Microsoft released Active Directory Migration Tool (ADMT) 2.0 in conjunction with Windows Server 2003, and most of us associate the tool with migrating from one version of Windows to another. ADMT is, in fact, the tool of choice for large organizations that have migrated from earlier implementations of Windows to Windows 2003 or Windows 2000 Server. However, ADMT was designed to migrate an Active Directory (AD) schema from one forest to another whether or not a change in OSs is involved. ADMT supports not only migration from Windows NT 4.0 to AD but also interforest migration (i.e., consolidating domains that live in separate forests) and intraforest migration (i.e., migrating domains that are part of the same forest).
ADMT 2.0 has several new features, including a command-line interface and a slightly better interface for working with Microsoft Exchange Server. Additionally, ADMT 2.0 supports user-account password migration.
ADMT's role as a schema mover is important because after you implement an AD schema, you can't modify it directly. If you need to make a change, you must delete the structure and start from scratch, unless you use ADMT, which lets you migrate to a different schema without starting over.
That important point noted, I intend to demonstrate how to use ADMT 2.0 to migrate an NT 4.0 domain to Windows 2003. I created a simple virtual environment, then added an NT 4.0 source domain named IKDOM01 and a Windows 2003 target domain with the Fully Qualified Domain Name (FQDN) IKDOM2.ORG. ADMT must run on the target PDC. If the target directory is replicated, the selected server should also be the Operations Master for replication purposes (i.e., the server designated to hold the Flexible Single-Master Operation—FSMO—role).
ADMT 2.0 is compatible with both Windows 2003 and Win2K Server. You can download the tool at http://www.microsoft.com/downloads/details.aspx?familyid=788975b1-5849-4707-9817-8c9773c25c6c&displaylang=en. After downloading the admt2.exe file, extract its contents into a directory with a name such as ADMT. One of the extracted files, admigration.msi, installs ADMT on the selected server; by default, ADMT is installed in the system root in \Program Files\Active Directory Migration Tool. After you've installed the tool, it's time to prepare the two domains for migration.
Preparing for Migration
Windows 2003 offers two modes of operation for AD: native and mixed. Windows 2003 has security features that earlier versions don't support. If your environment contains only Windows 2003 DCs, you can configure AD to run in native mode, which is more secure but isn't compatible with older DCs. Mixed, or compatibility, mode lets administrators run AD and NT 4.0 servers in a shared security environment but renders many of native mode's security enhancements unavailable. ADMT requires the new domain to run in native mode. If you aren't certain whether the new domain is using native mode, open a Microsoft Management Console (MMC) AD administration snap-in such as Active Directory Users and Computers and right-click the domain object. In the context menu, select Raise Functional Level if that option is available; otherwise, select All Tasks, Raise Functional Level. The resulting dialog box shows the domain's current functional level and lets you raise the level from compatibility to native mode. For more information about domain functional levels, see http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_levels.asp and the Microsoft article "HOW TO: Raise Domain and Forest Functional Levels in Windows Server 2003" (http://support.microsoft.com/?kbid=322692). Keep in mind that after you raise the level, you can't lower it.
Next, you need to create a two-way trust between the target and source domains. On the Windows 2003 system, open the MMC Active Directory Domains and Trusts console and right-click the target domain (IKDOM2.ORG) object. Select Properties from the context menu to open the Properties dialog box. On the Trusts tab, click New Trust to open the New Trust Wizard, which walks you through the steps of setting up the first half of your two-way trust with the NT 4.0 IKDOM01 domain.
To set up the second half of the trust (from the source domain to the target domain), on the NT 4.0 PDC for the IKDOM01 domain, open User Manager for Domains from the Administrative Tools menu. From the Policies menu, select the Trust Relationships option, then define a two-way trust relationship with the target domain. After modifying both domains, close the Active Directory Domains and Trusts console on the Windows 2003 PDC, but leave User Manager for Domains open on IKDOM01.
The next step is to ensure that the administrative user accounts that the migration process will use have rights in both domains. In User Manager for Domains, double-click the Administrators object under the IKDOM01 object, then add the administrators for the target domain (IKDOM2.ORG\Domain Admins) to grant them permission on the source domain. The source domain configuration process has an option to create a group related to SID migration, but ADMT will automatically create this group on the source domain and name it after the domain (in my sample scenario, the name would be IKDOM01$$$). Close User Manager for Domains.
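As an added example (not from the article and not part of ADMT), the following PowerShell script checks the three prerequisites above (native mode, a two-way trust, and the target Domain Admins' membership in the source Administrators group) before ADMT is started. It assumes Windows PowerShell is available on the Windows 2003 target DC, uses the article's IKDOM2.ORG and IKDOM01 names, and assumes the target domain's NetBIOS name is IKDOM2, which the article doesn't state.

```powershell
# Added pre-flight check; not from the original article or from ADMT.
# Assumes: runs on the Windows 2003 target DC under an account that can read
# both domains. IKDOM2.ORG / IKDOM01 are the article's sample names; the
# target NetBIOS name IKDOM2 is an assumption.
$TargetDns     = 'IKDOM2.ORG'
$TargetNetbios = 'IKDOM2'
$SourceNetbios = 'IKDOM01'

function Test-AdmtPrereqs {
    $result = @{}

    # 1. ADMT requires the target domain to run in native mode.
    #    ntMixedDomain: 1 = mixed/compatibility mode, 0 = native mode.
    #    msDS-Behavior-Version: 0 = Windows 2000, 1 = 2003 interim, 2 = Windows Server 2003.
    $domain = [ADSI]"LDAP://$TargetDns"
    $result.NativeMode      = ([int]$domain.psbase.Properties['ntMixedDomain'][0] -eq 0)
    $result.FunctionalLevel = [int]$domain.psbase.Properties['msDS-Behavior-Version'][0]

    # 2. The trust with the source domain must exist and be two-way.
    #    trustedDomain objects live under CN=System; trustDirection 3 = bidirectional.
    $domainDn = $domain.psbase.Properties['distinguishedName'][0]
    $sysRoot  = [ADSI]"LDAP://CN=System,$domainDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($sysRoot)
    $searcher.Filter = "(&(objectClass=trustedDomain)(flatName=$SourceNetbios))"
    $trust = $searcher.FindOne()
    $result.TwoWayTrust = ($trust -ne $null) -and
                          ([int]$trust.Properties['trustdirection'][0] -eq 3)

    # 3. IKDOM2.ORG\Domain Admins must be in the NT 4.0 domain's Administrators group.
    #    The WinNT provider reaches the NT 4.0 PDC across the trust just created.
    $admins  = [ADSI]"WinNT://$SourceNetbios/Administrators,group"
    $members = @($admins.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })
    $result.TargetAdminsGranted = [bool]($members -like "WinNT://$TargetNetbios/Domain Admins*")

    return $result
}

Test-AdmtPrereqs | Format-Table -AutoSize
```

Any row that shows False (or a FunctionalLevel below 2) points at the preparation step that still needs to be redone before running ADMT.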