Translate Security on Member Servers

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

Translate security on member servers to clean up the access control lists (ACLs) of the resources. After objects are migrated to the target domain, resources contain the ACL entries of the source domain objects. Although the security identifier (SID) history provides access to resources during the migration, ACLs should be cleaned up after the migration to contain the new primary SID of the migrated groups. Use the Security Translation Wizard in ADMT to replace the source domain SIDs with the target domain SIDs.

Important

If you migrated managed service accounts between domains within the same forest, run security translation on the member servers in the source domain that have resources that grant permission to the managed service accounts. Managed service accounts that are migrated between domains in the same forest are copied. A new account is created in the target domain and the account properties (excluding SID) are copied from the source domain. Therefore, you need to run security translation. For more information, see Migrating Managed Service Accounts.
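The following PowerShell function is an added example; it is not part of the ADMT documentation or of ADMT itself. It walks a folder tree (or a registry key) on a member server and lists the access control entries whose trustee SID belongs to the source domain, that is, the entries that still depend on SID history and that a Replace translation should rewrite to target-domain SIDs. Run it before translation to see the scope of the cleanup and again afterwards to confirm that no source-domain SIDs remain. The function name, parameter names and the sample domain SID are this example's own choices.

```powershell
# Added example, not part of the ADMT documentation or the ADMT tool itself.
# Audits a file-system or registry tree for ACEs whose trustee SID belongs to the
# source domain, i.e. entries that still depend on SID history and that the
# Security Translation Wizard (Replace mode) should rewrite to target-domain SIDs.
# Function and parameter names are this example's own choices.

function Find-SourceDomainAce {
    [CmdletBinding()]
    param(
        # Root to scan: a folder ('D:\Shares') or a registry key ('HKLM:\SOFTWARE\Contoso').
        [Parameter(Mandatory)] [string] $Path,
        # SID of the source domain, e.g. (Get-ADDomain source.example.com).DomainSID.Value
        [Parameter(Mandatory)] [string] $SourceDomainSid,
        # Inherited ACEs repeat the parent's problem; by default only explicit ACEs are reported.
        [switch] $IncludeInherited,
        # Also report trustees that resolve to no account at all (orphaned SIDs).
        [switch] $IncludeUnresolved
    )

    $domainSid = [System.Security.Principal.SecurityIdentifier] $SourceDomainSid

    # Root item plus everything below it; unreadable branches are skipped, not fatal.
    $items = @(Get-Item -LiteralPath $Path -Force -ErrorAction Stop) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        # PSPath is provider-qualified, so the same code serves FileSystem and Registry.
        $display = $item.PSPath -replace '^.*?::', ''
        try {
            $acl = Get-Acl -LiteralPath $item.PSPath -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL on ${display}: $($_.Exception.Message)"
            continue
        }

        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited -and -not $IncludeInherited) { continue }

            # An unresolvable trustee is already a SecurityIdentifier; a resolvable one is an NTAccount.
            $unresolved = $ace.IdentityReference -is [System.Security.Principal.SecurityIdentifier]
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            } catch {
                Write-Warning "Cannot translate '$($ace.IdentityReference)' on ${display}"
                continue
            }

            # AccountDomainSid is $null for well-known and local SIDs; for domain SIDs it is the domain prefix.
            $fromSource = ($null -ne $sid.AccountDomainSid) -and ($sid.AccountDomainSid -eq $domainSid)
            if (-not ($fromSource -or ($IncludeUnresolved -and $unresolved))) { continue }

            # FileSystemRights or RegistryRights, depending on the provider.
            $rights = if ($ace.PSObject.Properties['FileSystemRights']) { $ace.FileSystemRights } else { $ace.RegistryRights }

            [pscustomobject]@{
                Path      = $display
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid.Value
                Rights    = $rights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
                Reason    = if ($fromSource) { 'SourceDomainSid' } else { 'Unresolved' }
            }
        }
    }
}

# Usage with placeholder values; the SID below is constructed, not a real domain's.
# Find-SourceDomainAce -Path 'D:\Shares\Projects' -SourceDomainSid 'S-1-5-21-1111111111-2222222222-3333333333' |
#     Format-Table Path, Identity, Rights, Type -AutoSize
```

Explicit entries are reported by default because that is where the Security Translation Wizard has to rewrite the ACE; an inherited entry disappears once its parent is translated. An empty result after translation on every server that holds resources for the migrated objects is the condition you want before SID history is retired.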

To translate security on member servers by using the ADMT snap-in

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. Use the Security Translation Wizard by performing the steps in the following table.

    Wizard page: Security Translation Options
    Action: Click Previously migrated objects.

    If you plan to use a SID mapping file, click Other objects specified in a file, and then provide the location of the SID mapping file that you have created.

    Wizard page: Domain Selection
    Action: Under Source, in the Domain drop-down list, type or select the NetBIOS or Domain Name System (DNS) name of the source domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller.

    When you perform an intraforest migration, the domain controller that holds the relative ID (RID) operations master role (also known as flexible single master operations or FSMO) is always used as the source domain controller, regardless of your selection.

    Under Target, in the Domain drop-down list, type or select the NetBIOS or DNS name of the target domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller, and then click Next.

    Wizard page: Computer Selection
    Action: Click Select computers from domain, and then click Next. On the Service Account Selection page, click Add to select the accounts in the source domain that you want to migrate, click OK, and then click Next.

    - or -

    Click Read objects from an include file, and then click Next. Type the location of the include file, and then click Next.

    Wizard page: Translate Objects
    Action: Click File and folders, Shares, Printers, User rights, and Registry.

    Wizard page: Security Translation Options
    Action: Click Replace.

To translate security on member servers by using the ADMT command-line option

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. At the command line, type the following command, and then press ENTER:

    ADMT Security /N "<computer_name1>" "<computer_name2>" /SD:"<source_domain>" /TD:"<target_domain>"

    Where <computer_name1> and <computer_name2> are the names of computers for which you want to translate security.

    As an alternative, you can include parameters in an option file that is specified at the command line, as follows:

    ADMT Security /N "<computer_name1>" "<computer_name2>" /O:"<option_file>.txt"

    The following table lists the common parameters that are used to translate security on member servers, along with the command-line parameter and option file equivalents.

    Parameter: Source domain
    Command-line syntax: /SD:"source_domain"
    Option file syntax: SourceDomain="source_domain"

    Parameter: Target domain
    Command-line syntax: /TD:"target_domain"
    Option file syntax: TargetDomain="target_domain"

  3. Review the results that are displayed on the screen for any errors.

To translate security on member servers by using a script

  • Use the following sample to prepare a script that incorporates ADMT commands and options to translate security on member servers. Copy the script to Notepad, and save the file with a .wsf file name extension in the same folder as the AdmtConstants.vbs file.

    <Job id="TranslatingSecurityOnMemberServersWithinForest">
    <Script language="VBScript" src="AdmtConstants.vbs" />
    <Script language="VBScript">
       Option Explicit

       Dim objMigration
       Dim objSecurityTranslation

       '
       'Create instance of ADMT migration objects.
       '

       Set objMigration = CreateObject("ADMT.Migration")
       Set objSecurityTranslation = objMigration.CreateSecurityTranslation

       '
       'Specify general migration options.
       'Replace "source domain" and "target domain" with the NetBIOS or DNS
       'names of your domains.
       '

       objMigration.IntraForest = True
       objMigration.SourceDomain = "source domain"
       objMigration.TargetDomain = "target domain"
       objMigration.TargetOu = "Computers"

       '
       'Specify security translation specific options.
       'admtTranslateReplace is defined in AdmtConstants.vbs and corresponds
       'to the Replace option in the wizard: source domain SIDs in the ACLs
       'are replaced with target domain SIDs.
       '

       objSecurityTranslation.TranslationOption = admtTranslateReplace
       objSecurityTranslation.TranslateFilesAndFolders = True
       objSecurityTranslation.TranslateLocalGroups = True
       objSecurityTranslation.TranslatePrinters = True
       objSecurityTranslation.TranslateRegistry = True
       objSecurityTranslation.TranslateShares = True
       objSecurityTranslation.TranslateUserProfiles = False
       objSecurityTranslation.TranslateUserRights = True

       '
       'Perform security translation on specified computer objects.
       'admtData (also from AdmtConstants.vbs) indicates that the computer
       'names are supplied directly as an array rather than read from an
       'include file. Replace the placeholder names with your member servers.
       '

       objSecurityTranslation.Translate admtData, _
          Array("computer name1", "computer name2")

       Set objSecurityTranslation = Nothing
       Set objMigration = Nothing
    </Script>
    </Job>