Export (0) Print
Expand All

Migrating Global Groups

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In order to preserve the global group user memberships, you must migrate global groups before you migrate users.

Global group migration involves the following steps:

  1. The administrator selects the global group objects in the source domain. ADMT reads the objects in the source domain.

  2. A new global group object is created in the target domain. A new primary SID is created for the object in the target domain.

  3. To preserve resource access if you are migrating SID history, ADMT adds the SID of the global group in the source domain to the SID history attribute of the new global group in the target domain.

Following the migration, audit events are logged in both the source and the target domain.

Note

  • If the user account migration process takes place over an extended period of time, then you might need to remigrate global groups from the source to the target domain to propagate membership changes that are made in the source domain before the migration process is complete. For more information about remigrating global groups, see "Remigrating Global Groups" later in this chapter.

You can migrate global groups by using the Active Directory Migration Tool console, by using the ADMT command-line option, or by using a script. For a worksheet to assist you in completing your initial global group migration, see "User and Group Object Assignment Table — Windows NT 4.0 Source" (DSSRENT_1.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "User and Group Object Assignment Table — Windows NT 4.0 Source" on the Web at http://www.microsoft.com/reskit).

To migrate global groups from a Windows NT 4.0 source domain by using the ADMT console

  1. On the domain controller in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. Open the Active Directory Migration Tool console, and then select Group Account Migration Wizard.

  3. Complete the Group Account Migration Wizard by using the information provided in Table 10.8.

    Table 10.8   Using the Group Account Migration Wizard to Migrate Groups

     

    Wizard Page Action

    Test or Make Changes

    Select Migrate Now?

    Domain Selection

    In the Source domain box, type the NetBIOS name of the source domain or select the name from a list.

    In the Target domain box, type the NetBIOS or DNS name of the target domain.

    If ADMT includes the names of the source and target domains, ensure that they are correct.

    Group Selection

    Click Add.

    In the Select Groups dialog box, select all global groups that you want to migrate (except built-in groups), click Add, and then click OK.

    Organizational Unit Selection

    Type in the name of the OU or click Browse.

    In the Browse for Container dialog box, find the container in the target domain you want to move the global groups into, and then click OK.

    Group Options

    Select Migrate Group SIDs to target domain.

    Select Do not rename accounts.

    Make sure that all other options are not selected.

    User Account

    Enter User name, Password, and Domain of an account that has administrative rights in the source domain.

    Naming Conflicts

    Select Ignore conflicting accounts and don’t migrate.

  4. When the wizard has finished running, click View Log, and then review the migration log for any errors.

  5. Start Active Directory Users and Computers, and then navigate to the target OU. Verify that the global groups exist in the target domain OU.

To migrate global groups from a Windows NT 4.0 source domain by using the ADMT command-line option

  1. On the domain controller in the target domain on which ADMT is installed, log on using the ADMT account migration account.

  2. At the command line, type:

    
                  ADMT GROUP /N “
                  group_name1
                  ” “
                  group_name2
                  ” /SD:”
                  source_domain
                  ” /TD:”
                  target_domain
                  ” /TO:”
                  target_OU
                  ” /MSS:YES
                
    

    Alternatively, you can include parameters in an option file that is specified on the command line as follows:

    
                  ADMT GROUP /N “
                  group_name1
                  ” “
                  group_name2
                  ” /O: “
                  option_file.txt
                  ”
                
    

    Table 10.9 lists the parameters required for migrating global groups, along with the command-line parameter and option file equivalents.

    Table 10.9   Parameters Required for Global Group Migrations

     

    Parameters Command-Line Syntax Option File Syntax

    Source domain

    /SD:"source_domain"

    SourceDomain="source_

    domain"

    Target domain

    /TD:"target_domain"

    TargetDomain="target_

    domain"

    Target OU location

    /TO:"target_OU"

    TargetOU="target_OU"

    Migrate GG SIDs

    /MSS:YES

    MigrateSIDs=YES

    Do not rename accts

    /RO:DONT (default)

    RenameOption=DONT

    Ignore conflicting accts and do not migrate them

    /CO:IGNORE (default)

    ConflictOptions=IGNORE

  3. Review the results that are displayed on the screen for any errors.

  4. Start Active Directory Users and Computers, and then navigate to the target OU. Verify that the global groups exist in the target domain OU.

To migrate global groups by using a script

  • Prepare a script that incorporates ADMT commands and options for migrating global groups by using the sample script shown in Listing 10.5.

    Listing 10.5   Migrating Global Groups

    <Job id=" MigratingGlobalGroupsNTSource" >
    <Script language=" VBScript"  src=" AdmtConstants.vbs" />
    <Script language=" VBScript" >
       Option Explicit
    
       Dim objMigration
       Dim objGroupMigration
    
       '
       'Create instance of ADMT migration objects.
       '
       Set objMigration = CreateObject(" ADMT.Migration" )
       Set objGroupMigration = objMigration.CreateGroupMigration
    
       '
       'Specify general migration options.
       '
       objMigration.SourceDomain = " source domain" 
       objMigration.TargetDomain = " target domain" 
       objMigration.TargetOu = " target container" 
    
       '
       'Specify group migration specific options.
       '
       objGroupMigration.MigrateSIDs = True
    
       '
       'Migrate specified group objects.
       '
       objGroupMigration.Migrate admtData, Array(" group name1" ," group name2" )
    
       Set objGroupMigration = Nothing
       Set objMigration = Nothing
    </Script>
    </Job>
    
    

    For a script file to assist you in creating a script to migrate global groups, see "Migrating Global Groups — Windows NT 4.0 Source" (DSSRENT_7.wsf) on the Windows Server 2003 Deployment Kit companion CD (or see "Migrating Global Groups —Windows NT 4.0 Source" on the Web at http://www.microsoft.com/reskit).

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft