Rick, it's Sat evening so I won't take this all in - but on the face of it
looks like a winner.

as long as I can get the workstation based user profiles (have read ADMT
v2.0 RC1 is the goer and not RC2) as part of the migration this looks to
have removed any impact on end user

thanks very much for this reply post in the meanwhile

hope the weather is ok in what I assume to be your US homeland - it is
appalling in the UK !!

GT
----- Original Message -----
From: "Rick Kingslan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, January 25, 2003 5:48 PM
Subject: RE: [ActiveDir] AD 2 AD Migration


Graham,

Regarding the ADMT 2.0 password migration capability - yes it DOES work from
NT 4.0 to AD, if the following is followed:  (Cut and paste from the ADMT
docs)  It really is a straight-forward process, and blindingly simple.

Password Export Server Installation

This section describes the requirements for installing and using a Password
Export Server (PES) to perform password migration with ADMT. You can find
more detailed information in the Domain Migration Cookbook referenced under
How to View This Document.
1. We recommend that the source domain’s Password Export Server be a BDC
dedicated for this purpose.
2. 128-bit encryption must be installed on any PES.
3. 128-bit encryption must be installed on the machine running ADMT.
4. The Password Export Server installation will not complete without
supplying an encryption key created on the ADMT machine. The key must be
available on a local drive. This can be a floppy drive or a folder on the
local hard drive. Network mapped drives or shares are not allowed. It is
recommended that you transport the key via a floppy and either store the
floppy in a secure location or format it after the installation.
   a. On the ADMT machine, run ADMT.exe from the command line specifying
   “key” as the operation to perform (the syntax for this command is
   “ADMT.exe key %Source_Domain_NetBIOSName% %folder%: %Optional Password%”
   (i.e. “c:\admt.exe key srcdomain a: pswrd”)). Type “ADMT.exe key” at the
   command line for more usage information.
   b. On the Password Export Server, make sure that the key is available on
   a local drive, either by inserting the floppy disk or copying the key to
   a local hard drive. You will be prompted on the Password Export Server
   for the location of the key during the installation. You will have to
   provide a matching password if one was given when creating the encryption
   key on the ADMT machine.
5. The AllowPasswordExport registry key value (located in
HKLM\SYSTEM\CurrentControlSet\Control\Lsa on the Password Export Server)
must be set to “1” to allow ADMT to use that Password Export Server for
password migration. You can disable a Password Export Server from supporting
password migration by setting that same value to “0”.
6. “Everyone” must be added to the “Pre-Windows 2000 Compatible Access”
group on the target domain in order for password migration to succeed. If
this is not done, ADMT will log an “Access Denied” error. The command line
syntax for this is “NET LOCALGROUP "Pre-Windows 2000 Compatible Access"
Everyone /ADD” (The Active Directory Users and Computers snapin will not
allow you to add “Everyone” to this group).
7. Verify permissions on the server object. The PES requires that the
“Pre-Windows 2000 Compatible Access” group has “Read All Properties” rights
on the following object:
   CN=Server,CN=System,DC=<domain_name>
8. Verify that anonymous access is allowed to domain controllers in the
target domain. Open the group policy editor for the domain, and navigate to
the following setting:
   Default Domain Controllers Policy/Computer Configuration/Windows
   Settings/Security Settings/Local Policies/Security Options/Additional
   restrictions for anonymous connections
Verify that either 'Rely on default permissions' or 'not defined' is
selected. If 'No access without explicit anonymous permissions' is selected,
password migration to the target domain will fail with “Access Denied”.
9. If you are running ADMT on a .NET server, you also have to make sure that
the “Let Everyone permissions apply to anonymous users” right has been
enabled on that machine, or that the Anonymous Logon user has been added to
the Pre-Windows 2000 Compatible Access group.


Hope this helps - if not, redirect and I'll answer.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
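
The prerequisites quoted in the message above change several security-relevant settings, so it helps to record their state before a migration and to confirm it afterwards. The following read-only check is an added example, not part of the original message or the ADMT documentation. The registry value names RestrictAnonymous and EveryoneIncludesAnonymous and the well-known SIDs do not appear in the message; they are assumed here to correspond to the policy settings and groups it names, and the function name is hypothetical.

```powershell
# Added example: read-only report of the password-migration settings named in
# the message. Run it locally on the PES, the ADMT machine, or a target DC.
function Get-AdmtPasswordMigrationState {
    [CmdletBinding()]
    param(
        # Also inspect the target domain's group (needs the ActiveDirectory module).
        [switch]$CheckGroup
    )

    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # Return a registry value, or $null when it is not present.
    $read = {
        param($name)
        (Get-ItemProperty -Path $lsaPath -Name $name -ErrorAction SilentlyContinue).$name
    }

    $state = [ordered]@{
        ComputerName              = $env:COMPUTERNAME
        AllowPasswordExport       = & $read 'AllowPasswordExport'
        # Assumed mapping: "Additional restrictions for anonymous connections"
        RestrictAnonymous         = & $read 'RestrictAnonymous'
        # Assumed mapping: "Let Everyone permissions apply to anonymous users"
        EveryoneIncludesAnonymous = & $read 'EveryoneIncludesAnonymous'
    }

    # 1 lets ADMT use this server for password migration; 0 disables it.
    $state.PasswordExportEnabled = ($state.AllowPasswordExport -eq 1)
    # 2 = 'No access without explicit anonymous permissions' (migration fails).
    $state.AnonymousAccessBlocked = ($state.RestrictAnonymous -eq 2)

    if ($CheckGroup) {
        Import-Module ActiveDirectory -ErrorAction Stop
        # S-1-5-32-554 is the well-known SID of Pre-Windows 2000 Compatible Access.
        $members = (Get-ADGroup -Identity 'S-1-5-32-554' -Properties member).member
        # Everyone (S-1-1-0) and Anonymous Logon (S-1-5-7) appear as foreign
        # security principals whose CN is the SID itself.
        $state.EveryoneInGroup  = [bool]($members -like 'CN=S-1-1-0,CN=ForeignSecurityPrincipals,*')
        $state.AnonymousInGroup = [bool]($members -like 'CN=S-1-5-7,CN=ForeignSecurityPrincipals,*')
    }
    [pscustomobject]$state
}

# Usage: Get-AdmtPasswordMigrationState -CheckGroup | Format-List
```

Comparing the output captured before the migration with the output captured after it shows whether AllowPasswordExport and the group memberships were returned to their earlier state.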





> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
> Sent: Saturday, January 25, 2003 5:06 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] AD 2 AD Migration
>
>
> Rick, just reviewing this note .
>
> referring to ADMT v2.0 migrating user passwords.
>
> is this applicable to an interforest migration only or does
> it still apply to a migration of objects in an NT 4 domain to
> an AD domain ??
>
> GT
> ----- Original Message -----
> From: "Rick Kingslan" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, January 17, 2003 3:33 AM
> Subject: RE: [ActiveDir] AD 2 AD Migration
>
>
> Joeri,
>
> We are in the final phases of a complete migration from one
> forest to another.  We have migrated 25k plus machines, 11k
> plus users, and some number of groups.
>
> All of this was done with ADMT ver 2.0.  Though not perfect,
> it did an absolutely fantastic job for our needs.  ADMT does
> require that the destination domain be in native mode.  The
> upside is that you can now migrate the user password.
>
> Jimmy provided you with links on this, so have at it.  The
> price - clearly, is right.  ;o)
>
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
>
>
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Mulder, Joeri
> > (NL - Amsterdam)
> > Sent: Thursday, January 16, 2003 9:05 AM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] AD 2 AD Migration
> >
> >
> > Hello,
> >
> > Does anyone have experience migrating users and groups from one forest
> > to another? Is ADMT v2.0 the best tool to do this?
> >
> > Greets,
> > --Joeri--
> >
>
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
