Welcome to the IT Free Training free course on Active Directory. In this video I will be
looking at the Active Directory Migration Tool, otherwise known as ADMT.
Do you remember that email that was forwarded around entitled “How to know you are living
in the 90’s”? One of the lines was: “You know you work in corporate America in the
90s if: You’ve sat at the same desk for 4 years and worked for three different companies.”
It is common in business for companies to change names, to be bought and sold, and to
restructure. The ADMT tool allows you to quickly move and copy objects around Active
Directory to meet the needs of the business.
In this video I will look at using ADMT 3.2 on a Windows Server 2008 R2 member server. It
is important to understand the prerequisites of any software, and in particular ADMT. If
you attempt to install ADMT on an unsupported operating system you may get unexpected results.
Microsoft has released an ADMT migration guide. This document contains all the prerequisites
for ADMT and instructions on how to install it.
ADMT requires SQL Server to provide a database. In this case I will use SQL Express 2008 with
Service Pack 1. If you have a SQL Server on your network, you can use that install
to hold the ADMT database. It is also possible to install ADMT on a Domain
Controller. When we attempted to install it on a Domain Controller we had to implement
a workaround to get ADMT to work correctly. Although it can be done, it is easier to
install ADMT on a member server. In summary, read the ADMT prerequisites carefully.
In some cases you may encounter errors during the install. If this is the case, hopefully Microsoft
has released a workaround to fix these problems. Before I start looking at how to install and
use the ADMT tool, I will first look at some concepts and terminology that you should
be aware of before you start moving objects around Active Directory.
The first term is Inter-Forest Migration. This is when the source domain and target
domain are in different forests. As shown here, the domains IT Free Training and High
Cost Training are separated by a forest trust. The domains could be separated by another
trust type. The important thing to remember is that when the domains are not part of the
same forest the migration is considered to be an Inter-Forest Migration. To put it another
way, each domain is part of a different Active Directory environment and thus has its own Active Directory
schema. The next migration type is Intra-Forest Migration.
This is when the source and target domain are in the same forest. As shown here, secure.ITFreeTraining.local
is a child domain of ITFreeTraining.local. In this case, migrations between these
two domains would be considered intra-forest migrations. The easy way to remember is: if
both domains share the same schema they are Intra-Forest; if they do not, they are Inter-Forest.
The next concept I want to look at is SID History. To understand SID History it helps
to look at the process of migrating a user from the source domain to the target domain.
As you can see here, the user exists in the source domain and the administrator wants
to move that user to the target domain. In order to migrate the user to the target domain,
a new user needs to be created in the target domain with the same username. You can see
here that when the new user is created in the target domain, the new user is given a
new SID for the target domain. What this means is that the new user in the target domain
will not be able to access any resources in the old domain. As shown here, the new user
in the target domain will not be able to access a file share in the old domain. This is because
the file share permissions were set using the SID of the old user account. Essentially,
Active Directory sees the user in the target domain as a completely new user and does
not recognize any of the permissions that user was given before.
To get around this you could simply change the permissions on the file share, giving the new
user in the target domain access. Consider, though, that in most migrations you want to
remove the old domain once it is no longer required. The administrator simply wants to
allow the user to access resources in the old domain until those resources can be moved
out of that domain and the domain is eventually decommissioned. This may not always be the
case; sometimes the user may be moved from a different domain due to job changes.
Whichever is the case, the migration should not involve having to change a lot of permissions
or groups in order to maintain the level of access the user had in the old domain.
To get around this problem, a migration can make use of SID History. SID History keeps
a record of the SIDs that were associated with that user in the old domain. In this
example, when the new user is created, the SID for that user in the source domain is
copied into the SID History of the new user. When the user logs into the new domain using
the new user account, a security token is created for that user. This security token contains
the new user's SID and also the SIDs in SID History. This essentially means that the security
token can be used to access resources in the new domain and any resources in the old domain.
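As an added example (not part of the video and not ADMT's own tooling), the PowerShell below lists every user in the target domain that carries SID history and shows which domain issued each historical SID. After a migration, the only domain SIDs you expect to find there are those of the source domain(s) you migrated from, so the report is a quick way to confirm the migration wrote what you intended and to surface entries nobody can account for. It assumes the ActiveDirectory module (RSAT) is installed, that the source domain can be queried over the trust, and that the domain names are placeholders for your own.

```powershell
# Added example, not from the video: audit sIDHistory in the target domain.
# Assumes the ActiveDirectory module (RSAT) and that both domains are reachable.
Import-Module ActiveDirectory

$TargetDomain          = 'itfreetraining.local'        # placeholder target domain
$ExpectedSourceDomains = @('highcosttraining.local')   # placeholder source domain(s)

# Resolve each expected source domain to its domain SID (S-1-5-21-...).
$expectedDomainSids = foreach ($d in $ExpectedSourceDomains) {
    (Get-ADDomain -Server $d).DomainSID.Value
}

# Only users whose sIDHistory attribute is populated.
$report = Get-ADUser -Server $TargetDomain -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
    ForEach-Object {
        $user = $_
        foreach ($sid in $user.sIDHistory) {
            # AccountDomainSid drops the trailing RID, leaving the issuing domain's SID.
            # It is $null for SIDs that are not account SIDs (e.g. well-known SIDs).
            $fromDomain = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { 'n/a' }
            [pscustomobject]@{
                User       = $user.SamAccountName
                HistorySid = $sid.Value
                FromDomain = $fromDomain
                Expected   = ($expectedDomainSids -contains $fromDomain)
            }
        }
    }

# Unexpected entries sort first, so anything that needs explaining is at the top.
$report | Sort-Object Expected, User | Format-Table -AutoSize
```

Run it from the member server after each migration batch; any row with Expected set to False is a SID history entry from a domain you did not migrate from and should be explained before the source domain is decommissioned.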
Now that all the theory is out of the way, I will now change to my Windows Server 2008
R2 member server to look at how to install and use ADMT.
I do not have any SQL Servers installed on this network, so the first thing that I need
to do is download SQL Express with Service Pack 1. To find the download page I will perform
a search in Google. SQL Express is a free, standalone, cut-down version of SQL Server.
SQL Express provides basic database functions for applications but does not offer many of the features
that the commercial SQL Server offers. In the case of ADMT, I only need a database to
store migration information, so SQL Express will work well for this.
The first result is SQL Server 2008 R2 with service pack 1. Even though this server is
running Windows Server 2008 R2 the SQL express server that I will download is SQL server
2008 with service pack 1. This will allow me to demonstrate a work around that can be
used to get this version to work with Windows Server 2008 R2.
I will now perform a Google search for ADMT. The first result is ADMT 3.2 which is the
version that I am going to install. Notice down in the list is the ADMT guide. This is
a guide on how to use ADMT to migrate objects between different domains. It is a very detailed
document supplied by Microsoft to assist you with your migrations so it is worth downloading.
The ADMT guide, SQL Express and ADMT 3.2, which have just been downloaded, will all be
saved to the desktop. I will install SQL Express first, as ADMT will not install unless
it has a SQL database to use. Since this version of SQL Express was not
designed for Windows Server 2008 R2 you may get some errors like this one. When setup
runs, it decompresses the files to the C drive and will have issues reading them. To get
around this, I will open Windows Explorer and copy the decompressed setup files to the
desktop. When I press OK on the error message the temporary files will be removed. You
can also extract the install files using decompression software.
If I now run setup from the desktop using the decompressed files, this time it will
launch without any issues. To start the install, I will select install from the left and then
select the option new SQL Server stand-alone installation or add features to an existing
installation. The first screen will check for any problems
that may prevent SQL Express from installing correctly. Once past this screen SQL Express
will go to the product key screen. Since this is the free version I do not need to enter
in a product key and I can press next. The next screen will ask to accept the license
which I will do, following that, setup will ask which features to install. As there is
only one option I will press install. Setup will now install SQL express. Once the
install has been completed, some configuration needs to be done. The first screen will run
a number of tests to confirm that other components required by SQL Express are setup correctly.
In this case, setup has detected that the Windows Firewall is not set up correctly.
I will only be using ADMT on the local computer and not over the network,
so the firewall does not need to be reconfigured.
The next screen will ask which features need to be installed. In this case I only need
basic database support so I only need to select the first option Database Engine Services.
The next screen determines the instance configuration which is used to identify this install of
SQL Express. In this case I can accept the default and move on.
On the next screen I need to configure a service account for SQL Express to use. Since I am
only using this database locally I will choose the option to run the SQL database engine
using the system account. The next screen will ask for a user to be
added that will be responsible for administration of the SQL install. In this case I will add
the current user and move on. The next screen asks for usage and reporting, I will skip
this screen and move on. The next few screens will confirm the options that
have just been chosen and install the files required for SQL Express. Once the installation
is complete, I can make my way to the end of the wizard and close setup.
Now that SQL Express is installed, I will run the setup for ADMT. Once I am past
the welcome, license and customer experience screens I will be asked to enter the database
that ADMT will use. In this case I will enter .\SqlExpress to indicate the local SQL
Express install. ADMT will now be installed. Setup will give
you the option to import data from an existing ADMT database. In this case the ADMT install
is a fresh install so I will not import anything. Once I finish the wizard I will be able
to run the Active Directory Migration Tool from Administrative Tools under the Start
menu. In this example, I will import some users
from the High Cost Training domain. The IT Free Training domain and High Cost Training
domain are separated by a forest trust and thus are completely different Active Directory
deployments. You could also use the ADMT tool to move users around domains in the same forest.
To start the migration, right click Active Directory migration tool and select the option
User Account Migration Wizard. You will notice there are also wizards available for migration
for groups, computers and other Active Directory objects.
Once past the welcome screen, enter the source and target domain. In this case the
source domain will be High Cost Training and the target domain will be IT Free Training.
This means that users from the High Cost Training domain will be migrated to the IT Free Training
domain. On the next screen you have the option to
select which users you want to migrate. When you are migrating hundreds of users, it is
worth your time to look into the second option Read objects from an include file. This option
will read the users that need to be imported from a file rather than the administrator
having to manually select which users are to be migrated.
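The include file option is the one you want for a large batch, and the file is easy to generate rather than type. The PowerShell below is an added example (not from the video) that pulls the enabled user accounts out of one OU in the source domain and writes them as an include file on the desktop. It uses the single-column form, one source sAMAccountName per line with no header, as I read the ADMT guide; check the guide before relying on it, since the guide also documents a multi-column form for renaming objects during migration. The domain, OU and output path are placeholders, and the ActiveDirectory module (RSAT) is assumed.

```powershell
# Added example, not from the video: build an ADMT include file from a source OU.
# Assumes the ActiveDirectory module, read access to the source domain over the
# trust, and placeholder names for the domain, OU and output path.
Import-Module ActiveDirectory

$SourceDomain = 'highcosttraining.local'                 # placeholder source domain
$SourceOU     = 'OU=Sales,DC=highcosttraining,DC=local'  # placeholder OU to migrate
$IncludeFile  = Join-Path $env:USERPROFILE 'Desktop\admt-include.txt'

# Pick only enabled user accounts; disabled ones can be reviewed separately
# instead of being migrated blindly along with the rest of the OU.
$users = @(Get-ADUser -Server $SourceDomain -SearchBase $SourceOU `
                      -Filter 'Enabled -eq $true' |
           Sort-Object SamAccountName)

# One source sAMAccountName per line, ASCII, no header: the simplest include-file
# form. See the ADMT guide for the multi-column form used to rename objects.
$users.SamAccountName | Set-Content -Path $IncludeFile -Encoding ASCII

Write-Host ("Wrote {0} user(s) to {1}" -f $users.Count, $IncludeFile)
```

Review the generated list before pointing the wizard at it; the file is the complete scope of the migration, so a stale OU or a service account sitting in the wrong container will be migrated along with everyone else.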
Once on the next screen of the wizard I can choose which users I want to migrate.
In this case I will migrate the users John Doe and John Brown. Once you have selected
the users that you want to migrate, the next screen of the wizard will ask which organizational
unit these migrated users will be put into. Once you have selected the OU the users will
be put into, the next screen will ask what type of passwords will be used. The default
option will generate complex passwords for the users.
The next option, migrate passwords, requires Password Export Server to be installed on
the Domain Controller that you are migrating the users from. If you are going to use this
option, ensure the version of ADMT that you install supports the version of Password Export
Server that has been installed on that Domain Controller. If you do decide to migrate passwords,
remember that even if the passwords from the other domain do not meet the password requirements of
the new domain they will still be migrated. When the password expires in the new domain,
the user will be forced to choose a password that meets the new domain's password complexity
requirements. It is up to you to decide if this is a security risk.
The location where new passwords are stored is now visible at the bottom of the screen.
If you decide to use complex passwords, this file contains the new password for each user.
You need to read this file to obtain the password and pass it on to the user.
On the next screen you will need to configure the status of the account that will be created
after it is migrated. The default is - same as source. This means that if the account
was disabled it will be disabled when it is migrated. If the account was enabled, it will
also be enabled in the new domain after migration. You also have the option to choose if you
want the accounts to be disabled or enabled after the migration.
This screen also gives you the option of what should happen in the source domain. If you do not want the
user to log in to the old domain after the user account has been moved, tick the option
- disable source accounts. This option is useful during migration. It also enables you
to expire the account after a certain number of days. This allows the user to log back
into the old domain if there is a problem but prevents them from using their user account
in the old domain indefinitely. The option at the bottom - migrate user SIDs
to target domain - should be selected when a user is still using resources in the old
domain after a migration. This will store the user's previous SIDs in the new user
account's SID history. When accessing resources, Windows is now able to work out that the new account
is the same person as the old account using the user's SID history.
The next screen of the wizard allows you to configure options on how the user is migrated.
The option Translate Roaming Profiles means that if a roaming profile is used in the other
domain, this roaming profile will be copied to the new domain.
The next option, Update user rights, will attempt to configure the user with the same
user rights that they had in the previous domain.
The following option, Migrate Associated User Groups, allows you to migrate any user groups
that are missing and required in the new domain. To have a smoother migration, an administrator
will normally migrate user groups first using the group migration wizard. This allows
them to correct any issues beforehand. Remember that different groups have different
scopes, so this could affect whether the migration succeeds.
The last option, fix users group memberships, will attempt to make the user members of the
same groups that they were a member of in the old domain. To do this, ADMT will look
for groups of the same name in the target domain.
The next screen of the wizard will ask if any particular properties of a user are
not to be migrated. You can see there are a lot of options here. For example, if the
users are being moved from one office to another, you may decide not to migrate information
about the location of the user such as their office and company address, since this will
now be incorrect. The next screen asks what to do if there is
a conflict. On large networks there is a good chance that two users will have the same user
name. The default option is to not migrate the object when there is a conflict. The second
option gives you several different choices for when the user already exists
in the target domain. That’s it for all the options. Once the
wizard is complete you will find that all the users have been migrated. To ensure that
all users have been migrated correctly, select the button at the bottom, view log. This will
open the log file showing how the migration went and which options were used, and at the bottom
you can see that the two users that I selected have been migrated correctly.
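The log tells you what ADMT did; it is still worth checking the directory itself. The PowerShell below is an added example (not from the video and not part of ADMT) that verifies a batch of migrated users against both domains: for each account it confirms the target copy exists, compares the enabled state with the source (what the default "same as source" option should produce), checks that the source account's SID was written into the target account's sIDHistory (the "migrate user SIDs" option), and lists groups the user held in the source that have no same-named membership in the target (what "fix users group memberships" is meant to reproduce). It assumes the ActiveDirectory module (RSAT), that both domains are reachable over the trust, and that the domain names and user list are placeholders.

```powershell
# Added example, not from the video: verify migrated users after the wizard.
# Assumes the ActiveDirectory module, both domains reachable over the trust, and
# placeholder domain names and a constructed list of migrated sAMAccountNames.
Import-Module ActiveDirectory

$SourceDomain = 'highcosttraining.local'   # placeholder source domain
$TargetDomain = 'itfreetraining.local'     # placeholder target domain
$Migrated     = @('jdoe', 'jbrown')        # constructed list of migrated accounts

# First RDN value of a distinguished name, e.g. 'CN=Sales Staff,OU=...' -> 'Sales Staff'.
function Get-RdnValue([string]$dn) {
    return ($dn -split ',(?=\w+=)')[0] -replace '^\w+='
}

foreach ($name in $Migrated) {
    $src = Get-ADUser -Server $SourceDomain -Identity $name -Properties MemberOf -ErrorAction SilentlyContinue
    $tgt = Get-ADUser -Server $TargetDomain -Identity $name -Properties sIDHistory, MemberOf -ErrorAction SilentlyContinue

    if (-not $tgt) { Write-Warning "$name was not created in $TargetDomain"; continue }
    if (-not $src) { Write-Warning "$name no longer exists in $SourceDomain; cannot compare"; continue }

    # The source account's SID should now be one of the target account's sIDHistory values.
    $sidCopied = @($tgt.sIDHistory | Where-Object { $_.Value -eq $src.SID.Value }).Count -gt 0

    # Compare group membership by group name, which is how the wizard's
    # "fix users group memberships" option matches groups across the two domains.
    $srcGroups = @($src.MemberOf | ForEach-Object { Get-RdnValue $_ })
    $tgtGroups = @($tgt.MemberOf | ForEach-Object { Get-RdnValue $_ })
    $missing   = $srcGroups | Where-Object { $tgtGroups -notcontains $_ }

    [pscustomobject]@{
        User          = $name
        TargetEnabled = $tgt.Enabled
        EnabledMatch  = ($src.Enabled -eq $tgt.Enabled)
        SidHistoryOK  = $sidCopied
        MissingGroups = ($missing -join '; ')
    }
}
```

EnabledMatch is only meaningful if you left the source accounts alone; if you ticked "disable source accounts" the source side was changed after the copy, so a False there is expected and TargetEnabled is the value to look at. A non-empty MissingGroups column usually means the group was never migrated with the group migration wizard, which is why the video recommends migrating groups first.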
This covers the basics of the Active Directory Migration Tool. For the Active Directory exam
you will only require a basic understanding on how to use the ADMT tool. Thanks for watching
another free video from IT Free Training. See you next time.