Remigrating Global Groups
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
A large user account migration might take place over an extended period of time. For this reason, you might need to remigrate global groups from the source to the target domain to reflect changes made to the groups in the source domain after the initial global group migration occurred. This procedure updates global group membership without overwriting previously migrated user accounts.
Note
Do not migrate global groups during peak work hours. The global group migration process consumes a large amount of network resources and resources on the domain controller that is running ADMT.
You can migrate global groups by using the Active Directory Migration Tool console, by using the ADMT command-line option, or by using a script.
To remigrate global groups from a Windows NT 4.0 source domain by using the ADMT console
On the domain controller in the target domain on which ADMT is installed, log on by using the ADMT account migration account.
Open the Active Directory Migration Tool console, and select Group Account Migration Wizard.
Complete the Group Account Migration Wizard by using the information provided in Table 10.16.
Table 10.16 Using the Group Account Migration Wizard to Remigrate Groups
Wizard Page Action Test or Make Changes
Select Migrate Now?
Domain Selection
In the Source domain box, type the NetBIOS name of the source domain or select the name from a list.
In the Target domain box, type the NetBIOS or DNS name of the target domain.
If ADMT includes the names of the source and target domains, ensure that they are correct.
Group Selection
Click Add.
In the Select Groups dialog box, select all global groups that you want to migrate (except built-in groups), click Add, and then click OK.
Organizational Unit Selection
Type in the name of the OU or click Browse.
In the Browse for Container dialog box, find the container in the target domain you want to move the global groups into, and then click OK.
Group Options
Select Update user rights.
Ensure that Copy group members is not selected.
Ensure that Update previously migrated objects is not selected.
Select Fix membership of group.
Select Migrate Group SIDs to target domain.
Select Do not rename accounts.
User Account
Enter User name, Password, and Domain of an account that has administrative rights in the source domain.
Naming Conflicts
Select Replace conflicting accounts.
Select Remove existing user rights.
Select Remove existing members of groups being replaced.
Ensure that Move replaced accounts to specified target Organizational Unit is not selected.
When the wizard has finished running, click View Log and review the migration log for any errors.
Start Active Directory Users and Computers, and then navigate to the target OU. Verify that the global groups exist in the target domain OU.
To remigrate global groups from a Windows NT 4.0 source domain by using the ADMT command-line option
On the domain controller in the target domain on which ADMT is installed, log on using the ADMT account migration account.
At the command line, type:
ADMT GROUP /N “group_name1” “group_name2” /SD:”source_domain” /TD:”target_domain” /TO:”target_OU” /MSS:YES /UGR:YES /MMS:NO /CO:REPLACE+REMOVEUSERRIGHTS+REMOVEMEMBERSAlternatively, you can include parameters in an option file that is specified on the command line as follows:
ADMT GROUP /N “group_name1” “group_name2” /O: “option_file.txt”Table 10.17 lists the parameters required for remigrating global groups, along with the command-line parameter and option file equivalents.
Table 10.17 Parameters Required for Global Group Remigrations
Parameters Command-Line Syntax Option File Syntax Source domain
/SD:"source_domain"SourceDomain="source_ domain"Target domain
/TD:"target_domain"TargetDomain="target_ domain"Target OU location
/TO:"target_OU"TargetOU="target_OU"Migrate GG SIDs
/MSS:YESMigrateSIDs=YESDo not rename accts
/RO:DONT(default)RenameOption=DONTUpdate user rights
/UGR:YESUpdateGroupRights=YESCopy group members
/MMS:NOMigrateMembers=NOIgnore conflicting accts and do not migrate them
/CO:REPLACE+REMOVEUSER RIGHTS+REMOVEMEMBERS
ConflictOptions=REPLACE+REMOVEUSERRIGHTS+REMOVE MEMBERSReview the results that are displayed on the screen for any errors.
Start Active Directory Users and Computers, and then navigate to the target OU. Verify that the global groups exist in the target domain OU.
To remigrate global groups by using a script
Prepare a script that incorporates ADMT commands and options for remigrating global groups by using the sample script shown in Listing 10.9.
Listing 10.9 Remigrating Global Groups
<Job id=" RemigratingGlobalGroupsNTSource" > <Script language=" VBScript" src=" AdmtConstants.vbs" /> <Script language=" VBScript" > Option Explicit Dim objMigration Dim objGroupMigration ' 'Create instance of ADMT migration objects. ' Set objMigration = CreateObject(" ADMT.Migration" ) Set objGroupMigration = objMigration.CreateGroupMigration ' 'Specify general migration options. ' objMigration.SourceDomain = " source domain" objMigration.TargetDomain = " target domain" objMigration.TargetOu = " target container" objMigration.ConflictOptions = admtReplaceConflicting + _ admtRemoveExistingUserRights + admtRemoveExistingMembers ' 'Specify group migration specific options. ' objGroupMigration.MigrateSIDs = True objGroupMigration.UpdateGroupRights = True objGroupMigration.UpdatePreviouslyMigratedObjects = False objGroupMigration.FixGroupMembership = True objGroupMigration.MigrateMembers = False ' 'Migrate specified group objects. ' objGroupMigration.Migrate admtData, Array(" group name1" ," group name2" ) Set objGroupMigration = Nothing Set objMigration = Nothing </Script> </Job>For a script file to assist you in creating a script to migrate global groups, see "Remigrating Global Groups — Windows NT 4.0 Source" (DSSRENT_11.wsf) on the Windows Server 2003 Deployment Kit companion CD (or see "Remigrating Global Groups — Windows NT 4.0 Source" on the Web at https://www.microsoft.com/reskit).