Consolidating and Migrating Domains Using the Active Directory Migration Tool
The development of Windows Server 2003 coincides with improvements in the Active Directory Migration Tool (ADMT), a fully functional domain migration utility included on the Windows Server 2003 CD. ADMT allows Active Directory and NT domain users, computers, and groups to be consolidated, collapsed, or restructured to fit the design needs of an organization. For Windows 2000 migrations, ADMT provides the flexibility to restructure existing domain environments into new Windows Server 2003 Active Directory environments while keeping security settings, user passwords, and other settings.
Understanding ADMT Functionality
ADMT is an effective way to migrate users, groups, and computers from one domain to another. It is robust enough to migrate security permissions and Exchange mailbox domain settings; plus, it supports a rollback procedure in the event of migration problems. ADMT is composed of the following components and functionality:
ADMT migration wizards— ADMT includes a series of wizards, each designed to migrate a specific type of component. You can use different wizards to migrate users, groups, computers, service accounts, and trusts.
Low client impact— ADMT automatically installs a service on source clients, eliminating the need to manually install client software for the migration. In addition, after the migration is complete, these services are automatically uninstalled.
SID history and security migrated— Users can continue to maintain network access to file shares, applications, and other secured network services through migration of the SID history attributes to the new domain. This preserves the extensive security structure of the source domain.
Test migrations and rollback functionality— An extremely useful feature in ADMT is the capability to run a mock migration scenario with each migration wizard. This helps to identify any issues that might exist prior to the actual migration work. In addition, the most recently performed user, computer, or group migration can be undone, providing for rollback in the event of migration problems.
Consolidating a Windows 2000 Domain to a Windows Server 2003 Domain Using ADMT
ADMT installs very easily but requires a
thorough knowledge of the various wizards to be used properly. In
addition, best-practice processes should be used when migrating from
one domain to another.
The migration
example in the following sections describes the most common use of the
Active Directory Migration Tool: an interforest migration of domain
users, groups, and computers into another domain. This procedure is by
no means exclusive, and many other migration techniques can be used to
achieve proper results. Thus, matching the capabilities of ADMT with
the migration needs of an organization is important.
1. Using ADMT in a Lab Environment
ADMT comes with unprecedented rollback capabilities. Not only can each wizard be tested first, but the last wizard transaction can also be rolled back in the event of problems. In addition, it is highly recommended that you reproduce the environment in a lab setting and test the migration process in advance to mitigate potential problems that might arise.
You can develop the most effective lab by creating new domain controllers in the source and target domains and then physically segregating them into a lab network, where they cannot contact the production domain environment. The Operations Master (OM) roles for each domain can then be seized using the ntdsutil utility, which effectively creates exact replicas of all user, group, and computer accounts that can be tested with ADMT.
2. ADMT Installation Procedure
The ADMT component should be installed on a domain controller in the target domain, to which the accounts will be migrated. To install, follow these steps:
1. Insert the Windows Server 2003 CD into the CD-ROM drive of a domain controller in the target domain.
2. Choose Start, Run. Then type d:\i386\admt\admigration.msi, where d: is the drive letter for the CD-ROM drive, and press Enter.
3. At the welcome screen, click Next to continue.
4. Accept the end-user license agreement (EULA), and click Next to continue.
5. Accept the default installation path, and click Next to continue.
6. When ready to begin the installation, click Next.
7. After installation, click Finish to close the wizard.
ADMT Domain Migration Prerequisites
As previously mentioned, the most important prerequisite for migration with ADMT is lab verification. Testing as many aspects of a migration as possible can help to establish the procedures required and identify potential problems before they occur in the production environment.
That said, several functional prerequisites must be met before ADMT can function properly. Many of these requirements revolve around the migration of passwords and security objects, and are critical for this functionality.
Creating Two-Way Trusts Between Source and Target Domains
The source and target domains must each be able to communicate with each other and share security credentials. Consequently, it is important to establish trusts between the two domains before running ADMT.
Assigning Proper Permissions on Source Domain and Source Domain Workstations
The account that will run ADMT in the target domain must be added to the Builtin\Administrators group in the source domain. In addition, each workstation must include this user as a member of the local Administrators group for the computer migration services to be able to function properly. Domain group changes can be easily accomplished, but a large workstation group change must be scripted, or manually accomplished, prior to migration.
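The workstation change described above is the one the book says must be scripted for a large fleet. The following PowerShell script is an added example, not the book's or Microsoft's code: it adds a migration account to the local Administrators group on each workstation listed in a text file, skips hosts where it is already a member, and reports every host it could not change so they can be fixed before the Computer Migration Wizard runs. The domain name, account name, and file name are placeholders.

```powershell
# Added example (not from the book): grant the ADMT migration account local
# Administrators membership on each listed workstation and verify the result.
# SOURCEDOM, admtmigrate and workstations.txt are placeholders.
param(
    [string]$SourceDomain     = 'SOURCEDOM',          # NetBIOS name of the source domain
    [string]$MigrationAccount = 'admtmigrate',        # account that will run ADMT
    [string]$ComputerList     = '.\workstations.txt'  # one workstation name per line
)

# Read the target workstations; blank lines are ignored.
$computers = Get-Content $ComputerList | Where-Object { $_.Trim() -ne '' }

# WinNT ADSI path of the domain account to add (works over RPC, no WinRM needed).
$memberPath = "WinNT://$SourceDomain/$MigrationAccount,user"

foreach ($computer in $computers) {
    try {
        # Bind to the workstation's local Administrators group.
        $group = [ADSI]"WinNT://$computer/Administrators,group"

        # Collect current member names so the script is safe to re-run.
        $memberNames = @($group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        })

        if ($memberNames -contains $MigrationAccount) {
            Write-Output "$computer`talready a member"
        } else {
            $group.Add($memberPath)
            Write-Output "$computer`tadded"
        }
    } catch {
        # Offline hosts and access-denied errors land here; this list is the
        # set of machines that still need attention before migrating computers.
        Write-Output "$computer`tFAILED: $($_.Exception.Message)"
    }
}
```

Run it from an account that is already a local administrator on the workstations; the same script with `$group.Remove($memberPath)` in place of `Add` reverses the change once the migration is complete.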
Creating Target Organizational Unit (OU) Structure
The destination for user accounts from the source domain must be designated at several points during the ADMT migration process. Establishing an OU for the source domain accounts can help to simplify and logically organize the new objects. These objects can be moved to other OUs after the migration, and this OU can be collapsed if you want.
Modifying Default Domain Policy on the Target Domain
Unlike previous versions of Windows operating systems, Windows Server 2003 does not allow anonymous users to receive the permissions of the Everyone group. This behavior was designed to increase security. However, for ADMT to be able to migrate the accounts, this restriction must be disabled. When the process is complete, the policies can be reset to the default levels. To change the policies, follow these steps:
1. Open the Domain Security Policy (Start, All Programs, Administrative Tools, Domain Security Policy).
2. Navigate to Security Settings\Local Policies\Security Options.
3. Double-click Network Access: Let Everyone Permissions Apply to Anonymous Users.
4. Check the Define This Policy Setting check box, and choose Enabled, as indicated in Figure 1. Click OK to finish.
5. Repeat the procedure for the Domain Controller Security Policy snap-in.
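Because the procedure above weakens the anonymous-access restriction on every domain controller, the step that matters after the migration is confirming it was actually reverted. The following PowerShell script is an added example, not the book's code: it reads the LSA registry value behind the "Network access: Let Everyone permissions apply to anonymous users" setting (EveryoneIncludesAnonymous under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) on each domain controller of the current domain and flags any DC where the migration setting is still in effect. It assumes the caller can read the remote registry on the DCs.

```powershell
# Added example (not from the book): audit every domain controller for the
# anonymous-access setting changed during the ADMT migration. The GPO setting
# is backed by the LSA registry value EveryoneIncludesAnonymous:
#   1            = anonymous users receive Everyone permissions (migration setting)
#   0 or absent  = Windows Server 2003 default (restricted)
$lsaPath   = 'SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'EveryoneIncludesAnonymous'

# Enumerate the DCs of the domain this machine belongs to (no AD module required).
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$results = foreach ($dc in $domain.DomainControllers) {
    $value = $null
    $state = 'unknown'
    try {
        # Remote registry read of the effective (policy-applied) value.
        $hklm  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc.Name)
        $lsa   = $hklm.OpenSubKey($lsaPath)
        $value = $lsa.GetValue($valueName)    # $null when the value is absent

        if ($value -eq 1) { $state = 'MIGRATION SETTING STILL ENABLED' }
        else              { $state = 'default (restricted)' }
    } catch {
        # Unreachable DCs are reported rather than silently skipped.
        $state = "unreachable: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{
        DomainController          = $dc.Name
        EveryoneIncludesAnonymous = $value
        State                     = $state
    }
}

$results | Format-Table DomainController, EveryoneIncludesAnonymous, State -AutoSize
```

A DC still reporting 1 after the policy has been set back to Disabled usually has not refreshed Group Policy yet; re-run the audit after the next policy refresh rather than editing the registry directly.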