Determining Your Account Migration Process

Applies to: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

With the Active Directory Migration Tool (ADMT), you can use security identifier (SID) history to maintain resource permissions when you migrate accounts. However, if SID filtering is enabled between your source and target domains and you do not trust the administrators in the source domain, you cannot disable SID filtering. Nor can you use SID history to enable access to resources in the source domain. In this case, you must use a different migration process.

You can choose one of the following three methods to migrate accounts between forests while maintaining user rights to access resources in the source domain:

  • Migrate user accounts while using SID history for resource access. With this method, you remove SID filtering on the trusts between the domains to enable users to access resources in the source domain by means of their SID history credentials.

    • If you have a forest trust in place, you remove SID filtering on the forest trust. (You can also override the forest trust by creating an external trust so that the domain that holds the resources trusts the target domain and then removing SID filtering on the external trust.)

    • If you do not have a forest trust in place, you establish external trusts between the source and target domains. You then have to remove SID filtering on the external trusts.

    For more information about this process, see Migrating Accounts While Using SID History, later in this guide.

  • Migrate all users, groups, and resources to the target domain in one step. For more information about this process, see Migrating Accounts While Using SID History, later in this guide.

  • Migrate user accounts without using SID history for resource access, but translate security for all resources before the migration process to ensure resource access. For more information about migrating accounts without using SID history, see Migrating Accounts Without Using SID History, later in this guide.

To determine which account migration process is best for your organization, you must first determine if you can disable SID filtering and migrate accounts while using SID history for resource access. You can safely do this if the administrators of the source domain fully trust the administrators of the target domain. You might disable SID filtering if one of the following conditions applies:

  • The administrators of the trusting domain are the administrators of the trusted domain.

  • The administrators of the trusting domain trust the administrators of the trusted domain and are confident that they have secured the domain appropriately.

If you disable SID filtering, you remove the security boundary between forests, which otherwise provides data and service isolation between the forests. For example, an administrator in the target domain who has service administrator rights or an individual who has physical access to a domain controller can modify the SID history of an account to include the SID of a domain administrator in the source domain. When the user account for which the SID history has been modified logs on to the target domain, it presents valid domain administrator credentials for, and can obtain access to, resources in the source domain.

For this reason, if you do not trust the administrators in the target domain or do not believe that the domain controllers in the target domain are physically secure, enable SID filtering between your source and target domains, and migrate user accounts without using SID history for resource access.
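As an added example (not part of the ADMT guide), the following PowerShell reads the trust attributes of each trust and reports whether SID filtering is in effect, so you can see which branch of the decision above applies. It assumes the ActiveDirectory module's Get-ADTrust cmdlet for live runs and uses constructed sample trust objects for offline use; the attribute bit values are the documented trustAttributes flags.

```powershell
# Added example, not part of the ADMT guide. Assumes the ActiveDirectory
# module's Get-ADTrust for live runs; the sample trust objects are constructed.
# Bit values are the documented trustAttributes flags (MS-ADTS).
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4   # SID filtering quarantine (netdom /quarantine:yes)
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8   # trust is a forest trust
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40  # SID history allowed (netdom /enablesidhistory:yes)

function Get-SidFilteringAudit {
    param([Parameter(ValueFromPipeline)] $Trust)   # objects from Get-ADTrust -Filter *
    process {
        $attr         = [int]$Trust.TrustAttributes
        $isForest     = ($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0
        $quarantined  = ($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0
        $sidHistoryOn = ($attr -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) -ne 0
        # External trusts filter SIDs only while quarantined; forest trusts filter
        # unless SID history was explicitly enabled, and are stricter when quarantined.
        if ($isForest) { $filtering = (-not $sidHistoryOn) -or $quarantined }
        else           { $filtering = $quarantined }
        [pscustomobject]@{
            Trust        = $Trust.Name
            Kind         = if ($isForest) { 'Forest' } else { 'External' }
            SidFiltering = if ($filtering) { 'Enabled' } else { 'Disabled' }
            Process      = if ($filtering) {
                'Migrate without SID history: translate security on source resources first'
            } else {
                'SID history usable; forest boundary removed: confirm target admins and DCs are trusted'
            }
        }
    }
}

# Constructed sample: a default forest trust and an external trust whose
# SID filtering has been removed (quarantine bit cleared).
$sampleTrusts = @(
    [pscustomobject]@{ Name = 'corp.example';   TrustAttributes = 0x8 }
    [pscustomobject]@{ Name = 'legacy.example'; TrustAttributes = 0x0 }
)
$sampleTrusts | Get-SidFilteringAudit | Format-Table -AutoSize

# Live run against the real trusts of the current domain:
# Get-ADTrust -Filter * | Get-SidFilteringAudit | Format-Table -AutoSize
```

Any trust reported as Disabled is one where the security boundary described above no longer holds, so review it against the two trust conditions before migrating with SID history.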

The following illustration shows the decision process involved in determining which migration process is appropriate for your organization.