites, and so on will benefit from these tools, whereas ADMT is probably sufficient for smaller organizations, as noted in the previous section. These products all run from a separate member server and map the credentials needed for the migration to accounts in the tool to give migrators proper permissions. That can all be safely removed after the migration so it doesn't mess with actual permissions, and because they run separately on a member server, they aren't intrusive into the domain. They all have an "undo" function so you can back out of an operation, they let you organize "projects" so you can design the stages of the migration autonomously, and they feature SIDHistory Cleanup and reporting to allow you to test a migration sequence and see the result, including errors, giving you a chance to correct them before the live migration.
Quest Software
Quest features the Fastlane suite of products, including Fastlane Migrator and Fastlane NDS Migrator. Quest was one of the initial three vendors who worked with Microsoft in the beta days of Windows 2000, and the Fastlane products are as mature as any on the market. The easy-to-navigate Quest Web site at http://www.quest.com/solutions/allproductsatoz.asp lists all the products with quick links to the product information and a link to the trial download. The features of the Fastlane Migrator include
A Migration Guide with step-by-step instructions for the migration
Integration of the Exchange 2000 Active Directory Connector (ADC)
Drag and drop of objects (users, computers, and so on) to migrate between domains and forests
Object-level "undo" capability so you can back out of the migration
Updating of Exchange mailboxes, mailbox data, AD objects, and public folders (for Exchange migrations)
Aelita Software
Aelita Software, http://www.aelita.com, markets a couple of interesting products in regard to migration. Aelita also has AD-management products. The Domain Migration Wizard has the following features:
Processing of ACLs, including owners, auditing, and permissions
Full Windows NT migration
Netware 5.0 Migration Directory Synchronization Tool (MSDSS) migrates security descriptors that allow access to Netware shares, folders, and files during the migration
Exchange mailboxes and permissions are modified for migrated accounts
Password migration for migrated accounts
SIDHistory Cleanup
Security management on Microsoft SQL data stores to reflect account migrations
Windows NT domain reconfiguration enables merging and splitting of Windows NT domains
Aelita also has a feature called ZeroImpact that aids in migration of the user profiles without Administrators visiting each workstation. The company also lays claim to being able to perform migrations much faster (elapsed time) than its competitors. A number of whitepapers are on Aelita's Web site at http://www.aelita.com/products/domainmigrationwizard/documentation.asp.
BindView
BindView has several products that provide migration capability and are sold separately or bundled together as a suite. Details are noted on the BindView Web site at http://www.bindview.com/Products/DirAdminMig/Migration/index.cfm. The products include
bv-Admin for Windows Migration: For migrating Windows NT and Windows 2000 to Windows 2003 and intra-forest migrations.
bv-Admin for Exchange Migration: Supports migration from Exchange 5.5 and Exchange 2000 to Exchange 2003.
bv-Admin for Novell Migration: Migrates a complete or partial NDS hierarchy, manages file and resource permissions including translation from NDS security to AD security, and maps NDS user accounts to AD user accounts.
BindView was one of the original migration tools developed for Windows 2000 and was used by Compaq in its Windows NT to Windows 2000 migration. This tool offers all the features noted earlier in this section, such as project-based management, rollback, and so on.
NetIQ
NetIQ, also one of the original three migration tools for Windows 2000, offers three products in the migration arena as well as a number of products for AD administration. Microsoft's ADMT is actually a stripped-down version of NetIQ's Domain Administrator product; NetIQ wrote the original ADMT. NetIQ's suite of products, which can be purchased and used separately or as a suite, includes
Domain Migration Administrator: Used for migrating Windows NT or 2000 domains to Windows Server 2003. This tool allows the target domain to be mixed mode, whereas some other tools, such as ADMT, require it to be native. More information is at http://download.netiq.com/CMS/DATASHEET/NetIQ_DS_Domain_Migration_Administrator.pdf.
Exchange Migrator: Moves mailboxes, distribution lists, public folders, and custom recipients, and supports Exchange 5.5, Exchange 2000, and Exchange 2003.
Server Consolidator: Supports hardware consolidations, including cluster implementations, and supports data, shares, and printer settings.