Rick, it's Sat evening so I won't take this all in - but on the face of it looks like a winner.

As long as I can get the workstation-based user profiles (have read ADMT v2.0 RC1 is the goer and not RC2) as part of the migration, this looks to have removed any impact on end users. Thanks very much for this reply post. In the meanwhile hope the weather is ok in what I assume to be your US homeland - it is appalling in the UK !!

GT

----- Original Message -----
From: "Rick Kingslan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, January 25, 2003 5:48 PM
Subject: RE: [ActiveDir] AD 2 AD Migration

Graham,

Regarding the ADMT 2.0 password migration capability - yes it DOES work from NT 4.0 to AD, if the following is followed: (Cut and paste from the ADMT docs) It really is a straight-forward process, and blindingly simple.

Password Export Server Installation

This section describes the requirements for installing and using a Password Export Server (PES) to perform password migration with ADMT. You can find more detailed information in the Domain Migration Cookbook referenced under How to View This Document.

1. We recommend that the source domain's Password Export Server be a BDC dedicated for this purpose.
2. 128-bit encryption must be installed on any PES.
3. 128-bit encryption must be installed on the machine running ADMT.
4. The Password Export Server installation will not complete without supplying an encryption key created on the ADMT machine. The key must be available on a local drive. This can be a floppy drive or a folder on the local hard drive. Network mapped drives or shares are not allowed. It is recommended that you transport the key via a floppy and either store the floppy in a secure location or format it after the installation.
   a. On the ADMT machine, run ADMT.exe from the command line specifying "key" as the operation to perform (the syntax for this command is "ADMT.exe key %Source_Domain_NetBIOSName% %folder%: %Optional Password%", i.e. "c:\admt.exe key srcdomain a: pswrd"). Type "ADMT.exe key" at the command line for more usage information.
   b. On the Password Export Server, make sure that the key is available on a local drive, either by inserting the floppy disk or copying the key to a local hard drive. You will be prompted on the Password Export Server for the location of the key during the installation. You will have to provide a matching password if one was given when creating the encryption key on the ADMT machine.

1. The AllowPasswordExport registry key value (located in HKLM\SYSTEM\CurrentControlSet\Control\Lsa on the Password Export Server) must be set to "1" to allow ADMT to use that Password Export Server for password migration. You can disable a Password Export Server from supporting password migration by setting that same value to "0".
2. "Everyone" must be added to the "Pre-Windows 2000 Compatible Access" group on the target domain in order for password migration to succeed. If this is not done, ADMT will log an "Access Denied" error. The command line syntax for this is "NET LOCALGROUP "Pre-Windows 2000 Compatible Access" Everyone /ADD" (the Active Directory Users and Computers snap-in will not allow you to add "Everyone" to this group).
3. Verify permissions on the server object. The PES requires that the "Pre-Windows 2000 Compatible Access" group has "Read All Properties" rights on the following object: CN=Server,CN=System,DC=<domain_name>
4. Verify that anonymous access is allowed to domain controllers in the target domain. Open the group policy editor for the domain, and navigate to the following setting: Default Domain Controllers Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Additional restrictions for anonymous connections. Verify that either 'Rely on default permissions' or 'not defined' is selected. If 'No access without explicit anonymous permissions' is selected, password migration to the target domain will fail with "Access Denied".
5. If you are running ADMT on a .NET server, you also have to make sure that the "Let Everyone permissions apply to anonymous users" right has been enabled on that machine, or that the Anonymous Logon user has been added to the Pre-Windows 2000 Compatible Access group.

Hope this helps - if not, redirect and I'll answer.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
> Sent: Saturday, January 25, 2003 5:06 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] AD 2 AD Migration
>
> Rick, just reviewing this note.
>
> Referring to ADMT v2.0 migrating user passwords.
>
> Is this applicable to an interforest migration only or does it still apply to a migration of objects in an NT 4 domain to an AD domain ??
>
> GT
>
> ----- Original Message -----
> From: "Rick Kingslan" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, January 17, 2003 3:33 AM
> Subject: RE: [ActiveDir] AD 2 AD Migration
>
> Joeri,
>
> We are in the final phases of a complete migration from one forest to another. We have migrated 25k plus machines, 11k plus users, and some number of groups.
>
> All of this was done with ADMT ver 2.0. Though not perfect, it did an absolutely fantastic job for our needs. ADMT does require that the destination domain be in native mode. The upside is that you can now migrate the user password.
>
> Jimmy provided you with links on this, so have at it. The price - clearly, is right. ;o)
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulder, Joeri (NL - Amsterdam)
> > Sent: Thursday, January 16, 2003 9:05 AM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] AD 2 AD Migration
> >
> > Hello,
> >
> > Does anyone have experience migrating users and groups from one forest to another? Is ADMT v2.0 the best tool to do this?
> >
> > Greets,
> > --Joeri--

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
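The Password Export Server prerequisites Rick pastes from the ADMT docs are all verifiable before the first password migration run, and the "Access Denied" failures the docs warn about come from exactly those settings. The script below is an added example, not code from the thread or from the ADMT documentation, and it uses PowerShell, which postdates the thread. Run it on the machine that will run ADMT, joined to the target domain, and it checks: that Everyone (S-1-1-0) or ANONYMOUS LOGON (S-1-5-7) is in the target domain's Pre-Windows 2000 Compatible Access group; that the group holds a Read All Properties ACE on CN=Server,CN=System; that the domain controller's "Additional restrictions for anonymous connections" policy is not "No access without explicit anonymous permissions" (stored as the LSA value RestrictAnonymous=2); that a Windows Server 2003 ADMT machine has "Let Everyone permissions apply to anonymous users" (LSA value EveryoneIncludesAnonymous=1) unless ANONYMOUS LOGON is in the group; and that AllowPasswordExport=1 is set on the PES. The domain DN, the PES host name and the use of the Remote Registry service for the remote reads are assumptions; the `admt key` step itself is not scripted because it produces a secret that must be carried to the PES by hand.

```powershell
# Added example (not from the thread or the ADMT docs): pre-flight checks for the
# ADMT 2.0 Password Export Server prerequisites quoted above.
# Run from an elevated PowerShell session on the machine that will run ADMT, joined
# to the TARGET domain. ADSI is used so no RSAT module is required; the remote
# registry reads need the Remote Registry service reachable on the PES and the DC.
param(
    [string]$TargetDomainDN = 'DC=target,DC=example,DC=com',   # assumption
    [string]$PesName        = 'NT4BDC01'                        # assumption: BDC hosting the PES
)

$issues = @()

# Read one value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa on a remote machine.
# Returns $null when the value is absent (the GPO "not defined" case).
function Get-RemoteLsaValue([string]$Computer, [string]$Name) {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        return $lsa.GetValue($Name)
    } finally {
        $hklm.Close()
    }
}

# Check 1: "Everyone" (or ANONYMOUS LOGON) in Pre-Windows 2000 Compatible Access.
# NET LOCALGROUP stores them as foreign security principals named by well-known SID.
$group        = [ADSI]"LDAP://CN=Pre-Windows 2000 Compatible Access,CN=Builtin,$TargetDomainDN"
$members      = @($group.member | ForEach-Object { "$_" })
$hasEveryone  = [bool]($members -match '^CN=S-1-1-0,')   # Everyone
$hasAnonymous = [bool]($members -match '^CN=S-1-5-7,')   # ANONYMOUS LOGON
if (-not ($hasEveryone -or $hasAnonymous)) {
    $issues += 'Pre-Windows 2000 Compatible Access lacks Everyone: run ' +
               'NET LOCALGROUP "Pre-Windows 2000 Compatible Access" Everyone /ADD'
}

# Check 2: Read All Properties for that group on CN=Server,CN=System.
# An empty ObjectType GUID means the ACE applies to all properties, not one attribute.
$readPropertyBit = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$serverObj = [ADSI]"LDAP://CN=Server,CN=System,$TargetDomainDN"
$readAll   = $serverObj.ObjectSecurity.Access | Where-Object {
    $_.IdentityReference.Value -eq 'BUILTIN\Pre-Windows 2000 Compatible Access' -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq [Guid]::Empty -and
    (([int]$_.ActiveDirectoryRights -band $readPropertyBit) -ne 0)
}
if (-not $readAll) {
    $issues += "Pre-Windows 2000 Compatible Access has no Read All Properties ACE on CN=Server,CN=System,$TargetDomainDN"
}

# Check 3: anonymous restrictions on the DC we are bound to (the policy is per-DC,
# so repeat for every DC if you want full coverage). "Additional restrictions for
# anonymous connections" is stored as RestrictAnonymous; 2 = "No access without
# explicit anonymous permissions", the value that makes password migration fail.
$dc = [string]([ADSI]'LDAP://RootDSE').dnsHostName
$restrictAnon = Get-RemoteLsaValue $dc 'RestrictAnonymous'
if ($restrictAnon -eq 2) {
    $issues += "$dc has RestrictAnonymous=2; set the DC policy to 'Rely on default permissions' or leave it not defined"
}

# Check 4: only when ADMT itself runs on Windows Server 2003 (".NET Server", NT 5.2):
# either "Let Everyone permissions apply to anonymous users" (EveryoneIncludesAnonymous=1)
# or ANONYMOUS LOGON in Pre-Windows 2000 Compatible Access is required.
$os = [Environment]::OSVersion.Version
if ($os.Major -eq 5 -and $os.Minor -eq 2) {
    $lsaLocal = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($lsaLocal.EveryoneIncludesAnonymous -ne 1 -and -not $hasAnonymous) {
        $issues += 'ADMT machine: EveryoneIncludesAnonymous is not 1 and ANONYMOUS LOGON is not in Pre-Windows 2000 Compatible Access'
    }
}

# Check 5: the PES only answers password requests when AllowPasswordExport=1.
$allowExport = Get-RemoteLsaValue $PesName 'AllowPasswordExport'
if ($allowExport -ne 1) {
    $issues += "$PesName AllowPasswordExport is '$allowExport' (must be 1 for password migration)"
}

if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
    exit 1
}
'All ADMT password-migration prerequisites look satisfied.'
```

Run it as `.\Check-AdmtPes.ps1 -TargetDomainDN 'DC=corp,DC=example' -PesName BDC01` (script name assumed); a non-zero exit code with one warning per failed item is the result you want to see before, not after, a weekend migration window. Treat the anonymous-access relaxations and AllowPasswordExport=1 as temporary: the docs describe setting AllowPasswordExport back to "0" to disable the PES, and the same applies to the RestrictAnonymous and Pre-Windows 2000 Compatible Access changes once the passwords have been migrated.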