Checklist: Performing an Interforest Migration

Updated: October 24, 2011

Applies To: Windows Server 2008, Windows Server 2008 R2

Applies to: Active Directory Migration Tool 3.1 (ADMT 3.1) and ADMT 3.2

Migrating Active Directory domains between forests (interforest migration) involves relocating objects from source domains in one forest to target domains in another forest. You might have to restructure Active Directory domains between forests for the following reasons:

  • To migrate a pilot domain into your production environment

  • To merge your Active Directory forest with the forest of another organization and consolidate the two information technology (IT) infrastructures

 

Task Reference

Review the Active Directory Migration Tool (ADMT) preinstallation instructions.

Reference: Installing ADMT in the Target Domain

To migrate computers running Windows Server 2003, Windows Vista (without Service Pack 1), Windows XP, and Microsoft Windows 2000 (using ADMT 3.1) to a target domain with domain controllers running Windows Server 2008 R2 or Windows Server 2008, first set the following registry key on the target domain controllers:

Note: This registry key does not need to be set to migrate computers that run Windows Server 2008, Windows Server 2008 R2, Windows 7, or Windows Vista SP1 or that installed the RODC client compatibility pack (hotfix 944043).

Registry path: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters

Registry value: AllowNT4Crypto

Type: REG_DWORD

Data: 1

Note: This registry setting corresponds to the "Allow cryptography algorithms compatible with Windows NT 4.0" setting in Group Policy.

For more information about making this change using Group Policy, see Microsoft Knowledge Base article 942564 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;942564).

For more information about the RODC client compatibility pack, see Microsoft Knowledge Base article 944043 (http://support.microsoft.com/kb/944043).
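
The registry change described above can be applied idempotently while recording the previous state for the migration change log. This is an added example, not code from Microsoft or ADMT; the function names Get-AllowNT4Crypto and Set-AllowNT4Crypto are hypothetical, and the script assumes an elevated PowerShell session on each target domain controller.

```powershell
# Added example: audit and set AllowNT4Crypto on a target domain controller.
# Function names are hypothetical; path, value name, type and data come from the checklist.
$Path = 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters'
$Name = 'AllowNT4Crypto'

function Get-AllowNT4Crypto {
    # Returns the current DWORD data, or $null when the value is not present.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-AllowNT4Crypto {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateSet(0, 1)][int]$Data = 1)

    $before = Get-AllowNT4Crypto
    if ($before -eq $Data) {
        Write-Verbose "$Name is already $Data; nothing to change."
    }
    elseif ($PSCmdlet.ShouldProcess("$Path\$Name", "Set REG_DWORD to $Data")) {
        # -Force creates the value if missing or overwrites the existing data.
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord `
            -Value $Data -Force | Out-Null
    }

    # Record the prior and resulting state so the change can be tracked
    # and reverted to its previous value later.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Before   = if ($null -eq $before) { '<not set>' } else { $before }
        After    = Get-AllowNT4Crypto
        Time     = Get-Date -Format o
    }
}

# Add -WhatIf to preview the change without writing to the registry.
Set-AllowNT4Crypto -Data 1 -Verbose
```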

For any migration tasks that use agent deployment and where Windows Firewall is in use, enable the File and Printer Sharing exception. This can include migration for the following situations:

  • Migrating workstation computers and member servers that are running Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 7, Windows Vista, or Windows XP.

  • Migrating security settings or performing security translation

For more information about making this change in Windows Firewall, see Enable or Disable the File and Printer Sharing Exception (http://go.microsoft.com/fwlink/?LinkID=119315).

Prepare to restructure Active Directory domains within a forest. This task has the following subtasks:

  • Determine your account migration process.

  • Assign object roles and locations.

  • Develop a test plan for your migration.

  • Create a rollback plan.

  • Manage users, groups, and user profiles.

  • Create a user communication plan.

References: Installing ADMT in the Target Domain; Planning to Restructure Active Directory Domains Between Forests

Prepare the source and target domains. This task has the following subtasks:

  • Install 128-bit encryption software.

  • Establish trusts that are required for migration.

  • Establish migration accounts for your migration.

  • Configure the source and target domains for security identifier (SID) history migration.

  • Configure the target domain organizational unit (OU) structure.

  • Install ADMT in the target domain.

  • Specify service accounts for your migration.

References: Installing ADMT in the Target Domain; Planning to Restructure Active Directory Domains Between Forests

Specify and transition service accounts using either the Service Account Migration Wizard or ADMT command-line tools. You can use the admt service command-line tool to specify service accounts in the source domain. You can use the admt user command-line tool to transition service accounts that you specify.

Reference: Transitioning Service Accounts in Your Migration

Migrate global groups using either the Group Account Migration Wizard or the admt group command-line tool.

Reference: Migrating Global Groups

Migrate managed service accounts, user accounts, and workstation accounts with their SID histories in batches. You can use either the User Account Migration Wizard or the admt user command-line tool to migrate user accounts. You can use the Managed Service Account Migration Wizard or admt managedserviceaccount command-line tool to migrate managed service accounts.

References: Migrating Accounts While Using SID History; Migrating Managed Service Accounts; Migrating All User Accounts

Migrate resources, such as member servers and domain local groups. You can use either the Computer Account Migration Wizard or the admt computer command-line tool to migrate computer accounts. You can use the Group Account Migration Wizard or the admt group command-line tool to migrate groups.

Reference: Remigrating User Accounts and Migrating Workstations in Batches

Translate security on servers to add the SIDs of the user and group accounts in the target domain to the access control lists (ACLs) of the resources. You can use either the Security Translation Wizard or the admt security command-line tool.

Reference: Translating Security in Add Mode

Repeat a migration of user accounts, workstation computers, and member servers, including translating local user profiles to user and computer objects that you migrated earlier.

Reference: Remigrating User Accounts and Migrating Workstations in Batches

Migrate domain local groups using either the Group Account Migration Wizard or the admt group command-line tool.

Reference: Migrating Domain and Shared Local Groups

Migrate domain controllers.

Reference: Migrating Domain Controllers

Complete postmigration tasks. This task has the following subtasks:

  • Translate security on member servers.

  • Decommission the source domains.

References: Translating Security on Your Member Servers; Decommissioning the Source Domain
