How can I transfer NT4 domain data using the Active Directory Migration Tool?

Posted on January 7, 2009 by Daniel Petri in Active Directory with 0 Comments

When migrating to Windows 2000 Active Directory Services, many organizations choose the path of restructuring rather than upgrading.

This involves building a pristine Windows 2000 ADS environment and then adding the organization’s users, groups, and computer accounts rather than upgrading a Windows NT4 domain. Of course, with a clean ADS domain structure, you still have to import the domain information from your existing NT 4.0 domain into your new Active Directory, while maintaining seamless access to network resources for your users. This is where Microsoft’s Active Directory Migration Tool (ADMT) comes in. ADMT provides a fast way to migrate your NT 4.0 domain data into the W2K Active Directory.

Overview of ADMT features

The ADMT interface is basically a series of wizards that step you through the process of migrating user accounts, groups, service accounts, trusts, and computers. The features and individual settings found in the migration tool are too numerous for me to describe them all in detail here; however, I’ll provide an overview to familiarize you with the main features.

User Account Migration

The User Account Migration Wizard allows an administrator to essentially copy existing NT 4.0 domain user accounts to the Windows 2000 AD, complete with the same user settings, such as name, home directory, and logon times. An important feature is the ability to migrate SID history information along with the user accounts. Maintaining users SID history allows them to access the same network resources, such as files and Exchange 5.5 mailboxes, while logged in with their Windows 2000 account. The User Account Migration Wizard provides the option of disabling the NT 4.0 account, disabling the new AD account, or leaving them both enabled. The main difference between the two accounts has to do with the user’s password. The currently released version of ADMT provides the option to set the password of the migrated account to match the username or to randomly generate a new one.

Group Migration

The Group Migration Wizard does exactly what you would expect, copying NT 4.0 group information to the new Active Directory. If groups are migrated before the member user accounts, ADMT lets you perform a user account migration on the members or simply bring the membership information along with the migrated group. Before migrating groups, you can optionally run the Group Mapping And Merging Wizard to map a group in the source domain to a new or existing group in the target domain. This mapping ensures that when the groups members are migrated from the source domain into the target domain, group memberships will reflect the mapping. This feature is also useful for allowing administrators to merge multiple groups into one.

Computer Migration

One of the most overlooked ADMT features is the Computer Migration Wizard. At first glance, it appears this feature is used only to re-create identical computer accounts within Active Directory. However, the tool goes much further than that. Remember that logging on to a Windows NT 4.0 or Windows 2000 workstation with a new user account, even with the same login name, creates a new user profile on the machine. This means all previous settings, such as desktop appearance, shortcuts, and printers, are lost. This can cause problems for users and the administrators that support them. The Computer Migration Wizard can dispatch an agent to the NT 4.0 or Windows 2000 workstation that will migrate all local user profiles, so when the users log on to the workstation with their new Windows 2000 account, they will receive the same profile settings as before.

Trust Relationship Migration

The Trust Relationship Migration Wizard compares the trust relationships in the source domain to those in the target domain and then creates in the target domain any trust relationships that exist in the source domain. For environments with several domains involved in one-way and two-way trust relationships, this feature is a time-saver.

Service Account Migration

The Service Account Migration Wizard migrates service accounts used by such applications as Microsoft Exchange and Veritas Backup Exec.


Every wizard mentioned above includes the option to test the migration before actually making modifications to your environment. Testing the migration first, preferably in a lab, lets you identify problems or errors that might be encountered during the actual migration operation. No migration tool would be complete without the ever-important Undo feature—and ADMT has one. In many cases, if there is a problem, you can use the Undo feature to automatically restore previous settings.

Installing and running ADMT

You can download the current version of ADMT (Version 1.0) from Microsoft’s Web site. ADMT installs as a Microsoft Management Console (MMC) snap-in. Several requirements must be met prior to installing and running ADMT:

The primary domain controller of the Windows NT 4.0 source domain must have SP4 or higher installed.

The ADMT agent, which is installed by ADMT on the source computers, can operate only on computers running Windows NT 3.51 (with SP5), Windows NT 4.0 (with SP4 or higher), or Windows 2000.

The target domain must be running in Native Mode.

Auditing must be enabled for account management (i.e., success and failure events) in the source and target domains.

A two-way trust must exist between the source and target domains.

The Domain Admins global group from the source domain must be part of the Administrators local group in the target domain, and vice versa. A new local group called Source Domain$$$ must exist in the source domain.

In the registry of the PDC in the source domain, under

HKEY_LOCAL_MACHINE\System\CurrentControlSet\ Control\LSA

add the key TcpipClientSupport with a REG_DWORD:0x1.

Ensure that administrative shares exist on the domain controller in the target domain, as well as on any computers on which an agent will be dispatched.

Run ADMT from the PDC that is the Flexible Single Master Operation (FSMO) role holder in the target domain.

Log on to the server running ADMT with an account that has Domain Administrator rights in the target domain, is a member of the Administrators group in the source domain, and has Administrator rights on each computer that will be migrated.

ADMT Version 2.0

Active Directory Migration Tool (Version 2.0) offers numerous enhancements over the current version. With Version 2.0, passwords can be migrated for interforest user migrations by using a Password Export Server (PES) in the source domain.

In addition, ADMT operations can be performed via a scriptable interface. The template script TemplateScript.vbs is installed with ADMT Version 2 and explains most of the options. This is a welcome enhancement for administrators who prefer the benefits of a script rather than a GUI interface.

Also in ADMT v2, a new log file is created for each new migration operation. Agent dispatch credentials are no longer required, thus eliminating the need to enter user credentials each time the Computer Migration Wizard is run. ADMT v2 also officially supports migrations from a Windows 2000-based domain to a Windows Server 2003-based domain.

Migrate with ease

Migrating from Windows NT4 to Windows 2000 can be a complex and difficult process. The decision to restructure rather than upgrade can create challenges pertaining to migrating existing user, group, computer, trust, and service accounts. However, Microsoft’s Active Directory Migration Tool provides a secure and easy-to-use set of wizards that can greatly simplify this part of the migration process.

Note: Original tip written by Del Smith, TechRepublic


Download Active Directory Migration Tool v2.0 (4.7mb)

Active Directory Migration Tool Overview

Domain Migration Cookbook (Chapters 1-11, very good resource for reading BEFORE you start migrating, not after, duh…)

How to Deploy Active Directory

Chapter 6 of Building Enterprise Active Directory Services: Notes from the Field – Domain Migration and Consolidation

Set Up ADMT for Windows NT 4.0 to Windows 2000 Migration – 260871

ClonePrincipal and ADMT Require Uplevel Trust to Migrate Objects Between Windows 2000 Domains – 256250

You Cannot Update the SID History for Group with the Active Directory Migration Tool – 269352

Best Practice Active Directory Deployment for Managing Windows Networks

Domain Names with All Capital Letters Prevent ADMT User Migration – 266763

Service Account Admin Password Must Be Reset After Migration to Windows 2000 – 265042

ADMT Does Not Migrate the Exchange System Attendant Service – 300628

Objects from Active Directory Are Ignored When Running the Active Directory Management Agent – 272768