Enabling Password Migration

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

ADMT version 2 supports interforest password migration. If you intend to migrate passwords when you restructure your Windows NT 4.0 domains, you must enable password migration.

When you migrate passwords by using ADMT, you must use a Password Export Server (PES) to host the password migration support DLLs. The PES can be any domain controller in the source domain that supports 128-bit encryption. Use the following procedures to enable support for password migration.

In the target domain, ensure that the built-in group Pre-Windows 2000 Compatible Access contains the Everyone and Anonymous Logon groups. The groups will not be present if you selected Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems when you installed Active Directory in the target domain.

If the groups are not present, ADMT logs an Access Denied error. You must then manually add them to enable support for password migration. To do this, type the following at the command line on a target domain controller:

NET LOCALGROUP "Pre-Windows 2000 Compatible Access" Everyone /ADD
NET LOCALGROUP "Pre-Windows 2000 Compatible Access" "Anonymous Logon" /ADD

After this update to the Pre-Windows 2000 Compatible Access group replicates, you must restart the Server service on all domain controllers in the target domain.

To create an encryption key

  1. Log on to the domain controller in the target domain on which you installed ADMT by using your ADMT migration account.

  2. Place a blank, formatted diskette in the floppy drive.

  3. Open a command window, navigate to the folder in which ADMT is installed, and then, at the command line, type:

    ADMT KEY Source_Domain Floppy_Drive [password] [*]

    Source_Domain is the NetBIOS name of the source domain, not its fully qualified domain name (FQDN). The optional password encrypts the key. To protect the shared key, type either the password or an asterisk (*) on the command line; the asterisk causes ADMT to prompt for a password that is not displayed on the screen.

Note

For security reasons, providing a password is strongly recommended.

To enable password migration on the source domain

  1. On the PES, insert the encryption key diskette.

  2. Insert the Windows Server 2003 operating system CD in the CD drive.

  3. Navigate to the \i386\admt\pwdmig folder, and then run pwdmig.exe. If you set a password during the key generation process on the domain controller in the target domain, the Key Password Required dialog box appears.

  4. Type the password, and then complete the setup process.

  5. Navigate to the following registry subkey on the source domain PES: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

  6. Modify the registry entry AllowPasswordExport, of data type REG_DWORD, by setting the value to 1.

Warning

The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back it up first and see the "Registry Reference" on the Windows Server 2003 Deployment Kit companion CD or on the Microsoft Web site.
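The following script is an added example, not part of this page or of ADMT itself. It checks the two prerequisites described above: that Pre-Windows 2000 Compatible Access in the target domain contains Everyone and Anonymous Logon (run on a target domain controller), and that AllowPasswordExport is set to 1 on the source domain PES (run on the PES). It assumes Windows PowerShell with ADSI available and uses no additional modules; the function names are the author's own.

```powershell
# Added example: verify the password-migration prerequisites this page describes.
# Well-known security principals are stored under CN=ForeignSecurityPrincipals
# with the SID as the CN, so membership is checked by SID rather than by name.

function Test-PreWin2kCompatibleAccess {
    # Run on a domain controller in the TARGET domain.
    $required = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'Anonymous Logon' }
    $domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $group    = [ADSI]"LDAP://CN=Pre-Windows 2000 Compatible Access,CN=Builtin,$domainDn"
    $memberDns = @($group.member)

    $missing = foreach ($sid in $required.Keys) {
        if (-not ($memberDns -match "^CN=$sid,")) { $required[$sid] }
    }
    if ($missing) {
        $msg = 'Missing from Pre-Windows 2000 Compatible Access: {0}. ' +
               'ADMT logs Access Denied until they are added.'
        Write-Warning ($msg -f ($missing -join ', '))
        return $false
    }
    return $true
}

function Test-AllowPasswordExport {
    # Run on the PES in the SOURCE domain. The entry is created by pwdmig.exe setup.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prop = Get-ItemProperty -Path $key -Name AllowPasswordExport -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        Write-Warning 'AllowPasswordExport is not present; run pwdmig.exe setup first.'
        return $false
    }
    if ($prop.AllowPasswordExport -ne 1) {
        Write-Warning "AllowPasswordExport is $($prop.AllowPasswordExport); set it to 1 (REG_DWORD)."
        return $false
    }
    # Value 1 lets the PES hand password data to ADMT. Set it back to 0 once the
    # migration is finished so the export path is not left enabled permanently.
    return $true
}

# Run whichever check applies to the server you are logged on to:
#   Test-PreWin2kCompatibleAccess   # target-domain DC
#   Test-AllowPasswordExport        # source-domain PES
```

Each function returns $true when the prerequisite is met and writes a warning describing what to fix otherwise.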