ADMT: Active Directory Domain Migration Tool


Windows Server 2019

ADMT (Active Directory Migration Tool) is a free Microsoft tool that allows the migration of objects (Users, Computers, and Groups) between two Active Directory domains.

ADMT

Some examples of using ADMT:

  • Enterprise merge to consolidate Active Directory.
  • Enterprise split to transfer the Active Directory objects to the new entity.
  • Deleting a child domain.

Prerequisites

  • A server dedicated to ADMT with a SQL Server Express database (version 2008 or later).
  • A trust relationship must be in place between the two domains.
  • Use a user account that is a member of the BUILTIN\Administrators group of both domains.
  • To migrate computers, the target-domain migration account must also be a local administrator of each computer.

The migration account is configured during the first object migration performed between the two domains. In this tutorial, I used the admin account of the destination domain. If you want to dedicate an account to ADMT, it must be a member of the Domain Admins group of the target domain and a member of the BUILTIN\Administrators group of the source domain.

Download the necessary tools:

ADMT installation

Run the executable 1 downloaded previously.

ADMT - Setup

When launching the installation wizard, click Next 1 .

ADMT - Setup wizard

Accept the license agreement by selecting I Agree 1, then click Next 2.

Wizard setup

Select the option that suits you about sending information to Microsoft 1 and click Next 2.

ADMT - Experience Improvement Program

Enter the SQL Server instance information 1 and click Next 2 .

SQL information

Wait during the installation …

wait ...

Choose No, do not import data from an existing database 1 and click Next 2 .

Import old ADMT installation

The installation is complete, close the wizard by clicking on Finish 1 .

ADMT installed

Installation of PES

In order to migrate the passwords between the two forests, we will need to configure and install PES.

On the server where ADMT is installed, create a shared folder that will hold the encryption key used for the passwords.

Shared folder

Open a command prompt as Administrator and enter the following command, adapting it to your situation:

admt key /option:create /sourcedomain:old.lan /keyfile:D:\Passwords\migpwd.pes  /keypassword:password

Check that the migpwd.pes file is present in the output folder.

PES file
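The key file protects every password that PES will later export, so the share that holds it should be readable only by the accounts that need it. The following PowerShell script is an added example, not part of the original tutorial: it creates the folder and share with restricted permissions, generates the key with admt.exe, and checks that the file exists. The share path, share name, domain names and group names are assumptions to adapt to your environment.

```powershell
# Added example (not from the original tutorial). Run in an elevated PowerShell
# session on the ADMT server. Assumed values: D:\Passwords, share "Passwords",
# source domain old.lan, target domain NetBIOS name NEW, source NetBIOS name OLD.
$KeyDir    = 'D:\Passwords'
$ShareName = 'Passwords'
$SourceDom = 'old.lan'
$KeyFile   = Join-Path $KeyDir 'migpwd.pes'

New-Item -ItemType Directory -Path $KeyDir -Force | Out-Null

# Remove inherited NTFS permissions and grant only the migration admins
# (full control) and the source-domain admins who will install PES (read).
icacls $KeyDir /inheritance:r `
    /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    /grant:r 'NEW\Domain Admins:(OI)(CI)F' `
    /grant:r 'OLD\Domain Admins:(OI)(CI)R' | Out-Null

# Share-level permissions mirror the NTFS ones instead of "Everyone".
New-SmbShare -Name $ShareName -Path $KeyDir `
    -FullAccess 'NEW\Domain Admins' -ReadAccess 'OLD\Domain Admins' | Out-Null

# "/keypassword:*" makes admt prompt for the key password so it does not end
# up in the command history or a transcript.
& admt key /option:create "/sourcedomain:$SourceDom" "/keyfile:$KeyFile" /keypassword:*

if (Test-Path $KeyFile) {
    Get-Item $KeyFile | Select-Object FullName, Length, LastWriteTime
} else {
    Write-Error "Key file $KeyFile was not created; check the admt output above."
}
```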

Run the pwdmig installer on the source domain controller (old.lan). When the installation wizard starts, click Next 1.

PES - Install

Accept license 1 and click Next 2 .

Accept license

Indicate the location of the encryption key 1 and click Next 2 .

key encrypt

Enter the password 1 and click OK 2 .

Password

Click on Install 1 .

Click on Install

Configure the service with Local System Account 1 and click OK 2 .

PES - Account service

The installation is complete, close the wizard by clicking Finish 1 .

PES - installed

PES asks to restart, click Yes 1 .

Restart server

After the restart, locate the Password Export Server Service and start it.

Start service

Resolve the error during installation

It is possible that the password verification fails with the following message:

The supplied password does not match this encryption key’s password.
ADMT’s Password Migration Filter DLL will not install without a valid encryption key.

PES - Error install

Close the installation wizard, open a command window as Administrator and enter the following command, adapting it to the location of the pwdmig.msi file:

msiexec -i C:\Apps\pwdmig.msi

Object migration: preparation

Now that ADMT and PES are installed, it is advisable to first create an OU that will receive the objects from the source domain.

OU for objects migrated with ADMT

In the pages that follow we will see the migration of the following objects:

  • Groups
  • Users
  • Computers.

To make sure the migration goes well, I advise you to first create a test group and a test user, and to test the computer migration, before migrating the production objects.

It is also necessary to communicate the domain change to users, making sure that they log on to the new domain afterwards.

During the first object migration, you will be prompted to configure the audit on the source and destination domain for SID migration so that the migrated object can access unmigrated resources.

Object migration

ADMT: Migrating a group

From the ADMT console, right-click Active Directory Migration Tool 1 and click Group Account Migration Wizard 2 to launch the wizard.

ADMT menu migration

When launching the wizard, click Next 1 .

ADMT wizard migration


Select the source domain 1 and domain controller 2, then do the same for the destination domain 3 and controller 4, and click Next 5.

ADMT select source and target

Select the Select group from domain 1 option and click Next 2 .

ADMT choose the selection

Click on Add 1 .

Add group

Select the group(s) to migrate 1 and click OK 2.

ADMT : select group

With the groups selected, click Next 1.

group to migrate

Click Browse 1, select the destination OU 2 and click OK 3.

Select target OU for ADMT migration

With the OU configured 1, click Next 2.

OU selected

Select migration options, check Migrate group SIDs to target domain 1 and click Next 2 .

ADMT migration options

A warning message appears indicating that auditing is not configured; it is required for SID migration. Click Yes 1 for each of the 3 messages.

Enter the username 1 and password 2 of an Administrator account of the source domain, then click Next 3.

Account administrator source domain

It is possible to choose the attributes to migrate on this page, by default they are all migrated to the target domain. Click Next 1 .

attribute migrated by ADMT

Configure ADMT's behaviour in case of conflict; by default, if a conflict is detected the object is not migrated. Click Next 1.

ADMT : conflict configuration

A summary displays the actions that will be performed, click Finish 1 to start the migration.

summary of migration

A window opens that lets you follow the migration. Once finished, you can view the logs. If the migration went well, click Close 1.

Migration completed

Example of log:

ADMT log

On the destination domain controller, check that the group 1 is present in the OU. Also check that the sIDHistory attribute 2 is present and contains the group's SID from the source domain.

Group migrated in target dc

ADMT: Migrating a user

Now that we have seen how to migrate a group, we will migrate a user; the procedure is similar to the one for groups.

To show the features of ADMT, the user we are migrating is a member of the previously migrated group; after the migration, the user will be a member of the group that was migrated just before.

From the ADMT console, right-click Active Directory Migration Tool 1 and click User Account Migration Wizard 2.

ADMT - migrate user

When launching the migration wizard, click Next 1 .

Wizard migration user

As for the group migration, configure the source and destination domains and controllers 1, then click Next 2.

Source and Target configuration

Choose Select users from domain 1 and click Next 2 .

Select option

Select the user(s) to migrate 1 and click Next 2.

ADMT - select user to migrate

Set destination OU 1 then click Next 2 .

Target OU

Select the Migrate passwords option 1, indicate the source domain controller 2 and click Next 3.

ADMT - password options

Configure the account status 1 after migration on the source and destination domains, check the Migrate user SIDs to target domain box 2, then click Next 3.

Account options

For the SID migration, enter the credentials of an Administrator account of the source domain 1 and click Next 2.

Account administrator

Configure migration options 1 then click Next 2 .

Options migration

If necessary configure the attributes to exclude and click Next 1 .

Attribute options

Configure conflict management and click Next 1 .

Conflict configuration

A summary of the migration settings is displayed, click Finish 1 to close the wizard and start the migration.

ADMT start migration user

When the migration is complete, close the migration window 1.

Migration completed

On the destination domain controller, we see that the user has been successfully migrated.

ADMT : user migrated

In the account properties, the User must change password at next logon option is checked, so the user will have to change their password at the next logon.

Change password active

In the Member Of tab, we also see that the user is a member of the previously migrated group.

User added to group
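The checks above (sIDHistory on the migrated group, the password-change flag and group membership on the migrated user) can be done for every object in the migration OU at once. The following PowerShell function is an added example, not part of the original tutorial; it assumes the ActiveDirectory module, a target OU of OU=ADMT,DC=new,DC=lan and a source domain of old.lan. Any sIDHistory entry that does not come from the source domain is reported separately, because sIDHistory grants access in the name of that SID and unexpected entries deserve a look.

```powershell
# Added example (not from the original tutorial). Assumed values: target OU
# OU=ADMT,DC=new,DC=lan and source domain old.lan. Run on a machine that can
# reach both domains with an account allowed to read the objects.
Import-Module ActiveDirectory

function Test-AdmtMigratedObject {
    param(
        [Parameter(Mandatory)] [string] $TargetOu,
        [Parameter(Mandatory)] [string] $SourceDomain
    )
    # sIDHistory values written by ADMT must carry the SOURCE domain's SID prefix.
    $sourceSid = (Get-ADDomain -Identity $SourceDomain).DomainSID.Value

    # objectClass=user also matches computer objects, so migrated computers are listed too.
    Get-ADObject -SearchBase $TargetOu `
        -LDAPFilter '(|(objectClass=user)(objectClass=group))' `
        -Properties sIDHistory, memberOf, pwdLastSet |
    ForEach-Object {
        $hist    = @($_.sIDHistory | ForEach-Object { [string]$_ })
        $foreign = @($hist | Where-Object { -not $_.StartsWith("$sourceSid-") })
        [pscustomobject]@{
            Name                 = $_.Name
            Class                = $_.ObjectClass
            # SID history present AND every entry belongs to the expected source domain
            SidHistoryFromSource = ($hist.Count -gt 0) -and ($foreign.Count -eq 0)
            UnexpectedSidHistory = $foreign -join ','
            # pwdLastSet = 0 is what "User must change password at next logon" sets
            MustChangePassword   = ($_.ObjectClass -eq 'user' -and $_.pwdLastSet -eq 0)
            GroupCount           = @($_.memberOf).Count
        }
    }
}

Test-AdmtMigratedObject -TargetOu 'OU=ADMT,DC=new,DC=lan' -SourceDomain 'old.lan' |
    Format-Table -AutoSize
```

A migrated user from this tutorial should show SidHistoryFromSource True, MustChangePassword True and a GroupCount of at least 1.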

ADMT: Computer Migration

ADMT also allows the migration of Computer objects, although it is always possible to remove the computer from the old domain and join it to the new one manually. The computer migration is worthwhile because it adds the following:

  • Group tracking
  • Processing of user profiles, which avoids having to recreate the user's profile.

The wizard windows already seen for migrating groups and users will be covered more quickly in this part.

As a reminder, the destination-domain account configured for the migration must be a local administrator of the computer.

On the ADMT console, right-click on Active Directory Migration Tool 1 and click Computer Migration Wizard 2 .

ADMT - Computer migration

Click Next 1 .

Wizard migration computer

Configure the source and destination and click Next 1 .

source and target domain

Click Next 1 on the computer selection option.

ADMT - select computer option

Choose the computer to migrate 1 and click Next 2 .

Select computer

Validate the destination OU by clicking Next 1 .

Target OU

Select the objects to translate in the new domain 1 and click Next 2.

Translate objects

Configure the object translation 1 and click Next 2.

During the migration the computer will be restarted; set the delay 1 and click Next 2.

restart time after migration

On the two windows that follow, click Next 1 .

Start the migration by clicking Finish 1 to close the wizard.

ADMT - start computer migration

A window opens to control the migration agent, Select Computer 1 and click Start 2 .

ADMT - agent control

Once the pre-check has passed, select Run pre-check and agent operation 1 and click Start 2.

Start migration

Wait during the migration. You can follow the migration in detail by clicking Agent Detail 1.

ADMT - Agent detail

Once the migration is complete, we see that the computer is waiting to restart.

wait reboot

On the computer, a message indicates that it will restart.

Alert message on computer

On the destination domain, we see that the computer is present in the migration OU.

Computer added on target

Once the computer has restarted, we can see that it has changed domain.

Computer detail

On the agent tracking window, we also see that the migration is complete.

Migration completed

ADMT: report generation

ADMT provides report generation to track migrated items. From the console, right-click on Active Directory Migration Tool 1 and click Report Wizard 2 .

Reporting wizard

When launching the wizard, click Next 1 .

ADMT - wizard reporting

Select the source and destination domains for report generation and click Next 1 .

select domain

Select the location of the reports and click Next 1 .

Folder save report

Choose the reports to generate 1 then click Next 2 .

Report selection - ADMT

Click Finish 1 to start generating reports.

Generate reports

The reports are accessible from the console by clicking Reports 1.

Reports

Sample reports:

Conclusion

ADMT is a convenient tool for environments where multiple domains coexist, either to merge domains or to move objects from one domain to another, for example when a user changes assignment.

Personally, I have also used ADMT to migrate the objects of a corrupted forest to a new forest, which saved me from having to recreate all the objects (groups, computers and users) by hand.
