Migrate Global Groups

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Migrate global groups, without members, from the source domain to the target domain to protect against the problem of open sets. After global groups are migrated to the target domain, they cease to exist in the source domain if the source domain has a functional level of Windows 2000 native or higher.

Because global groups can contain members only from their own domain, they cannot be moved from one domain to another as global groups, so ADMT changes global groups to universal groups when they are migrated. The universal group in the target domain retains the SID history of the global group in the source domain, which enables users to continue to access resources in the source domain after the global groups are migrated. ADMT changes the universal groups back to global groups after all members of the global group are migrated from the source domain to the target domain.

You do not need to include built-in and well-known global groups in your migration. Built-in and well-known groups already exist in the target domain. If a built-in or well-known global group is selected for migration, ADMT does not migrate it; instead, ADMT makes a note in the log and continues to migrate other global groups.

The procedure for using the Group Account Migration Wizard to migrate global groups is the same as that for migrating universal groups. For more information about the procedure for migrating global groups and universal groups, see "Migrate Universal Groups" earlier in this chapter.

After you complete the global group migration process, use Active Directory Users and Computers to verify that the global groups migrated successfully. Verify that the global groups no longer exist in the source domain and that the groups appear in the target domain in the OU that you specified during the migration process. The global groups are listed as universal groups in the target domain if they still have members in the source domain. To view a list of members of the universal group, right-click the group, click Properties, and then click the Members tab. The original members of the global group are listed. Note, however, that user accounts have not yet been migrated.
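The verification described above can also be scripted. The following is an added example, not part of the original page or of ADMT. It assumes the ActiveDirectory PowerShell module on a workstation that can query both domains; the domain names, OU distinguished name, group names and snapshot path are placeholders. Run it with -Mode Snapshot before the migration, because the source SIDs can no longer be read once the groups have moved.

```powershell
# Added example (not ADMT code). All default values below are placeholders.
param(
    [Parameter(Mandatory)][ValidateSet('Snapshot', 'Verify')][string]$Mode,
    [string]$SourceDomain = 'source.example.com',
    [string]$TargetDomain = 'target.example.com',
    [string]$TargetOU     = 'OU=Migrated Groups,DC=target,DC=example,DC=com',
    [string[]]$Groups     = @('group_name1', 'group_name2'),
    [string]$SnapshotPath = '.\source-group-sids.csv'
)
Import-Module ActiveDirectory

# Returns the group, or $null only when the directory reports "not found".
# Any other failure (DC unreachable, access denied) stops the script, so an
# outage is never reported as "group no longer exists in the source domain".
function Find-Group([string]$Name, [string]$Domain) {
    try {
        Get-ADGroup -Identity $Name -Server $Domain -Properties SIDHistory -ErrorAction Stop
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $null
    }
}

if ($Mode -eq 'Snapshot') {
    # Before migration: record each source group's SID.
    $Groups | ForEach-Object {
        $g = Find-Group $_ $SourceDomain
        if (-not $g) { throw "Group '$_' not found in $SourceDomain" }
        [pscustomobject]@{ Name = $g.SamAccountName; SourceSid = $g.SID.Value }
    } | Export-Csv -Path $SnapshotPath -NoTypeInformation
    return
}

# After migration: one result row per group recorded in the snapshot.
$cmp = [StringComparison]::OrdinalIgnoreCase
Import-Csv -Path $SnapshotPath | ForEach-Object {
    $source  = Find-Group $_.Name $SourceDomain
    $target  = Find-Group $_.Name $TargetDomain
    $history = @($target.SIDHistory | ForEach-Object { $_.Value })
    $inOU    = $target -and $target.DistinguishedName.EndsWith(",$TargetOU", $cmp)
    [pscustomobject]@{
        Group          = $_.Name
        GoneFromSource = ($null -eq $source)
        InTargetOU     = [bool]$inOU
        # Universal while members remain in the source domain, Global afterwards.
        Scope          = $(if ($target) { $target.GroupScope } else { 'missing' })
        SidHistoryKept = ($history -contains $_.SourceSid)
    }
} | Format-Table -AutoSize
```

A row with SidHistoryKept set to False means the migrated group no longer carries the source group's SID, so access to source-domain resources that was granted through that group will not carry over.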

You can migrate global groups by using the ADMT console, by using the ADMT command-line option, or by using a script.

To migrate global groups by using the ADMT console

  1. On the member server in the target domain where ADMT is installed, log on by using a user account that is a member of the ADMT account migration group.

  2. Start ADMT, and select Group Account Migration Wizard.

  3. Complete the Group Account Migration Wizard by using the information provided in Table 12.7.

    Table 12.7   Using the Group Account Migration Wizard to Migrate Groups

    | Wizard Page | Action |
    | --- | --- |
    | Test or Make Changes | Click Migrate Now? |
    | Domain Selection | In the Source domain box, type the NetBIOS or DNS name of the source domain or select the name from a list. In the Target domain box, type the NetBIOS or DNS name of the target domain. If ADMT includes the names of the source and target domains, ensure that they are correct. |
    | Group Selection | Click Add. In the Select Groups dialog box, select all global groups that you want to migrate (except built-in and well-known groups), click Add, and then click OK. |
    | Organizational Unit Selection | Type the name of the OU, or click Browse. In the Browse for Container dialog box, find the container in the target domain that you want to move the global groups into, and then click OK. |
    | Group Options | Click Migrate Group SIDs to target domain. Click Do not rename accounts. Ensure that no other options are selected. |
    | Naming Conflicts | Click Ignore conflicting accounts and don’t migrate. |

  4. After the wizard runs, click View Log, and review the migration log for any errors.

  5. Open Active Directory Users and Computers, and then locate the target domain OU. Verify that the global groups exist in the target domain OU.

To migrate global groups by using the ADMT command-line option

  1. On the member server in the target domain where ADMT is installed, log on by using a user account that is a member of the ADMT account migration group.

  2. At a command line, type:

    ADMT GROUP /N "group_name1" "group_name2" /IF:YES /SD:"source_domain" /TD:"target_domain" /TO:"target_OU" [parameters]
    

    Alternatively, you can include parameters in an option file that is specified at the command line as follows:

    ADMT GROUP /N "group_name1" "group_name2" /O: "option_file.txt"
    

    Table 12.8 lists the parameters that are required for migrating global groups, the command-line parameters, and option file equivalents.

    Table 12.8   Parameters Required for Global Group Migrations

    | Parameters | Command-Line Syntax | Option File Syntax |
    | --- | --- | --- |
    | Intra-Forest | /IF:YES | IntraForest=YES |
    | Target domain | /TD:"target_domain" | TargetDomain="target_domain" |
    | Target OU location | /TO:"target_OU" | TargetOU="target_OU" |
    | Do not rename accts | /RO:DONT (default) | RenameOption=DONT |
    | Ignore conflicting accts and do not migrate them | /CO:IGNORE (default) | ConflictOptions=IGNORE |

  3. Review the results that are displayed on the screen for any errors.

  4. Open Active Directory Users and Computers, and then locate the target domain OU. Verify that the global groups exist in the target domain OU.

To migrate global groups by using a script

  1. Use a script that incorporates ADMT commands and options for migrating universal groups. For more information about migrating universal groups, see "Migrate Universal Groups" earlier in this chapter.

  2. After completing the global group migration by using a script, view the migration log. The migration.log file is stored in the folder where you installed ADMT, typically %Program Files%\Active Directory Migration Tool.

    For a sample script to assist you in migrating groups, see "Migrating Groups Within a Forest" (DSSRERA_2.wsf) on the Windows Server 2003 Deployment Kit companion CD (or see "Migrating Groups Within a Forest" on the Web at https://www.microsoft.com/reskit).

Note

Because universal groups are replicated to the global catalog, converting global groups to universal groups can affect replication traffic. When the domain is operating at the Windows Server 2003 functional level, this impact is reduced because only changes to the universal group membership are replicated. However, if the domain is not operating at the Windows Server 2003 functional level, the entire group membership replicates every time universal group membership changes.