Migrating Managed Service Accounts

Updated: September 29, 2013

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

A standalone managed service account is a domain account object that is available in the Active Directory schema beginning with Windows Server 2008 R2. A standalone managed service account can be installed on computers that run Windows 7 or Windows Server 2008 R2 or later.

Note

Group managed service accounts cannot be migrated by using ADMT.

The process for identifying and migrating managed service accounts using ADMT involves two steps:

  1. Use the Managed Service Account Migration Wizard or the admt managedserviceaccount command-line tool to migrate the managed service account objects to the target domain, as explained in this topic.

  2. Use the Computer Migration Wizard or the admt computer command-line tool to migrate the computers that host the managed service accounts. For more information about migrating computers as part of an interforest migration, see Remigrating User Accounts and Migrating Workstations in Batches. For more information about migrating computers as part of an intraforest migration, see Migrate Workstations and Member Servers.

    The managed service accounts that were migrated in the previous step and that were originally installed on the migrated computers are identified during the computer migration. After the computer migration is complete, the managed service accounts are re-installed on the computer in the target domain (unless you request to skip them). If you have run security translation on the member servers that have resources that grant permission to the managed service accounts, the accounts have the same permissions for resource access in the target domain as they had in the source domain.

Important

If you are migrating managed service accounts between domains within the same forest, run security translation on the member servers in the source domain that have resources that grant permission to the managed service accounts. Security translation is not normally necessary during an intraforest migration because a SID is moved with an account. But managed service accounts that are migrated between domains in the same forest are copied. A new account is created in the target domain and the account properties (excluding SID) are copied from the source domain. Therefore, you need to run security translation.
If the resources in the source domain that grant permission to a managed service account are hosted on the same computer as the managed service account, select security translation for the appropriate resource types (Files and folders, Local groups, and so on) on the Translate Objects page of the Computer Migration Wizard. If the resources are on other computers that are not being migrated, run the Security Translation Wizard on those computers and, on the Security Translation Options page, select Previously migrated objects or explicitly provide the managed service accounts in a SID mapping file. For more information about translating security, see Translating Security on Your Member Servers.
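The intraforest case above is the one where a mapping file is easy to get wrong, because the new account in the target domain has a SID that nothing in the source domain knows about. The following PowerShell script is an added example, not part of the ADMT documentation: it builds a SID mapping file (old SID to new SID) for every standalone managed service account that has already been copied to the target domain, and lists the member servers that host each account so you know where security translation must run. It assumes the ActiveDirectory module is available, that the accounts keep the same SamAccountName in the target domain, that the mapping file format is one "SourceSID,TargetSID" pair per line, and that the host computers are recorded in the msDS-HostServiceAccountBL back-link on the account.

```powershell
# Added example (not ADMT's own code): build an ADMT SID mapping file for
# standalone managed service accounts copied between domains in one forest,
# and report which member servers host each account.
#
# Assumptions (not stated on the page): ActiveDirectory module present,
# same SamAccountName in source and target, mapping file lines of the form
# "SourceSID,TargetSID", hosts exposed via msDS-HostServiceAccountBL.
param(
    [Parameter(Mandatory)] [string] $SourceDomain,   # e.g. "corp.contoso.com" (placeholder)
    [Parameter(Mandatory)] [string] $TargetDomain,   # e.g. "emea.contoso.com" (placeholder)
    [string] $MappingFile = ".\msa-sidmap.txt"
)

Import-Module ActiveDirectory -ErrorAction Stop

$mapping = New-Object System.Collections.Generic.List[string]
$hosts   = @{}   # host computer DN -> names of MSAs installed there

# Every standalone MSA in the source domain, with its host back-link.
$sourceAccounts = Get-ADServiceAccount -Server $SourceDomain -Filter * `
    -Properties 'msDS-HostServiceAccountBL'

foreach ($src in $sourceAccounts) {
    $name = $src.SamAccountName.TrimEnd('$')   # MSA SAM names end with '$'
    try {
        # The copy must already exist in the target domain; the Managed
        # Service Account Migration Wizard (or admt managedserviceaccount)
        # creates it. If it is missing, the migration has not run yet.
        $tgt = Get-ADServiceAccount -Server $TargetDomain `
            -Identity $src.SamAccountName -ErrorAction Stop
    } catch {
        Write-Warning "No target account for $name; run the MSA migration first. Skipped."
        continue
    }
    $mapping.Add("$($src.SID.Value),$($tgt.SID.Value)")

    foreach ($hostDn in @($src.'msDS-HostServiceAccountBL')) {
        if (-not $hosts.ContainsKey($hostDn)) { $hosts[$hostDn] = @() }
        $hosts[$hostDn] += $name
    }
}

Set-Content -Path $MappingFile -Value $mapping -Encoding ASCII
Write-Host "Wrote $($mapping.Count) SID mappings to $MappingFile"

# Hosts are the first place security translation is needed: via the
# Computer Migration Wizard if the host moves, or via the Security
# Translation Wizard with this mapping file if it stays in the source domain.
foreach ($entry in ($hosts.GetEnumerator() | Sort-Object Key)) {
    Write-Host ("{0}: {1}" -f $entry.Key, ($entry.Value -join ', '))
}
```

Run it only after the account migration has completed; accounts that have no copy in the target domain are skipped with a warning rather than written with an empty target SID, which would silently translate nothing. Resources on servers that do not appear in the host list (for example a file share granted to the account from another machine) still need the Security Translation Wizard run on them with the same mapping file.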

To migrate managed service accounts by using the ADMT snap-in

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. In the ADMT snap-in, click Action, and then click Managed Service Account Migration Wizard.

  3. Complete the Managed Service Account Migration Wizard by using the information in the following table.

    Wizard page / Action

    Domain Selection

    Under Source, in the Domain drop-down list, type or select the NetBIOS or Domain Name System (DNS) name of the source domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller.

    Under Target, in the Domain drop-down list, type or select the NetBIOS or DNS name of the target domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller, and then click Next.

    Managed Service Account Selection Option

    Click Select managed service accounts from domain to migrate managed service accounts from the domain by using either the object selection dialog box or an include file. This option is best if you want to migrate all managed service accounts from the source domain.

    Or

    Click Provide computers to be queried for any installed managed service accounts and then click Next. On the Managed Service Account Selection page, click Add to select the computer accounts in the source domain that you want to query for managed service accounts, click OK, and then click Next. This option is preferred if you want to migrate only managed service accounts that are installed on specific computers. Each computer that you provide may have multiple managed service accounts installed.

    You can choose a combination of these options by proceeding back and forth within the wizard. For example, you can provide computers to be queried and add the managed service accounts that are installed on those computers to the list of accounts to be migrated. Then you can click Back in the wizard to return to this page and select additional managed service accounts from the domain or from an include file.

    Managed Service Account Selection Option

    This page appears only if you select managed service accounts from the domain.

    Click Select managed service accounts from domain, and then click Next. On the Managed Service Account Selection page, click Add to select the accounts in the source domain that you want to migrate, click OK, and then click Next.

    Or

    Click Read objects from an include file, and then click Next. Type the location of the include file, and then click Next.

    Organizational Unit Selection

    Click Browse to specify a location for the migrated accounts and then click Next.

    Managed Service Account Options

    Select the Update account rights check box.

    Select the Fix accounts’ group memberships check box.

    If the account is being migrated to a different forest, select the Migrate account SIDs to the target domain check box. This option is not available for an intraforest migration.

    Click Next. Type the user name, password and domain of an account that has administrative credentials in the source domain, and click Next.

    Completing the Managed Service Account Migration Wizard

    Review your selections, and then click Finish.

  4. When the wizard has finished running, click View Log, and then review the migration log for any errors.

  5. Start Active Directory Users and Computers, and then verify that the managed service accounts exist in the appropriate OU in the target domain.

To migrate managed service accounts by using the ADMT command-line option

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. At the command line, type the following command, and then press ENTER:

    ADMT MANAGEDSERVICEACCOUNT /N "<managed service account1_name>" "<managed service account2_name>" /IF:NO /SD:"<source_domain>" /TD:"<target_domain>" /UUR:YES /FGM:YES /MSS:YES

    Where <managed service account1_name> and <managed service account2_name> are the names of managed service accounts in the source domain.

    As an alternative, you can include parameters in an option file that is specified at the command line as follows:

    ADMT MANAGEDSERVICEACCOUNT /N "<managed service account1_name>" "<managed service account2_name>" /O:"<option_file>.txt"

    The following table lists the common parameters that are used for migrating managed service accounts, along with the command-line parameter and option file equivalents.

    Value                              Command-line syntax          Option file syntax

    Interforest migration              /IF:No                       Intraforest=No

    Source domain                      /SD:"source_domain"          SourceDomain="source_domain"

    Target domain                      /TD:"target_domain"          TargetDomain="target_domain"

    Update account rights              /UUR:Yes                     UpdateUserRights=Yes

    Update accounts’ group membership  /FGM:Yes                     FixGroupMembership=Yes

    Migrate account SIDs               /MSS:Yes                     MigrateSIDs=Yes

    Note
    You can migrate SIDs for managed service accounts only between forests. An error is returned if you use the Migrate account SIDs parameter during an intraforest migration.

  3. Review the results that are displayed on the screen for any errors.
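The command-line procedure above is the one you script when there are more than a handful of accounts. The following PowerShell wrapper is an added example, not part of the ADMT documentation: it writes an option file from the parameters in the table, runs admt.exe against a list of account names, turns the interforest/intraforest choice into the correct MigrateSIDs value (so /MSS is never sent during an intraforest migration, where ADMT returns an error), and then checks that each account exists under the target OU. It assumes admt.exe is on the PATH of the ADMT account migration account's session, that the option file accepts the Key=Value lines from the table under a [Migration] section (the section name and the TargetOu key are assumptions, not taken from this page), that a non-zero exit code means failure, and that the ActiveDirectory module is available for the post-check.

```powershell
# Added example (not ADMT's own code): run "admt managedserviceaccount" with an
# option file and verify the accounts landed in the target OU.
#
# Assumptions (not stated on the page): admt.exe on PATH, option file uses a
# [Migration] section and a TargetOu key, non-zero exit code = failure,
# ActiveDirectory module available.
param(
    [Parameter(Mandatory)] [string]   $SourceDomain,
    [Parameter(Mandatory)] [string]   $TargetDomain,
    [Parameter(Mandatory)] [string]   $TargetOu,     # DN of the OU for migrated accounts
    [Parameter(Mandatory)] [string[]] $Accounts,     # MSA names in the source domain
    [switch] $Intraforest
)

Import-Module ActiveDirectory -ErrorAction Stop

# MigrateSIDs is only valid between forests, so derive it from the migration
# type instead of hard-coding /MSS:Yes as in the one-line example.
$optionFile = Join-Path $env:TEMP 'msa-migrate.txt'
$lines = @(
    '[Migration]'                                                   # section name assumed
    "Intraforest=$(if ($Intraforest) { 'Yes' } else { 'No' })"
    "SourceDomain=`"$SourceDomain`""
    "TargetDomain=`"$TargetDomain`""
    "TargetOu=`"$TargetOu`""                                        # key name assumed
    'UpdateUserRights=Yes'
    'FixGroupMembership=Yes'
    "MigrateSIDs=$(if ($Intraforest) { 'No' } else { 'Yes' })"
)
Set-Content -Path $optionFile -Value $lines -Encoding ASCII

# PowerShell passes each array element as its own argument and quotes any
# that contain spaces, matching the /N "name1" "name2" form on the page.
& admt.exe MANAGEDSERVICEACCOUNT /N $Accounts "/O:$optionFile"
if ($LASTEXITCODE -ne 0) {
    throw "ADMT returned exit code $LASTEXITCODE; review the migration log before continuing."
}

# Post-check: every requested account should now exist under the target OU.
$missing = foreach ($name in $Accounts) {
    $found = Get-ADServiceAccount -Server $TargetDomain `
        -Filter "Name -eq '$name'" -SearchBase $TargetOu
    if (-not $found) { $name }
}
if ($missing) {
    Write-Warning ("Not found in {0}: {1}" -f $TargetOu, ($missing -join ', '))
} else {
    Write-Host "All $($Accounts.Count) managed service accounts are present in $TargetOu"
}
```

Always read the migration log as well as the exit code: ADMT can report a completed run while individual accounts were skipped, and the post-check above only confirms that an object with the expected name exists in the target OU, not that rights and group memberships were updated. Run the script as the ADMT account migration account, as step 1 of the procedure requires.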

For managed service accounts that are hosted on member computers in the source domain, include the member computer when you perform the computer migration; the managed service account is then re-installed on the member computer in the target domain after the computer is migrated.