
Active Directory Migration


  • Active Directory Migration

    Hi all,

    I'm performing an inter-forest migration from Windows 2000 to Windows 2003.
    Let me explain the scenario:

    Source: win2000 AD --> ADMTv3 --> win2003

    Following the ADMT v3 guide (downloaded from the Microsoft site), it doesn't
    explain the use of the proper users and rights in detail.
    I could migrate a user, but not his password and SID; for example, I got
    the following error when I tried to migrate the SID:

    "Could not verify auditing and TcpipClientSupport on domains. Will not be
    able to migrate SIDs. Access is denied"

    The TcpipClientSupport key doesn't exist in the source DC's registry. I think that it is a users and rights problem, but I can't understand the cause.

    FYI: for example, I can't add Administrator from the source domain to the "Domain Admins" group in the target domain, because it is not possible to see the source domain... Trust relationship problem, maybe?

    Can you give me a hand with this? A troubleshooting guide, maybe, or

    Thanks in advance.


  • #2
    Re: Active Directory Migration

    I wrote a procedure for inter-forest migration with ADMT, but this step-by-step procedure is also valid for the NetIQ DMA and Quest Migration Manager tools (they all work on the same concept). With the Quest tool there are a few other things that are recommended to be set, but I won't go into them unless you tell me you are planning to use it.
    This procedure covers all your issues (I have been through them all).
    If you are planning to use, on both the target domain and the source domain, a user that is a member of the Domain Admins group
    (each user in his own domain), then you can skip the "Site_Admins" part in all sections.
    Here I am posting the preparations for inter-forest migration.

    Inter-Forest Migration Preparation using ADMT


    The purpose of this document is to prepare the source and target domains for inter-forest migration.

    PREREQUISITES
    1. Understanding of Active Directory and DNS.
    2. Administrative access is needed on the source domain that is about to be migrated into the target domain. Create a user on the source domain that is a member of “Domain Admins” and “Enterprise Admins”; that user will be used during the migration.
    3. Communication between the source domain DC and PDC Emulator and the target DC on site and target PDC Emulator has to be fully open between them all (full IP).

    Inter-Forest Migration Preparation
    1. Make sure the target DC on site that is going to be used for migration has the DNS Server service installed.
    2. Create an AD-integrated conditional forwarder on the “” DNS to forward any DNS queries for the source domain to the source domain's DNS server. This can be done by running the following command on one of the “” DNS servers: DnsCmd DNSServer /ZoneAdd /DsForwarder xx.xx.xx.xx (IP address of the source domain's DNS server).
    3. Create an AD-integrated conditional forwarder on the “” DNS to forward any DNS queries for the “” domain to the target domain's DNS server. This can be done by running the following command on one of the “” DNS servers: DnsCmd SourceDC /ZoneAdd /DsForwarder xx.xx.xx.xx (IP address of the target domain's DNS server closest to the source domain site).
    4. Verify that there is DNS resolution between the domains using NSLOOKUP. This test can only take place from the DCs that are open to each other (refer to “PREREQUISITES”, section 3).
    5. Create a two-way external trust between both domains using a target Domain Admin user and the Domain Admin user you created on the source domain.
    Make sure that if you are using the same user name on both domains, the password of that user matches on both domains; otherwise you will receive an unrelated RPC error when trying to create the trust.
    6. Disable SID filtering on the outgoing trust on both domains. This can be done by running the following command:
    · On the target domain: Netdom trust / /quarantine:No /userD:User /passwordD:Password
    · On the source domain: Netdom trust / /quarantine:No /userD:User /passwordD:Password
    7. Modify/create the following registry value: “AllowPasswordExport”, DWORD 1, under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA on the source domain PDC Emulator and on the source DC that will be used for migration (the one where PES is installed).

    8. If the source domain controller used for migration is running Windows 2000, you must add the following registry value on that domain controller: under “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA”, modify/create the entry TcpipClientSupport, of data type REG_DWORD, and set its value to 1.
    9. Create a dedicated global group in the OU on the target domain which will contain the members of those who will be involved in the migration process of users/groups/workstations/servers (e.g. Site_Admins).
    10. Assign the migrators as members of the Site_Admins group.
    11. Install the ADMT software on a member server that is part of the target domain (not on a source domain member server).
    12. Add the target “Domain Admins” group and Site_Admins to the “Administrators” group on the server that is running ADMT.
    13. Add the target “Domain Admins” group and Site_Admins to the “Administrators” group in the source domain's Active Directory.
    14. In “Active Directory Users & Computers”, delegate the "Migrate SID History" permission on the “” root domain to the Site_Admins group, and Full Control permissions on the OU where the objects will be migrated to (i.e. users/groups/computers, etc.).
    15. Make sure that on both domains the “Default Domain Controllers Policy” -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy -> "Audit account management" is set to audit both Success and Failure.
    16. On the source domain, create a domain local group “SourceDomain$$$” (where SourceDomain is the domain's NetBIOS name).
    Make sure you do not place any members in this group, or ADMT will fail to migrate SID history.
    17. On the server where ADMT is installed, run the following command (from c:\windows\ADMT):
    admt key /opt:create / /kf:"c:\temp\source.pes"
    18. Copy the “source.pes” that you just created onto a local disk on the source domain controller that will be used for the migration process.
    19. Install the PES application/DLL on the source domain controller; the installation files can be found on the ADMT server where ADMT was installed. Supply the installation wizard with the “source.pes” you just copied onto the DC. When asked under which account to run the PES service, choose and set the target Domain Admin user account that was decided on.

    You're done. After that, ADMT v3 should be working without a problem. ADMT v3.1 is based on the same principles, so this should apply to ADMT v3.1 as well.
    Last edited by Akila; 8th August 2008, 12:57.
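    The OP's error ("Could not verify auditing and TcpipClientSupport") is exactly the set of source-DC conditions in steps 7, 8, 15 and 16 of the post above. The following PowerShell script is an added example for checking them before running ADMT; it is not part of Akila's post or of ADMT itself. It assumes it is run on the source DC with a domain admin account, that PowerShell is installed there (it uses only the registry provider, secedit.exe and ADSI, so it does not need the ActiveDirectory module), and the function name, parameter and temporary file name are this example's own choices.

```powershell
# Added example (not from the post): pre-flight check of the source-DC side of
# steps 7, 8, 15 and 16. Run on the source DC as a domain admin (assumption).
# The function name, the parameter and the temp file name are hypothetical.
function Test-AdmtSourceDcPrereqs {
    param(
        # NetBIOS name of the source domain; defaults to the domain of the
        # account running the script, which assumes you run it on the source DC.
        [string]$NetBiosName = $env:USERDOMAIN
    )

    $lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $results = @()

    # Steps 7 and 8: AllowPasswordExport (needed by PES) and TcpipClientSupport
    # (needed for SID history on a Windows 2000 DC) must both be REG_DWORD 1.
    foreach ($name in 'AllowPasswordExport', 'TcpipClientSupport') {
        $item  = Get-ItemProperty -Path $lsa -Name $name -ErrorAction SilentlyContinue
        $value = $null
        if ($item) { $value = $item.$name }
        $detail = 'value missing'
        if ($value -ne $null) { $detail = "value = $value" }
        $results += New-Object PSObject -Property @{
            Check  = "$lsa\$name = 1"
            Passed = ($value -eq 1)
            Detail = $detail
        }
    }

    # Step 15: "Audit account management" must audit Success and Failure.
    # secedit exports the effective local policy; in the .inf,
    # AuditAccountManage = 3 means both (1 = success, 2 = failure, 0 = none).
    $inf = Join-Path $env:TEMP 'admt-audit-check.inf'
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $match = Select-String -Path $inf -Pattern '^AuditAccountManage\s*=\s*(\d)' |
             Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    $audit = -1
    if ($match) { $audit = [int]$match.Matches[0].Groups[1].Value }
    $results += New-Object PSObject -Property @{
        Check  = 'Audit account management = Success and Failure'
        Passed = ($audit -eq 3)
        Detail = "AuditAccountManage = $audit"
    }

    # Step 16: the <NetBIOS>$$$ group must exist, be domain local, and be empty.
    # ADSI DirectorySearcher defaults to the current domain's naming context.
    $groupName = $NetBiosName + '$$$'
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$groupName))"
    $group = $searcher.FindOne()
    if (-not $group) {
        $ok     = $false
        $detail = 'group not found'
    } else {
        $members = $group.Properties['member'].Count        # empty collection if no members
        $type    = [int]$group.Properties['grouptype'][0]
        $isLocal = (($type -band 0x4) -ne 0)                # ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP
        $ok      = ($isLocal -and ($members -eq 0))
        $detail  = "domain local = $isLocal, members = $members"
    }
    $results += New-Object PSObject -Property @{
        Check  = "Group $groupName exists, is domain local and is empty"
        Passed = $ok
        Detail = $detail
    }

    $results | Select-Object Check, Passed, Detail
}

# Usage: run on the source DC and fix every row with Passed = False before
# attempting the SID history / password migration.
Test-AdmtSourceDcPrereqs | Format-Table -AutoSize
```

    The script deliberately reads the effective audit policy with secedit rather than trusting what the GPO says, because the post's step 15 is about what the DC actually enforces; if the Default Domain Controllers Policy has not refreshed yet, the check fails until gpupdate has run. It does not check the trust or SID-filtering state (step 6), since that needs the domain names the post elides; netdom trust with /quarantine and no value displays the current setting.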


    • #3
      Re: Active Directory Migration

      Oh, one thing I did not mention: this procedure I wrote was originally meant for migration from 2003 AD to 2003 AD. The only difference is that on a 2000 source DNS you won't be able to create a conditional forwarder as you can on a 2003 DNS, so just create a secondary zone on the source DNS containing a copy of the target domain's DNS zone; that will have the same effect.
      Another difference: when you establish an external trust on a 2000 AD domain, SID filtering is not enabled by default, hence you don't need to disable it on the 2000 domain,
      but only on the 2003 domain (in your case the target domain).
      On a forest trust, SID filtering is not enabled by default, but you can't create a forest trust on a 2000 forest, so that doesn't
      really matter to you anyway.

      BTW, have you considered using ADMT v3.1? You would mainly benefit from it if you have 2008 member servers you want to migrate and/or Vista workstations, which ADMT v3 does not officially support (there are workarounds to make it work, though).
      Last edited by Akila; 25th July 2008, 15:20.