Establishing Migration Accounts for Your Migration

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To migrate accounts and resources between forests, you must establish one or more migration accounts and assign the appropriate credentials to those accounts. ADMT uses the migration accounts to migrate the objects that you identify. Because ADMT requires only a limited set of credentials, creating separate migration accounts enables you to simplify administration. If the migration tasks for your organization are distributed across more than one group, it is helpful to create a migration account for each group involved in performing the migration.

To simplify administration, create a single account in the source domain and a single account in the target domain for all objects, with the required credentials to modify the objects, such as users, global groups, and local profiles, to be migrated by that account. For example, a migration account that you use to migrate user accounts along with SID history, global groups along with SID history, computers, and user profiles has local administrator or domain administrator credentials in the source domain, and delegated permission on the user, group, and computer OUs in the target domain, with the extended right to migrate SID history on the user OU. The user needs to be a local administrator on the computer in the target domain on which ADMT is installed. A migration account that you use to migrate workstations and domain controllers must have local administrator or source domain administrator credentials on the workstations or the account must have source domain administrator credentials on the domain controller, or both.

In the target domain, it is necessary to use an account that has delegated permissions on the computer OU and the user OU. You might want to use a separate account for the migration of workstations if this migration process is delegated to administrators that are in the same location as the workstations.

Table 11.2 lists the credentials that are required in the source and target domains for different migration objects.

Table 11.2   Migration Account Credentials

Migration object: User/Group without SID history
  Credentials necessary in source domain: Delegated Read all user information permission on the user OU or group OU.
  Credentials necessary in target domain: Delegated Create user objects permission on the user OU or group OU, and local administrator on the computer on which ADMT is installed.

Migration object: User/Group with SID history
  Credentials necessary in source domain: Local administrator or domain administrator.
  Credentials necessary in target domain: Delegated permission on the user OU or the group OU, extended permission to migrate SID history, and local administrator on the computer on which ADMT is installed.

Migration object: Computer
  Credentials necessary in source domain: Domain administrator, or administrator in the source domain and on each computer.
  Credentials necessary in target domain: Delegated permission on the computer OU and local administrator on the computer on which ADMT is installed.

Migration object: Profile
  Credentials necessary in source domain: Local administrator or domain administrator.
  Credentials necessary in target domain: Delegated permission on the user OU and local administrator on the computer on which ADMT is installed.

The following procedures provide examples for creating groups or accounts to migrate accounts and resources. Procedures differ according to whether a one-way trust or a two-way trust exists. The procedure for creating migration groups when a one-way trust exists is more complex than the procedure for creating migration accounts when a two-way trust exists, because you must add the migration group to the local Administrators group on local workstations. The sample procedure for creating migration groups when a one-way trust exists involves the creation of separate groups for migrating accounts and resources; however, you can combine acct_migrators and res_migrators into one group if you do not need to separate them to delegate different sets of permissions.

To create an account migration group when a one-way trust exists in which the source domain trusts the target domain

  1. In the target domain, create a global group, acct_migrators.

  2. In the target domain, add the acct_migrators group to the Domain Admins group, or delegate administration of OUs that are targets for account migration to this group.

  3. If you are migrating SID history, and you did not place the acct_migrators group in the Domain Admins group, grant the acct_migrators group the extended permission Migrate SID History on the target domain object. To do this:

    1. Start Active Directory Users and Computers, right-click the domain object, and then click Properties.

    2. Click the Security tab, click Add, and select acct_migrators.

    3. In the Permissions for acct_migrators box, click Allow for the Migrate SID History permission.

  4. In the source domain, add the acct_migrators group to the Administrators group.

  5. On each computer on which you plan to translate local profiles, add the acct_migrators group to the local Administrators group.

To create the resource migration group when a one-way trust exists in which the source domain trusts the target domain

  1. In the target domain, create a global group, res_migrators.

  2. In the target domain, add the res_migrators group to the Domain Admins group, or delegate administration of OUs that are targets for resource migration to this group.

  3. In the source domain, add the res_migrators group to the Administrators group.

  4. On each computer that you plan to migrate or on which you plan to perform security translation, add the res_migrators group to the local Administrators group.
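The following script is an added example (not part of this documentation or of ADMT) that performs the five steps of the one-way-trust account migration group procedure above and then checks the resulting memberships; the resource migration group procedure is identical apart from the group name (res_migrators) and the list of computers. It assumes a target domain DC=target,DC=example with NetBIOS name TARGET, a source domain controller dc1.source.example, account OUs named MigratedUsers and MigratedGroups, and workstations ws01 and ws02, and it uses only the ADSI LDAP and WinNT providers plus dsacls.exe because the ActiveDirectory PowerShell module is not available for Windows Server 2003.

```powershell
# Added example, not from the ADMT documentation. All domain, host and OU names
# below are assumptions; replace them with your own before running.
$TargetDn     = "DC=target,DC=example"
$TargetNetb   = "TARGET"
$SourceDc     = "dc1.source.example"
$GroupName    = "acct_migrators"
$AccountOus   = @("OU=MigratedUsers,$TargetDn", "OU=MigratedGroups,$TargetDn")
$ProfileHosts = @("ws01", "ws02")   # computers whose local profiles will be translated

# Step 1: create the global security group in the target domain.
$container = [ADSI]"LDAP://CN=Users,$TargetDn"
$grp = $container.Create("group", "CN=$GroupName")
$grp.Put("sAMAccountName", $GroupName)
$grp.Put("groupType", -2147483646)   # 0x80000002: security-enabled + global scope
$grp.SetInfo()

# Step 2 (delegation variant): delegate the account OUs to the group instead of
# placing it in Domain Admins. /I:T = this object and all sub-objects; GA = generic all.
foreach ($ou in $AccountOus) {
    & dsacls.exe $ou /I:T /G "${TargetNetb}\${GroupName}:GA"
}

# Step 3: the group is not in Domain Admins, so grant the Migrate SID History
# control-access right (CA) on the domain object itself.
& dsacls.exe $TargetDn /G "${TargetNetb}\${GroupName}:CA;Migrate SID History"

# Steps 4 and 5: add the group to Administrators in the source domain (the WinNT
# provider on a source DC resolves to the domain's built-in Administrators group)
# and to the local Administrators group on each profile-translation computer.
function Add-AdminMember([string]$Computer, [string]$MemberPath) {
    $admins = [ADSI]"WinNT://$Computer/Administrators,group"
    $admins.Add($MemberPath)
}
$memberPath = "WinNT://$TargetNetb/$GroupName,group"
Add-AdminMember -Computer $SourceDc -MemberPath $memberPath
foreach ($h in $ProfileHosts) { Add-AdminMember -Computer $h -MemberPath $memberPath }

# Verification: enumerate each Administrators group and confirm the entry exists.
function Test-AdminMember([string]$Computer, [string]$Name) {
    $admins = [ADSI]"WinNT://$Computer/Administrators,group"
    $names = @($admins.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null) })
    return ($names -contains $Name)
}
foreach ($h in @($SourceDc) + $ProfileHosts) {
    "{0}: {1} in Administrators = {2}" -f $h, $GroupName, (Test-AdminMember $h $GroupName)
}
```

Run it with credentials that are an administrator in both domains and on the listed workstations; the same Test-AdminMember function is useful again after the migration to confirm the group has been removed from every Administrators group it no longer needs.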

To create a resource migration account when a two-way trust exists between the source and target domains

  1. In the source domain, create an account, res_migrator.

  2. In the source domain, add the res_migrator account to the Domain Admins group. (The Domain Admins group is a member of the local Administrators group on every computer in the domain by default; therefore, you do not need to add it to the local Administrators group on every computer.)

  3. In the target domain, delegate permissions on OUs that are targets for resource migration to the res_migrator account.