Enabling Migration of Passwords

  • Article

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

The Active Directory Migration Tool (ADMT) uses the Password Export Server service version 3.1 (PES v3.1) to help you migrate passwords when you perform an interforest migration. PES v3.1 can be downloaded from Microsoft Connect (https://go.microsoft.com/fwlink/?LinkId=401534), the same location where you can download ADMT. The PES service can be installed on any writable domain controller in the source domain that supports 128-bit encryption.

Note

The PES service cannot be installed on read-only domain controllers (RODCs).

Because ADMT does not check all settings of the target domain password policy, users need to explicitly set their password after migration unless the Password never expires or Smartcard is required for interactive logon flags are set.

The PES service installation in the source domain requires an encryption key. However, you must create the encryption key on the computer running the ADMT in the target domain. When you create the key, save it to a shared folder on your network or onto removable media so that you can copy it to the local drive of the source domain controller where the PES service is installed. Store it in a secure location that you can reformat after the migration is complete.

You can install the PES service after you install ADMT. The following procedures explain how to install and use the PES service on computers running Windows Server 2008 or later.

Membership in Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To create an encryption key

  • At a command line, type the following command, and then press ENTER:

    admt key /option:create /sourcedomain:<SourceDomain> /keyfile:<KeyFilePath> /keypassword:{<password>|*}

    Value Description

    <SourceDomain>

    Specifies the name of the source domain in which the PES service is being installed. Can be specified as either the Domain Name System (DNS) or NetBIOS name.

    <KeyFilePath>

    Specifies the path to the location where the encrypted key is stored.

    {<password>|*}

    A password, which provides key encryption, is optional. To protect the shared key, type either the password or an asterisk (*) on the command line. The asterisk causes you to be prompted for a password that is not displayed on the screen.

After you create the encryption key, configure the PES service on a domain controller in the source domain.

ADMT provides the option to run the PES service under the Local System account or by using the credentials of an authenticated user in the target domain. We recommend that you run the PES service as an authenticated user in the target domain. This way, you do not have to add the Everyone group and the Anonymous Logon group to the Pre–Windows 2000 Compatible Access group.

Note

If you run the PES service under the Local System account, ensure that the Pre–Windows 2000 Compatible Access group in the target domain contains the Everyone group and the Anonymous Logon group.

To configure the PES service in the source domain

  1. On the domain controller that runs the PES service in the source domain, insert the encryption key disk.

  2. Run Pwdmig.msi. If you set a password during the key generation process on the domain controller in the target domain, provide the password that was given when the key was created, and then click Next.

    Wizard page Action

    Welcome to the ADMT Password Migration DLL Installation Wizard

    Click Next.

    Encryption File

    To install the ADMT Password Migration dynamic-link library (DLL), you must specify a file that contains a valid password encryption key for this source domain. The key file must be located on a local drive.

    You use the admt key command to generate the key files. For more information, see the previous procedure "To create an encryption key."

    Run the service as

    Specify the account that you want the PES service to run under. You can specify either of the following accounts:

    • The local System account

    • A specified user account

    Note
    If you plan to run the PES service as an authenticated user account, specify the account in the format domain\user_name.

    Summary

    Click Finish to complete the PES service installation.

    Note

    To use the password migration of ADMT, you must restart the server where you installed the PES service. 

    <p></p>
</div></td>
</tr>
</tbody>
</table>

    1. After installation completes, restart the domain controller.

    2. After the domain controller restarts, to start the PES service, point to Start, point to All Programs, point to Administrative Tools, and then click Services.

    3. In the details pane, right-click Password Export Server Service, and then click Start.

    Note

    Run the PES service only when you migrate passwords. Stop the PES service after you complete the password migration.