Checklist: Performing an Intraforest Migration

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

Reducing the number of Active Directory domains in your forest simplifies the following tasks or reduces the time that is required to complete them:

  • Managing administration requirements for your organization

  • Handling replication traffic

  • Administering users and groups

  • Implementing Group Policy

If you frequently reassign users to different domains, you might also migrate objects between domains on a regular basis. Restructuring Active Directory domains within a forest differs from migration between forests, and it requires careful planning and testing.

Tasks and references

Review Active Directory Migration Tool (ADMT) installation instructions.

Reference: Installing ADMT in the Target Domain

To migrate computers that are running Windows Server 2003, Windows Vista® (without Service Pack 1 (SP1)), Windows XP, and Microsoft® Windows 2000 (by using ADMT 3.1) to a target domain, first set the following registry key on the target domain controllers:

Note
This registry key does not need to be set for migrating computers that run later versions of Windows (such as Windows Vista SP1, Windows Server 2008, Windows 7, and Windows Server 2008 R2), or that have the RODC client compatibility pack (hotfix 944043) installed.

Registry path: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters

Registry value: AllowNT4Crypto

Type: REG_DWORD

Data: 1

Note

This registry setting corresponds to the Allow cryptography algorithms compatible with Windows NT 4.0 setting in Group Policy.

For more information about making this change using Group Policy, see Microsoft Knowledge Base article 942564 (https://support.microsoft.com/default.aspx?scid=kb;EN-US;942564).

For more information about the RODC client compatibility pack, see Microsoft Knowledge Base article 944043 (https://support.microsoft.com/kb/944043).
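
One way to check and set this value across the target domain controllers, as an added PowerShell example that is not part of the original checklist. The function name Set-AllowNT4Crypto and the computer names are hypothetical, and the example assumes PowerShell 3.0 or later with PowerShell remoting enabled on the domain controllers.

```powershell
# Added example: audit, and optionally set, AllowNT4Crypto on target domain controllers.
# Function name and computer names are hypothetical (assumptions), not from the checklist.
function Set-AllowNT4Crypto {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName,
        # Without -Apply the function only reports the current state.
        [switch]$Apply
    )

    # Runs on each domain controller; registry path and value name are the ones listed above.
    $probe = {
        param($Write)
        $path = 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters'
        $name = 'AllowNT4Crypto'
        # A value that does not exist yields $null.
        $before = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ($Write -and $before -ne 1) {
            # -Force creates the REG_DWORD value or overwrites an existing one.
            New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        }
        $after = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{ Before = $before; After = $after }
    }

    foreach ($dc in $ComputerName) {
        # ShouldProcess is only consulted (and only prompts) when -Apply is given.
        $write = $Apply -and $PSCmdlet.ShouldProcess($dc, 'Set AllowNT4Crypto = 1')
        try {
            $r = Invoke-Command -ComputerName $dc -ScriptBlock $probe -ArgumentList ([bool]$write) -ErrorAction Stop
            [pscustomobject]@{
                Computer = $dc
                Before   = if ($null -eq $r.Before) { '<not set>' } else { $r.Before }
                After    = if ($null -eq $r.After)  { '<not set>' } else { $r.After }
                Changed  = $r.Before -ne $r.After
            }
        } catch {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

# Report only (placeholder computer names):
# Set-AllowNT4Crypto -ComputerName 'DC01.target.example', 'DC02.target.example'
# Set the value where it is not already 1 (prompts once per computer):
# Set-AllowNT4Crypto -ComputerName 'DC01.target.example' -Apply
```

Because the setting permits Windows NT 4.0-compatible cryptography, keeping the Before and After output with the migration records shows exactly which domain controllers were changed.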

For any migration tasks that use agent deployment and where Windows Firewall is in use, enable the File and Printer Sharing exception. This can include migration for the following situations:

  • Migrating workstation computers and member servers that are running Windows Server 2003 or Windows XP or later.

  • Migrating security settings or performing security translation.

For more information, see Enable or Disable the File and Printer Sharing Exception (https://go.microsoft.com/fwlink/?LinkID=119315).

Prepare to restructure Active Directory domains within a forest. This task has the following subtasks:

  • Evaluate the new Active Directory domain structure.

  • Assign domain object roles and locations.

  • Plan for group and test migration.

  • Create a rollback plan and a user communication plan.

  • Create migration account groups.

  • Install ADMT.

  • Plan to transition service accounts.

References: Installing ADMT in the Target Domain; Preparing to Restructure Active Directory Domains Within a Forest

Migrate universal and global groups using either the Group Account Migration Wizard or the admt group command-line tool.

Reference: Migrate Groups

Migrate service accounts using either the Service Account Migration Wizard or ADMT command-line tools, such as admt service to identify service accounts in the source domain and admt user to migrate service accounts that you specify.

Reference: Migrate Service Accounts

Migrate standalone managed service accounts using the Managed Service Account Migration Wizard or the admt managedserviceaccount command-line tool. Group managed service accounts cannot be migrated.

Reference: Migrating Managed Service Accounts

Migrate user accounts using either the User Account Migration Wizard or the admt user command-line tool.

Reference: Migrate User Accounts

Translate local user profiles using either the Security Translation Wizard or the admt security command-line tool.

Reference: Translate Local User Profiles

Migrate workstation computers and member servers using either the Computer Migration Wizard or the admt computer command-line tool.

Reference: Migrate Workstations and Member Servers

Migrate domain local groups using either the Group Account Migration Wizard or the admt group command-line tool.

Reference: Migrate Domain Local Groups

Complete post-migration tasks. This task has the following subtasks:

  • Examine migration logs for errors.

  • Verify group types.

  • Translate security on member servers.

  • Decommission the source domains.