Inter-Forest Active Directory Migration
Step 1:
Installing ADMT on the target domain controller.
The following post covers the installation of Microsoft ADMT 3.2 on a Windows Server 2008 R2 SP1 domain controller.
Please note: Microsoft recommends installing ADMT 3.2 on a computer that is not a domain controller. Running ADMT 3.2 on a domain controller lowers the security level of every domain controller in the organization, because the SQL Server instance ADMT depends on, and everyone who can administer it, then runs on a DC.
The installation process is divided into four sections:
1. SQL 2008 Express installation.
2. ADMT 3.2 installation.
3. ADMT 3.2 Configuration.
4. Enable Password Migration.
Note: Earlier versions of ADMT stored the migration configuration and data in an Access database; ADMT 3.2 requires a SQL Server database.
1. SQL Express Installation
1.1 Download SQL Server 2008 Express x64:
Microsoft® SQL Server® 2008 Express Edition Service Pack 1
Note: ADMT 3.2 does not support SQL Server 2008 R2.
1.2 Log on to the target domain controller.
1.3 Launch "SQLEXPR_x64_ENU.exe".
1.4 Click the "Installation" link.
1.5 Click the "New SQL Server stand-alone installation or add features to an existing installation" link.
1.6 Click "OK", then click "Next".
1.7 Tick the "I accept the license terms" checkbox and click "Next".
1.8 Click "Install".
1.9 Click "Next".
1.10 Tick the "Database Engine Services" checkbox and click "Next".
1.11 Click "Next".
1.12 Click "Next".
1.13 Set the database engine service to run as "Administrator" (or an equivalent domain account that is a member of the Domain Admins group) and click "Next". Be aware that this gives the SQL Server service Domain Admin rights on a domain controller; a dedicated account created for the migration and removed afterwards limits that exposure.
1.14 Add the Domain Admins group and the Administrator account as "SQL Server Administrators" and click "Next".
1.15 Click "Next".
1.16 Click "Next".
1.17 Click "Install".
1.18 Click "Close".
2. ADMT 3.2 Installation
2.1 Download Microsoft ADMT 3.2.
2.2 Log on to the target domain controller.
2.3 Run the following commands from an elevated command prompt:
NET LOCALGROUP SQLServerMSSQLUser$DomainControllerName$SQLEXPRESS /ADD
* On a domain controller this command creates SQLServerMSSQLUser$DomainControllerName$SQLEXPRESS as a domain local group (domain controllers have no local groups). Replace DomainControllerName with the name of the target domain controller.
* Every user who will run ADMT 3.2 must be added to the SQLServerMSSQLUser$DomainControllerName$SQLEXPRESS group.
SC SHOWSID MSSQL$SQLEXPRESS
MD %SystemRoot%\ADMT\Data
ICACLS %SystemRoot%\ADMT\Data /grant *S-1-5-80-3881436512-7290199661-1648723128-3569869737-3631323143:F
S-1-5-80-3881436512-7290199661-1648723128-3569869737-3631323143 is the per-service SID returned by SC SHOWSID MSSQL$SQLEXPRESS on the example server; use the value returned on your own domain controller. Granting the service SID rather than the service's logon account keeps the permission tied to the SQL Express service even if its logon account is changed later.
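The following PowerShell script is an added example, not part of the original post: it performs the four commands of section 2.3 and verifies the outcome, reading the service SID from "sc showsid" instead of copying it by hand. It assumes the instance is named SQLEXPRESS, that it runs elevated on the target domain controller, and that the migration operators are the accounts listed in $operators (an assumed list).

```powershell
# Added example (not from the original post). Scripts the commands of section 2.3 and
# verifies the result. Assumptions: instance name SQLEXPRESS, elevated prompt on the
# target domain controller, ADMT operators listed in $operators.
$instance    = 'SQLEXPRESS'
$serviceName = 'MSSQL$' + $instance
$dataDir     = Join-Path $env:SystemRoot 'ADMT\Data'
$groupName   = 'SQLServerMSSQLUser$' + $env:COMPUTERNAME + '$' + $instance
$operators   = @("$env:USERDOMAIN\Administrator")      # assumed list of ADMT users

# 1. The SQL Express service must exist before its per-service SID can be read.
if (-not (Get-Service -Name $serviceName -ErrorAction SilentlyContinue)) {
    throw "Service $serviceName not found; install SQL Express first"
}

# 2. NET LOCALGROUP: on a domain controller this creates a domain local group.
#    "already exists" errors are ignored; membership is verified afterwards.
& net.exe localgroup $groupName /add 2>$null | Out-Null
foreach ($user in $operators) { & net.exe localgroup $groupName $user /add 2>$null | Out-Null }
$members = (& net.exe localgroup $groupName) | ForEach-Object { $_.Trim() }
foreach ($user in $operators) {
    # net localgroup lists same-domain members without the DOMAIN\ prefix
    $short = $user.Split('\')[-1]
    if (($members -notcontains $user) -and ($members -notcontains $short)) {
        throw "$user was not added to $groupName"
    }
}

# 3. SC SHOWSID: keep only the SID token and insist on the per-service SID shape
#    (S-1-5-80 plus five sub-authorities) before granting it Full Control.
$scOutput   = & sc.exe showsid $serviceName
$serviceSid = ($scOutput | Select-String -Pattern 'S-1-5-80(-\d+){5}' |
               Select-Object -First 1).Matches[0].Value
if (-not $serviceSid) { throw "Could not read the service SID for $serviceName from: $scOutput" }

# 4. MD + ICACLS: create %SystemRoot%\ADMT\Data and grant the service SID Full Control.
#    (OI)(CI) extends the page's plain :F so the grant is inherited by the database
#    files SQL Express later creates inside the folder.
if (-not (Test-Path -Path $dataDir)) { New-Item -ItemType Directory -Path $dataDir | Out-Null }
& icacls.exe $dataDir /grant ('*' + $serviceSid + ':(OI)(CI)F') | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 5. Verify: the folder ACL must now carry an entry that resolves to the service SID.
$entry = (Get-Acl -Path $dataDir).Access | Where-Object {
    try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $serviceSid }
    catch { $false }
}
if (-not $entry) { throw "Service SID $serviceSid is not present on $dataDir" }
Write-Host "$dataDir ready: $groupName populated, $serviceSid granted Full Control"
```

The SID format check is deliberate: the script refuses to grant Full Control to anything that is not a per-service SID, so a typo or a stray line in the sc output cannot turn into a permission for an unexpected principal.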
2.4 Launch the ADMT 3.2 setup.
2.5 Accept the EULA and click "Next".
2.6 Click "Next" (do not opt into the CEIP program).
2.7 Point the ADMT 3.2 installation at the ".\SQLEXPRESS" instance.
2.8 Click "Next".
2.9 Click "Finish".
3. ADMT 3.2 Configuration
When ADMT 3.2 runs for the first time, it makes the following changes automatically on the domain controllers involved in the migration (normally the PDC emulator of the source domain and of the target domain).
I recommend letting the ADMT 3.2 wizard apply these settings rather than making the changes by hand.
3.1 On the target domain PDC emulator, set the following registry value:
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: AllowNT4Crypto
Type: REG_DWORD
Data: 1
Note: this re-enables NT 4.0-compatible cryptography on the Netlogon secure channel; set it back to 0 once the migration is complete.
3.2 On the source domain PDC emulator, set the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Registry value: TcpipClientSupport
Type: REG_DWORD
Data: 1
3.3 On the target domain PDC emulator, set the following Group Policy:
3.3.1 Click Start, point to All Programs, point to Administrative Tools, and then click Group Policy Management.
3.3.2 Navigate to the following node: Forest | Domains | Domain | Domain Controllers | Default Domain Controllers Policy.
Right-click Default Domain Controllers Policy and click Edit.
3.3.3 In Group Policy Management Editor, navigate to the following node in the console tree: Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy.
3.3.4 In the details pane, right-click Audit account management, and then click Properties.
3.3.5 Click Define these policy settings, and then select Success and Failure.
3.3.6 Click Apply, and then click OK.
3.3.7 In the details pane, right-click Audit directory service access, and then click Properties.
3.3.8 Click Define these policy settings, and then select Success.
3.3.9 Click Apply, and then click OK.
3.4 To apply the changes to the domain controllers immediately, open an elevated command prompt and run gpupdate /force.
3.5 Reboot the PDC emulator in each domain.
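The PowerShell script below is an added example, not part of the original post or of ADMT itself. It applies (or with -Revert rolls back) the section 3 registry setting for one domain's PDC emulator and, on the target side, refreshes Group Policy and prints the effective audit policy so the GPO change can be confirmed. It assumes an elevated prompt on the PDC emulator itself and that -Role names the domain this host belongs to; both parameter names are the example's own.

```powershell
# Added example (not from the original post). Applies or rolls back the section 3
# registry settings on the PDC emulator of one domain. Assumptions: elevated prompt on
# the PDC emulator, -Role = the domain this host belongs to. -Revert restores 0, which
# matters for AllowNT4Crypto: it re-enables NT 4.0-compatible cryptography on the
# Netlogon secure channel and should not outlive the migration.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Source', 'Target')][string]$Role,
    [switch]$Revert
)

# Registry value the ADMT wizard sets for each role (sections 3.1 and 3.2).
$settings = @{
    Source = @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                  Name = 'TcpipClientSupport' }
    Target = @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'AllowNT4Crypto' }
}
$setting = $settings[$Role]
$wanted  = if ($Revert) { 0 } else { 1 }

# The page applies both settings on the PDC emulator, so refuse to run anywhere else.
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
if ($pdc -notlike "$env:COMPUTERNAME.*") { throw "This host is not the PDC emulator ($pdc)" }

# Record the previous value so the change can be audited and undone.
$old = (Get-ItemProperty -Path $setting.Path -Name $setting.Name -ErrorAction SilentlyContinue).($setting.Name)
if ($old -eq $null) { $old = '<absent>' }
Write-Host ("{0}\{1}: {2} -> {3}" -f $setting.Path, $setting.Name, $old, $wanted)
New-ItemProperty -Path $setting.Path -Name $setting.Name -Value $wanted -PropertyType DWord -Force | Out-Null

if ($Role -eq 'Target' -and -not $Revert) {
    # The audit settings live in the Default Domain Controllers Policy (section 3.3);
    # refresh policy here and show the effective result instead of editing the GPO.
    & gpupdate.exe /force | Out-Null
    & auditpol.exe /get /category:"Account Management"
    & auditpol.exe /get /category:"DS Access"
}
Write-Host 'Restart this domain controller for the change to take effect, as the last step of section 3 instructs.'
```

Run it once per domain during the migration (-Role Source on the source PDC emulator, -Role Target on the target one) and again with -Revert when the migration is finished; the printed old value is what a change record should contain.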
4. Enable Password Migration
Installing the PES service in the source domain requires an encryption key, but the key must be created on the computer running ADMT in the target domain.
Write it to removable media so that the media can be kept in a secure location and wiped (reformatted) after the migration is complete.
4.1 On the target domain controller, create a new encryption key:
admt key /option:create /sourcedomain:SourceDomainName.Local /keyfile:<KeyFilePath> /keypassword:{<password>|*}
Note: /sourcedomain must name the source domain (SourceDomainName.Local in this example). Passing * for /keypassword prompts for the password instead of leaving it in the command history.
4.2 Log on to the PDC emulator of the source domain.
4.3 Run Pwdmig.msi (the Password Export Server installer), pointing it at the key file created in step 4.1.
Note: You may need to provide the encryption
4.4 Follow the instructions below:
To configure the PES service in the source domain
1. On the domain controller that runs the PES service in the source domain, insert the encryption key disk.
2. Run Pwdmig.msi. If you set a password during the key generation process on the domain controller in the target domain, provide the password that was given when the key was created, and then click Next.
3. After installation completes, restart the domain controller.
4. After the domain controller restarts, to start the PES service, point to Start, point to All Programs, point to Administrative Tools, and then click Services.
5. In the details pane, right-click Password Export Server Service, and then click Start.
Note: Run the PES service only when you migrate passwords. Stop the PES service after you complete the password migration.
Source: Enabling Migration of Passwords
4.5 On the source domain PDC emulator, open the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
4.6 Verify that "AllowPasswordExport" (REG_DWORD) is set to 1.
4.7 Add the target domain's Domain Admins group as a member of the "Administrators" group in the source domain. This gives the target forest's administrators full control of the source domain, so remove the membership as soon as the migration is complete.
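The following PowerShell script is an added example, not part of the original post or of the PES package. Run elevated on the source-domain PDC emulator, -Mode Check confirms the state section 4 leaves behind (AllowPasswordExport = 1, the PES service present, the target Domain Admins in the source Administrators group), and -Mode Cleanup undoes that temporary exposure once password migration is finished. The -TargetDomain NetBIOS name is an assumed parameter, and the PES service is located by its display name rather than an assumed service name.

```powershell
# Added example (not from the original post). Check or clean up the section 4 state on
# the source-domain PDC emulator. Assumptions: elevated prompt on that host, and the
# target domain's NetBIOS name passed as -TargetDomain (default is a placeholder).
param(
    [ValidateSet('Check', 'Cleanup')][string]$Mode = 'Check',
    [string]$TargetDomain = 'TARGET'      # assumed NetBIOS name of the target domain
)

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valName = 'AllowPasswordExport'
$member  = "$TargetDomain\Domain Admins"
$pes     = Get-Service -DisplayName 'Password Export Server*' -ErrorAction SilentlyContinue

function Get-AllowPasswordExport {
    $p = Get-ItemProperty -Path $lsaPath -Name $valName -ErrorAction SilentlyContinue
    if ($p -eq $null) { return $null }
    return [int]$p.$valName
}
function Test-SourceAdminMember {
    # net localgroup lists members one per line; foreign-domain members keep their prefix.
    $members = (& net.exe localgroup Administrators) | ForEach-Object { $_.Trim() }
    return [bool]($members -contains $member)
}

switch ($Mode) {
    'Check' {
        $ok = $true
        $v  = Get-AllowPasswordExport
        if ($v -ne 1) { Write-Warning "$valName is '$v' (expected 1); the PES installer did not complete"; $ok = $false }
        if (-not $pes) { Write-Warning 'PES service is not installed on this host'; $ok = $false }
        elseif ($pes.Status -ne 'Running') { Write-Warning "PES service is $($pes.Status); start it only for the password migration run" }
        if (-not (Test-SourceAdminMember)) { Write-Warning "$member is not in the source Administrators group"; $ok = $false }
        if ($ok) { Write-Host 'Section 4 prerequisites are in place.' }
    }
    'Cleanup' {
        if ($pes) {
            Stop-Service -Name $pes.Name -Force
            Set-Service  -Name $pes.Name -StartupType Disabled
        }
        # Clearing the value withdraws the registry permission PES needs to export hashes.
        New-ItemProperty -Path $lsaPath -Name $valName -Value 0 -PropertyType DWord -Force | Out-Null
        if (Test-SourceAdminMember) { & net.exe localgroup Administrators $member /delete | Out-Null }
        Write-Host "PES disabled, $valName = $(Get-AllowPasswordExport), $member removed from Administrators."
    }
}
```

The Cleanup mode is the part most often forgotten: the source domain keeps exporting password hashes to whoever holds the key, and keeps a foreign Domain Admins group in its Administrators group, until someone explicitly reverses steps 4.3 to 4.7.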