Identifying Service Accounts for Your Migration

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Identify the member servers and domain controllers in the source domain that run applications in the context of a service account. A service account is a user account created as a means to provide a security context for applications. The service account is a standard user account that is granted permission to log on as a service. ADMT does not migrate services that run in the context of the Local System account because they are migrated when the computer is migrated; however, services that run in the context of a user account must be updated on the computer after you have completed the account migration process. ADMT also cannot migrate the Local Service or Network Service accounts because they are well-known accounts that always exist in Windows Server 2003.

The process of identifying, migrating, and updating services that run in the context of user accounts involves three steps. First, the administrator starts ADMT from the target Active Directory domain controller and runs the Service Account Migration Wizard. The wizard sends an agent to each specified computer and identifies all services on that computer that are running in the context of a user account. The wizard only identifies those service accounts; it does not actually migrate the accounts. The next step, which can occur later in the migration process, is to migrate the accounts when other user accounts are migrated by means of the User Account Migration Wizard. The final step is to update the services on each computer so that they run under the migrated accounts.

The Service Account Migration Wizard scans an administrator-defined list of servers for services that are configured to use a domain account to authenticate. The accounts are then flagged as service accounts in the ADMT database. The password is never migrated when a service account is migrated. Instead, ADMT uses a clear-text representation of the password to configure the services after the service account migration. An encrypted version of the password is then stored in the "password.txt" file in the ADMT installation folder.

An administrator of a workstation or server can install any service and configure the service to use any domain account. If the administrator cannot configure the service to authenticate with the correct password, then the service will be unable to start. After the service account is migrated, ADMT configures the service on the workstation or the server to use the new password and the service will now start under the user account.

It is important to include in the Service Account Migration Wizard only those servers that are managed by trusted administrators. Do not use the Service Account Migration Wizard to detect service accounts on computers that are not managed by trusted administrators, such as workstations.

Dispatch agents to all servers managed by trusted administrators in the domain to ensure that you do not overlook any service accounts. If you miss a service account that shares an account with a service that has already been migrated, it is not possible for ADMT to synchronize them. You must then manually change the password for the service account and then reset the service account password on each server that is running that service.

When the accounts that the Service Account Migration Wizard identifies in the ADMT database as running in the context of a user account are migrated to the target domain, ADMT grants each account the right to log on as a service. If the service account is assigned rights by means of its membership in a group, the Security Translation Wizard updates the account to assign those rights. For more information about running the Security Translation Wizard, see "Transitioning Service Accounts in Your Migration" later in this chapter.
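As an added illustration (not ADMT code, and not part of the original chapter), the following Python applies the rule the text describes to a service inventory: Local System, Local Service and Network Service are skipped, local accounts are ignored, and services that log on with a source-domain user account are flagged, grouped by account so that an account shared across several servers (the case the previous paragraph warns about) is visible before migration. The computer names, service names, account names and inventory rows are constructed; in practice the rows would be collected from each server's Win32_Service SystemName, Name and StartName values.

```python
from collections import defaultdict

# Logon accounts ADMT does not migrate: they move with the computer itself.
WELL_KNOWN = {"localsystem", r"nt authority\system",
              r"nt authority\localservice", r"nt authority\networkservice"}

def classify(start_name, computer, source_names):
    """'well-known', 'local', 'domain' (source-domain user) or 'other-domain'."""
    name = (start_name or "").strip().lower()
    if name in WELL_KNOWN:
        return "well-known"
    if "\\" in name:                      # DOMAIN\user, .\user or HOST\user
        dom = name.split("\\", 1)[0]
        if dom in (".", computer.lower()):
            return "local"
        return "domain" if dom in source_names else "other-domain"
    if "@" in name:                       # UPN form user@dns.domain
        return "domain" if name.rsplit("@", 1)[1] in source_names else "other-domain"
    return "local"

def find_service_accounts(inventory, source_domain_names):
    """Map each source-domain account to every 'computer\\service' that uses it.
    inventory rows are (computer, service, start_name)."""
    names = {n.lower() for n in source_domain_names}
    hits = defaultdict(list)
    for computer, service, start_name in inventory:
        if classify(start_name, computer, names) == "domain":
            hits[start_name.lower()].append(f"{computer}\\{service}")
    return {acct: sorted(svcs) for acct, svcs in hits.items()}

def shared_accounts(service_accounts):
    """Accounts used on more than one computer: all of those servers must be
    updated after the account migrates, or ADMT cannot keep them in sync."""
    return {a: s for a, s in service_accounts.items()
            if len({x.split("\\", 1)[0] for x in s}) > 1}
# Constructed sample rows, shaped like Win32_Service SystemName/Name/StartName.
SAMPLE_INVENTORY = [
    ("SQL01", "MSSQLSERVER", r"CORP\svc_sql"),
    ("SQL01", "SQLSERVERAGENT", r"CORP\svc_sql"),
    ("APP02", "BackupSvc", r"CORP\svc_sql"),          # same account, second server
    ("APP02", "WebFrontEnd", r"NT AUTHORITY\NetworkService"),
    ("APP02", "LocalAgent", r".\agentuser"),
    ("FILE03", "Archiver", "svc_archive@corp.example.com"),
    ("FILE03", "PartnerSync", r"PARTNER\svc_sync"),   # account from a trusting domain
]

if __name__ == "__main__":
    found = find_service_accounts(SAMPLE_INVENTORY, ["CORP", "corp.example.com"])
    print(found, "\nshared across servers:", sorted(shared_accounts(found)))
```

Every server listed for an account is one the Service Account Migration Wizard must be pointed at; otherwise that server's service keeps the old password after the account is migrated.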

To identify service accounts by using the ADMT console

  1. On the domain controller on which ADMT is installed, log on by using the ADMT account migration account.

  2. Open the Active Directory Migration Tool console and then select Service Account Migration Wizard.

  3. Complete the Service Account Migration Wizard by using the information in Table 11.4.

    Table 11.4   Using the Service Account Migration Wizard

    Wizard Page: Domain Selection
    Action:
      In the Source domain box, type or select the NetBIOS or DNS name of the source domain.
      In the Target domain box, type or select the NetBIOS or DNS name of the target domain.

    Wizard Page: Update Information
    Action:
      Click Yes, update the information.

    Wizard Page: Service Account Selection
    Action:
      Click Add.
      In the Select Computers list box, click the names of all servers that are capable of running services in the source domain and in all domains that trust the source domain.
      Click OK, and then click Next.

    Wizard Page: Service Account Information
    Action:
      Select any user accounts that do not need to be marked as service accounts in the ADMT database, and then click Skip/Include to mark them as Skip.

  4. When the wizard has finished running on all computers, on the Server List page, click View Log, and review the migration log for any errors.

To identify service accounts by using the ADMT command-line option

  1. On a domain controller in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. At the command line, type:

    ADMT SERVICE /N "computer_name1" "computer_name2" /SD:"source_domain" /TD:"target_domain"

    computer_name1 and computer_name2 are the names of computers in the source domain that run services under service accounts.

    Alternatively, you can include parameters in an option file that is specified at the command line as follows:

    ADMT SERVICE /N "computer_name1" "computer_name2" /O:"option_file.txt"

    Table 11.5 lists the common parameters used for the identification of service accounts, along with the command-line parameter and option file equivalents.

    Table 11.5   Common Parameters Used for Service Account Identification

    Parameter        Command-Line Syntax     Option File Syntax
    Source domain    /SD:"source_domain"     SourceDomain="source_domain"
    Target domain    /TD:"target_domain"     TargetDomain="target_domain"

  3. Review the results that are displayed on the screen for any errors.

To identify service accounts by using a script

  • Create a script that incorporates ADMT commands and options for identifying service accounts by using the sample script shown in Listing 11.3.

    Listing 11.3   Identifying Service Accounts

    <Job id="IdentifyingServiceAccounts">
    <Script language="VBScript" src="AdmtConstants.vbs" />
    <Script language="VBScript">
       Option Explicit

       Dim objMigration
       Dim objServiceAccountEnumeration

       '
       'Create instance of ADMT migration objects.
       '

       Set objMigration = CreateObject("ADMT.Migration")
       Set objServiceAccountEnumeration = _
          objMigration.CreateServiceAccountEnumeration

       '
       'Specify general migration options.
       '

       objMigration.SourceDomain = "source domain"

       '
       'Enumerate service accounts on specified computers.
       'admtData (defined in AdmtConstants.vbs) means the computer names
       'are supplied in the array rather than read from a file.
       '

       objServiceAccountEnumeration.Enumerate admtData, _
          Array("computer name1", "computer name2")

       Set objServiceAccountEnumeration = Nothing
       Set objMigration = Nothing
    </Script>
    </Job>

    For a script file to assist you in creating a script to identify service accounts, see "Identifying Service Accounts" (DSSRENT_5.wsf) on the Windows Server 2003 Deployment Kit companion CD (or see "Identifying Service Accounts" on the Web at https://www.microsoft.com/reskit).