ADMT3.0 Interforest Migration Process


  • I have been reading the forums and the ADMT guide and just wanted to verify that my steps are correct for Interforest migration. Also have some questions on what some steps are.

    • I created a two-way trust between my new domain/forest and my old domain.  The trust works.
    • Do I have to disable SID Filtering???  Won't it transfer the SID automatically?
    • Service accounts get migrated next.  Are service accounts only on Member Servers and Domain Controllers?
    • Then comes migrating groups.  Do you migrate the users that are in the groups at this time or do you just do the groups themselves?
    • Then comes migrating the users. 
    • Then you migrate the desktop computers and such
    • Then you migrate the member servers
    • Then you finally migrate the domain controller.  It is demoted before migration.

    What exactly is security translation used for and when is it done.  Which step?

    I saw something about remigration.  Is this only if you make changes to your source domain?  If I don't make any changes to groups or users, then would I have to do a remigration?

    Thanks for any information.  This site has been a huge help for helping me.

    Thursday, July 7, 2011 7:16 PM

All replies

  • >> Do I have to disable SID Filtering??? Wont it transfer the SID automatically?

    SID Filtering and SID migration are 2 different components. You need to disable SID filtering if you are planning to access source resources using SidHistory (Source ObjectSID).

    >> Service accounts get migrated next. Are service accounts only on Member Servers and Domain Controllers?

    Domain service accounts are in AD.

    >> Then comes migrating groups. Do you migrate the users that are in the groups at this time or do you just do the groups themselves?

    It is up to you.  Technically it doesn’t matter.  Make sure group memberships are updating properly.  I recommend migrating the groups first, then users.

    >> What exactly is security translation used for and when is it done. Which step?

    Security Translation performs the Re-ACL process.  Perform this step before the computer migration.

    >> I saw something about remigration

    What do you mean by “remigration”?

    Also, here are some of my notes on ADMT migration process:

    http://www.sivarajan.com/admt.html


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
    This posting is provided AS IS with no warranties,and confers no rights.
    Friday, July 8, 2011 12:37 AM
  • SID filtering needs to be disabled, and SID transfer (SIDHistory) needs to be selected to maintain access to resources in the old forest post-migration; when it has been completed you can clean up the SIDHistory.

    Service accounts which are from the domain can be migrated too.

    It is recommended that you migrate users & groups at the same time.

    Best Practices for Performing User and Group Account Migrations

    http://technet.microsoft.com/en-us/library/cc974427%28WS.10%29.aspx

    http://technet.microsoft.com/en-us/library/cc974412%28WS.10%29.aspx

    For computer migration, make sure the account used is part of all the member computers in the domain, and that the admin$ share is accessible.

    Migration of Workstations and Member Servers

    http://technet.microsoft.com/en-us/library/cc755496%28WS.10%29.aspx

    Security translation is reapplying the security permissions from the old domain to the new domain by adding SIDs.

    You can refer to the link below along with Santhosh's.

    Intraforest & Interforest Migration

    http://awinish.wordpress.com/2010/12/24/intraforest-interforest-migration/


    FYI, the best practice for migration is installing the ADMT tool in the target domain.

    Regards

    MVP-Directory Services

    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Friday, July 8, 2011 10:57 AM
  • Thanks for all the information.  I really do appreciate it.
    Friday, July 8, 2011 1:02 PM
  • Test everything in a lab environment first.  Then you will get a clear understanding of the process.


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX
    Friday, July 8, 2011 2:25 PM
  • I did a test move of a group and one user.  The user had read/write access to a folder on the old domain.  I moved the user and below is a copy of the log.  It appears everything migrated fine.  I did not migrate the computer yet though.

    When I logged on the computer, that is still in the old domain, with the user that I just migrated, the desktop did not copy over.  When I went to the folder location on the old domain that this user had full access to, I now have only read access and I do not see where this user has been given the rights to the folder.  So I am assuming the SID transferred because I can get into the folder.  What step am I missing?

    Here is the log.

    Intra-Forest: No
    Migrate Security Identifiers: Yes
    Update Rights: Yes
    Fix group membership: Yes
    Conflict Option: Ignore
    Migrate members: Yes
    Password Option: Generate passwords, only for new objects = No
    Password File:   'C:\WINDOWS\ADMT\Logs\passwords.txt'
    Translate Roaming Profiles: No
    Source Disable Option: Leave source account
    Source Expiration: Do not expire source account
    Target Disable Option: Set target same as source

    [Object Migration Section]
    2011-07-08 10:30:14 Starting Account Replicator.
    2011-07-08 10:30:15 CN=move 2. plews     - Created
    2011-07-08 10:30:15 SID for PLEWSUS\moveplews added to the SID History of PLEWS\moveplews
    2011-07-08 10:30:17 WRN1:7561 ADMT could not migrate some properties for this object type (user) due to schema mismatches.  Please refer to the Schema Section in the migration log for a complete listing.  The Schema Section will be available once object migration is complete.
    2011-07-08 10:30:20 WRN1:7857 Could not copy following properties for 'CN=move 2. plews'.
    2011-07-08 10:30:20  showInAddressBook = CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ideal,DC=us,DC=com, ...  A constraint violation occurred.
    2011-07-08 10:30:42   CN=move 2. plews     - Strong password generated.
    2011-07-08 10:30:42 CN=tstmoveplews      - Created
    2011-07-08 10:30:42 SID for PLEWSUS\tstmoveplews added to the SID History of PLEWS\tstmoveplews
    2011-07-08 10:30:44 WRN1:7561 ADMT could not migrate some properties for this object type (group) due to schema mismatches.  Please refer to the Schema Section in the migration log for a complete listing.  The Schema Section will be available once object migration is complete.
    2011-07-08 10:31:07 Processing group membership for CN=tstmoveplews.
    2011-07-08 10:31:07 LDAP://ordtmpdc1.plews.local/CN=move 2. plews,OU=IT,DC=plews,DC=local added.
    2011-07-08 10:31:07 Updated user rights for CN=move 2. plews
    2011-07-08 10:31:07 Updated user rights for CN=tstmoveplews
    2011-07-08 10:31:07 Operation completed.


    Friday, July 8, 2011 3:52 PM
  • >> When I logged on the computer, that is still in the old domain, with the user that I just migrated, the desktop did not copy over.

    Did you perform Security Translation? This process will migrate the user profile.

    >> I now have only read access and I do not see where this user has been given the rights to the folder. So I am assuming the SID transferred because I can get into the folder. What step am I missing?

    Did you verify SIDhistory on the migrated account?


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX
    Friday, July 8, 2011 4:20 PM
  • Quick question, how do I verify SIDHistory?

    I did not do the security translation on the user's PC.  I did go back and try it but I received errors.  I do believe I have figured out another issue I am going to have.  My PC in question is a Windows 7 PC.  I don't believe ADMT can do translation on a Windows 7 machine.

    Here is the log from when I tried to translate security.

    Translate Option: Replace
    Translate Files:         No
    Translate Local Groups:  No
    Translate Printers:      No
    Translate Registry:      No
    Translate Rights:        No
    Translate Shares:        No
    Translate User Profiles: Yes
    Perform Pre-check Only: No

    [Agent Dispatch Section]
    2011-07-08 12:22:47 Read 3 accounts from the database that were previously migrated from the domain 'plewsus.net' to the domain 'plews.local'.
    2011-07-08 12:22:48 Created account input file for remote agents: Accounts000005.txt
    2011-07-08 12:22:49 Installing agent on 1 servers
    2011-07-08 12:22:49 The Active Directory Migration Tool Agent will be installed on TESTMOVE.plewsus.net
    2011-07-08 12:22:55 WRN1:7289 Processor architecture for machine \\TESTMOVE.plewsus.net is unknown, Error accessing registry rc=53   The network path was not found.
    2011-07-08 12:22:55 ERR2:7006 Failed to install agent on \\TESTMOVE.plewsus.net, rc=53   The network path was not found.
    2011-07-08 12:22:55 ERR2:7666 Unable to access server service on the machine 'TESTMOVE.plewsus.net'.  Make sure netlogon and workstation services are running and you can authenticate yourself to the machine.  hr=0x80070005. Access is denied.

    Friday, July 8, 2011 5:27 PM
  • You can use ADSIedit, then go to the properties of the migrated user.

    Or you can use DSQUERY command:

    http://portal.sivarajan.com/2011/03/verify-sidhistory-and-identify-source.html

    What version of ADMT are you using? ADMT 3.2 supports Windows 7 machines.

    http://portal.sivarajan.com/2010/12/active-directory-migration-tool-admt.html

    Since you are testing, let's select “YES” for all translation options.  You can change these options based on your requirements later.  But you need to select registry, rights etc.  Also, select the “Add” option instead of “Replace”.

    Your error message is “2011-07-08 12:22:55 ERR2:7006 Failed to install agent on \\TESTMOVE.plewsus.net, rc=53 The network path was not found.”

    Can you access this workstation from ADMT server using the ADMT service account?   Verify all items listed in my following blog:

    http://www.sivarajan.com/cm.html


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX
    Friday, July 8, 2011 6:07 PM
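    As an added illustration of the SIDHistory check recommended above (this is not code from the thread or from Santhosh's blog), the PowerShell below reads sIDHistory from the migrated account in the target domain and resolves each historical SID against the source domain, which is the same chain the dsquery/LDAP method follows. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later), a working trust, and that the source DC name is a placeholder; `ordtmpdc1.plews.local` and `moveplews` are taken from the log posted earlier.

```powershell
# Added example: confirm a migrated account carries sIDHistory and map each
# historical SID back to the object it came from in the source domain.
# Assumptions: ActiveDirectory module available, trust in place, names below are
# placeholders except those copied from the migration log in this thread.
Import-Module ActiveDirectory

function Test-MigratedSidHistory {
    param(
        [Parameter(Mandatory)] [string]$TargetSam,     # sAMAccountName in the target domain
        [Parameter(Mandatory)] [string]$TargetServer,  # a target-domain DC
        [Parameter(Mandatory)] [string]$SourceServer   # a source-domain DC (placeholder)
    )
    $user = Get-ADUser -Identity $TargetSam -Server $TargetServer -Properties sIDHistory, objectSid

    if (-not $user.sIDHistory -or $user.sIDHistory.Count -eq 0) {
        # No history: "Migrate Security Identifiers" was not selected or SID migration failed,
        # so access to old-domain resources via the source SID cannot work.
        Write-Warning "$TargetSam has no sIDHistory."
        return @()
    }

    foreach ($sid in $user.sIDHistory) {
        # A hit in the source domain proves the target account -> source account chain.
        $src = Get-ADObject -Server $SourceServer `
                            -Filter "objectSid -eq '$($sid.Value)'" `
                            -Properties sAMAccountName
        [pscustomobject]@{
            TargetAccount = $user.sAMAccountName
            TargetSid     = $user.objectSid.Value
            HistorySid    = $sid.Value
            SourceAccount = if ($src) { $src.sAMAccountName } else { '<not found in source>' }
        }
    }
}

# Target domain plews.local, source domain plewsus.net (source DC name is a placeholder)
Test-MigratedSidHistory -TargetSam 'moveplews' `
                        -TargetServer 'ordtmpdc1.plews.local' `
                        -SourceServer 'SOURCE-DC.plewsus.net' | Format-Table -AutoSize
```

    A populated HistorySid that resolves to the expected source account only helps if SID filtering on the trust is disabled, as noted earlier in the thread; otherwise the old SID is stripped from the token at logon.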
  • Thanks for all this information.

    I am using ADMT3.0 because I have 3 NT4.0 member servers in my old domain.  I was originally going to use ADMT3.2 but unsure if I can manually move the NT4.0 member servers.  I can not upgrade or remove the NT4.0 servers, they are there to stay for now.

    Can I run two different versions of ADMT in my new domain?  Can I run ADMT3.0 on my Windows 2003 DC in my NEW domain so I can migrate the NT4.0 servers?  Then can I also run ADMT3.2 on a Windows 2008R2 member server in my NEW Domain to migrate all other things?

    For my service account I am just using the administrator account in the new domain which I have added to the administrators group in the OLD domain.  Will this work?  I can access the computer but it does ask me for a password.  So it must not have admin rights to the PC.

    Friday, July 8, 2011 6:34 PM
  • >> Can I run two different versions of ADMT in my new domain? Can I run ADMT3.0 on my Windows 2003 DC in my NEW domain so I can migrate the NT4.0 servers? Then can I also run ADMT3.2 on a Windows 2008R2 member server in my NEW Domain to migrate all other things?

    Can you? Technically you can, but it will cause some confusion, because user migration details are in the ADMT database.  Each instance of ADMT has its own database.

    However, if you are really familiar with ADMT and migration process, you can perform security translation using an input file (SID Mapping File) to “bypass” the ADMT database.

    http://portal.sivarajan.com/2011/04/admt-sid-mapping-file-generation-using.html

    I don’t want to confuse you with all these details, but if you really want to do this, test everything in the lab first.

    >>For my service account I am just using the administrator account in the new domain which I have added to the administrators group in the OLD domain. Will this work?

    Account has to be local admin on the workstation not only in the domain.

    >>but it does ask me for a password. So it must not have admin rights to the PC

    That is correct.  Add the service account to the local admin group on the workstation or use GPO to achieve this.


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX
    Friday, July 8, 2011 7:07 PM
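    The agent-push prerequisites discussed in this thread (services running, admin$ share reachable, service account in the workstation's local Administrators group) can be checked from the ADMT server before the next attempt. The PowerShell below is an added example, not code from the thread or from ADMT itself; it assumes it is run while logged on as the ADMT service account, uses `TESTMOVE.plewsus.net` from the error log, and the `PLEWS\admtsvc` account name is a placeholder.

```powershell
# Added example: pre-check one workstation for the conditions the ADMT agent
# install depends on. Names below are placeholders except the workstation from the log.
function Test-AdmtAgentPrereq {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,   # e.g. 'TESTMOVE.plewsus.net'
        [Parameter(Mandatory)] [string]$ServiceAccount  # 'DOMAIN\name' form, placeholder
    )
    $r = [ordered]@{ Computer = $ComputerName }

    # 1. Services the ERR2:7666 message names (plus Server and Remote Registry, which the
    #    agent push and the WRN1:7289 architecture probe rely on).
    foreach ($svc in 'LanmanServer', 'LanmanWorkstation', 'Netlogon', 'RemoteRegistry') {
        $s = Get-Service -ComputerName $ComputerName -Name $svc -ErrorAction SilentlyContinue
        $r["Svc_$svc"] = if ($s) { $s.Status.ToString() } else { 'unreachable' }
    }

    # 2. admin$ reachable with the current credentials (rc=53 "network path not found"
    #    and hr=0x80070005 "Access is denied" both surface here first).
    $r.AdminShare = Test-Path "\\$ComputerName\admin$" -ErrorAction SilentlyContinue

    # 3. Service account is a direct member of the local Administrators group.
    try {
        $grp = [ADSI]"WinNT://$ComputerName/Administrators,group"
        $members = @($grp.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        })
        # ADsPath is 'WinNT://DOMAIN/name'; normalise to 'DOMAIN\name' for comparison
        $norm = $members | ForEach-Object { ($_ -replace '^WinNT://', '') -replace '/', '\' }
        $r.IsLocalAdmin = [bool]($norm -contains $ServiceAccount)
    } catch {
        $r.IsLocalAdmin = "error: $($_.Exception.Message)"
    }

    [pscustomobject]$r
}

Test-AdmtAgentPrereq -ComputerName 'TESTMOVE.plewsus.net' -ServiceAccount 'PLEWS\admtsvc'
```

    The membership check only sees direct members, so an account that is local admin through a nested domain group (for example via the GPO approach mentioned above) reports false even though the agent push would work.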
  • I did the dsquery on the target domain, wrote the number down and then went to the source domain, did the LDAP search and it traced the number back to the account I migrated.  So if I am reading this correctly, the SID History did migrate.

    I think since ADMT3.0 does not support or can not migrate Windows 7 computers, I am going to switch to ADMT3.2 and manually move the NT4.0 servers when the time comes.  How will doing it this way affect any service accounts on the NT4.0 member servers?

    Can I use the ADMT3.0 install right now to see what service accounts are on the NT4.0 member servers now?  This might give me a better idea of what I might be facing if I manually move these servers instead of letting ADMT migrate them.

    Once again thanks for all the help on this.  I believe my site is what you would consider a worst case scenario in a company network.

    Friday, July 8, 2011 7:28 PM
  • Looks like you have migrated SIDHistory successfully.

    That is up to you.  Service accounts are domain accounts, correct?  You can migrate them with any version.  But you might need to manually change them on the server.


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX
    Friday, July 8, 2011 7:40 PM
  • Thanks for being so patient with me on this.  One more question.  Can I load ADMT3.2 on a Windows 2008 R2 member server in my target domain and still have my DC in my target domain only at Windows 2003 Server?

    Friday, July 8, 2011 8:26 PM
  • No problem. You can install ADMT on a Windows 2008 R2 server in a Windows 2003 domain.


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX
    Friday, July 8, 2011 8:51 PM
  • Thanks for all of your help.  I will probably have more questions as I start moving forward with this project.
    Friday, July 8, 2011 8:55 PM
  • No problem. Please let us know.


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX
    Friday, July 8, 2011 8:56 PM