
Inter-Forest Active Directory Migration Using ADMT


Objective

To successfully migrate users, groups, computers, and associated resources from Company A's Active Directory forest to Company B's forest using the Active Directory Migration Tool (ADMT), ensuring minimal disruption, preservation of security identifiers (SIDs), and maintenance of user access to resources.


1. Understanding the Migration Scenario

In scenarios such as mergers, acquisitions, or organizational restructuring, it's often necessary to consolidate Active Directory environments. An inter-forest migration involves moving objects between two separate AD forests, which can be complex due to differences in configurations, policies, and trust relationships.


2. Pre-Migration Planning

2.1. Assess the Current Environments

  • Inventory Objects: List all users, groups, computers, and service accounts in Company A's forest.
  • Analyze Dependencies: Identify applications and services that rely on AD authentication.
  • Review Group Policies: Document existing Group Policy Objects (GPOs) and their settings.
  • Check DNS Configurations: Ensure DNS settings are correctly configured for name resolution between forests.

2.2. Define the Target Environment

  • Design OU Structure: Plan the Organizational Unit (OU) hierarchy in Company B's forest to accommodate migrated objects.
  • Establish Naming Conventions: Decide on consistent naming for users, groups, and computers.
  • Set Up GPOs: Prepare necessary GPOs in the target environment to maintain security and compliance.

3. Establishing Trust Between Forests

3.1. Create Forest Trust

  • Use Active Directory Domains and Trusts: On a domain controller in Company B's forest, open the tool and create a new forest trust pointing to Company A's forest.
  • Select Trust Type: Choose "Forest Trust" and ensure it's transitive.
  • Set Trust Direction: Configure the trust as two-way to allow bidirectional authentication.

3.2. Verify Trust

  • Validate Trust: Use the "Validate" option to ensure the trust is functioning correctly.
  • Check Name Resolution: Confirm that DNS name resolution works between forests.

4. Preparing the Migration Environment

4.1. Install ADMT

  • Download ADMT: Obtain the latest version of ADMT from Microsoft's official website.
  • Install on Target Domain: Set up ADMT on a member server in Company B's forest.
  • Configure SQL Server: ADMT requires a SQL Server instance; install SQL Server Express if necessary.

4.2. Set Up Password Export Server (PES)

  • Install PES on Source Domain: On a domain controller in Company A's forest, install the PES service.
  • Generate Encryption Key: On the ADMT server, run the following command:

    admt key /option:create /sourcedomain:CompanyA.local /keyfile:"C:\Key\key.pes" /keypassword:YourPassword

  • Transfer Key File: Copy the generated key file to the PES server in Company A's forest.
  • Configure PES: During installation, provide the path to the key file and the corresponding password.

5. Configuring Source and Target Domains

5.1. Enable Auditing

To migrate SID history, auditing must be enabled on both source and target domains.

  • Edit Default Domain Controllers Policy:
    • Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.
    • Enable "Audit account management" and "Audit directory service access" for success and failure.
  • Update Group Policy: On the domain controllers, run:

    gpupdate /force


5.2. Create Migration Group

In the source domain (Company A), create a domain local security group named CompanyA$$$ (the source domain's NetBIOS name followed by $$$). ADMT requires this group for SID history migration.

  • Using Active Directory Users and Computers:
    • Create a new group in the "Users" container.
    • Name it CompanyA$$$.
    • Set the group scope to "Domain Local" and type to "Security".

5.3. Modify Registry for TcpipClientSupport

On the domain controller holding the PDC emulator role in the source domain, enable TcpipClientSupport.

  • Registry Path:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  • Add DWORD: TcpipClientSupport with a value of 1.
  • Restart Server: Reboot the domain controller to apply the change.
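The following PowerShell pre-flight script is an added example, not part of the original guide or of ADMT itself: it checks the trust from section 3 and the three SID-history prerequisites from section 5 on the source PDC emulator. The NetBIOS name CompanyA, the target forest name CompanyB.local and the presence of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example (not part of the original guide): pre-flight checks for the
# SID-history prerequisites in sections 3 and 5. Run on the source domain
# controller that holds the PDC emulator role, as a source-domain admin, with
# the RSAT ActiveDirectory module installed. Names below are assumptions.
Import-Module ActiveDirectory

$SourceNetBios = 'CompanyA'        # assumed source NetBIOS name
$TargetForest  = 'CompanyB.local'  # assumed target forest FQDN
$findings      = New-Object System.Collections.Generic.List[string]

# 3.1/3.2: a two-way forest trust to the target must exist.
$trust = Get-ADTrust -Filter "Name -eq '$TargetForest'" -ErrorAction SilentlyContinue
if (-not $trust) {
    $findings.Add("No trust to $TargetForest exists.")
} elseif ($trust.Direction -ne 'BiDirectional') {
    $findings.Add("Trust to $TargetForest is $($trust.Direction), not two-way.")
}

# 5.2: the <NetBIOS>$$$ group must be a Domain Local security group.
$groupName = $SourceNetBios + '$$$'   # single quotes keep the literal $$$
try {
    $grp = Get-ADGroup -Identity $groupName -ErrorAction Stop
    if ($grp.GroupScope -ne 'DomainLocal' -or $grp.GroupCategory -ne 'Security') {
        $findings.Add("$groupName is $($grp.GroupScope)/$($grp.GroupCategory); expected DomainLocal/Security.")
    }
} catch {
    $findings.Add("Group $groupName not found in the source domain.")
}

# 5.3: TcpipClientSupport must be 1 under the Lsa key (reboot after setting it).
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$tcpip = (Get-ItemProperty -Path $lsa -Name TcpipClientSupport -ErrorAction SilentlyContinue).TcpipClientSupport
if ($tcpip -ne 1) {
    $findings.Add("TcpipClientSupport is '$tcpip'; expected 1.")
}

# 5.1: account management and directory service access auditing, read from the
# effective policy via auditpol's CSV output (/r). Every subcategory in the two
# categories must be set to "Success and Failure".
foreach ($category in 'Account Management', 'DS Access') {
    $rows = auditpol /get /category:"$category" /r | Where-Object { $_ } | ConvertFrom-Csv
    foreach ($row in $rows | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }) {
        $findings.Add("Audit '$($row.Subcategory)' is '$($row.'Inclusion Setting')'; expected Success and Failure.")
    }
}

if ($findings.Count -eq 0) { 'All SID-history prerequisites are satisfied.' }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

Any FAIL line points at the section above that still needs to be completed before the first wizard run; ADMT will otherwise migrate the objects without SID history and access to the old ACLs breaks silently.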

6. Performing the Migration

6.1. Migrate Groups

  • Open ADMT: Launch the ADMT console on the target domain.
  • Select Group Account Migration Wizard: Follow the wizard to select source and target domains.
  • Choose Groups: Select the groups to migrate.
  • Configure Options:
    • Enable SID history migration.
    • Update group memberships.
  • Run Migration: Execute the migration and review the logs for any errors.

6.2. Migrate Users

  • Select User Account Migration Wizard: In ADMT, choose the user migration wizard.
  • Choose Users: Select users from the source domain.
  • Set Target OU: Specify the Organizational Unit in the target domain.
  • Configure Options:
    • Migrate passwords using PES.
    • Enable SID history migration.
    • Translate roaming profiles and user rights.
  • Run Migration: Start the process and monitor for issues.

6.3. Migrate Computers

  • Select Computer Migration Wizard: Use ADMT to initiate computer migration.
  • Choose Computers: Select the computers to migrate.
  • Install Agent: ADMT will install an agent on each computer to facilitate the migration.
  • Configure Options:
    • Translate local profiles.
    • Update user rights.
  • Run Migration: Execute and ensure computers reboot into the new domain.

6.4. Security Translation

To maintain access to resources, perform security translation.

  • Select Security Translation Wizard: In ADMT, choose this option.
  • Choose Objects: Select users and computers requiring translation.
  • Configure Options:
    • Translate file and folder permissions.
    • Update local group memberships.
    • Translate user profiles.
  • Run Translation: Execute and verify access to resources.

7. Post-Migration Tasks

7.1. Validate Migration

  • Check Object Integrity: Ensure all users, groups, and computers exist in the target domain.
  • Verify Access: Confirm users can access necessary resources.
  • Review Logs: Analyze ADMT logs for any errors or warnings.
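The following PowerShell report is an added example, not part of the original guide or of ADMT: it implements the "Check Object Integrity" and "Verify Access" steps by confirming that every source user has a target account whose sIDHistory contains the source SID, which is what keeps existing ACLs resolving after the cut-over. The domain names, the OU path and the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example (not part of the original guide): post-migration validation for
# section 7.1. For every user in the source OU it confirms that a matching
# account exists in the target domain and that its sIDHistory carries the
# source SID. Domain names, OU path and the RSAT module are assumptions.
Import-Module ActiveDirectory

$SourceDomain = 'CompanyA.local'                # assumed source domain FQDN
$TargetDomain = 'CompanyB.local'                # assumed target domain FQDN
$SourceOU     = 'OU=Staff,DC=CompanyA,DC=local' # assumed OU that was migrated

$sourceUsers = @(Get-ADUser -Server $SourceDomain -SearchBase $SourceOU -Filter *)

$report = @(foreach ($src in $sourceUsers) {
    $sam = $src.SamAccountName
    # Match on sAMAccountName, the default ADMT behaviour when names are kept.
    $tgt = Get-ADUser -Server $TargetDomain -Filter { SamAccountName -eq $sam } `
                      -Properties SIDHistory
    $history = @()
    if ($tgt) { $history = @($tgt.SIDHistory | ForEach-Object { $_.Value }) }

    [pscustomobject]@{
        User          = $sam
        InTarget      = [bool]$tgt
        HasSourceSid  = $history -contains $src.SID.Value   # sIDHistory carries the old SID
        TargetEnabled = if ($tgt) { $tgt.Enabled } else { $null }
        SourceEnabled = $src.Enabled
    }
})

# Accounts missing in the target, or present without the source SID in
# sIDHistory, will lose access to resources still ACLed with the old SID.
$problems = $report | Where-Object { -not $_.InTarget -or -not $_.HasSourceSid }
if ($problems) {
    "Users needing attention:"
    $problems | Format-Table User, InTarget, HasSourceSid, TargetEnabled -AutoSize
} else {
    "All $($report.Count) users exist in $TargetDomain with the source SID in sIDHistory."
}

# Source accounts still enabled are the list to disable in step 7.2.
$stillEnabled = @($report | Where-Object { $_.InTarget -and $_.SourceEnabled })
"$($stillEnabled.Count) migrated users are still enabled in $SourceDomain."
```

Run it from a host that can reach a domain controller in each forest over the trust; the same loop can be repeated for groups with Get-ADGroup once the group wizard in 6.1 has finished.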

7.2. Decommission Source Domain

  • Disable Accounts: In Company A's domain, disable migrated user and computer accounts.
  • Monitor for Issues: Wait for a predefined period to ensure stability.
  • Remove Trust: Once confident, remove the trust relationship between forests.
  • Decommission Domain Controllers: Safely demote and decommission domain controllers in the source domain.

Conclusion

By following this detailed guide, organizations can effectively migrate Active Directory objects between forests using ADMT. Proper planning, thorough testing, and careful execution are critical to ensure a smooth transition with minimal impact on users and services.
