
Microsoft Exchange Server 2007 : Consolidating a Windows 2000 Domain to a Windows Server 2003 Domain Using ADMT (part 1) - Modifying Default Domain Policy on the Target Domain

3/16/2014 1:57:21 AM

Consolidating and Migrating Domains Using the Active Directory Migration Tool

The development of Windows Server 2003 coincides with improvements in the Active Directory Migration Tool (ADMT), a fully functional domain migration utility included on the Windows Server 2003 CD. ADMT allows Active Directory and NT domain users, computers, and groups to be consolidated, collapsed, or restructured to fit the design needs of an organization. In regard to Windows 2000 migrations, ADMT provides for the flexibility to restructure existing domain environments into new Windows Server 2003 Active Directory environments, keeping security settings, user passwords, and other settings.

Understanding ADMT Functionality

ADMT is an effective way to migrate users, groups, and computers from one domain to another. It is robust enough to migrate security permissions and Exchange mailbox domain settings; plus, it supports a rollback procedure in the event of migration problems. ADMT is composed of the following components and functionality:

  • ADMT migration wizards— ADMT includes a series of wizards, each specifically designed to migrate specific components. You can use different wizards to migrate users, groups, computers, service accounts, and trusts.

  • Low client impact— ADMT automatically installs a service on source clients negating the need to manually install client software for the migration. In addition, after the migration is complete, these services are automatically uninstalled.

  • SID history and security migrated— Users can continue to maintain network access to file shares, applications, and other secured network services through migration of the SID history attributes to the new domain. This preserves the extensive security structure of the source domain.

  • Test migrations and rollback functionality— An extremely useful feature in ADMT is the capability to run a mock migration scenario with each migration wizard. This helps to identify any issues that might exist prior to the actual migration work. In addition to this functionality, the most recently performed user, computer, or group migration can be undone, providing for rollback in the event of migration problems.


Consolidating a Windows 2000 Domain to a Windows Server 2003 Domain Using ADMT

ADMT installs very easily but requires a thorough knowledge of the various wizards to be used properly. In addition, best-practice processes should be used when migrating from one domain to another.

The migration example in the following sections describes the most common use of the Active Directory Migration Tool: an interforest migration of domain users, groups, and computers into another domain. This procedure is by no means exclusive, and many other migration techniques can be used to achieve proper results. Thus, matching the capabilities of ADMT with the migration needs of an organization is important.

1. Using ADMT in a Lab Environment

ADMT comes with unprecedented rollback capabilities. Not only can each wizard be tested first, but the last wizard transaction can also be rolled back in the event of problems. In addition, it is highly recommended that you reproduce an environment in a lab setting and that the migration process is tested in advance to mitigate potential problems that might arise.

You can develop the most effective lab by creating new domain controllers in the source and target domains and then physically segregating them into a lab network, where they cannot contact the production domain environment. The Operations Master (OM) roles for each domain can then be seized using the ntdsutil utility, which effectively creates exact replicas of all user, group, and computer accounts that can be tested with the ADMT.

2. ADMT Installation Procedure

The ADMT component should be installed on a domain controller in the target domain, to which the accounts will be migrated. To install, follow these steps:

1. Insert the Windows Server 2003 CD into the CD-ROM drive of a domain controller in the target domain.

2. Choose Start, Run. Then type d:\i386\admt\admigration.msi, where d: is the drive letter for the CD-ROM drive, and press Enter.

3. At the welcome screen, click Next to continue.

4. Accept the end-user license agreement (EULA), and click Next to continue.

5. Accept the default installation path, and click Next to continue.

6. When ready to begin the installation, click Next.

7. After installation, click Finish to close the wizard.

ADMT Domain Migration Prerequisites

As previously mentioned, the most important prerequisite for migration with ADMT is lab verification. Testing as many aspects of a migration as possible can help to establish the procedures required and identify potential problems before they occur in the production environment.

That said, several functional prerequisites must be met before the ADMT can function properly. Many of these requirements revolve around the migration of passwords and security objects, and are critical for this functionality.

Creating Two-Way Trusts Between Source and Target Domains

The source and target domains must be able to communicate with each other and share security credentials. Consequently, it is important to establish trusts between the two domains before running the ADMT.

Assigning Proper Permissions on Source Domain and Source Domain Workstations

The account that will run the ADMT in the target domain must be added into the Builtin\Administrators group in the source domain. In addition, each workstation must include this user as a member of the local Administrators group for the computer migration services to be able to function properly. Domain group changes can be easily accomplished, but a large workstation group change must be scripted, or manually accomplished, prior to migration.
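One way to script the workstation group change, shown as an added example that is not part of the original article. It assumes Windows PowerShell 2.0 or later on an administrative host, an English-language local group name (Administrators), and placeholder names: `TARGETDOM/admt-migrator`, the workstation list, and the log path are all hypothetical. Each change is logged so the membership can be removed once the migration is finished.

```powershell
# Added example, not from the original article. All names are placeholders.
$Account      = 'TARGETDOM/admt-migrator'     # hypothetical DOMAIN/user that runs ADMT
$Workstations = @('WKS-0001', 'WKS-0002')     # constructed sample computer names
$LogPath      = Join-Path $env:TEMP 'admt-localadmin-changes.csv'

function Add-MigrationAdmin {
    param([string]$Computer, [string]$Account)

    $row = New-Object PSObject -Property @{
        Time = (Get-Date).ToString('s'); Computer = $Computer
        Account = $Account; Action = ''; Detail = ''
    }
    try {
        # The WinNT provider binds to the workstation's local Administrators group.
        $group = [ADSI]"WinNT://$Computer/Administrators,group"

        # Read current members first so an existing membership is not logged as a change.
        $paths = $group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        }
        if ($paths -contains "WinNT://$Account") {
            $row.Action = 'AlreadyMember'     # was there before; do not remove later
        } else {
            $group.Add("WinNT://$Account,user")
            $row.Action = 'Added'             # remove this entry after the migration
        }
    } catch {
        # Unreachable host, access denied, and similar errors are recorded, not fatal.
        $row.Action = 'Failed'
        $row.Detail = $_.Exception.Message
    }
    $row
}

$Workstations |
    ForEach-Object { Add-MigrationAdmin -Computer $_ -Account $Account } |
    Select-Object Time, Computer, Account, Action, Detail |
    Export-Csv -Path $LogPath -NoTypeInformation
```

Rows marked `Added` in the CSV are the memberships introduced for the migration; rows marked `Failed` are workstations that still need the change before the computer migration wizards are run against them.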

Creating Target Organizational Unit (OU) Structure

The destination for user accounts from the source domain must be designated at several points during the ADMT migration process. Establishing an OU for the source domain accounts can help to simplify and logically organize the new objects. These objects can be moved to other OUs after the migration and this OU can be collapsed, if you want.

Modifying Default Domain Policy on the Target Domain

Unlike previous versions of Windows operating systems, Windows Server 2003 does not support anonymous users authenticating as the Everyone group. This behavior was designed to increase security. However, for ADMT to be able to migrate the accounts, this restriction must be lifted by enabling the policy named in the steps below. When the process is complete, the policies can be reset to the default levels. To change the policies, follow these steps:

1. Open the Domain Security Policy (Start, All Programs, Administrative Tools, Domain Security Policy).

2. Navigate to Security Settings\Local Policies\Security Options.

3. Double-click Network Access: Let Everyone Permissions Apply to Anonymous Users.

4. Check the Define This Policy Setting check box, and choose Enabled, as indicated in Figure 1. Click OK to finish.

Figure 1. Modifying the domain security policy.

5. Repeat the procedure for the Domain Controller Security Policy snap-in.
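Because this policy is meant to be enabled only while ADMT runs, it helps to confirm its effective state on each domain controller before and after the migration. The following added example (not part of the original article) reads the registry value that backs the policy, `EveryoneIncludesAnonymous` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, and compares it with the expected state. It assumes Windows PowerShell 2.0 or later, the Remote Registry service running on the domain controllers, and placeholder computer names.

```powershell
# Added example, not from the original article.
$DomainControllers = @('DC01', 'DC02')   # constructed sample names
$Expected          = 0                   # 1 = enabled for ADMT, 0 = default after migration

function Test-EveryoneIncludesAnonymous {
    param([string]$Computer, [int]$Expected)

    $row = New-Object PSObject -Property @{
        Computer = $Computer; Value = $null; Expected = $Expected; Status = ''
    }
    $hklm = $null
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $lsa  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')

        # Assumption: a missing value is treated here as 0, the default state.
        $row.Value  = [int]$lsa.GetValue('EveryoneIncludesAnonymous', 0)
        $row.Status = if ($row.Value -eq $Expected) { 'OK' } else { 'Mismatch' }
    } catch {
        # Unreachable host or access denied: report it instead of assuming a state.
        $row.Status = "Error: $($_.Exception.Message)"
    } finally {
        if ($hklm) { $hklm.Close() }
    }
    $row
}

$DomainControllers |
    ForEach-Object { Test-EveryoneIncludesAnonymous -Computer $_ -Expected $Expected } |
    Select-Object Computer, Value, Expected, Status |
    Format-Table -AutoSize
```

Run it with `$Expected = 1` after Group Policy has refreshed and before starting ADMT, and again with `$Expected = 0` once the policies have been reset; any `Mismatch` row after the migration is a domain controller where Everyone permissions still apply to anonymous users.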