Plan for Service Account Transitioning

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

Most services run within the context of the Local System account. Consequently, they do not need any maintenance when they are migrated to a different domain. Some services, however, run in the context of a user account instead of the Local System account.

Service account transitioning refers to the process of identifying, migrating, and updating services that run in the context of user accounts. This process has three steps. First, the administrator starts the Active Directory Migration Tool (ADMT) from the target Active Directory domain controller and runs the Service Account Migration Wizard. Second, the Service Account Migration Wizard sends an agent to a specified computer and identifies (but does not migrate) all the services on the computer that are running in the context of a user account. The third step, which can occur later in the migration process, is to migrate the accounts when other user accounts are migrated with the User Account Migration Wizard.

The Service Account Migration Wizard checks every service on a computer to identify services that run in the context of a user account. This creates a possible security hole: a user who is not a service administrator can configure a service on their own computer to run under an account that has administrative permissions in the source domain, entering an invalid password for that account. Before migration the service cannot start, because the password is wrong. After migration it will start and run with those administrative permissions, because ADMT resets the password of the service account and reconfigures every service that uses that account with the new password.

To eliminate this possible security problem, include in the Service Account Migration Wizard only those servers that are managed by trusted administrators. Do not use the Service Account Migration Wizard to detect service accounts on computers that are not managed by trusted administrators, such as workstations.
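The following PowerShell script is an added pre-check, not part of the ADMT documentation. Before a computer is included in the Service Account Migration Wizard, it lists every service on that computer that runs under a source-domain user account and flags the pattern described above: a logon account that holds privileged group membership on a service that is not running. It assumes the ActiveDirectory module, rights to query the source domain and the target computers, and the placeholder computer names, domain name and group list given in the parameters.

```powershell
param(
    [string[]]$ComputerName = @('FILESRV01', 'APPSRV01'),   # constructed placeholder names
    [string]$SourceDomain   = 'source.corp.example',        # constructed placeholder domain
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                                    'Account Operators', 'Server Operators', 'Backup Operators')
)
Import-Module ActiveDirectory

$domain  = Get-ADDomain -Server $SourceDomain
$netbios = $domain.NetBIOSName
$dnsRoot = $domain.DNSRoot

# Build the set of user accounts that are members (nested included) of the privileged groups.
$privileged = @{}
foreach ($g in $PrivilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -Server $SourceDomain |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { $privileged[$_.SamAccountName.ToLowerInvariant()] = $true }
    } catch { Write-Warning "Could not enumerate group '$g': $_" }
}

# Inventory services whose logon account is a source-domain user (DOMAIN\user or user@dns).
$findings = foreach ($computer in $ComputerName) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $computer | ForEach-Object {
        $logon = $_.StartName
        $user  = $null
        if ($logon -match '^(?<dom>[^\\]+)\\(?<user>[^\\]+)$' -and $Matches.dom -ieq $netbios) { $user = $Matches.user }
        elseif ($logon -match '^(?<user>[^@]+)@(?<dom>.+)$' -and $Matches.dom -ieq $dnsRoot) { $user = $Matches.user }
        if (-not $user) { return }   # LocalSystem, NT AUTHORITY\*, NT SERVICE\*, local or other-domain accounts
        [pscustomobject]@{
            Computer   = $computer
            Service    = $_.Name
            Account    = $logon
            State      = $_.State
            StartMode  = $_.StartMode
            Privileged = $privileged.ContainsKey($user.ToLowerInvariant())
        }
    }
}

# A privileged account on a service that is not running is the case to review before
# migration: once ADMT resets the password, that service would start with those rights.
$findings | Where-Object { $_.Privileged -and $_.State -ne 'Running' } |
    Format-Table Computer, Service, Account, State, StartMode -AutoSize
```

Review the flagged entries with the owning administrators before the computer is added to the wizard; `$findings` holds the full inventory if you want to see every domain service account on each computer.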

If a trusted computer is not identified and transitioned, its service account is not updated, and you must set the new password that ADMT creates manually. To do this, obtain the password from the Password.txt file, and then enter that account and password for the service on the computer that was not transitioned.

When the accounts that the Service Account Migration Wizard identifies in the ADMT database as running in the context of a user account are migrated to the target domain, ADMT grants each account the right to log on as a service.

To run the service account migration wizard

  1. In ADMT, start the Service Account Migration Wizard.

  2. Use the wizard by performing the steps in the following table.

    Wizard page: Domain Selection

    Action: Under Source, in the Domain drop-down list, type or select the NetBIOS or Domain Name System (DNS) name of the source domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller.

    When you perform an intraforest migration, the domain controller that holds the relative ID (RID) operations master role is always used as the source domain controller, regardless of your selection.

    Under Target, in the Domain drop-down list, type or select the NetBIOS or DNS name of the target domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller, and then click Next.

    Wizard page: Update Information

    Action: Click Yes, update the information.

    Wizard page: Computer Selection Option

    Action: Click Select computers from domain, and then click Next. On the Service Account Selection page, click Add to select the accounts in the source domain that you want to migrate, click OK, and then click Next.

    Or

    Click Read objects from an include file, and then click Next. Type the location of the include file, and then click Next.

    Wizard page: Agent Dialog

    Action: In Agent Actions, select Run pre-check and agent operation, and then click Start. A message will appear in the Agent Summary when the agent operations are complete. After the agent operations finish, click Close.

    Wizard page: Service Account Information

    Action: Select any user accounts that do not have to be marked as service accounts in the ADMT database, and then click Skip/Include to mark the accounts as Skip.

    The wizard connects to the selected computers, and then sends an agent to check every service on the remote computers. The Service Account Information page lists the services that are running in the context of a user account and the name of that user account. ADMT notes in its database that these user accounts have to be migrated as service accounts. If you do not want a user account to be migrated as a service account, select the account, and then click Skip/Include to change the status from Include to Skip.

  3. Use Update SCM to update the Service Control Manager with the new information. The Update SCM button is available only if ADMT failed to reach a computer to update a service. If you have a problem updating a service account after the account was identified and migrated, ensure that the computer that you are trying to reach is available, and then restart the Service Account Migration Wizard. In the wizard, click Update SCM to try to update the service. If you ran the Service Account Migration Wizard previously and the Update SCM button is not available, examine the ADMT log files to determine the cause of the problem. After you correct the problem and the agent can connect successfully, the Update SCM button becomes available.

To identify service accounts by using the ADMT command-line option

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. At the command line, type the following command, and then press ENTER:

    ADMT SERVICE /N "<computer_name1>" "<computer_name2>" /SD:"<source_domain>" /TD:"<target_domain>"

    Where <computer_name1> and <computer_name2> are the names of computers in the source domain that run service accounts.

    As an alternative, you can include parameters in an option file that is specified at the command line as follows:

    ADMT SERVICE /N "<computer_name1>" "<computer_name2>" /O:"<option_file>.txt"

    The following table lists the common parameters that are used for the identification of service accounts, along with the command-line parameter and option file equivalents.

    Parameter        Command-line syntax      Option file syntax

    Source domain    /SD:"source_domain"      SourceDomain="source_domain"

    Target domain    /TD:"target_domain"      TargetDomain="target_domain"

  3. Review the results that appear on the screen for any errors.

To identify service accounts by using a script

  • Create a script that incorporates ADMT commands and options for identifying service accounts by using the following sample script. Copy the script to Notepad, and save the file with a .wsf file name extension in the same folder as the AdmtConstants.vbs file.

    <Job id="IdentifyingServiceAccounts">
    <Script language="VBScript" src="AdmtConstants.vbs" />
    <Script language="VBScript">
       Option Explicit

       Dim objMigration
       Dim objServiceAccountEnumeration

       '
       'Create instance of ADMT migration objects.
       '

       Set objMigration = CreateObject("ADMT.Migration")
       Set objServiceAccountEnumeration = _
          objMigration.CreateServiceAccountEnumeration

       '
       'Specify general migration options.
       '

       objMigration.SourceDomain = "source domain"

       '
       'Enumerate service accounts on specified computers.
       'admtData is a constant defined in AdmtConstants.vbs.
       '

       objServiceAccountEnumeration.Enumerate admtData, _
          Array("computer name1", "computer name2")

       Set objServiceAccountEnumeration = Nothing
       Set objMigration = Nothing
    </Script>
    </Job>