Enabling Migration of Passwords

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

ADMT version 2 supports password migration. When you migrate passwords by using ADMT, you must use a password export server (PES) to host password migration support dynamic-link libraries (DLLs). The PES can be any domain controller in the source domain that supports 128-bit encryption.

Passwords are copied from the source domain to the target domain in hash form; therefore, it is not possible for a password filter to verify that the complexity or length of the passwords meets the requirements of the organization. The target domain controller used to set the password can, however, verify password history by comparing the hash of the password against previous hashes.

In the target domain, ensure that the built-in group Pre-Windows 2000 Compatible Access contains the Everyone and Anonymous Logon groups. The groups will not be present if you selected Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems when you installed Active Directory in the target domain.

If the groups are not present, ADMT logs an Access Denied error. You must then manually add them to enable support for password migration. To do this, type the following at the command line on a target domain controller:

NET LOCALGROUP "Pre-Windows 2000 Compatible Access" Everyone /ADD 
NET LOCALGROUP "Pre-Windows 2000 Compatible Access" "Anonymous Logon" /ADD

After this update to the Pre-Windows 2000 Compatible Access group replicates, you must restart the Server service on all domain controllers in the target domain.
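The membership check and repair described above, as an added example that is not part of the original documentation. It reads the group's direct members through the WinNT ADSI provider on the target domain controller, adds whichever of Everyone or Anonymous Logon is missing using the same NET LOCALGROUP commands shown in the text, and provides a separate function for the Server service restart that must follow replication. It assumes that Windows PowerShell has been installed on the Windows Server 2003 target domain controller and that the script runs as a domain administrator.

```powershell
# Added example (not from the ADMT documentation): verify that the target
# domain's Pre-Windows 2000 Compatible Access group contains Everyone and
# Anonymous Logon, add whichever is missing, and offer the Server service
# restart as a separate step to run after the change has replicated.
# Assumes Windows PowerShell is installed on the target DC and that the
# script runs as a domain administrator.

$GroupName = 'Pre-Windows 2000 Compatible Access'
$Required  = @('Everyone', 'ANONYMOUS LOGON')   # names as the WinNT provider reports them

function Get-PreW2KMembers {
    # Enumerate the group's direct members via the WinNT ADSI provider on this DC.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
    }
}

function Add-MissingPreW2KMembers {
    # Returns $true when at least one member had to be added.
    $present = @(Get-PreW2KMembers)
    $changed = $false
    foreach ($name in $Required) {
        if ($present -contains $name) {          # -contains compares case-insensitively
            Write-Host "OK: '$name' is already a member of '$GroupName'"
        } else {
            Write-Host "Missing: '$name' (this is what produces ADMT's Access Denied error); adding it"
            & net localgroup $GroupName $name /ADD
            if ($LASTEXITCODE -ne 0) { throw "NET LOCALGROUP failed for '$name' (exit code $LASTEXITCODE)" }
            $changed = $true
        }
    }
    return $changed
}

function Restart-ServerService {
    # The Server service (LanmanServer) must be restarted on every DC in the
    # target domain once the group change has replicated. -Force also
    # restarts dependent services such as Computer Browser.
    Restart-Service -Name LanmanServer -Force
    Get-Service -Name LanmanServer | Select-Object Name, Status
}

if (Add-MissingPreW2KMembers) {
    Write-Host 'Membership changed. Wait for replication, then run Restart-ServerService on each target DC.'
} else {
    Write-Host 'No change required.'
}
```

Run the script once on the domain controller where ADMT is installed; run Restart-ServerService separately on each domain controller in the target domain only after the membership change has replicated, since restarting the Server service interrupts file and print sharing on that server.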

Use the following procedures to enable support for password migration.

To generate an encryption key

  1. Log on to the domain controller in the target domain on which you installed ADMT by using your ADMT migration account.

  2. Select the location to which to save the file. The location can be any local drive, including the floppy drive.

  3. Open a command window, change to the drive on which ADMT is installed, and at the command line, type:

    ADMT KEY Source_Domain Folder [password | *]

    The Source_Domain can be specified as either the DNS or NetBIOS name. A password, which provides key encryption, is optional. To protect the shared key, type either the password or an asterisk (*) at the command line. The asterisk prompts for a password that is not displayed on the screen.

Note

For security reasons, it is strongly recommended that you provide a password.

To enable password migration on the source domain

  1. On the PES in the source domain, insert the encryption key disk.

  2. Insert the Windows Server 2003 operating system CD in the CD drive.

  3. Navigate to the \i386\admt\pwdmig directory, and run pwdmig.exe. If you set a password during the key generation process on the domain controller in the target domain, the Key Password Required dialog box appears.

  4. Enter the password and then complete the setup.

  5. On the source domain PES, use the registry editor to navigate to the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
    
  6. Modify the registry entry AllowPasswordExport, of data type REG_DWORD, by setting the value to 1.

Warning

The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back it up first and see the Windows Server 2003 Resource Kit Registry Reference.
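Steps 5 and 6 performed from a script, as an added example that is not part of the original documentation. It follows the Warning by exporting the LSA key before changing anything, creates or sets the AllowPasswordExport REG_DWORD value, reads it back to confirm the change, and keeps the same function available for setting the value back to 0 once password migration is finished so that the PES does not stay enabled. It assumes that Windows PowerShell has been installed on the source domain PES, that the script runs with local administrator rights, and that the backup file name under %TEMP% is acceptable (a constructed choice, not one the documentation specifies).

```powershell
# Added example (not from the ADMT documentation): back up the LSA key, set
# AllowPasswordExport on the source-domain PES, verify the stored value, and
# provide the reverse step for when migration is complete.
# Assumes Windows PowerShell is installed on the PES and the script runs
# with local administrator rights.

$LsaPath    = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$ValueName  = 'AllowPasswordExport'
# Constructed backup location; any local path the administrator controls will do.
$BackupFile = Join-Path $env:TEMP ('Lsa-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

function Backup-LsaKey {
    # Export the key first so it can be restored with "reg import" if needed.
    & reg export 'HKLM\System\CurrentControlSet\Control\Lsa' $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit code $LASTEXITCODE)" }
    Write-Host "LSA key backed up to $BackupFile"
}

function Set-AllowPasswordExport {
    param([ValidateRange(0, 1)][int] $Value)
    # New-ItemProperty -Force creates the REG_DWORD entry, or overwrites it if it exists.
    New-ItemProperty -Path $LsaPath -Name $ValueName -Value $Value -PropertyType DWord -Force | Out-Null
    # Read the value back rather than trusting that the write succeeded.
    $actual = (Get-ItemProperty -Path $LsaPath -Name $ValueName).$ValueName
    if ($actual -ne $Value) { throw "$ValueName reads $actual, expected $Value" }
    Write-Host "$ValueName = $actual"
    return $actual
}

Backup-LsaKey
Set-AllowPasswordExport -Value 1    # step 6: enable password export on the PES

# When all passwords have been migrated, disable export again on the PES:
# Set-AllowPasswordExport -Value 0
```

The value of 1 is what allows the PES to release password hashes to ADMT; leaving it in place longer than the migration requires widens the exposure of the source domain's password hashes, so setting it back to 0 (the commented-out last line) belongs in the post-migration checklist.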