Inter-Forest Active Directory Migration

Step 1:

Installing ADMT on the target domain controller.

This post covers the installation of Microsoft ADMT 3.2 on a Windows Server 2008 R2 SP1 domain controller.

Please note: Microsoft recommends installing the ADMT 3.2 tool on a computer that is not a domain controller. Running ADMT 3.2 on a domain controller may reduce the security level of every domain controller in the organization.

The installation process is divided into four sections:

1. SQL 2008 Express installation.

2. ADMT 3.2 installation.

3. ADMT 3.2 Configuration.

4. Enable Password Migration.

Note: Earlier versions of ADMT stored the migration configuration and data in an Access database. ADMT 3.2 requires a SQL Server database.


1. SQL Express Installation

1.1 Download SQL 2008 Express x64.

Microsoft® SQL Server® 2008 Express Edition Service Pack 1

Note: ADMT 3.2 doesn’t support SQL 2008 R2.

1.2 Log on to the target domain controller.

1.3 Launch « SQLEXPR_x64_ENU.exe ».

1.4 Click the « Installation » link:

1.5 Click the « New SQL Server stand-alone installation or add features to an existing installation » link:

1.6 Click « OK », then click « Next ».

1.7 Tick the « I accept the license terms » checkbox and click « Next ».

1.8 Click « Install ».

1.9 Click « Next ».

1.10 Tick the « Database Engine Services » checkbox and click « Next ».

1.11 Click « Next ».

1.12 Click « Next ».

1.13 Set the database engine service to run as the « Administrator » account (or an equivalent domain account that is a member of the Domain Admins group) and click « Next ». Be aware that this gives the SQL Server service Domain Admin rights on a domain controller; a dedicated, less privileged service account is the least-privilege choice, and the folder permission granted in section 2.3 is what lets such an account reach the ADMT database.

1.14 Add the Domain Admins group and the Administrator account as « SQL Server administrators » and click « Next ».

1.15 Click « Next ».

1.16 Click « Next ».

1.17 Click « Install ».

1.18 Click « Close ».
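As an added check (this script is not part of the original post), the following PowerShell reads back the state of the instance just installed: the account the engine runs as, the members of the sysadmin role configured in step 1.14, the product version (a 10.0.x version is SQL Server 2008; 10.50.x would be 2008 R2, which the note in 1.1 says ADMT 3.2 does not support) and whether the TCP/IP protocol is enabled. It assumes the instance is named SQLEXPRESS and runs on the local domain controller, and that the protocol settings sit under the SQL Server 2008 registry layout (MSSQL10.<instance>).

```powershell
# Added verification script (not from the original post).
# Assumption: instance name SQLEXPRESS on the local machine.
$Instance = 'SQLEXPRESS'

# 1. Service account and state. The post runs the engine as a Domain Admin;
#    this makes that choice visible so it can be reviewed.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='MSSQL`$$Instance'"
if (-not $svc) { throw "Service MSSQL`$$Instance not found; is SQL Express installed?" }
'Service account : {0} ({1})' -f $svc.StartName, $svc.State

# 2. Product version and sysadmin membership, read over a local
#    integrated-security connection (no network listener needed).
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=.\$Instance;Integrated Security=True"
$conn.Open()
try {
    $cmd = $conn.CreateCommand()

    $cmd.CommandText = "SELECT CONVERT(nvarchar(128), SERVERPROPERTY('ProductVersion'))"
    $version = [string]$cmd.ExecuteScalar()
    $family = 'other'
    if ($version -like '10.0.*')  { $family = 'SQL Server 2008' }
    if ($version -like '10.50.*') { $family = 'SQL Server 2008 R2 (not supported by ADMT 3.2, see note 1.1)' }
    'Product version : {0} -> {1}' -f $version, $family

    # Members of the fixed server role sysadmin: this should be the ADMT
    # operator(s) from step 1.14 and nothing that does not need it.
    $cmd.CommandText = @"
SELECT p.name, p.type_desc
FROM sys.server_role_members AS m
JOIN sys.server_principals   AS p ON p.principal_id = m.member_principal_id
WHERE m.role_principal_id = SUSER_ID('sysadmin')
ORDER BY p.name
"@
    $reader = $cmd.ExecuteReader()
    'sysadmin members:'
    while ($reader.Read()) { '  {0,-45} {1}' -f $reader['name'], $reader['type_desc'] }
    $reader.Close()
}
finally { $conn.Close() }

# 3. ADMT talks to the instance locally, so TCP/IP can stay disabled unless
#    something else needs it. Registry layout assumed: SQL Server 2008.
$tcpKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL10.$Instance\MSSQLServer\SuperSocketNetLib\Tcp"
$tcp = (Get-ItemProperty -Path $tcpKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
$tcpText = 'unknown (registry key not found)'
if ($tcp -eq 1) { $tcpText = 'yes (consider disabling it for a local-only ADMT instance)' }
if ($tcp -eq 0) { $tcpText = 'no' }
'TCP/IP enabled  : {0}' -f $tcpText
```

Run it in an elevated PowerShell session as an account that is a SQL Server administrator; the sysadmin list is the one worth reviewing before ADMT is installed on top of the instance.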



2 ADMT 3.2 Installation

2.1 Download Microsoft ADMT 3.2.

2.2 Log on to the target domain controller.

2.3 Run the following commands:


* The SQLServerMSSQLUser$DomainControllerName$SQLEXPRESS group must exist as a domain local group (SQL Server setup creates it on a domain controller; DomainControllerName is the computer name of the domain controller).

* The user who will run ADMT 3.2 must be added to the SQLServerMSSQLUser$DomainControllerName$SQLEXPRESS group.


MD %SystemRoot%\ADMT\Data

ICACLS %SystemRoot%\ADMT\Data /grant *S-1-5-80-3881436512-7290199661-1648723128-3569869737-3631323143:F

S-1-5-80-3881436512-7290199661-1648723128-3569869737-3631323143 is the service SID of the SQL Express instance, as printed by the command SC SHOWSID MSSQL$SQLEXPRESS. Run that command on the domain controller and use the SID it returns rather than copying the value above.

Source: ADMT 3.2 installation incomplete, MMC console error « cannot open database ‘ADMT’ requested by the login »
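The same preparation as a PowerShell script, added here as an example (it is not part of the original post or of ADMT): it reads the service SID from the OS, creates the data folder, grants the service full control with inheritance, verifies the ACE by SID, and adds the ADMT operator to the per-instance domain local group. The instance name SQLEXPRESS and the operator SAM account name admt-op are placeholders. Note that sc must be called as sc.exe, because sc is a PowerShell alias for Set-Content.

```powershell
# Added example (not from the original post): folder, ACE and group
# membership for the ADMT database. Placeholders: instance SQLEXPRESS and
# operator SAM account name 'admt-op'; change both to match your environment.
$Instance = 'SQLEXPRESS'
$Operator = 'admt-op'
$DataDir  = Join-Path $env:SystemRoot 'ADMT\Data'

# A service SID is derived from the service name, so it is the same on every
# machine; still read it from the OS instead of pasting a value from a web page.
$sidLine = & sc.exe showsid "MSSQL`$$Instance" | Where-Object { $_ -match 'SERVICE SID:' }
if (-not $sidLine) { throw "sc showsid returned no SID for MSSQL`$$Instance" }
$ServiceSid = ($sidLine -replace '.*SERVICE SID:\s*', '').Trim()
'Service SID : {0}' -f $ServiceSid

# The folder must exist before the ACE is applied. (OI)(CI) makes the grant
# inherit to the database files ADMT will create inside; icacls wants the SID
# prefixed with '*'.
if (-not (Test-Path -Path $DataDir)) { New-Item -ItemType Directory -Path $DataDir | Out-Null }
& icacls.exe $DataDir /grant "*${ServiceSid}:(OI)(CI)F"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Verify the ACE is really there, matching on the SID rather than on the
# 'NT SERVICE\MSSQL$SQLEXPRESS' display name.
$full  = [System.Security.AccessControl.FileSystemRights]::FullControl
$rules = (Get-Acl -Path $DataDir).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$ace = $rules | Where-Object {
    $_.IdentityReference.Value -eq $ServiceSid -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $full) -eq $full)
}
if (-not $ace) { throw "Full-control ACE for $ServiceSid not found on $DataDir" }
'ACL check   : OK'

# On a domain controller SQL Server setup creates the per-instance group as a
# domain local group; the account that runs ADMT must be a member of it.
Import-Module ActiveDirectory
$Group = 'SQLServerMSSQLUser${0}${1}' -f $env:COMPUTERNAME, $Instance
$members = Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty SamAccountName
if ($members -notcontains $Operator) {
    Add-ADGroupMember -Identity $Group -Members $Operator
    'Group       : added {0} to {1}' -f $Operator, $Group
} else {
    'Group       : {0} is already a member of {1}' -f $Operator, $Group
}
```

The ACE check is deliberately done by SID: the icacls grant is applied by SID and the display name resolution for NT SERVICE accounts is not something the script should depend on.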

2.4 Launch the ADMT 3.2 setup.


2.5 Accept the EULA and click Next.


2.6 Click Next (do not opt into the CEIP program).


2.7 Point the ADMT 3.2 installation at the « .\SQLEXPRESS » instance.


2.8 Click « Next ».


2.9 Click « Finish ».



3. ADMT 3.2 Configurations

The first time ADMT 3.2 runs, the following changes are made automatically on the domain controllers that handle the migration (normally the PDC emulator of the source domain and the PDC emulator of the target domain).

I recommend letting the ADMT 3.2 wizard apply these settings automatically rather than making the changes by hand.

3.1 On the PDC emulator of the target domain, the following registry value is set:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Registry value: AllowNT4Crypto (REG_DWORD)

Data: 1

This allows Netlogon secure channels to use cryptography algorithms compatible with Windows NT 4.0. It weakens the target domain controllers for the duration of the migration and should be set back to 0 once the migration is complete.

3.2 On the PDC emulator of the old (source) domain, the following registry value is set:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Modify the registry entry TcpipClientSupport, of data type REG_DWORD, by setting the value to 1.

3.3 In the target domain, set the following Group Policy (it applies to all domain controllers, not only the PDC emulator):

3.3.1 Click Start, point to All Programs, point to Administrative Tools, and then click Group Policy Management.

3.3.2 Navigate to the following node: Forest | Domains | Domain | Domain Controllers | Default Domain Controllers Policy. Right-click Default Domain Controllers Policy and click Edit.

3.3.3 In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy.

3.3.4 In the details pane, right-click Audit account management, and then click Properties.

3.3.5 Click Define these policy settings, and then select Success and Failure.

3.3.6 Click Apply, and then click OK.

3.3.7 In the details pane, right-click Audit directory service access, and then click Properties.

3.3.8 Click Define these policy settings, and then select Success.

3.3.9 Click Apply, and then click OK.

3.4 If the changes need to take effect immediately on the domain controllers, open an elevated command prompt and run gpupdate /force.

3.5 Reboot the PDC emulator in each domain.
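The following read-only pre-flight check is an added example, not part of the original post: it locates the PDC emulator of each domain, reads the two registry values from 3.1 and 3.2 on the right host, and lists the effective audit policy from 3.3 on the target PDC emulator. It assumes the ActiveDirectory module (RSAT) is available where it runs, that PowerShell remoting is enabled on both PDC emulators, and that target.local and source.local are placeholder domain names.

```powershell
# Added pre-flight check (not from the original post) for the section 3
# settings. Assumptions: ActiveDirectory module present; PowerShell remoting
# enabled on both PDC emulators; placeholder domain names below.
Import-Module ActiveDirectory
$TargetDomain = 'target.local'
$SourceDomain = 'source.local'

# Find the PDC emulator of each domain instead of hard-coding host names.
$targetPdc = (Get-ADDomain -Identity $TargetDomain).PDCEmulator
$sourcePdc = (Get-ADDomain -Identity $SourceDomain).PDCEmulator

# Registry values from 3.1 and 3.2, each with the key it lives under and the
# host it belongs on (AllowNT4Crypto: target PDC; TcpipClientSupport: source PDC).
$checks = @(
    @{ Host = $targetPdc; Name = 'AllowNT4Crypto'; Expect = 1
       Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' },
    @{ Host = $sourcePdc; Name = 'TcpipClientSupport'; Expect = 1
       Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' }
)

foreach ($c in $checks) {
    $value = Invoke-Command -ComputerName $c.Host -ArgumentList $c.Key, $c.Name -ScriptBlock {
        param($Key, $Name)
        (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    if ($null -eq $value)         { $state = 'MISSING' }
    elseif ($value -eq $c.Expect) { $state = 'OK' }
    else                          { $state = "WRONG ($value)" }
    '{0,-12} {1,-20} on {2}' -f $state, $c.Name, $c.Host
}

# Effective audit policy on the target PDC emulator (3.3). auditpol /r emits
# CSV, so the rows can be filtered as objects; run gpupdate /force on the DC
# first if the GPO was only just edited. Account Management subcategories
# should show "Success and Failure", DS Access subcategories "Success".
$audit = Invoke-Command -ComputerName $targetPdc -ScriptBlock {
    & auditpol.exe /get /category:* /r
} | Where-Object { $_ -ne '' } | ConvertFrom-Csv

$audit |
    Where-Object { $_.Subcategory -match 'Account Management|Group Management|Directory Service' } |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize
```

A MISSING or WRONG line before the first ADMT run is expected, since the wizard applies these values itself; the check is most useful afterwards, and again after the migration, when AllowNT4Crypto should be back to 0.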


4. Enable Password Migration

The PES service installation in the source domain requires an encryption key, and that key must be created on the computer running ADMT in the target domain.

This way, the key can be kept on removable media in a secure location, and the media can be wiped after the migration is complete.


4.1 On the target domain controller, create a new encryption key:

admt key /option:create /sourcedomain:SourceDomainName.Local /keyfile:<KeyFilePath> /keypassword:{<password>|*}

Note: The source domain is given by its DNS name (SourceDomainName.Local). Using * for /keypassword prompts for the password instead of leaving it in the command history.

4.2 Log on to the PDC emulator of the old (source) domain.

4.3 Run Pwdmig.msi (the Password Export Server installer) and point it at the key file created in the previous step.

Note: You may need to provide the encryption

4.4 Follow the instructions below:

To configure the PES service in the source domain

1. On the domain controller that will run the PES service in the source domain, insert the encryption key disk.

2. Run Pwdmig.msi. If you set a password when generating the key on the domain controller in the target domain, provide that password, and then click Next.

Wizard page and action:

* Welcome to the ADMT Password Migration DLL Installation Wizard: click Next.

* Encryption File: to install the ADMT Password Migration dynamic-link library (DLL), specify a file that contains a valid password encryption key for this source domain. The key file must be located on a local drive. Key files are generated with the admt key command; for more information, see the previous procedure, « To create an encryption key ».

* Run the service as: specify the account that the PES service should run under. You can specify either the Local System account or a specified user account. If you plan to run the PES service as an authenticated user account, give the account in the format domain\user_name.

* Summary: click Finish to complete the PES service installation.

To use ADMT password migration, you must restart the server on which you installed the PES service.

3. After the installation completes, restart the domain controller.

4. After the domain controller restarts, start the PES service: click Start, point to All Programs, point to Administrative Tools, and then click Services.

5. In the details pane, right-click Password Export Server Service, and then click Start.

Run the PES service only while you migrate passwords, and stop it as soon as the password migration is complete.

Source:  Enabling Migration of Passwords

4.5 On the source domain controller, navigate to the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

4.6 Verify that « AllowPasswordExport » (REG_DWORD) is set to 1.

4.7 Add the Domain Admins group of the target domain to the « Administrators » group of the source domain. This gives the target domain's administrators full control of the source domain, so remove the membership again once the migration is finished.
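The three PES-related actions in this section, wrapped so that the export path is open for as short a time as possible, as an added example that is not part of the original post or of ADMT. New-PesKey runs on the ADMT machine in the target domain; Start-PesWindow and Stop-PesWindow run on the source PDC emulator. The source domain source.local, the key file path E:\pes-source.pes and the group TARGET\Domain Admins are placeholders, and PesSvc is assumed to be the service name registered by the Password Export Server installer (display name « Password Export Server Service »); confirm it with Get-Service on the PES host before relying on it.

```powershell
# Added example (not from the original post): PES key creation, a short
# password-migration window, and the cleanup that undoes steps 3.1, 4.6 and 4.7.
# Placeholders: 'source.local', 'E:\pes-source.pes', 'TARGET\Domain Admins'.
# Assumption: the PES service is registered as 'PesSvc'.

# --- 1. On the ADMT machine in the target domain: create the key. The '*'
#        form of /keypassword prompts for the password, so it never ends up in
#        the console history or in this script.
function New-PesKey {
    param([string]$SourceDomain = 'source.local', [string]$KeyFile = 'E:\pes-source.pes')
    & admt key /option:create "/sourcedomain:$SourceDomain" "/keyfile:$KeyFile" /keypassword:*
    if ($LASTEXITCODE -ne 0) { throw "admt key failed with exit code $LASTEXITCODE" }
    Get-Item -Path $KeyFile
}

# --- 2. On the source PDC emulator: open the export path only while ADMT's
#        password migration actually runs.
function Start-PesWindow {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # Pwdmig.msi sets AllowPasswordExport=1 (step 4.6); check it rather than assume it.
    $allow = (Get-ItemProperty -Path $lsa -Name AllowPasswordExport -ErrorAction SilentlyContinue).AllowPasswordExport
    if ($allow -ne 1) {
        throw "AllowPasswordExport is '$allow', expected 1; was Pwdmig.msi installed and the DC rebooted?"
    }
    Start-Service -Name PesSvc
    'PES service : {0}' -f (Get-Service -Name PesSvc).Status
}

# --- 3. On the source PDC emulator once migration is done: stop and disable
#        PES, turn the LSA export switch back off, undo step 4.7, and wipe the
#        key media. AllowNT4Crypto (3.1) lives on the *target* PDC emulator and
#        must be set back to 0 there.
function Stop-PesWindow {
    param([string]$TargetDomainAdmins = 'TARGET\Domain Admins', [string]$KeyFile = 'E:\pes-source.pes')
    Stop-Service -Name PesSvc -Force
    Set-Service  -Name PesSvc -StartupType Disabled
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name AllowPasswordExport -Value 0 -Type DWord

    # Step 4.7 made the target Domain Admins administrators of the source domain.
    & net.exe localgroup Administrators $TargetDomainAdmins /delete

    # Delete the key file and overwrite the free space on its volume (cipher /w)
    # so the key does not survive on the removable media.
    if (Test-Path -Path $KeyFile) {
        Remove-Item -Path $KeyFile -Force
        & cipher.exe "/w:$(Split-Path -Path $KeyFile -Qualifier)\"
    }
    'PES service : {0}' -f (Get-Service -Name PesSvc).Status
}
```

Typical order: New-PesKey on the ADMT machine, install Pwdmig.msi and reboot the source PDC emulator as described above, Start-PesWindow immediately before the ADMT password migration, and Stop-PesWindow right after it. Keeping PES stopped and AllowPasswordExport at 0 outside that window is what limits the exposure of source-domain password hashes.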