Migration Active directory Inter-Forêt
Etape 1 :
Installation ADMT sur le contrôleur de domaine cible.
The following post will cover the installation process of Microsoft ADMT 3.2 on Windows 2008 R2 SP1 Domain Controller.
Please note: Microsoft recommended to install the ADMT 3.2 tool a non domain controller computer. Using ADMT 3.2 on Domain Controller may reduce the security level of all the Domain Controller in the organization.
The installation process in divided to four sections:
1. SQL 2008 Express installation.
2. ADMT 3.2 installation.
3. ADMT 3.2 Configuration.
4. Enable Password Migration.
Note: In the past ADMT tool used Access database to save the migration configurations and data. ADMT 3.2 require to use SQL database.
1. SQL Express Installation
1.1 Download SQL 2008 Express x64.
Microsoft® SQL Server® 2008 Express Edition Service Pack 1
Note: ADMT 3.2 doesn’t support SQL 2008 R2.
1.2 Logon into the target domain controller.
1.3 Launch « SQLEXPR_x64_ENU.exe » file.
1.4 Press on the link « Installation »:
1.5 Press on the link « New SQL Server stand-alone installation or add feathers to exiting installation« :
1.6 Press on « Ok » button and then press on « Next » button.
1.7 Mark the checkbox « I accept the license term » and press on « Next » button.
1.8 Press on « Install » button.
1.9 Press on « Next » button.
1.10 Mark the checkbox « Database Engine Services » and then Press on « Next » button.
1.11 Press on « Next » button.
1.12 Press on « Next » button.
1.13 Set the database engine to use « Administrator » account (or any equivalent domain account that is member of domain admins group) and press on « Next » button.
1.14 Add the domain admins group and Administrator account as « SQL Server Administrator » and press on « Next » button.
1.15 Press on « Next » button.
1.16 Press on « Next » button.
1.17 Press on « Install » button.
1.18 Press on « Close » button.
2 ADMT 3.2 Installation
2.1 Download Microsoft ADMT 3.2.
2.2 Logon into the target domain controller.
2.3 Run the following commands:
NET LOCALGROUP SQLServerMSSQLUser$DomainControllerName$SQLEXPRESS /ADD
* The SQLServerMSSQLUser$DomainControllerName$SQLEXPRESS group should be created as local domain group.
* To user that using the ADMT 3.2 should be added to SQLServerMSSQLUser$DomainControllerName$SQLEXPRESS group.
SC SHOWSID MSSQL$SQLEXPRESS
MD %SystemRoot%ADMTData
ICACLS %systemroot%ADMTData /grant *S-1-5-80-3881436512-7290199661-1648723128-3569869737-3631323143:F
S-1-5-80-3881436512-7290199661-1648723128-3569869737-3631323143 = The SID that was obtained by using SC SHOWSID MSSQL$SQLEXPRESS command.
2.4 Launch ADMT 3.2 setup.
2.5 Approve the EULA and press on Next button.
2.6 Press on Next button (Don’t choose to participate in the CEIP program).
2.7 Point the ADMT 3.2 Installation to » .SQLEXPRESS » instance.
2.7 Press on « Next » button.
2.8 Press on « Finish » button.
3. ADMT 3.2 Configurations
During the first running of ADMT 3.2 the following changes would be done automatically on the domain controllers that handle the migration process (usually source and target domain controller hosting PDC Emulator FSMO).
I recommended to allow the ADMT 3.2 wizard to set the required settings automatically and not make this changes manually.
3.1 On the target domain PDC Emulator FSMO, set the following registry key:
HKLMSystemCurrentControlSetServicesNetlogonParameters
Registry value: AllowNT4Crypto
Type: REG_DWORD
Data: 1
3.2 On the PDC emulator of the old domain set the following registry key:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLSA
Modify the registry entry TcpipClientSupport, of data type REG_DWORD, by setting the value to 1.
3.3 On the target domain PDC Emulator FSMO set the following Group Policy:
3.3.1 Click Start, point to All Programs, point to Administrative Tools, and then click Group Policy Management.
3.3.2 Navigate to the following node: Forest | Domains | Domain | Domain Controllers | Default Domain Controllers Policy
Right-click Default Domain Controllers Policy and click Edit.
3.3.3 In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy
3.3.4 In the details pane, right-click Audit account management, and then click Properties.
3.3.5 Click Define these policy settings, and then click Success and Failure.
3.3.6 Click Apply, and then click OK.
3.3.7 In the details pane, right-click Audit directory service access and then click Properties.
3.3.8 Click defines these policy settings and then click Success.
3.3.9 Click Apply, and then click OK.
3.12 If the changes need to be immediately reflected on the domain controllesr, open an elevated command prompt and type gpupdate /force.
3.13 Reboot the PDC emulators servers in each domain.
4. Enable Password Migration
The PES service installation in the source domain requires an encryption key. However, you must create the encryption key on the computer running ADMT in the target domain.
This way, you can store it in a secure location and reformat it after the migration is completed.
4.1 On the target domain controller create a new encryption key:
admt key /option:create /sourcedomain: SourceDomainName.Local/keyfile:<KeyFilePath> /keypassword:{<password>|*}
Note: The source domain should set to: SourceDomainName.Local
4.2 On the old domain, logon into the PDC emulator.
4.3 Run the Pwdmig.msi that was created in the previous steps.
Note: You may need to provide the encryption
4.4 Follow the instructions bellow:
To configure the PES service in the source domain
1. On the domain controller that runs the PES service in the source domain, insert the encryption key disk.
2. Run Pwdmig.msi. If you set a password during the key generation process on the domain controller in the target domain, provide the password that was given when the key was created, and then click Next.
Wizard page Action Welcome to the ADMT Password Migration DLL Installation Wizard Click Next. Encryption File To install the ADMT Password Migration dynamic-link library (DLL), you must specify a file that contains a valid password encryption key for this source domain. The key file must be located on a local drive. You use the admt key command to generate the key files. For more information, see the previous procedure « To create an encryption key. »
Run the service as Specify the account that you want the PES service to run under. You can specify either of the following accounts: · The local System account
· A specified user account
Note
If you plan to run the PES service as an authenticated user account, specify the account in the format domainuser_name. Summary Click Finish to complete the PES service installation.
Note
To use the password migration of ADMT, you must restart the server where you installed the PES service. 3. After installation completes, restart the domain controller.
4. After the domain controller restarts, to start the PES service, point to Start, point to All Programs, point to Administrative Tools, and then click Services.
5. In the details pane, right-click Password Export Server Service, and then click Start.
Note
Run the PES service only when you migrate passwords. Stop the PES service after you complete the password migration.
![clip_image028[1]](http://blogs.microsoft.co.il/blogs/yuval14/clip_image0281_49AA4F86.gif "clip_image028[1]"){kind=small}
![clip_image028[2]](http://blogs.microsoft.co.il/blogs/yuval14/clip_image0282_228F9044.gif "clip_image028[2]"){kind=small}
Source: Enabling Migration of Passwords
4.5 Navigate to the following registry subkey on the source domain: HKEY_LOCAL_MACHINESystemCurrentControlSetControlLSA
4.6 Verify that « AllowPasswordExport » (REG_DWORD) was set to 1.
4.7 Add target Domain Admin group as members of « Administrators » group in the source domain.
About Author
