When migrating to Windows 2000 Active Directory Services, many organizations choose the path of restructuring rather than upgrading.
This involves building a pristine Windows 2000 ADS environment and then adding the organization’s users, groups, and computer accounts rather than upgrading a Windows NT4 domain. Of course, with a clean ADS domain structure, you still have to import the domain information from your existing NT 4.0 domain into your new Active Directory, while maintaining seamless access to network resources for your users. This is where Microsoft’s Active Directory Migration Tool (ADMT) comes in. ADMT provides a fast way to migrate your NT 4.0 domain data into the W2K Active Directory.
Overview of ADMT features
The ADMT interface is basically a series of wizards that step you through the process of migrating user accounts, groups, service accounts, trusts, and computers. The features and individual settings found in the migration tool are too numerous for me to describe them all in detail here; however, I’ll provide an overview to familiarize you with the main features.
User Account Migration
The User Account Migration Wizard allows an administrator to essentially copy existing NT 4.0 domain user accounts to the Windows 2000 AD, complete with the same user settings, such as name, home directory, and logon times. An important feature is the ability to migrate SID history information along with the user accounts. Maintaining users SID history allows them to access the same network resources, such as files and Exchange 5.5 mailboxes, while logged in with their Windows 2000 account. The User Account Migration Wizard provides the option of disabling the NT 4.0 account, disabling the new AD account, or leaving them both enabled. The main difference between the two accounts has to do with the user’s password. The currently released version of ADMT provides the option to set the password of the migrated account to match the username or to randomly generate a new one.
The Group Migration Wizard does exactly what you would expect, copying NT 4.0 group information to the new Active Directory. If groups are migrated before the member user accounts, ADMT lets you perform a user account migration on the members or simply bring the membership information along with the migrated group. Before migrating groups, you can optionally run the Group Mapping And Merging Wizard to map a group in the source domain to a new or existing group in the target domain. This mapping ensures that when the groups members are migrated from the source domain into the target domain, group memberships will reflect the mapping. This feature is also useful for allowing administrators to merge multiple groups into one.
One of the most overlooked ADMT features is the Computer Migration Wizard. At first glance, it appears this feature is used only to re-create identical computer accounts within Active Directory. However, the tool goes much further than that. Remember that logging on to a Windows NT 4.0 or Windows 2000 workstation with a new user account, even with the same login name, creates a new user profile on the machine. This means all previous settings, such as desktop appearance, shortcuts, and printers, are lost. This can cause problems for users and the administrators that support them. The Computer Migration Wizard can dispatch an agent to the NT 4.0 or Windows 2000 workstation that will migrate all local user profiles, so when the users log on to the workstation with their new Windows 2000 account, they will receive the same profile settings as before.
Trust Relationship Migration
The Trust Relationship Migration Wizard compares the trust relationships in the source domain to those in the target domain and then creates in the target domain any trust relationships that exist in the source domain. For environments with several domains involved in one-way and two-way trust relationships, this feature is a time-saver.
Service Account Migration
The Service Account Migration Wizard migrates service accounts used by such applications as Microsoft Exchange and Veritas Backup Exec.
Every wizard mentioned above includes the option to test the migration before actually making modifications to your environment. Testing the migration first, preferably in a lab, lets you identify problems or errors that might be encountered during the actual migration operation. No migration tool would be complete without the ever-important Undo feature—and ADMT has one. In many cases, if there is a problem, you can use the Undo feature to automatically restore previous settings.
Installing and running ADMT
You can download the current version of ADMT (Version 1.0) from Microsoft’s Web site. ADMT installs as a Microsoft Management Console (MMC) snap-in. Several requirements must be met prior to installing and running ADMT:
The primary domain controller of the Windows NT 4.0 source domain must have SP4 or higher installed.
The ADMT agent, which is installed by ADMT on the source computers, can operate only on computers running Windows NT 3.51 (with SP5), Windows NT 4.0 (with SP4 or higher), or Windows 2000.
The target domain must be running in Native Mode.
Auditing must be enabled for account management (i.e., success and failure events) in the source and target domains.
A two-way trust must exist between the source and target domains.
The Domain Admins global group from the source domain must be part of the Administrators local group in the target domain, and vice versa. A new local group called Source Domain$$$ must exist in the source domain.
In the registry of the PDC in the source domain, under
add the key TcpipClientSupport with a REG_DWORD:0x1.
Ensure that administrative shares exist on the domain controller in the target domain, as well as on any computers on which an agent will be dispatched.
Run ADMT from the PDC that is the Flexible Single Master Operation (FSMO) role holder in the target domain.
Log on to the server running ADMT with an account that has Domain Administrator rights in the target domain, is a member of the Administrators group in the source domain, and has Administrator rights on each computer that will be migrated.
ADMT Version 2.0
Active Directory Migration Tool (Version 2.0) offers numerous enhancements over the current version. With Version 2.0, passwords can be migrated for interforest user migrations by using a Password Export Server (PES) in the source domain.
In addition, ADMT operations can be performed via a scriptable interface. The template script TemplateScript.vbs is installed with ADMT Version 2 and explains most of the options. This is a welcome enhancement for administrators who prefer the benefits of a script rather than a GUI interface.
Also in ADMT v2, a new log file is created for each new migration operation. Agent dispatch credentials are no longer required, thus eliminating the need to enter user credentials each time the Computer Migration Wizard is run. ADMT v2 also officially supports migrations from a Windows 2000-based domain to a Windows Server 2003-based domain.
Migrate with ease
Migrating from Windows NT4 to Windows 2000 can be a complex and difficult process. The decision to restructure rather than upgrade can create challenges pertaining to migrating existing user, group, computer, trust, and service accounts. However, Microsoft’s Active Directory Migration Tool provides a secure and easy-to-use set of wizards that can greatly simplify this part of the migration process.
Note: Original tip written by Del Smith, TechRepublic
Download Active Directory Migration Tool v2.0 (4.7mb)
Domain Migration Cookbook (Chapters 1-11, very good resource for reading BEFORE you start migrating, not after, duh…)