Migrating Global Groups

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

To preserve the memberships of global groups, you must migrate global groups before you migrate users.

Note

Do not migrate global groups during peak work hours. The global group migration process can consume a large amount of network resources and resources on the domain controller in the target domain.

Global group migration involves performing the following steps:

  1. The administrator selects global group objects in the source domain.

  2. A new global group object is created in the target domain, and a new primary security identifier (SID) is created for the object in the target domain.

  3. To preserve resource access, the Active Directory Migration Tool (ADMT) adds the SID of the global group in the source domain to the SID history attribute of the new global group in the target domain.

After the migration, events are logged in both the source and the target domain.

Note

If the user account migration process takes place over an extended period of time, you might have to remigrate global groups from the source to the target domain. The objective is to propagate membership changes that are made in the source domain before the migration process is complete. For more information about remigrating global groups, see Remigrating All Global Groups After All Batches Are Migrated, later in this guide.

You can migrate global groups by using the ADMT snap-in, the ADMT command-line option, or a script.

To migrate global groups by using the ADMT snap-in

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. Use the Group Account Migration Wizard by performing the steps in the following table.

    | Wizard page | Action |
    | --- | --- |
    | Domain Selection | Under Source, in the Domain drop-down list, type or select the NetBIOS or Domain Name System (DNS) name of the source domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller. Under Target, in the Domain drop-down list, type or select the NetBIOS or DNS name of the target domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller, and then click Next. |
    | Group Selection | Click Select groups from domain, and then click Next. On the Group Selection page, click Add to select the groups in the source domain that you want to migrate, click OK, and then click Next. Or: Click Read objects from an include file, and then click Next. Type the location of the include file, and then click Next. |
    | Organizational Unit Selection | Type the name of the organizational unit (OU), or click Browse. In the Browse for Container dialog box, find the container in the target domain that you want to move the global groups into, and then click OK. |
    | Group Options | Click Migrate Group SIDs to target domain. Make sure that all other options are not selected. |
    | User Account | Type the user name, password, and domain of an account that has administrative rights in the source domain. |
    | Conflict Management | Click Do not migrate source object if a conflict is detected in the target domain. |

  3. When the wizard has finished running, click View Log, and review the migration log for any errors.

  4. Open the Active Directory Users and Computers snap-in, and then locate the target OU. Verify that the global groups exist in the target domain OU.

To migrate global groups by using the ADMT command-line option

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. At the command line, type the ADMT Group command with the appropriate parameters, and then press ENTER:

    ADMT GROUP /N "<group_name1>" "<group_name2>" /SD:"<source_domain>" /TD:"<target domain>" /TO:"<target OU>" /MSS:YES

    As an alternative, you can include parameters in an option file that is specified at the command line as follows:

    ADMT GROUP /N "<group_name1>" "<group_name2>" /O:"<option_file>.txt"

    The following table lists the common parameters that are used for migrating global groups, along with the command-line parameter and option file equivalents.

    | Parameters | Command-line syntax | Option file syntax |
    | --- | --- | --- |
    | <Source domain> | /SD:"source_domain" | SourceDomain="source_domain" |
    | <Source OU> location | /SO:"source_OU" | SourceOU="source_OU" |
    | <Target domain> | /TD:"target_domain" | TargetDomain="target_domain" |
    | <Target OU> location | /TO:"target_OU" | TargetOU="target_OU" |
    | Migrate GG SIDs | /MSS:YES | MigrateSIDs=YES |
    | Conflict management | /CO:IGNORE (default) | ConflictOptions=IGNORE |

  3. Review the results that appear on the screen for any errors.

  4. Open the Active Directory Users and Computers snap-in and locate the target OU. Verify that the global groups exist in the target domain OU.
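The verification in step 4, and the SID history behavior described in the overview steps, can also be checked from PowerShell. The following is an added example, not part of the ADMT guide: it assumes the ActiveDirectory module is available, and the domain names, OU path, and group names are placeholders.

```powershell
# Added example (not from the ADMT guide). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder values: replace with your own domains, target OU and group names.
$SourceDomain = 'source.example'
$TargetDomain = 'target.example'
$TargetOU     = 'OU=Migrated Groups,DC=target,DC=example'
$GroupNames   = 'group_name1', 'group_name2'

$report = foreach ($name in $GroupNames) {
    $filter = "SamAccountName -eq '$name'"

    # The group as it exists in the source domain (holds the original SID).
    $src = Get-ADGroup -Filter $filter -Server $SourceDomain

    # The migrated copy, searched only inside the target OU.
    $dst = Get-ADGroup -Filter $filter -Server $TargetDomain `
        -SearchBase $TargetOU -Properties SIDHistory

    # SID history as plain strings (stays empty when the attribute is not set).
    $history = @()
    if ($dst) { $history = @($dst.SIDHistory | ForEach-Object { $_.Value }) }

    $status = 'OK'
    if (-not $src) {
        $status = 'Source group not found'
    } elseif (-not $dst) {
        $status = 'Missing from target OU'
    } elseif ($dst.GroupScope -ne 'Global') {
        $status = 'Not a global group in target'
    } elseif ($history -notcontains $src.SID.Value) {
        $status = 'Source SID absent from SID history'
    }

    # SID history entries other than the source SID, listed for review.
    $other = @($history | Where-Object { -not $src -or $_ -ne $src.SID.Value })

    [pscustomobject]@{
        Group           = $name
        Status          = $status
        SourceSID       = [string]$src.SID
        TargetSID       = [string]$dst.SID
        OtherSidHistory = $other -join ','
    }
}

$report | Format-Table -AutoSize
```

A status other than OK points back to the migration log. Entries in OtherSidHistory are SIDs the target group carries that did not come from this source group, so confirm each one is expected.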

To migrate global groups by using a script

  • Prepare a script that incorporates ADMT commands and options for migrating global groups by using the following sample script. Copy the script to Notepad, and save the file with a .wsf file name extension in the same folder as the AdmtConstants.vbs file.

    <Job id="MigratingGlobalGroupsBetweenForests">
    <Script language="VBScript" src="AdmtConstants.vbs" />
    <Script language="VBScript">
       Option Explicit
    
       Dim objMigration
       Dim objGroupMigration
    
       '
       'Create instance of ADMT migration objects.
       '
    
       Set objMigration = CreateObject("ADMT.Migration")
       Set objGroupMigration = objMigration.CreateGroupMigration
    
       '
       'Specify general migration options.
       '
    
       objMigration.SourceDomain = "source domain"
       objMigration.SourceOu = "source container"
       objMigration.TargetDomain = "target domain"
       objMigration.TargetOu = "target container"
    
       '
       'Specify group migration specific options.
       '
    
       objGroupMigration.MigrateSIDs = True
    
       '
       'Migrate specified group objects.
       '
    
       objGroupMigration.Migrate admtData, Array("group name1", "group name2")
    
       Set objGroupMigration = Nothing
       Set objMigration = Nothing
    </Script>
    </Job>