Graham,

Regarding the ADMT 2.0 password migration capability - yes it DOES work from NT 4.0 to 
AD, if the following is followed:  (Cut and paste from the ADMT docs)  It really is a 
straightforward process, and blindingly simple.

Password Export Server Installation

This section describes the requirements for installing and using a Password Export 
Server (PES) to perform password migration with ADMT. You can find more detailed 
information in the Domain Migration Cookbook referenced under How to View This 
Document.
1.      We recommend that the source domain’s Password Export Server be a BDC 
dedicated for this purpose.
2.      128-bit encryption must be installed on any PES.
3.      128-bit encryption must be installed on the machine running ADMT.
4.      The Password Export Server installation will not complete without supplying an 
encryption key created on the ADMT machine. The key must be available on a local 
drive. This can be a floppy drive or a folder on the local hard drive. Network mapped 
drives or shares are not allowed. It is recommended that you transport the key via a 
floppy and either store the floppy in a secure location or format it after the 
installation.
a.      On the ADMT machine, run ADMT.exe from the command line specifying “key” 
as the operation to perform (the syntax for this command is “ADMT.exe key 
%Source_Domain_NetBIOSName% %folder%: %Optional Password% (i.e. “c:\admt.exe key 
srcdomain a: pswrd”)). Type “ADMT.exe key” at the command line for more usage 
information.
b.      On the Password Export Server, make sure that the key is available on a local 
drive, either by inserting the floppy disk or copying the key to a local hard drive. 
You will be prompted on the Password Export Server for the location of the key during 
the installation. You will have to provide a matching password if one was given when 
creating the encryption key on the ADMT machine.
1.      The AllowPasswordExport registry key value (located in HKLM\ 
SYSTEM\CurrentControlSet\Control\Lsa on the Password Export Server) must be set to 
“1” to allow ADMT to use that Password Export Server for password migration. You 
can disable a Password Export Server from supporting password migration by setting 
that same value to “0”.
2.      “Everyone” must be added to the “Pre-Windows 2000 Compatible Access” 
group on the target domain in order for password migration to succeed. If this is not 
done, ADMT will log an “Access Denied” error. The command line syntax for this is 
“NET LOCALGROUP "Pre-Windows 2000 Compatible Access" Everyone /ADD” (The Active 
Directory Users and Computers snapin will not allow you to add “Everyone” to this 
group).
3.      Verify permissions on the server object. The PES requires that the 
“Pre-Windows 2000 Compatible Access” group has “Read All Properties” rights on 
the following object:
CN=Server,CN=System,DC=<domain_name>
4.      Verify that anonymous access is allowed to domain controllers in the target 
domain. Open the group policy editor for the domain, and navigate to the following 
setting:
Default Domain Controllers Policy/Computer Configuration/Windows Settings/Security 
Settings/Local Policies/Security Options/Additional restrictions for anonymous 
connections
Verify that either 'Rely on default permissions' or 'not defined' is selected. If 'No 
access without explicit anonymous permissions' is selected, password migration to the 
target domain will fail with “Access Denied”.
5.      If you are running ADMT on a .NET server, you also have to make sure that the 
“Let Everyone permissions apply to anonymous users” right has been enabled on that 
machine, or that the Anonymous Logon user has been added to the Pre-Windows 2000 
Compatible Access group.


Hope this helps - if not, redirect and I'll answer.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
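A pre-flight check for the PES prerequisites listed in the post above, as an added example that is not part of the original message or the ADMT documentation. It assumes it is run as a domain admin on a domain controller of the target domain with the ActiveDirectory module loaded, that the Remote Registry service on the PES and on the ADMT machine is reachable, and that the host names and the domain DN in the parameters are placeholders to be replaced. Each check maps one numbered prerequisite to the setting it is actually stored in (AllowPasswordExport, the group membership as a foreign security principal, the ACE on CN=Server,CN=System, and the RestrictAnonymous / EveryoneIncludesAnonymous LSA values behind the two policy settings).

```powershell
# Added example (not from the original post or ADMT docs).
# Assumed placeholders: $PesServer, $AdmtServer, $TargetDomainDn.
param(
    [string]$PesServer      = 'NT4BDC01',            # assumed PES (dedicated NT 4.0 BDC)
    [string]$AdmtServer     = 'ADMT01',              # assumed machine running ADMT
    [string]$TargetDomainDn = 'DC=corp,DC=example'   # assumed target domain DN
)
Import-Module ActiveDirectory

$preW2k = 'Pre-Windows 2000 Compatible Access'
$fail   = @()

function Get-LsaValue {
    # Reads HKLM\SYSTEM\CurrentControlSet\Control\Lsa\<Name> on a (remote) host
    # via the Remote Registry service.
    param([string]$Computer, [string]$Name)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try     { $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa').GetValue($Name) }
    finally { $hklm.Close() }
}

# 1. AllowPasswordExport must be 1 on the PES (set it back to 0 after the migration).
$allow = Get-LsaValue -Computer $PesServer -Name 'AllowPasswordExport'
if ($allow -ne 1) { $fail += "AllowPasswordExport on $PesServer is '$allow', expected 1" }

# 2. Everyone (S-1-1-0) must be in Pre-Windows 2000 Compatible Access. Well-known
#    SIDs are stored in the member attribute as foreign security principals.
$members  = (Get-ADGroup -Identity $preW2k -Properties member).member
$everyone = "CN=S-1-1-0,CN=ForeignSecurityPrincipals,$TargetDomainDn"
if ($members -notcontains $everyone) {
    $fail += "Everyone is not in '$preW2k'; run: NET LOCALGROUP `"$preW2k`" Everyone /ADD"
}

# 3. The group needs Read All Properties on CN=Server,CN=System,<domain>:
#    an Allow ACE with ReadProperty (or GenericRead) and an empty ObjectType GUID.
$acl     = Get-Acl -Path "AD:\CN=Server,CN=System,$TargetDomainDn"
$readAll = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -like "*\$preW2k" -and
    $_.ObjectType -eq [guid]::Empty -and
    $_.ActiveDirectoryRights -match 'ReadProperty|GenericRead'
}
if (-not $readAll) { $fail += "'$preW2k' lacks Read All Properties on CN=Server,CN=System,$TargetDomainDn" }

# 4. 'Additional restrictions for anonymous connections' is RestrictAnonymous:
#    0 = rely on default permissions, 2 = no access without explicit anonymous
#    permissions (the value that makes password migration fail with Access Denied).
$restrict = Get-LsaValue -Computer $env:COMPUTERNAME -Name 'RestrictAnonymous'
if ($restrict -eq 2) { $fail += "RestrictAnonymous=2 on $env:COMPUTERNAME; set 'Rely on default permissions'" }

# 5. On the ADMT machine, either 'Let Everyone permissions apply to anonymous users'
#    (EveryoneIncludesAnonymous=1) or Anonymous Logon (S-1-5-7) in the group.
$incAnon   = Get-LsaValue -Computer $AdmtServer -Name 'EveryoneIncludesAnonymous'
$anonLogon = "CN=S-1-5-7,CN=ForeignSecurityPrincipals,$TargetDomainDn"
if ($incAnon -ne 1 -and $members -notcontains $anonLogon) {
    $fail += "Neither EveryoneIncludesAnonymous=1 on $AdmtServer nor Anonymous Logon in '$preW2k'"
}

if ($fail.Count -eq 0) { 'All PES prerequisites satisfied.' }
else { $fail | ForEach-Object { "FAIL: $_" } }
```

Every one of these prerequisites widens read access to the target domain (Everyone and, on .NET server, anonymous callers get the broad read rights of Pre-Windows 2000 Compatible Access), so treat them as migration-window settings: once the last password batch has been migrated, set AllowPasswordExport back to 0 on the PES as the docs describe, and remove Everyone again with NET LOCALGROUP "Pre-Windows 2000 Compatible Access" Everyone /DELETE.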





> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
> Sent: Saturday, January 25, 2003 5:06 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] AD 2 AD Migration
> 
> 
> Rick, just reviewing this note .
> 
> referring to ADMT v2.0 migrating user passwords.
> 
> is this applicable to an interforest migration only or does 
> it still apply to a migration of objects in an NT 4 domain to 
> an AD domain ??
> 
> GT
> ----- Original Message -----
> From: "Rick Kingslan" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, January 17, 2003 3:33 AM
> Subject: RE: [ActiveDir] AD 2 AD Migration
> 
> 
> Joeri,
> 
> We are in the final phases of a complete migration from one 
> forest to another.  We have migrated 25k plus machines, 11k 
> plus users, and some number of groups.
> 
> All of this was done with ADMT ver 2.0.  Though not perfect, 
> it did an absolutely fantastic job for our needs.  ADMT does 
> require that the destination domain be in native mode.  The 
> upside is that you can now migrate the user password.
> 
> Jimmy provided you with links on this, so have at it.  The 
> price - clearly, is right.  ;o)
> 
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
> 
> 
> 
> 
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of 
> Mulder, Joeri 
> > (NL - Amsterdam)
> > Sent: Thursday, January 16, 2003 9:05 AM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] AD 2 AD Migration
> >
> >
> > Hello,
> >
> > Does anyone have experience migrating users and groups from 
> one forest 
> > to another? Is ADMT v2.0 the best tool to do this?
> >
> > Greets,
> > --Joeri--
> >
> 
> 


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
