Can't migrate passwords with ADMT v3.0

  • Can't migrate passwords with ADMT v3.0

    I downloaded ADMT v3.0.
    I installed it on a new Windows 2003 DC, and I want to migrate from a Windows 2000 domain to this new one.
    But the passwords don't migrate because I don't have a Password Export Server Service running in my Win2000 domain.
    How do I install that service on Win 2000?

  • #2
    Re: Can't migrate passwords with ADMT v3.0

    Is there a trust between these two domains? Does one of the domains use the SBS OS? Or Windows without 128-bit encryption?

    Use the Password Export Server (PES) service to migrate passwords when you perform an interforest migration. The PES service can be installed on any domain controller in the source domain that supports 128-bit encryption.

    The PES service installation in the source domain requires an encryption key, but you must create the encryption key on the computer running the Active Directory Migration Tool version 3 (ADMT v3) in the target domain. When you create the encryption key in the target domain, save it to a floppy disk so that it can be stored in a secure location and reformatted after the migration is complete.

    To create an encryption key
    At a command line, type the following:

    admt key /option:create /sourcedomain:SourceDomain /keyfile:KeyFilePath /keypassword:{password|*}

    Parameters:

    /sourcedomain:SourceDomain
    Specifies the name of the source domain in which the PES service is being installed. Can be specified as either the Domain Name System (DNS) or NetBIOS name.

    /keyfile:KeyFilePath
    Specifies the path to the location where the encrypted key is stored.

    /keypassword:{password|*}
    A password, which provides key encryption, is optional. To protect the shared key, type either the password or an asterisk on the command line. The asterisk causes you to be prompted for a password that is not displayed on the screen.

    After you create the encryption key, configure the PES service on a domain controller in the source domain.

    ADMT provides the option to run the PES service under the Local System account or by using the credentials of an authenticated user in the target domain. It is recommended that you run the PES service as an authenticated user in the target domain.

    If you run the PES service under the Local System account, ensure that the Pre-Windows 2000 Compatible Access group in the target domain contains the Everyone group and the Anonymous Logon group.

    To configure the PES service in the source domain
    On the domain controller that runs the PES service in the source domain, insert the encryption key disk.

    In the Pwdmig folder, run Pwdmig.msi. If you set a password during the key generation process on the domain controller in the target domain, the Key Password Required dialog box appears. Provide the password that was given when the key was created, and then click Next.

    Specify the account to run the PES service.

    After installation completes, restart the domain controller.

    After the domain controller restarts, to start the PES service, point to Start, point to All Programs, point to Administrative Tools, and then click Services. In the details pane, right-click Password Export Server Service, and then click Start.

    Run the PES service only when you migrate passwords. Stop the PES service after you complete the password migration.
    Last edited by yuval14; 30th October 2005, 22:30.
    Best Regards,

    Yuval Sinay

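An added example, not part of the original posts: a read-only PowerShell check to run once the migration is finished, confirming that the Password Export Server Service is stopped on the source domain controller and flagging Everyone or Anonymous Logon if they are still in the target domain's Pre-Windows 2000 Compatible Access group after a Local System PES run. The host and domain names are placeholders, and it assumes Windows PowerShell 5.1 with the ActiveDirectory module on an admin workstation.

```powershell
# Added example: read-only post-migration check (not from the original thread).
# SOURCE-DC01 and target.example are placeholder names; substitute your own.
param(
    [string]$SourceDc     = 'SOURCE-DC01',
    [string]$TargetDomain = 'target.example'
)

Import-Module ActiveDirectory
$findings = @()

# 1. PES should run only while passwords are being migrated.
#    The display name is the one shown in the Services console.
$pes = Get-Service -ComputerName $SourceDc `
                   -DisplayName 'Password Export Server Service' `
                   -ErrorAction SilentlyContinue
if (-not $pes) {
    Write-Host "PES service not found on $SourceDc (not installed or host unreachable)."
} elseif ($pes.Status -ne 'Stopped') {
    $findings += "PES service is $($pes.Status) on $SourceDc; stop it now that migration is done."
}

# 2. A Local System PES run needs Everyone and Anonymous Logon in the target
#    domain's Pre-Windows 2000 Compatible Access group (well-known SID S-1-5-32-554).
#    Well-known principals appear as foreign security principals named by SID.
$watch = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'Anonymous Logon' }
$group = Get-ADGroup -Identity 'S-1-5-32-554' -Server $TargetDomain -Properties member
foreach ($dn in $group.member) {
    if ($dn -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,' -and
        $watch.ContainsKey($Matches[1])) {
        $findings += "'$($group.Name)' still contains $($watch[$Matches[1]]) ($($Matches[1]))."
    }
}

# Exit non-zero when anything needs attention so the check can be scheduled.
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'No findings.'
```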


    • #3
      Re: Can't migrate passwords with ADMT v3.0

      I did that.
      But I don't have a PWDMIG.MSI version 3; I have the one that comes with ADMT v2.0.
      I run it on the Windows 2000 machine (my PDC), and it doesn't install the PES service; it installs the migration DLL for ADMT v2.0.
      ADMT v2 runs without problems.