Introduction to Active Directory Migration Tool v2 for Administrators


Topic Last Modified: 2006-04-05

By Nino Bilic

This article is an introduction to Active Directory® Migration Tool (ADMT) version 2 (v2) that was released with Microsoft® Windows Server™ 2003 and Windows® 2000 Server. Even though ADMT is a Windows tool, you may find it useful when working on Microsoft Exchange Server migrations. This article explains ADMT functions. For more information about ADMT, see the For More Information section.

Active Directory Migration Tool (ADMT) is a tool that allows you to migrate users, computers, and groups from one domain to another domain. In most scenarios that involve Exchange Server, you use ADMT to migrate accounts from a Windows NT® Server 4.0 domain to a Windows 2000 Server domain. This is usually associated with a migration from Exchange Server version 5.5 to Exchange 2000 Server.

ADMT was released as version 2 (v2) as part of Windows Server 2003. It is located on the Windows Server 2003 CD (\\.\I386\ADMT).

One of the major improvements of ADMT v2 is that it can migrate user passwords. That makes the migration much more seamless for users, as compared to the previous version of ADMT, which was associated with Windows 2000 Server.

After the tool has been set up, run its Microsoft Management Console (MMC) snap-in by clicking Administrative Tools and then clicking Active Directory Migration Tool. From there, right-click Active Directory Migration Tool and select the User Account Migration Wizard option.

Some of the options might be unavailable until you perform a successful migration for some accounts.
Figure: Active Directory Migration Tool main drop-down menu

Click Next on the initial screen.

ADMT provides the options to either Test the migration settings and migrate later or Migrate now. Make your appropriate selection, and click Next.

Now you can choose the domains that you will be using for your migration.

Figure: Active Directory Migration Tool domain selection

The domains that you have available are determined by your current forest and any trusts that you have in place. Remember that the target domain must be in native mode to use ADMT.

If you are running ADMT for the first time, ADMT will perform several actions to make sure that migration is successful. These include testing prerequisites, modifying registry entries on the Windows NT Server 4.0 primary domain controller (PDC), restarting the Windows NT Server 4.0 PDC, and modifying the Windows Server 2003 and Windows 2000 Server policy. The exact actions vary with the options you choose and the types of domains involved. A detailed discussion of the possible ADMT options is beyond the scope of this article.

SID History is a term that is mentioned in Windows operating system migrations and Exchange Server migrations. The simple explanation of SID History is that it is an attribute on a migrated account that holds the security identifier (SID) of the original account.

For example, if you have Domain A as your source domain and Domain B as your destination domain, and if the account is migrated with SID History, the migrated account in Domain B will have an attribute that will hold the SID of the original account from Domain A.

The following describes the reasons why you need SID History:

  • If a migrated account from Domain B is to access resources from the originating domain, the presence of SID History will let the account access any resources that the original account in Domain A had rights on.

  • Active Directory Connector (ADC) uses SID History when matching the Exchange Server 5.5 directory object to the Active Directory account. Consider that Exchange Server 5.5 is in Domain A and the primary Windows NT Server 4.0 account of the Exchange Server 5.5 mailbox is an account in Domain A. You migrate this account using ADMT with SID History. That means you have created an account in Domain B that has the SID of the Domain A account stamped in its sIDHistory attribute. You then set up ADC from the Exchange Server 5.5 server in Domain A to a domain controller in Domain B. When ADC runs, it checks the primary Windows NT Server 4.0 account of the Exchange Server 5.5 mailbox and reads its SID. It then finds a match in Active Directory because of the SID History stamped on the migrated account. If there were no SID History on the Domain B account, ADC would not find a match and would create a new account in a disabled state (-1).

When you view the SID from a Lightweight Directory Access Protocol (LDAP) tool, such as LDP (ldp.exe), the attribute will look like the following:

"1> sIDHistory: S-1-5-21-1659521004-1441491110-1935394565-1315;"

This SID will match the SID of the original account from the original domain, where this account was migrated from. The migrated Active Directory account will have its own unique SID.
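As an added example that is not part of the original article, the following Python script parses a constructed LDP-style dump of migrated Domain B accounts, reproduces the ADC lookup by sIDHistory described above, and flags any sIDHistory value that does not come from the expected source domain, which is what an administrator would want to verify after a migration. All account names, SIDs and the Domain A domain SID in it are constructed, not real directory data.

```python
import re

# Matches LDP attribute lines such as "1> sIDHistory: S-1-5-...;" (multi-valued
# attributes appear as "2> sIDHistory: S-...; S-...;").
ATTR_RE = re.compile(r"^\s*\d+>\s*(\w+):\s*(.*?)\s*$")

# Constructed LDP-style dump of three migrated accounts in Domain B (not real data).
SAMPLE_DUMP = """\
Dn: CN=alice,OU=Migrated,DC=domainb,DC=example
1> objectSid: S-1-5-21-3623811015-3361044348-30300820-1104;
1> sIDHistory: S-1-5-21-1659521004-1441491110-1935394565-1315;

Dn: CN=bob,OU=Migrated,DC=domainb,DC=example
1> objectSid: S-1-5-21-3623811015-3361044348-30300820-1105;
1> sIDHistory: S-1-5-21-1659521004-1441491110-1935394565-1316;

Dn: CN=svc-legacy,OU=Migrated,DC=domainb,DC=example
1> objectSid: S-1-5-21-3623811015-3361044348-30300820-1106;
2> sIDHistory: S-1-5-21-1659521004-1441491110-1935394565-1317; S-1-5-21-999-888-777-512;
"""

# Domain SID of the source domain (Domain A); constructed for this example.
SOURCE_DOMAIN_SID = "S-1-5-21-1659521004-1441491110-1935394565"


def domain_part(sid):
    """Return the domain portion of a SID string (everything before the RID)."""
    return sid.rsplit("-", 1)[0]


def parse_dump(text):
    """Parse an LDP-style dump into {dn: {"objectSid": str, "sIDHistory": [str, ...]}}."""
    accounts, current = {}, None
    for line in text.splitlines():
        if line.startswith("Dn: "):
            current = accounts.setdefault(line[4:].strip(), {"objectSid": None, "sIDHistory": []})
            continue
        m = ATTR_RE.match(line)
        if not m or current is None:
            continue
        attr, raw = m.groups()
        values = [v.strip() for v in raw.split(";") if v.strip()]
        if attr == "objectSid":
            current["objectSid"] = values[0]
        elif attr == "sIDHistory":
            current["sIDHistory"].extend(values)
    return accounts


def audit(accounts, source_domain_sid):
    """Return (dn, sid) pairs whose sIDHistory value is not from the expected source domain."""
    return [(dn, h) for dn, a in accounts.items() for h in a["sIDHistory"]
            if domain_part(h) != source_domain_sid]


def adc_match(accounts, primary_nt_sid):
    """Mimic the ADC lookup: find the Domain B account whose sIDHistory holds the Domain A SID."""
    for dn, attrs in accounts.items():
        if primary_nt_sid in attrs["sIDHistory"]:
            return dn
    return None  # no match: ADC would create a new account in a disabled state
```

Any pair reported by audit() is a sIDHistory value that ADMT could not have stamped from the expected source domain and should be explained before the migration is signed off.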

To migrate accounts with SID History, you must set the option in ADMT. The following ADMT screen is where you make this selection.

Figure: ADMT User Account Migration Wizard options

After the accounts have been migrated from Domain A to Domain B with the SID History option, the Exchange Server 5.5 mailboxes are still set up with the Domain A Windows NT Server 4.0 accounts as their Primary NT account. In other words, the Exchange Server 5.5 mailbox is associated with the Windows NT Server 4.0 account, while ADC has associated that mailbox with the migrated Active Directory account based on the SID History you migrated.

To switch the Exchange Server 5.5 Primary NT account to the new migrated Active Directory account, you need to run the Exchange Directory Migration Wizard. This option will become available only after you migrate the accounts.

The job of the Exchange Directory Migration Wizard is to switch the primary Windows NT Server 4.0 account of the mailbox and to update the access control lists (ACLs) of the Exchange Server 5.5 directory objects, replacing, adding, or removing (depending on the option you choose) any mention of the Windows NT Server 4.0 account with the new migrated Active Directory account. With this wizard, you can replace all mentions of the source account with the migrated account, keeping the same permissions, on all objects stored in the Exchange Server 5.5 directory.

In ADMT, select Exchange Directory Migration Wizard from the available tasks.

Figure: ADMT main drop-down menu with Exchange Directory Migration Wizard selected

Click Next on the following screen. Then, choose if you want to test the migration settings only or actually migrate now. After clicking Next, you will be able to select your target and source domains again. On the next screen, you can choose what you want to do using the Exchange Directory Migration Wizard.

Figure: Exchange Directory Migration Wizard security options

The following explains the Exchange Directory Migration Wizard options:

  • Replace   This option replaces any mention of the original source domain account with the target domain account giving the same permissions.

  • Add   This option leaves the source domain account, but also adds the target domain account with the same permissions.

  • Remove   This option can be used if you want to remove the source domain account after running the Add option.

Now complete the wizard to modify the Exchange Server 5.5 directory.

Because the Exchange Directory Migration Wizard can switch the primary Windows NT Server 4.0 account on the Exchange Server 5.5 mailbox to the migrated account from the target domain, you can be certain that when ADC runs, the right match is found. From the viewpoint of ADC alone (that is, leaving aside any need to access resources in the Windows NT Server 4.0 domain with the Active Directory account), you might not even have to migrate SID History on the accounts. This can be convenient if you have already migrated Windows NT Server 4.0 accounts without SID History and now need to finish the migration.

The migration path in that case would be as follows:

  1. Migrate accounts using ADMT but without SID History.

  2. Run the Exchange Directory Migration Wizard, and replace security references to the source domain account with the destination domain (migrated) account. As part of this, the Primary NT account of the Exchange Server 5.5 mailboxes becomes the new migrated account from the Active Directory domain.

  3. Run ADC, because the new migrated Active Directory account is now the primary Windows NT Server 4.0 account of the mailbox. ADC should find the match and no duplicate objects should be created.

    Duplicate accounts might still be created if multiple mailboxes are associated with the same Windows NT Server 4.0 account on the Exchange Server 5.5 side. Running the Exchange Directory Migration Wizard does not resolve that problem.
