Microsoft has made available the Active DirectoryTM Migration Tool (ADMT) which
provides an easy, secure, and fast way to migrate from Windows NTR to the
WindowsR 2000 Server Active Directory service. You can also use ADMT to
restructure your Windows 2000 Active Directory domains. This tool can help a
system administrator diagnose any possible problems before starting migration
operations. The task-based wizards will then allow you to migrate users, groups,
and computers; set correct file permissions; and migrate Microsoft Exchange
Server mailboxes. The tool’s reporting feature allows you to assess the impact
of the migration, both before and after move operations.
In many cases, if there is a problem you can use the rollback feature to
automatically restore previous structures. The tool also provides support for
parallel domains, so you can maintain your existing Microsoft Windows NT 4.0
operating system domains while you deploy the Microsoft Windows 2000 operating
system.
ADMT provides an effective tool that simplifies the process of migrating
users, computers, and groups to new domains. At the same time, ADMT is designed
to be flexible so that each organization can use it to implement a migration
process that is adapted to its needs. This powerful tool lets you accomplish the
following:
ADMT features let you manage domain migration efficiently and fine-tune the
results to suit their requirements.
No need to manually load software onto all those computers. When using ADMT
to migrate users and groups, you install the ADMT tool, typically in the target
domain into which security principals or resources are being migrated. Beyond
that, ADMT requires no additional software installation on the computers in the
source domain from which security principals or resources are being migrated.
When migrating computers or translating security on resources, ADMT
automatically installs services (called agents) on the source computers. This
means you do not need to manually load software onto each source computer to
perform the migration. Once the agent’s task is completed, it uninstalls itself.
Wizards make it easy. ADMT lets you use a series of wizards, including the
User Migration wizard, Computer
Migration wizard, Group Migration wizard, Service Account Migration wizard, Trust
Migration wizard, and Reporting wizard to
simplify various parts of the migration process.
Select the appropriate options among the many provided by the various wizards
when performing a migration. For example, you can choose to copy users rights
assigned in the source domain to the target domain; you can copy groups along
with their members to the target domain; you can leave user accounts active in
both the source and target domains; you can copy roaming profiles to the target
domain for selected user accounts; and so on.
Restructure groups. Optionally, before migrating groups you can run the Group Mapping and Merging Wizard to map a group in the source
domain to a new or existing group in the target domain. This mapping ensures
that, when the group’s members are migrated from the source domain into the
target domain, group memberships will reflect the mapping. You can also merge
multiple groups into one group.
Trial run. By selecting the Test the migration settings and
migrate later option, you can run a wizard without actually making any
changes in your network. Review the log files and reports generated by the
wizards to identify and troubleshoot any potential problems before performing
the actual migration.
Undo. You can undo the most recently performed user, group, or computer
migration. Users maintain access to resources. During user and group migration,
ADMT lets users retain their premigration access to resources such as files,
shares, and applications through its sIDHistory feature
or by updating those resources to refer to the migrated user. This capability
keeps your security structure (the granting and denying of access to resources)
intact but conveniently brings it into the new domain.
Users retain access to Exchange resources. If you need to update security
permissions on Exchange mailboxes to reflect the migration, ADMT can also handle
that.
Service accounts migrate too. ADMT also migrates service accounts. Many
applications, such as Microsoft Exchange, use service accounts to run services
with the same set of credentials on several network computers. Putting objects
into OUs. In addition to consolidating Windows NT resource domains into Active
Directory OUs, ADMT also lets you migrate selected users, groups, or computers
to OUs in the target domain. Then, you can use Windows 2000 features to manage
these OUs-for example, you can establish group policy configuration settings for
a group of computers collected in a given OU. Handling trust relationships. A
trust relationship connects two domains and lets users in the trusted domain
access resources in the trusting domain. To maintain resource access during
migration, the same trust relationships must be established in the target domain
as exist in the source domain. The Trust Migration wizard does this for you-it
compares the trust relationships in the source domain to the trust relationships
in the target domain, and then creates in the target domain any trust
relationships that exist in the source domain. Making use of the new universal
group scope. In intra-forest migration (that is, when performing a migration
between Windows 2000 domains in the same forest), when global groups are
migrated from a native-mode source domain, the groups are created as universal
groups in the target domain so that they can contain members from the source
domain that have not yet been migrated.Global groups can contain only members
from their own domain; universal groups can have members from any Windows 2000
domain in the forest.
ADMT System Requirements
Target domain. For target domains, ADMT can run on
any computer capable of running the Windows 2000 Server operating system.
Source domain. The source domain must be running
either Windows 2000 or Windows NT 4.0.
The primary domain controller (PDC)
of a Windows NT 4.0 source domain must have SP4 or higher installed. The ADMT
agent (installed by ADMT on the source computers) can operate on computers
running Windows NT 3.51 (with SP5); Windows NT 4.0 (with SP4 or higher); or
Windows 2000.
To download: Windows 2000 Active Directory Migration Tool
Related tips:
- ClonePrincipal and ADMT Require Uplevel Trust to Migrate Objects
Between Windows 2000 Domains
- Support WebCast: Domain Migration Using the Microsoft Active
Directory Migration Tool
1 hr 11 minutes
- You Cannot Update the SID History for Group with the Active
Directory Migration Tool
- Windows 2000 Directory Interoperability & Migration Solution
Matrix
- Best Practice Active Directory Deployment for Managing Windows
Networks
- Domain Names with All Capital Letters Prevent ADMT User Migration
- Objects from Active Directory Are Ignored When Running the Active
Directory Management Agent
- Cannot Delete Cloned User Accounts that Include Security
Identifier History from Local Groups
- Domain Migration Cookbook – Chapter 4: Restructuring Tools
- Domain Migration Cookbook – Chapter 7: The Desired Structure and
Migration Goals
- Domain Migration Cookbook – Chapter 9: Migration of a Windows NT
4.0 Account Domain to Active Directory
- Domain Migration Cookbook – Chapter 11: Intraforest Migration
- Chapter 6: Domain Migration and Consolidation
- How to Set Up ADMT for Windows NT 4.0 to Windows 2000 Migration
- XADM: Service Account Admin Password Must Be Reset After Migration
to Windows 2000
- ADMT Does Not Migrate the Exchange System Attendant Service
- How to Deploy Active Directory
- Chapter 6 – Domain Migration and Consolidation
- Optimizing Active Directory Topology for Group Policy
