Requirements for Optional Migration Tasks

You can complete the following tasks automatically by running the User Migration Wizard in Test mode and selecting the migrate sIDHistory option. The user account you use to run ADMT must be an Administrator in both the source and the target domains for the automatic configuration to succeed.
- Create a new local group in the source domain that is named %sourcedomain%$$$, where %sourcedomain% is the NetBIOS name of the source domain. This group must have no members.
- Turn on auditing for the success and failure of Audit account management in both domains in the Default Domain Controllers policy.
- Configure the source domain to allow RPC access to the SAM by setting the following registry entry on the PDC Emulator in the source domain to a DWORD value of 1:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\TcpipClientSupport
  You must restart the PDC Emulator after you make this change.
Note: For Windows 2000 domains, the account you use to run ADMTv2 must have domain administrator permissions in both the source and target domains. For Windows Server 2003 target domains, the 'Migrate sIDHistory' task may be delegated. For more information, see Windows Server 2003 Help & Support.
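The three prerequisites above can be configured and checked from a management host. The script below is an added example, not code from the original article or from ADMT itself: it uses the ActiveDirectory PowerShell module (RSAT) and PowerShell remoting to the source PDC Emulator, both of which are assumed to be available, and the domain name is a placeholder. It creates the empty %sourcedomain%$$$ group if it is missing, refuses to continue if the group has members, sets TcpipClientSupport on the PDC Emulator, and reports the account-management audit policy in effect on that domain controller (the policy itself is set in the Default Domain Controllers Policy GPO, and must be checked in the target domain as well).

```powershell
# Added example, not part of the original article: configure and verify the
# sIDHistory prerequisites in the SOURCE domain from a management host with
# the ActiveDirectory module (RSAT). Assumed: you are an administrator in the
# source domain, and PowerShell remoting (WinRM) reaches the source PDC
# Emulator. The default domain name is a placeholder.
#Requires -Modules ActiveDirectory
param(
    [string] $SourceDomain = 'corp.example.local',   # placeholder source domain
    [switch] $RestartPdc                              # restart the PDC Emulator if the registry value was changed
)

$domain    = Get-ADDomain -Identity $SourceDomain
$pdc       = $domain.PDCEmulator
$groupName = $domain.NetBIOSName + '$$$'   # concatenate: inside "..." the token $$ expands to the process ID

# 1. Empty local group <SourceDomainNetBIOS>$$$. The source DC rejects sIDHistory
#    writes if the group is missing or has members.
try   { $group = Get-ADGroup -Identity $groupName -Server $pdc -ErrorAction Stop }
catch { $group = $null }
if (-not $group) {
    New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope DomainLocal `
        -GroupCategory Security -Path $domain.UsersContainer -Server $pdc
    Write-Host "Created $groupName in $($domain.UsersContainer)"
}
$members = @(Get-ADGroupMember -Identity $groupName -Server $pdc)
if ($members.Count -gt 0) {
    throw "$groupName must have no members (found $($members.Count)); remove them before migrating"
}

# 2. TcpipClientSupport = 1 (DWORD) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa on the
#    source PDC Emulator so ADMT can reach the SAM over RPC. Takes effect after a restart.
$changed = Invoke-Command -ComputerName $pdc -ScriptBlock {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $current = (Get-ItemProperty -Path $key -Name TcpipClientSupport -ErrorAction SilentlyContinue).TcpipClientSupport
    if ($current -eq 1) { return $false }
    New-ItemProperty -Path $key -Name TcpipClientSupport -PropertyType DWord -Value 1 -Force | Out-Null
    return $true
}
if ($changed) {
    if ($RestartPdc) { Restart-Computer -ComputerName $pdc -Force }
    else { Write-Warning "TcpipClientSupport set on $pdc; restart the PDC Emulator before migrating sIDHistory" }
}

# 3. Account-management auditing (success and failure) must be on for the domain
#    controllers of BOTH domains. It is set in the Default Domain Controllers Policy GPO,
#    so this only reports what is in effect on the source PDC Emulator; repeat for the target.
Invoke-Command -ComputerName $pdc -ScriptBlock {
    auditpol.exe /get /category:"Account Management"
}
```

Run it once against the source domain; the audit check (step 3) must also be repeated against the target domain's domain controllers, since the article requires auditing in both domains.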
You can turn on interforest password migration by installing a DLL that runs in the context of LSA. Because the DLL runs in this protected context, passwords are shielded from being viewed in cleartext, even by the operating system. The installation of the DLL is protected by a secret key that ADMTv2 creates, and the DLL must be installed by an administrator.
To install the password migration DLL:

1. Log on as an administrator or equivalent to the computer on which ADMTv2 is installed.

2. At a command prompt, run ADMT KEY sourcedomain path [* | password] to create the password export key file (.pes). In this command, sourcedomain is the NetBIOS name of the source domain and path is the file path where the key will be created. The path must be local, but it can point to removable media such as a floppy disk drive, ZIP drive, or writable CD media. If you type the optional password at the end of the command, ADMT protects the .pes file with that password. If you type an asterisk (*) instead, ADMT prompts for a password and does not echo it as it is typed.

3. Move the .pes file you created in step 2 to the designated Password Export Server in the source domain. This can be any domain controller, but make sure it has a fast, reliable link to the computer that is running ADMT.

4. Install the Password Migration DLL on the Password Export Server by running Pwmig.exe. Pwmig.exe is located in the I386\ADMT folder on the Windows Server 2003 installation media, or in the folder to which you downloaded ADMTv2 from the Internet.

5. When you are prompted, specify the path to the .pes file that you created in step 2. This must be a local file path.

6. After the installation completes, restart the server.

7. When you are ready to migrate passwords, set the following registry value to a DWORD value of 1. For maximum security, do not complete this step until you are ready to migrate:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AllowPasswordExport
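The following script is an added example of the Password Export Server side of this procedure; it is not code from the original article or from ADMT. It runs locally on the Password Export Server after Pwmig.exe has been installed and the server restarted (steps 4 to 6). It checks that the .pes path is a local file as steps 2 and 5 require, reads the current AllowPasswordExport state, and enables it only for the migration run. The Disable-PasswordExport function is not a step in the article; it is the counterpart to step 7 that closes the export window again once passwords have been migrated. The key-file path and domain name are placeholders.

```powershell
# Added example, not part of the original article: the AllowPasswordExport
# switch on the Password Export Server (a source-domain DC). Run locally on the
# PES as an administrator after Pwmig.exe has been installed and the server
# restarted. The key-file path and domain name are placeholders.
#
# Step 2 on the ADMT computer (shown for reference; '*' makes ADMT prompt for the
# password without echoing it):
#   admt key CORP C:\Keys\CORP.pes *

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'AllowPasswordExport'

# Steps 2 and 5 require a local path to the .pes file, not a UNC share.
function Test-LocalKeyFile {
    param([string] $Path)
    if ($Path.StartsWith('\\')) { return $false }                      # UNC path, not local
    if (-not [System.IO.Path]::IsPathRooted($Path)) { return $false }  # relative path
    return (Test-Path -LiteralPath $Path -PathType Leaf) -and ($Path -like '*.pes')
}

function Get-PasswordExportState {
    $v = (Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($v -eq 1) { return 'Enabled' }
    return 'Disabled'          # value absent or 0: password export is off
}

function Enable-PasswordExport {
    # Step 7: set the value to 1 only when the migration is about to run.
    New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Warning "$ValueName=1 on $env:COMPUTERNAME; disable it again as soon as the password migration is done"
}

function Disable-PasswordExport {
    # Not a step in the article: the counterpart to step 7 that closes the
    # export window once the migration has finished.
    New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

# Example session: validate the key file, then open the export window only for the migration run.
$keyFile = 'C:\Keys\CORP.pes'     # placeholder; must be a local file on the PES
if (-not (Test-LocalKeyFile -Path $keyFile)) {
    throw "$keyFile is not a local .pes file; copy it to a local drive on the PES first"
}
"Before: $(Get-PasswordExportState)"
Enable-PasswordExport
"During migration: $(Get-PasswordExportState)"
# ... run the ADMT password migration from the ADMT computer now ...
Disable-PasswordExport
"After: $(Get-PasswordExportState)"
```

Keeping AllowPasswordExport at 0 except while a migration run is in progress follows the article's own advice to set it only when you are ready to migrate; the enable/disable pair makes that window explicit and short.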
The Active Directory Migration Tool v2 is included in the I386\Admt folder on the Windows Server 2003 CD.