Migrate Service Accounts

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

Migrate the service accounts that you identified earlier in the intraforest restructure process by using the Service Account Migration Wizard; that wizard marked the accounts as service accounts in the Active Directory Migration Tool (ADMT) database. For more information about using ADMT to identify service accounts that are running in the context of a user account, see Plan for Service Account Transitioning, earlier in this guide.

You can migrate service accounts by using the ADMT snap-in, the ADMT command-line option, or a script.

To migrate service accounts by using the ADMT snap-in

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. Use the User Account Migration Wizard by performing the steps in the following table.

    Wizard page | Action

    Domain Selection

    Under Source, in the Domain drop-down list, type or select the NetBIOS or Domain Name System (DNS) name of the source domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller.

    When you perform an intraforest migration, the domain controller that holds the relative ID (RID) operations master (also known as flexible single master operations or FSMO) role is always used as the source domain controller regardless of your selection.

    Under Target, in the Domain drop-down list, type or select the NetBIOS or DNS name of the target domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller, and then click Next.

    User Selection

    Click Select users from domain, and then click Next. On the User Selection page, click Add to select the accounts in the source domain that you want to migrate, click OK, and then click Next.

    Or

    Click Read objects from an include file, and then click Next. Type the location of the include file, and then click Next.

    Organizational Unit Selection

    Type the name of the organizational unit (OU), or click Browse.

    In the Browse for Container dialog box, find the container in the target domain that you want to move the accounts into, and then click OK.

    User Options

    Select the Update user rights check box.

    Ensure that no other settings are selected, including the Migrate associated user groups option. A warning box will appear to inform you that if the global groups to which the user accounts belong are not also migrated, users will lose access to resources. Select OK to continue with the migration.

    Conflict Management

    Select Do not migrate source object if a conflict is detected in the target domain.

    Service Account Information

    Click Migrate all service accounts and update SCM for items marked include. The wizard presents you with a list of the service accounts that you are migrating (if you are migrating accounts that are not service accounts, they will be migrated but they will not be listed). By default, the accounts are marked as Include. To change the status of the account, select the account, and then click Skip/Include.

    Click Next to migrate the accounts.

    A Migration Progress dialog box updates you on the status of the migration. During this time, ADMT moves the accounts to the target domain, generates a new password for the accounts, assigns the accounts the right to log on as a service, and provides this new information to the services that use the accounts. When the status is listed as Completed in the Migration Progress dialog box, you can continue with the rest of the intraforest migration.

    Before the migration of the service accounts is completed, users might experience interruptions when they use the services. This is because, until the service is restarted, it continues to run under the old credentials of the account that has been migrated. For any services that continually use credentials, such as search services, manually restart the services to ensure optimal results.

To migrate service accounts by using the ADMT command-line option

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. At the command line, type the following command, and then press ENTER:

    ADMT USER /N "<server_name1>" "<server_name2>" /IF:YES /SD:"<source_domain>" /TD:"<target_domain>" /TO:"<target_OU>" /MSA:YES

    Where <server_name1> and <server_name2> are the names of servers in the source domain that run service accounts. As an alternative, you can include parameters in an option file that is specified at the command line, as follows:

    ADMT USER /N "<server_name1>" "<server_name2>" /O:"<option_file>.txt"

    The following table lists the parameters that are required for migrating service accounts, the command-line syntax, and option file equivalents.

    Parameters                    Command-line syntax      Option file syntax

    Intra-forest                  /IF:YES                  IntraForest=YES
    Target domain                 /TD:"target_domain"      TargetDomain="target_domain"
    Target OU location            /TO:"target_OU"          TargetOU="target_OU"
    Migrate service accounts      /MSA:YES                 MigrateServiceAccounts=YES
    Update user rights            /UUR:YES                 UpdateUserRights=YES
    Ignore conflicting accounts   /CO:IGNORE (default)     ConflictOptions=IGNORE (default)

  3. Review the results that are displayed on the screen for any errors.

  4. Open Active Directory Users and Computers, and locate the target domain OU. Verify that the service accounts exist in the target domain OU.
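The following PowerShell script is an added verification example; it is not part of this guide or of ADMT. It automates the check in step 4 and the service-restart caveat from the wizard procedure for either migration method: it confirms that each migrated account now exists under the target OU, and it lists services on the source servers whose logon account still carries the source domain prefix (not updated) or has already been switched to the target domain but is still running on the old credentials. It assumes the ActiveDirectory module (RSAT) is installed on the ADMT computer, that the logged-on account can read the target OU and query services on the servers over WinRM, and that the parameter defaults (domain names, OU path, account and server names) are placeholders you replace.

```powershell
# Added example, not part of the ADMT guide. Verifies the outcome of a
# service account migration run with the wizard, the command line, or the script.
# Assumptions: ActiveDirectory module (RSAT) on the ADMT computer; the logged-on
# account can read the target OU and query Win32_Service on the source servers
# over WinRM. All parameter defaults are placeholders.
param(
    [string]   $TargetDomain    = 'target.example.com',                                  # placeholder
    [string]   $TargetOu        = 'OU=Service Accounts,DC=target,DC=example,DC=com',    # placeholder
    [string]   $SourceNetbios   = 'SOURCE',                                              # placeholder
    [string[]] $ServiceAccounts = @('svc-search', 'svc-backup'),                         # placeholder names
    [string[]] $Servers         = @('server_name1', 'server_name2')                      # servers from step 2
)

Import-Module ActiveDirectory

# Step 4: every migrated account must now be found under the target OU.
$missing = foreach ($sam in $ServiceAccounts) {
    $u = Get-ADUser -Server $TargetDomain -SearchBase $TargetOu `
                    -Filter "sAMAccountName -eq '$sam'" -ErrorAction SilentlyContinue
    if ($u) { Write-Host ("OK       {0} -> {1}" -f $sam, $u.DistinguishedName) }
    else    { Write-Warning "MISSING  $sam not found under $TargetOu"; $sam }
}

# ADMT updates the Service Control Manager (SCM) with the new TARGET\account
# credentials, but a service keeps running under its old logon until it is
# restarted. Per server, report:
#   - services whose logon account still has the source domain prefix
#     (skipped in the wizard, or the SCM update did not happen), and
#   - services already switched to a migrated account but still running,
#     which need a restart to pick up the new credentials.
$report = foreach ($server in $Servers) {
    $services = Get-CimInstance -ClassName Win32_Service -ComputerName $server
    foreach ($svc in $services) {
        $logon = $svc.StartName
        if (-not $logon) { continue }                       # no logon account recorded
        # Strip DOMAIN\ or @domain so the name can be compared with the account list.
        $bare   = $logon -replace '^.*\\', '' -replace '@.*$', ''
        $status = $null
        if ($logon -like "${SourceNetbios}\*") {
            $status = 'NOT UPDATED (still source domain account)'
        } elseif (($ServiceAccounts -contains $bare) -and ($svc.State -eq 'Running')) {
            $status = 'UPDATED - restart to apply new credentials'
        }
        if ($status) {
            [pscustomobject]@{
                Server       = $server
                Service      = $svc.Name
                LogonAccount = $logon
                State        = $svc.State
                Status       = $status
            }
        }
    }
}

$report | Sort-Object Server, Service | Format-Table -AutoSize
if ($missing) { Write-Warning ("Accounts missing from target OU: " + ($missing -join ', ')) }
```

Run it from the ADMT computer after the migration reports Completed; any row marked NOT UPDATED points at a service that was skipped or whose SCM entry was not changed, and rows marked UPDATED are the services the wizard procedure tells you to restart manually.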

To migrate service accounts by using a script

  • Use the following listing to prepare a script that incorporates ADMT commands and options for migrating service accounts. Copy the script to Notepad, and save the file with a .wsf file name extension in the same folder as the AdmtConstants.vbs file.

    <Job id="MigratingServiceAccountsWithinForest">
    <Script language="VBScript" src="AdmtConstants.vbs" />
    <Script language="VBScript">
       Option Explicit

       Dim objMigration
       Dim objUserMigration

       '
       'Create instance of ADMT migration objects.
       '

       Set objMigration = CreateObject("ADMT.Migration")
       Set objUserMigration = objMigration.CreateUserMigration

       '
       'Specify general migration options.
       'Replace the placeholder strings with the NetBIOS or DNS domain names
       'and the source and target container (OU) names for your migration.
       '

       objMigration.IntraForest = True
       objMigration.SourceDomain = "source domain"
       objMigration.SourceOu = "source container"
       objMigration.TargetDomain = "target domain"
       objMigration.TargetOu = "target container"

       '
       'Specify user migration specific options.
       'These correspond to /UUR:YES and /MSA:YES on the command line.
       '

       objUserMigration.UpdateUserRights = True
       objUserMigration.MigrateServiceAccounts = True

       '
       'Migrate specified service accounts.
       'admtData is a constant from AdmtConstants.vbs; it tells Migrate that
       'the accounts are passed as an array rather than read from an include file.
       '

       objUserMigration.Migrate admtData, _
          Array("service account name1", "service account name2")

       Set objUserMigration = Nothing
       Set objMigration = Nothing
    </Script>
    </Job>