Migrate Global Groups

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

Migrate global groups, without members, from the source domain to the target domain to protect against the problem of open sets. (For more information about open sets, see Background Information for Restructuring Active Directory Domains Within a Forest, earlier in this guide.) After global groups are migrated to the target domain, they cease to exist in the source domain.

Because global groups can contain only members from their own domain, you cannot migrate them as global groups from one domain to another. The Active Directory Migration Tool (ADMT) changes global groups to universal groups when they are migrated. The universal group in the target domain retains the security identifier (SID) history of the global group in the source domain, which makes it possible for users to continue to access resources in the source domain after the global groups are migrated. ADMT changes the universal groups back to global groups after all members of the global group are migrated from the source domain to the target domain.

You do not have to include built-in and well-known global groups in your migration because these groups already exist in the target domain. If you select a built-in group or well-known global group for migration, ADMT does not migrate it. Instead, ADMT makes a note in the log and continues to migrate other global groups.

The procedure for using the Group Account Migration Wizard to migrate global groups is the same as that for migrating universal groups. For more information about the procedure for migrating global groups and universal groups, see Migrate Universal Groups, earlier in this guide.

After you complete the global group migration process, use Active Directory Users and Computers to verify that the global groups migrated successfully. Verify that the global groups no longer exist in the source domain and that the groups appear in the target domain in the organizational unit (OU) that you specified during the migration process. The global groups are listed as universal groups in the target domain if they still have members in the source domain. To view a list of members of the universal group, right-click the group, click Properties, and then click the Members tab. The original members of the global group are listed. Note, however, that user accounts have not yet been migrated.

If you are migrating user accounts during the intraforest migration but you are not migrating the global groups in the source domain that the user accounts are members of, ADMT still updates those global groups in the source domain. ADMT removes the migrated user accounts from the membership of the global group in the source domain because a global group can include only members from its own domain. As a result, users might lose access to resources in the source domain after the migration because they are no longer members of those groups.

You can migrate global groups by using the ADMT snap-in, the ADMT command-line option, or a script.

To migrate global groups by using the ADMT snap-in

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. Use the Group Account Migration Wizard by performing the steps in the following table.

    Wizard page: Domain Selection

    Action: Under Source, in the Domain drop-down list, type or select the NetBIOS or Domain Name System (DNS) name of the source domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller.

    When you perform an intraforest migration, the domain controller that holds the relative ID (RID) operations master (also known as flexible single master operations or FSMO) role is always used as the source domain controller, no matter what your selection is.

    Under Target, in the Domain drop-down list, type or select the NetBIOS or DNS name of the target domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller, and then click Next.

    Wizard page: Group Selection

    Action: Click Select groups from domain, and then click Next. On the Group Selection page, click Add to select the groups in the source domain that you want to migrate, click OK, and then click Next.

    Or

    Click Read objects from an include file, and then click Next. Type the location of the include file, and then click Next.

    Wizard page: Organizational Unit Selection

    Action: Type the name of the OU, or click Browse.

    In the Browse for Container dialog box, find the container in the target domain that you want to move the global groups into, and then click OK.

    Wizard page: Group Options

    Action: The Migrate Group SIDs to target domain and Fix Group Membership check boxes are selected and appear dimmed.

    Ensure that no other options are selected.

    Wizard page: Conflict Management

    Action: Select Do not migrate source object if a conflict is detected in the target domain.

  3. After the wizard runs, click View Log, and review the migration log for any errors.

  4. Open Active Directory Users and Computers, and then locate the target domain OU. Verify that the global groups exist in the target domain OU.

To migrate global groups by using the ADMT command-line option

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

Note

When you start a group migration with sIDHistory migration from the command line, you must run the command on a domain controller in the target domain.

  2. At a command line, type the ADMT Group command with the appropriate parameters, and then press ENTER:

    ADMT GROUP /N "<group_name1>" "<group_name2>" /IF:YES /SD:"<source_domain>" /TD:"<target_domain>" /TO:"<target_OU>"

    As an alternative, you can include parameters in an option file that is specified at the command line, as follows:

    ADMT GROUP /N "<group_name1>" "<group_name2>" /O:"<option_file>.txt"

    The following table lists the parameters that are required for migrating global groups, the command-line parameters, and option file equivalents.

    Parameter               Command-line syntax       Option file syntax
    Intra-forest            /IF:YES                   IntraForest=YES
    Target domain           /TD:"target_domain"       TargetDomain="target_domain"
    Target OU location      /TO:"target_OU"           TargetOU="target_OU"
    Conflict management     /CO:IGNORE (default)      ConflictOptions=IGNORE

  3. Review the results that are displayed on the screen for any errors.

  4. Open Active Directory Users and Computers, and then locate the target domain OU. Verify that the global groups exist in the target domain OU.
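The post-migration checks this guide describes (the group is gone from the source domain, present in the target OU, still Universal while members remain in the source domain, and carries the source SID in its SID history) can be automated; the following script is an added example, not part of the ADMT guide. It assumes the RSAT ActiveDirectory module, and the domain names, OU and group names are placeholders to replace with your own.

```powershell
# Added verification script; not part of the ADMT guide. Assumes the RSAT
# ActiveDirectory module and that the placeholder values below are replaced.
Import-Module ActiveDirectory

$SourceDomain = 'source.corp.example'                              # placeholder
$TargetDomain = 'target.corp.example'                              # placeholder
$TargetOU     = 'OU=Migrated Groups,DC=target,DC=corp,DC=example'  # placeholder
$GroupNames   = @('GG-Finance', 'GG-HR')                           # placeholder names

# DN suffix of the source domain, used to spot members that are not migrated yet.
$sourceDn = (Get-ADDomain -Server $SourceDomain).DistinguishedName

foreach ($name in $GroupNames) {
    $row = [ordered]@{ Group = $name }

    # Check 1: an intraforest migration moves the group, so it must be gone from the source.
    $src = Get-ADGroup -Server $SourceDomain -Filter "sAMAccountName -eq '$name'"
    $row.GoneFromSource = ($null -eq $src)

    # Check 2: the group must exist in the target domain, under the OU chosen in the wizard.
    $tgt = Get-ADGroup -Server $TargetDomain -Filter "sAMAccountName -eq '$name'" `
                       -Properties sIDHistory, member
    if ($null -eq $tgt) {
        $row.InTargetOU = $false
        [pscustomobject]$row
        continue
    }
    $row.InTargetOU = $tgt.DistinguishedName -like "*,$TargetOU"

    # Check 3: scope stays Universal while members are still homed in the source domain;
    # ADMT converts the group back to Global only after all members are migrated.
    $row.Scope = $tgt.GroupScope
    $row.MembersStillInSource = @($tgt.member | Where-Object { $_ -like "*$sourceDn" }).Count

    # Check 4: sIDHistory must carry the source SID so existing ACLs in the source domain
    # keep resolving; an empty sIDHistory means the group was recreated, not migrated.
    $row.HasSidHistory = (@($tgt.sIDHistory).Count -gt 0)

    [pscustomobject]$row
}
```

Run it as an account that can read both domains; a row with GoneFromSource false, InTargetOU false or HasSidHistory false points at a group to look up in the ADMT migration log.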

To migrate global groups by using a script

  1. Use a script that incorporates ADMT commands and options for migrating universal groups. For more information about migrating universal groups, see Migrate Universal Groups, earlier in this guide.

Note

When you start a group migration with sIDHistory migration from a script, the script must be run on a domain controller in the target domain.

  2. After completing the global group migration by using a script, view the migration log. The migration.log file is stored in the folder where you installed ADMT, typically Windows\ADMT\Logs.

Note

Because universal groups are replicated to the global catalog, converting global groups to universal groups can affect replication traffic. When the forest is operating at the Windows Server 2003 or Windows Server 2008 functional level, this impact is reduced because only changes to the universal group membership are replicated. However, if the forest is not operating at the Windows Server 2003 or Windows Server 2008 functional level, the entire group membership replicates every time that the universal group membership changes.