- To optimize the arrangement of elements within the logical Active Directory structure.
- To assist in completing a business merger, acquisition, or divestiture.
- Best Practices for Active Directory Migration
- Interforest Active Directory Domain Restructure
- Intraforest Active Directory Domain Restructure
- Appendix: Advanced Procedures
- Troubleshooting ADMT
- Additional Resources
Migration consideration | Interforest restructure | Intraforest restructure |
---|---|---|
Object preservation | Objects are cloned rather than migrated. The original object remains in the source location to maintain access to resources for users. | User and group objects are migrated and no longer exist in the source location. Computer and managed service account objects are copied, and the original accounts remain enabled in the source domain. |
Security identifier (SID) history maintenance | Maintaining SID history is optional. | SID history is required for user, group, and computer accounts, but not for managed service accounts. |
Password retention | Password retention is optional. | Passwords are always retained. |
Local profile migration | You must use tools such as ADMT to migrate local profiles. | Local profiles are migrated automatically because the user's globally unique identifier (GUID) is preserved. |
Closed sets | You do not have to migrate accounts in closed sets. For more information, see Background Information for Restructuring Active Directory Domains Within a Forest (http://go.microsoft.com/fwlink/?LinkId=122123). | You must migrate accounts in closed sets. |
```ini
[Migration]
;IntraForest=No
;SourceDomain="source_domain_name"
;SourceOu="source_ou_path"
;TargetDomain="target_domain_name"
;TargetOu="target_ou_path"
;PasswordOption=Complex
;PasswordServer=""
;PasswordFile=""
;ConflictOptions=Ignore
;UserPropertiesToExclude=""
;InetOrgPersonPropertiesToExclude=""
;GroupPropertiesToExclude=""
;ComputerPropertiesToExclude=""

[User]
;DisableOption=EnableTarget
;SourceExpiration=None
;MigrateSIDs=Yes
;TranslateRoamingProfile=No
;UpdateUserRights=No
;MigrateGroups=No
;UpdatePreviouslyMigratedObjects=No
;FixGroupMembership=Yes
;MigrateServiceAccounts=No
;UpdateGroupRights=No

[Group]
;MigrateSIDs=Yes
;UpdatePreviouslyMigratedObjects=No
;FixGroupMembership=Yes
;UpdateGroupRights=No
;MigrateMembers=No
;DisableOption=EnableTarget
;SourceExpiration=None
;TranslateRoamingProfile=No
;MigrateServiceAccounts=No

[Security]
;TranslationOption=Add
;TranslateFilesAndFolders=No
;TranslateLocalGroups=No
;TranslatePrinters=No
;TranslateRegistry=No
;TranslateShares=No
;TranslateUserProfiles=No
;TranslateUserRights=No
;SidMappingFile="SidMappingFile.txt"
```
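The option file above ships with every line commented out, so each `;key=value` line is a default rather than a setting. The script below is an added example, not part of the ADMT guide: it parses an option file, tells a commented default apart from an explicit override, and flags the settings that matter most for the security of an interforest migration (whether the source account stays enabled, whether SID history is written, and whether password copy actually has a Password Export Server). The file content is constructed. The tokens `Copy` (for PasswordOption) and `DisableSource` (for DisableOption) are assumed to mirror the `admtCopyPassword` and `admtDisableSource` scripting constants; confirm them against the ADMT option-file reference before relying on them.

```powershell
# Added example; not part of the ADMT guide. Parses an ADMT option file and reports
# security-relevant settings, distinguishing a commented-out default (";key=value")
# from an explicit override. The file content is constructed for the demo.
# Assumed: the tokens "Copy" (PasswordOption) and "DisableSource" (DisableOption)
# mirror the scripting constants admtCopyPassword / admtDisableSource.

$optionFileText = @'
[Migration]
IntraForest=No
SourceDomain="corp.contoso.com"
TargetDomain="corp.fabrikam.com"
;PasswordOption=Complex
PasswordOption=Copy
PasswordServer=""
;ConflictOptions=Ignore
[User]
;DisableOption=EnableTarget
;SourceExpiration=None
MigrateSIDs=Yes
[Security]
;TranslationOption=Add
TranslateLocalGroups=Yes
'@

function Read-AdmtOptionFile {
    param([string]$Text)
    # Returns a hashtable: "Section\Key" -> @{ Value; Explicit }.
    $settings = @{}
    $section = ''
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        $explicit = -not $line.StartsWith(';')
        $body = $line.TrimStart(';').Trim()
        if ($body -match '^([^=]+)=(.*)$') {
            $key = "$section\$($Matches[1].Trim())"
            $value = $Matches[2].Trim().Trim('"')
            # An explicit line wins over the commented default for the same key,
            # whichever order the two appear in.
            if ($explicit -or -not $settings.ContainsKey($key)) {
                $settings[$key] = @{ Value = $value; Explicit = $explicit }
            }
        }
    }
    return $settings
}

function Get-AdmtSetting {
    param([hashtable]$Settings, [string]$Key)
    if ($Settings.ContainsKey($Key)) { return $Settings[$Key] }
    return $null
}

function Test-AdmtOptionFile {
    param([hashtable]$Settings)
    $findings = New-Object 'System.Collections.Generic.List[string]'
    $intraForest = (Get-AdmtSetting $Settings 'Migration\IntraForest').Value -eq 'Yes'
    $sids    = (Get-AdmtSetting $Settings 'User\MigrateSIDs').Value -eq 'Yes'
    $disable = Get-AdmtSetting $Settings 'User\DisableOption'
    $expiry  = Get-AdmtSetting $Settings 'User\SourceExpiration'
    $pwOpt   = (Get-AdmtSetting $Settings 'Migration\PasswordOption').Value
    $pes     = (Get-AdmtSetting $Settings 'Migration\PasswordServer').Value

    # Interforest: the source object is cloned, not moved, so EnableTarget with no
    # expiry leaves the user with two live accounts in two forests.
    if (-not $intraForest -and $disable.Value -eq 'EnableTarget' -and $expiry.Value -eq 'None') {
        $origin = if ($disable.Explicit) { 'explicit' } else { 'commented default' }
        $findings.Add("DisableOption=EnableTarget ($origin) with SourceExpiration=None: source and target accounts both stay enabled; disable the source (DisableSource) or set an expiry.")
    }
    # Interforest SID history is optional; if chosen, plan its removal and check that
    # SID filtering on the trust does not silently defeat it.
    if (-not $intraForest -and $sids) {
        $findings.Add('MigrateSIDs=Yes: sIDHistory will be written to target accounts; plan its cleanup after cutover and review SID filtering on the trust.')
    }
    # Password copy is only meaningful when a Password Export Server is named.
    if ($pwOpt -eq 'Copy' -and [string]::IsNullOrEmpty($pes)) {
        $findings.Add('PasswordOption=Copy but PasswordServer is empty: no Password Export Server, so passwords cannot be copied.')
    }
    return $findings
}

$settings = Read-AdmtOptionFile -Text $optionFileText
Test-AdmtOptionFile -Settings $settings | ForEach-Object { Write-Output "WARNING: $_" }
```

Run against the constructed file it reports two warnings: the commented-default `DisableOption=EnableTarget` combined with `SourceExpiration=None`, and the explicit `MigrateSIDs=Yes`. The password check stays quiet only because `PasswordServer` is empty while `PasswordOption=Copy`, which is the third warning; swap in a server name to clear it.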
ADMT COMPUTER /N "" "" /O:".txt"
ADMT COMPUTER /F "" /IF:YES /SD:"" /TD:"" /TO:""
- The Security Accounts Manager (SAM) account name. To specify a computer name in this format, you must append a dollar sign ($) to the computer name. For example, to specify a computer with the name Workstation01, use Workstation01$.
- The relative distinguished name (also known as RDN), for example, cn=Workstation01. If you specify the account as a relative distinguished name, you must specify the source organizational unit (OU).
- The canonical name. You can specify the canonical name as DNS domain name/ou_path/object_name or ou_path/object_name, for example, Asia.trccorp.treyresearch.net/Computers/Workstation01 or Computers/Workstation01.
Note: The target UPN is generated only for user objects, and only a UPN prefix is generated. A UPN suffix is appended using an algorithm that depends on whether a UPN suffix is defined for the target OU or the target forest. If the object is a computer, the target SAM account name includes a "$" suffix.
Note: A comma within the CN value must be preceded with an escape character ("\") or the operation will fail, and ADMT will record an invalid syntax error in the log file.
- Use SourceName, TargetRDN, TargetSAM, and TargetUPN as column headings at the top of the include file. SourceName is the name of the source account, and it must be listed as the first column heading. The TargetRDN, TargetSAM, and TargetUPN column headings are optional, and you can list them in any order.
- You must specify the account name as user name, relative distinguished name, or canonical name. If you specify the account name as a relative distinguished name, you must also specify the source OU.
Important: You must specify CN= before using an RDN value.
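The naming rules above (a trailing `$` on computer SAM names, the mandatory `CN=` prefix on a TargetRDN, and the backslash escape for a comma inside the CN) are easy to get wrong by hand. The following is an added example, not part of the ADMT guide, that generates a computer include file from a constructed list and then invokes the `ADMT COMPUTER /F` form shown earlier. It assumes the include file is comma-separated with the column headings on the first line and that an empty column lets ADMT generate the name; the target domain and OU in the final command are constructed, and the source domain reuses the `Asia.trccorp.treyresearch.net` example from this page.

```powershell
# Added example; not part of the ADMT guide. Builds an include file for ADMT COMPUTER /F
# from a constructed computer list, applying the rules on this page: SAM names carry a
# trailing "$", TargetRDN values start with "CN=", and a comma in the CN is escaped
# with a backslash. Assumed: comma-separated columns with the headings on line one,
# and an empty column meaning "let ADMT generate the name".

function ConvertTo-AdmtRdn {
    param([Parameter(Mandatory)][string]$Cn)
    # CN= is mandatory, and an unescaped comma makes ADMT log an invalid syntax error.
    return 'CN=' + ($Cn -replace ',', '\,')
}

function ConvertTo-AdmtComputerSam {
    param([Parameter(Mandatory)][string]$Name)
    # Workstation01 -> Workstation01$ ; names that already carry the suffix are left alone.
    return $Name.TrimEnd('$') + '$'
}

function New-AdmtComputerIncludeFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Entries: @{ Source = 'Workstation01' } or
        #          @{ Source = 'Workstation02'; TargetCn = 'Finance, WS02'; TargetSam = 'WS02' }
        [Parameter(Mandatory)][hashtable[]]$Computers
    )
    $lines = New-Object 'System.Collections.Generic.List[string]'
    $lines.Add('SourceName,TargetRDN,TargetSAM')   # SourceName must be the first column
    foreach ($c in $Computers) {
        $source = ConvertTo-AdmtComputerSam $c.Source
        $rdn = if ($c.TargetCn) { ConvertTo-AdmtRdn $c.TargetCn } else { '' }
        $sam = if ($c.TargetSam) { ConvertTo-AdmtComputerSam $c.TargetSam } else { '' }
        $lines.Add("$source,$rdn,$sam")
    }
    Set-Content -Path $Path -Value $lines
    return $lines
}

# Constructed input: one computer kept under its own name, one renamed to a CN
# containing a comma (the case the note above is about).
$computers = @(
    @{ Source = 'Workstation01' },
    @{ Source = 'Workstation02'; TargetCn = 'Finance, WS02'; TargetSam = 'WS02' }
)
$includeFile = Join-Path $env:TEMP 'admt-computers.txt'
New-AdmtComputerIncludeFile -Path $includeFile -Computers $computers | Write-Output

# Run the migration with the ADMT COMPUTER /F syntax from this page if ADMT is installed.
# Target domain and OU are constructed placeholders.
if (Get-Command admt -ErrorAction SilentlyContinue) {
    admt COMPUTER /F "$includeFile" /IF:NO /SD:'Asia.trccorp.treyresearch.net' /TD:'corp.treyresearch.net' /TO:'Computers'
}
```

The second data row comes out as `Workstation02$,CN=Finance\, WS02,WS02$`: the escaped comma sits only inside the RDN, while the SAM name stays comma-free because a comma is not a legal sAMAccountName character anyway.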
MSA_USER5$
MSA_USER6$
admt managedserviceaccount /ef:"exclude file name"
admt managedserviceaccount /en:"managed service account 1" "managed service account 2"
```vbscript
Option Explicit

'----------------------------------------------------------------------------
' ADMT Scripting Constants
'----------------------------------------------------------------------------

' PasswordOption constants
Const admtComplexPassword = &H0001
Const admtCopyPassword = &H0002
' Note that the following constant cannot be specified alone.
' It must be specified along with admtComplexPassword or admtCopyPassword.
Const admtDoNotUpdatePasswordsForExisting = &H0010

' ConflictOptions constants
Const admtIgnoreConflicting = &H0000
Const admtMergeConflicting = &H0001
Const admtRemoveExistingUserRights = &H0010
Const admtRemoveExistingMembers = &H0020
Const admtMoveMergedAccounts = &H0040

' DisableOption constants
Const admtLeaveSource = &H0000
Const admtDisableSource = &H0001
Const admtTargetSameAsSource = &H0000
Const admtDisableTarget = &H0010
Const admtEnableTarget = &H0020

' SourceExpiration constant
Const admtNoExpiration = -1

' Translation Option
Const admtTranslateReplace = 0
Const admtTranslateAdd = 1
Const admtTranslateRemove = 2

' Report Type
Const admtReportMigratedAccounts = 0
Const admtReportMigratedComputers = 1
Const admtReportExpiredComputers = 2
Const admtReportAccountReferences = 3
Const admtReportNameConflicts = 4

' Option constants
Const admtNone = 0
Const admtData = 1
Const admtFile = 2
Const admtDomain = 3
Const admtRecurse = &H0100
Const admtFlattenHierarchy = &H0000
Const admtMaintainHierarchy = &H0200
```
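The values above are bit flags, and the layout matters: the DisableOption constants keep the source-account action in the low nibble and the target-account action in the next nibble, so one value of each is OR-ed together, and `admtDoNotUpdatePasswordsForExisting` is a modifier that is only valid on top of `admtComplexPassword` or `admtCopyPassword`. The script below is an added example, not an ADMT sample script, written in PowerShell rather than the VBScript the constants file uses: it composes and validates those flags and, where ADMT is installed, applies them through the `ADMT.Migration` COM object. The COM property and method names are assumed from the ADMT scripting interface (they match the option-file keys in the `[Migration]` and `[User]` sections); domain, server and user names are constructed.

```powershell
# Added example; not an ADMT sample script. Composes the ADMT flag constants the way
# ADMT expects (source action in the low nibble, target action in the next; password
# modifier only on top of Complex/Copy) and applies them via the ADMT.Migration COM
# object. Property/method names are assumed from the ADMT scripting interface;
# domains, the PES name and user names are constructed.

$admtComplexPassword                 = 0x0001
$admtCopyPassword                    = 0x0002
$admtDoNotUpdatePasswordsForExisting = 0x0010
$admtMergeConflicting                = 0x0001
$admtRemoveExistingUserRights        = 0x0010
$admtDisableSource                   = 0x0001
$admtEnableTarget                    = 0x0020
$admtNoExpiration                    = -1
$admtData                            = 1

function Test-AdmtPasswordOption {
    param([int]$Option)
    # Exactly one base option (Complex or Copy) must be present; the modifier alone is invalid.
    $base = $Option -band 0x000F
    return ($base -eq $admtComplexPassword) -or ($base -eq $admtCopyPassword)
}

function Get-AdmtDisableOptionName {
    param([int]$Option)
    $source = switch ($Option -band 0x000F) { 0 { 'LeaveSource' } 1 { 'DisableSource' } default { 'Unknown(0x{0:X})' -f $_ } }
    $target = switch ($Option -band 0x00F0) { 0 { 'TargetSameAsSource' } 0x10 { 'DisableTarget' } 0x20 { 'EnableTarget' } default { 'Unknown(0x{0:X})' -f $_ } }
    return "$source+$target"
}

# Interforest user clone: copy passwords through the PES but leave passwords of
# already-migrated accounts alone, merge conflicting accounts and drop the rights the
# existing target account already holds, disable the source, enable the target.
$passwordOption = $admtCopyPassword -bor $admtDoNotUpdatePasswordsForExisting   # 0x12
$conflictOption = $admtMergeConflicting -bor $admtRemoveExistingUserRights      # 0x11
$disableOption  = $admtDisableSource -bor $admtEnableTarget                      # 0x21

if (-not (Test-AdmtPasswordOption $passwordOption)) { throw ('PasswordOption 0x{0:X} has no base option' -f $passwordOption) }
if (Test-AdmtPasswordOption $admtDoNotUpdatePasswordsForExisting) { throw 'modifier alone must be rejected' }
Write-Output ('DisableOption 0x{0:X2} = {1}' -f $disableOption, (Get-AdmtDisableOptionName $disableOption))

$admt = $null
try { $admt = New-Object -ComObject 'ADMT.Migration' } catch { }
if ($null -eq $admt) {
    Write-Output 'ADMT.Migration is not registered on this host; options validated only.'
} else {
    $admt.SourceDomain    = 'corp.contoso.com'      # constructed
    $admt.SourceOu        = 'Users'
    $admt.TargetDomain    = 'corp.fabrikam.com'     # constructed
    $admt.TargetOu        = 'Migrated'
    $admt.PasswordOption  = $passwordOption
    $admt.PasswordServer  = 'PES01'                 # constructed Password Export Server name
    $admt.ConflictOptions = $conflictOption
    $user = $admt.CreateUserMigration()
    $user.DisableOption      = $disableOption
    $user.SourceExpiration   = $admtNoExpiration
    $user.MigrateSIDs        = $true                # writes sIDHistory; plan its cleanup
    $user.FixGroupMembership = $true
    $user.Migrate($admtData, [object[]]@('jdoe', 'asmith'))   # constructed user names
}
```

`Test-AdmtPasswordOption` rejects `0x10` (the modifier alone) and accepts `0x12`, and `Get-AdmtDisableOptionName 0x21` returns `DisableSource+EnableTarget`, which is the combination that avoids the two-live-accounts problem of the `EnableTarget` default in the option file.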