JSI Tip 2695. The Active Directory Migration Tool.

Jerold Schulman

August 9, 2000

7 Min Read
ITPro Today logo in a gray background | ITPro Today

"The Active DirectoryTM Migration Tool (ADMT) provides an easy, secure, and fast way to migrate from Windows NT® to the Windows® 2000 Server Active Directory service. You can also use ADMT to restructure your Windows 2000 Active Directory domains. This tool can help a system administrator diagnose any possible problems before starting migration operations. The task-based wizards will then allow you to migrate users, groups, and computers; set correct file permissions; and migrate Microsoft Exchange Server mailboxes. The tool's reporting feature allows you to assess the impact of the migration, both before and after move operations.

In many cases, if there is a problem you can use the rollback feature to automatically restore previous structures. The tool also provides support for parallel domains, so you can maintain your existing Microsoft Windows NT 4.0 operating system domains while you deploy the Microsoft Windows 2000 operating system.

Benefits

ADMT provides an effective tool that simplifies the process of migrating users, computers, and groups to new domains. At the same time, ADMT is designed to be flexible so that each organization can use it to implement a migration process that is adapted to its needs. This powerful tool lets you accomplish the following:

  • Migrate from Windows NT. You can use ADMT to migrate from Windows NT to Windows 2000. This migration lets you benefit from several important features introduced by Active Directory, including:

    • Improved scalability. The improved scalability available in an Active Directory forest-you can have millions of objects-lets you reconfigure your current Windows NT domains into fewer, larger Windows 2000 Active Directory domains. Simplifying your domain structure- frequently, into just one domain-also makes administration of users, groups, and group policy easier.

    • Administrative delegation. Consolidating Windows NT resource domains into Active Directory organizational units (OUs) lets you delegate administrative control over specific OUs to administrators who have authority over only part of a domain.

    • Trust simplification. If your current domain structure requires a complex mesh of trust relationships, you can benefit from a redesign that lets you use fewer trusts by using the bi-directional transitive trust relationships available in Windows 2000.

  • Restructure Windows 2000. You can use ADMT to reorganize your Windows 2000 domain structure. As when you migrate from Windows NT to Windows 2000, migration within Windows 2000 also lets you consolidate multiple domains into fewer domains, and possibly a single domain.

  • Tailor the move to your needs. ADMT lets you specify how to handle user, password, computer, group, group membership, security translation, and monitoring options during the migration process.

ADMT Features

ADMT features let you manage domain migration efficiently and fine-tune the results to suit their requirements.

  • No need to manually load software onto all those computers.

    • When using ADMT to migrate users and groups, you install the ADMT tool, typically on the console in the target domain (the domain into which security principals or resources are being migrated). Beyond that, ADMT requires no additional software installation on the computers in the source domain (the domain from which security principals or resources are being migrated).

    • When migrating computers or translating security on resources, ADMT automatically installs services (called agents) on the source computers. This means you do not need to manually load software onto each source computer to perform the migration. Once the agent's task is completed, it uninstalls itself.

  • Wizards make it easy. ADMT lets you use a series of wizards, including the User Migration wizard, Computer Migration wizard, Group Migration wizard, Service Account Migration wizard, Trust Migration wizard, and Reporting wizard to simplify various parts of the migration process.

  • Options to suit you. Select the appropriate options among the many provided by the various wizards when performing a migration. For example, you can choose to copy users rights assigned in the source domain to the target domain; you can copy groups along with their members to the target domain; you can leave user accounts active in both the source and target domains; you can copy roaming profiles to the target domain for selected user accounts; and so on.

  • Restructure groups. Optionally, before migrating groups you can run the Group Mapping and Merging Wizard to map a group in the source domain to a new or existing group in the target domain. This mapping ensures that, when the group's members are migrated from the source domain into the target domain, group memberships will reflect the mapping. You can also merge multiple groups into one group.

  • Trial run. By selecting the Test the migration settings and migrate later option, you can run a wizard without actually making any changes in your network. Review the log files and reports generated by the wizards to identify and troubleshoot any potential problems before performing the actual migration.

  • Undo. You can undo the most recently performed user, group, or computer migration.

  • Users maintain access to resources. During user and group migration, ADMT lets users retain their premigration access to resources such as files, shares, and applications through its sIDHistory feature or by updating those resources to refer to the migrated user. This capability keeps your security structure (the granting and denying of access to resources) intact but conveniently brings it into the new domain.

  • Users retain access to Exchange resources. If you need to update security permissions on Exchange mailboxes to reflect the migration, ADMT can also handle that.

  • Service accounts migrate too. ADMT also migrates service accounts. Many applications, such as Microsoft Exchange, use service accounts to run services with the same set of credentials on several network computers.

  • Putting objects into OUs. In addition to consolidating Windows NT resource domains into Active Directory OUs, ADMT also lets you migrate selected users, groups, or computers to OUs in the target domain. Then, you can use Windows 2000 features to manage these OUs-for example, you can establish group policy configuration settings for a group of computers collected in a given OU.

  • Handling trust relationships. A trust relationship connects two domains and lets users in the trusted domain access resources in the trusting domain. To maintain resource access during migration, the same trust relationships must be established in the target domain as exist in the source domain. The Trust Migration wizard does this for you-it compares the trust relationships in the source domain to the trust relationships in the target domain, and then creates in the target domain any trust relationships that exist in the source domain.

  • Making use of the new universal group scope. In intra-forest migration (that is, when performing a migration between Windows 2000 domains in the same forest), when global groups are migrated from a native-mode source domain, the groups are created as universal groups in the target domain so that they can contain members from the source domain that have not yet been migrated.Global groups can contain only members from their own domain; universal groups can have members from any Windows 2000 domain in the forest.

ADMT System Requirements

  • Target domain. For target domains, ADMT can run on any computer capable of running the Windows 2000 Server operating system.

  • Source domain. The source domain must be running either Windows 2000 or Windows NT 4.0.

The primary domain controller (PDC) of a Windows NT 4.0 source domain must have SP4 or higher installed. The ADMT agent (installed by ADMT on the source computers) can operate on computers running Windows NT 3.51 (with SP5); Windows NT 4.0 (with SP4 or higher); or Windows 2000.

Back to Top

Download ADMT
Exploring Directory Services
Microsoft and Mission Critical Software Announce Licensing Agreement To Accelerate Migrations to Windows 2000
Planning Migration from Windows NT to Windows 2000
Planning Domain Migration Strategies
Domain Migration Cookbook
Domain Migration Strategies and Windows 2000
How to Migrate Your Windows NT 4.0 Directory Services to Windows 2000 Active Directory"


Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like