Search This Blog

Thursday, April 2, 2009

ADMT plain and simple

Setting up ADMT to migrate objects between two forests.

The latest version is ADMT V3.1, which can be used on Windows Server 2008. If you are using Windows Server 2003, you will need to use v3.0. ADMT v3.0 can only be installed on Windows Server 2003.

This article discribes how to set up ADMT plain and Simple.

Create and test a two way trust between the two or more forest(s).

Create a migration account in the source forest and target forest. To make it simple, make the two service accounts member of the domain admin group. This is not really nescesarry to make both accounts domain admin, but both accounts need to have the permission to create, move and modify objects. If you do not like the idea of making to many domain admins, you could work by providing the nescesarry rights through delligations.

After the migration accounts have been created, you should add the migration account to the administrators group of the opposite forest. Add the Old\Migration to the New\administrators and vica versa.

Install ADMT on a member-server or domain controller within the target forest. Create the 128 encryption file to enable password migration between the two (or more forests). The password file is created by running following command in the ADMT\PES folder. Click start->RUN and type CMD. Than type "CD %Systemroot%\Admt\Pes" (or path to where you installed ADMT).

Than type: ADMT KEY /OPTION:CREATE /SOURCEDOMAIN:%Olddomain% /KEYFILE:%Systemroot%\ADMT\PES\%Name of the keyfile% /PWD:* and press Enter.

You will be promted to type a password, and retype that password.

Note: the /keyfile option directs ADMT where to create the keyfile. This does not have to be the prediscribed path. This path however does contain MIGPWD.MSI which is needed later on.

Create a share, and place the content of ADMT\PES and the keyfile in that share. Make sure that you can access the share from a domain controller in the source domain.

Logon to the source domain controller and access the share you have created, which contains the ADMT key file and migpwd.msi. Open the migpwd.msi which will kick off the ADMT Password Migration DLL installation. This installation will install the Password Export Server Service, which is required to safly migrate your passwords between the two forests.

The installation wizzard will ask you, where it can find the key file. Ones the key file has been located, it will prompt you for the password by which you encrypted the keyfile. Afer filling and confirming that password, th einstallation kicks off. At the end of the installation it will ask you by which account you will start the Password Export Server Service. Here you fill in the account of the migration user in the tarhet forest. This account will also be granted the "logon as a service" permissions. Ones the installation has finished, a reboot of the system is required.

After the reboot of the system you will see that the Password Export server services has been created in the services console (Services.msc). The start-up mode of this service is set to manual, so it will be required to start the service prior to starting the migration procedure.

Still on the source domain controller. Goto run and type regedit, goto HKLM\System\CurrentControlSet\Control\LSH and create following keys:

TCPIPClientSupport Value "1"

AllowPasswordExport Value "1"

Now all is set and ready to start a test migration.

Starting the test migration.

Log-on to the source Domain Controller and start the Password Export Service (Net start PESSVC).

Log-on to the target ADMT migration machine and open the ADMT with the user credentials of the migration user in the Source domain (RUNAS). Rightclick the Active Directory Migration Tool and sellect which object you which to upgrade.

Happy migration!

No comments:

Post a Comment