Migrate Service Accounts

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Migrate the service accounts that you identified earlier in the intraforest restructure process. The Service Account Migration Wizard, which you ran during that earlier step, marked those accounts as service accounts in the ADMT database; the User Account Migration Wizard uses these marks to update the Service Control Manager (SCM) on each server when it migrates the accounts. For more information about using ADMT to identify service accounts that run in the context of a user account, see "Plan for Service Account Transitioning" earlier in this chapter.

You can migrate service accounts by using the ADMT console, by using the ADMT command-line option, or by using a script.

To migrate service accounts by using the ADMT console

  • Complete the User Account Migration Wizard by using the information provided in Table 12.9.

    Table 12.9   Using the User Account Migration Wizard to Migrate Service Accounts

    Wizard page: Test or Make Changes
      Click Migrate now?

    Wizard page: Domain Selection
      In the Source domain box, type or select the name of the source domain.
      In the Target domain box, type or select the name of the target domain.

    Wizard page: User Selection
      Click Add.
      In the Select Users dialog box, select all the service accounts that were identified by the Service Account Migration Wizard, and then click Add. By default, the dialog box looks for accounts in the Users container of the source domain; if the service accounts are in another OU, click Location, and then select the OU that contains them.
      Click OK.

    Wizard page: Organizational Unit Selection
      Click Browse.
      In the Browse for Container dialog box, locate the target domain, select the container that will hold the migrated service accounts, and then click OK.

    Wizard page: User Options
      Select the Update user rights check box.
      Ensure that the Do Not Rename Accounts check box is selected.
      Ensure that no other options are selected, including Migrate associated user groups. A warning box informs you that users will lose access to resources if the global groups to which the accounts belong are not also migrated; click OK to continue with the migration.

    Wizard page: Naming Conflicts
      Click Ignore conflicting accounts and don't migrate.

    Wizard page: Service Account Information
      Click Migrate all service accounts and update SCM for items marked include. The wizard lists the service accounts that you are migrating (accounts that are not service accounts are migrated too, but they are not listed). By default, each account is marked Include. To change the status of an account, select it, and then click Skip/Include.
      Click Next to migrate the accounts.

A Migration Progress dialog box reports the status of the migration. During this time, ADMT moves the accounts to the target domain, generates a new password for each account, grants each account the right to log on as a service, and writes the new account name and password into the SCM configuration of every service that uses the account. When the status is listed as Completed in the Migration Progress dialog box, you can continue with the rest of the intraforest migration. A service that is already running keeps using the credentials it started with until it is restarted, so users might experience interruptions until each affected service has been restarted and has logged on with the migrated account. Restart every service that runs under a migrated account; this matters most for services that continually use their credentials, such as search services.
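The restart step above is easy to miss on a server with many services, and a service whose SCM entry ADMT did not update will not be obvious until it next fails to start. The following PowerShell script is an added example, not part of the original chapter, for checking the SCM on each server after the wizard reports Completed: it lists every service still bound to a source-domain account, and restarts the running services that now use a target-domain account so that they log on with the password that ADMT generated. The domain NetBIOS names and the server list are placeholders to replace; it uses the Win32_Service WMI class so that it works against remote servers without PowerShell remoting.

```powershell
# Added example; not part of the original chapter. Run it after the Migration
# Progress dialog box reports Completed.
# Assumptions (placeholders to replace): the NetBIOS names of the source and
# target domains, and the servers on which the migrated service accounts run.
$SourceDomain = 'SOURCEDOM'
$TargetDomain = 'TARGETDOM'
$Servers      = @('SRV01', 'SRV02')

function Get-DomainServices {
    # Returns the Win32_Service instances on $Computer whose logon account
    # belongs to $Domain. StartName is "DOMAIN\account" for domain accounts and
    # "LocalSystem" or "NT AUTHORITY\..." for built-in ones, which are skipped.
    param([string]$Computer, [string]$Domain)
    Get-WmiObject -Class Win32_Service -ComputerName $Computer |
        Where-Object { $_.StartName -and ($_.StartName -split '\\', 2)[0] -eq $Domain }
}

function Restart-WmiService {
    # Stops and restarts one Win32_Service instance through its WMI methods.
    # Returns $true when the service is running again.
    param($Service)
    $rc = $Service.StopService().ReturnValue   # 0 = success; 3 = dependent services still running
    if ($rc -ne 0) { return $false }
    for ($i = 0; $i -lt 30; $i++) {            # wait up to 30 s for the stop to complete
        Start-Sleep -Seconds 1
        $Service = Get-WmiObject -Class Win32_Service -ComputerName $Service.PSComputerName `
                                 -Filter "Name='$($Service.Name)'"
        if ($Service.State -eq 'Stopped') { break }
    }
    if ($Service.State -ne 'Stopped') { return $false }
    return ($Service.StartService().ReturnValue -eq 0)
}

$report = foreach ($server in $Servers) {
    # A service still bound to the source domain was not updated by ADMT (the
    # account was marked Skip, or the server was unreachable during the
    # migration). Its SCM entry still holds the old account name and password,
    # so it needs attention before it is next restarted.
    foreach ($svc in (Get-DomainServices -Computer $server -Domain $SourceDomain)) {
        [pscustomobject]@{ Server = $server; Service = $svc.Name; Account = $svc.StartName; Status = 'NOT UPDATED' }
    }
    # Services already rewritten to the target domain keep running on the token
    # they started with; restart the running ones so that they log on with the
    # password that ADMT generated.
    foreach ($svc in (Get-DomainServices -Computer $server -Domain $TargetDomain)) {
        $status = if ($svc.State -ne 'Running') { 'updated, not running' }
                  elseif (Restart-WmiService -Service $svc) { 'restarted' }
                  else { 'RESTART FAILED' }
        [pscustomobject]@{ Server = $server; Service = $svc.Name; Account = $svc.StartName; Status = $status }
    }
}

$report | Sort-Object Status, Server | Format-Table -AutoSize
```

Services that report NOT UPDATED or RESTART FAILED need a manual look: a stop return value of 3 means dependent services are still running, and a service left pointing at the source domain has to be re-migrated (marked Include) or corrected in the SCM by hand before its next restart.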

To migrate service accounts by using the ADMT command-line option

  1. On a member server in the target domain where ADMT is installed, log on by using a user account that is a member of the ADMT account migration group.

  2. At the command line, type:

    ADMT USER /N "service_account1" "service_account2" /IF:YES /SD:"source_domain" /TD:"target_domain" /TO:"target_OU" /MSA:YES /UUR:YES


    service_account1 and service_account2 are the names of the service accounts in the source domain that you identified earlier; the /N parameter lists the accounts to migrate by name. Alternatively, you can include the parameters in an option file that you specify at the command line as follows:

    ADMT USER /N "service_account1" "service_account2" /O:"option_file.txt"
    

    Table 12.10 lists the parameters that are required for migrating service accounts, with the command-line syntax and the option file equivalent of each.

    Table 12.10   Parameters Required for Migrating Service Accounts

    Parameter                     Command-line syntax        Option file syntax
    Intraforest                   /IF:YES                    IntraForest=YES
    Source domain                 /SD:"source_domain"        SourceDomain="source_domain"
    Target domain                 /TD:"target_domain"        TargetDomain="target_domain"
    Target OU location            /TO:"target_OU"            TargetOU="target_OU"
    Migrate service accounts      /MSA:YES                   MigrateServiceAccounts=YES
    Update user rights            /UUR:YES                   UpdateUserRights=YES
    Do not rename accounts        /RO:DONT (default)         RenameOption=DONT (default)
    Ignore conflicting accounts   /CO:IGNORE (default)       ConflictOptions=IGNORE (default)

  3. Review the results that are displayed on the screen for any errors.

  4. Open Active Directory Users and Computers, and locate the target domain OU. Verify that the service accounts exist in the target domain OU.
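The four steps above can be run and checked from one PowerShell session. The script below is an added example, not part of the original chapter: it writes the option file equivalent of Table 12.10, runs the step 2 command with /O, and then performs the step 4 check with an LDAP query instead of Active Directory Users and Computers, also confirming that each account is enabled and carries sIDHistory (an intraforest move keeps the old SID there, which is what preserves the account's access to resources whose ACLs still name that SID). The domain names, target OU, account names, and the presence of admt.exe on the path are assumptions; so is the [Migration]/[User] section layout of the option file, which should be checked against the ADMT documentation for the installed version.

```powershell
# Added example; not part of the original chapter. Runs the step 2 command
# with an option file and performs the step 4 check with an LDAP query.
# Assumptions (placeholders to replace): the domain names, the target OU, the
# service account names, and that admt.exe is on the path. The option file's
# [Migration]/[User] section layout is assumed; verify it for your ADMT version.
$SourceDomain    = 'source.example.com'
$TargetDomain    = 'target.example.com'
$TargetOu        = 'OU=Service Accounts,DC=target,DC=example,DC=com'
$ServiceAccounts = @('svc_backup', 'svc_search')   # account names identified earlier

# Option file equivalent of Table 12.10. RenameOption and ConflictOptions are
# the defaults, written out so that the file records what was done.
$optionFile = Join-Path $env:TEMP 'admt-service-accounts.txt'
@"
[Migration]
IntraForest=YES
SourceDomain="$SourceDomain"
TargetDomain="$TargetDomain"
TargetOU="$TargetOu"
RenameOption=DONT
ConflictOptions=IGNORE

[User]
MigrateServiceAccounts=YES
UpdateUserRights=YES
"@ | Set-Content -Path $optionFile -Encoding ASCII

# Step 2: ADMT USER /N "account1" "account2" /O:"option_file". PowerShell
# expands the array into one argument per account name.
& ADMT USER /N $ServiceAccounts "/O:$optionFile"
Write-Host "ADMT exit code: $LASTEXITCODE (review the on-screen results and the ADMT log for errors)"

# Step 4: confirm that each account now exists in the target OU, is enabled,
# and carries sIDHistory from the intraforest move.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$TargetDomain/$TargetOu"
$searcher.SearchScope = 'OneLevel'
[void]$searcher.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'userAccountControl', 'sIDHistory'))

$results = foreach ($name in $ServiceAccounts) {
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$name))"
    $hit = $searcher.FindOne()
    if ($null -eq $hit) {
        [pscustomobject]@{ Account = $name; Found = $false; Enabled = $null; HasSidHistory = $null }
        continue
    }
    $uac     = [int]$hit.Properties['useraccountcontrol'][0]
    $sidHist = $hit.Properties['sidhistory']            # $null when the attribute is absent
    [pscustomobject]@{
        Account       = $name
        Found         = $true
        Enabled       = (($uac -band 0x2) -eq 0)        # 0x2 = ADS_UF_ACCOUNTDISABLE
        HasSidHistory = ($null -ne $sidHist -and $sidHist.Count -gt 0)
    }
}
$results | Format-Table -AutoSize
```

An account reported as not found was not migrated (for example, it was dropped by the Ignore conflicting accounts setting because an account with the same name already existed in the target OU); one without sIDHistory will lose access to any resource whose ACL still refers to its old SID.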

To migrate service accounts by using a script

  • Use Listing 12.4 to prepare a script that incorporates ADMT commands and options for migrating service accounts.

    Listing 12.4   Migrating Service Accounts Within a Forest

    <Job id="MigratingServiceAccountsWithinForest">
    <Script language="VBScript" src="AdmtConstants.vbs" />
    <Script language="VBScript">
       Option Explicit

       Dim objMigration
       Dim objUserMigration

       '
       'Create instance of ADMT migration objects.
       '

       Set objMigration = CreateObject("ADMT.Migration")
       Set objUserMigration = objMigration.CreateUserMigration

       '
       'Specify general migration options.
       '

       objMigration.IntraForest = True
       objMigration.SourceDomain = "source domain"
       objMigration.SourceOu = "source container"
       objMigration.TargetDomain = "target domain"
       objMigration.TargetOu = "target container"

       '
       'Specify user migration specific options.
       '

       objUserMigration.UpdateUserRights = True
       objUserMigration.MigrateServiceAccounts = True

       '
       'Migrate the specified service accounts. admtData is defined in
       'AdmtConstants.vbs and tells Migrate that the array holds account names.
       '

       objUserMigration.Migrate admtData, _
          Array("service account name1", "service account name2")

       Set objUserMigration = Nothing
       Set objMigration = Nothing
    </Script>
    </Job>


For a sample script to assist you in migrating service accounts, see "Migrating Service Accounts Within a Forest" (DSSRERA_3.wsf) on the Windows Server 2003 Deployment Kit companion CD (or see "Migrating Service Accounts Within a Forest" on the Web at https://www.microsoft.com/reskit).