Tuesday, May 11, 2010

ADMT: Configuring source and target domains for ADMT

This document deals with the prerequisites for configuring ADMT to migrate between two domains.

For this example, DOMAINA is the source domain. DOMAINB is the target domain.

When performing these steps in a production environment you should ensure that your networks are routable and firewall requirements have been met.

DOMAINB: Install ADMT
1. Install ADMT on a Windows Server 2008 server in the target domain
2. Configure the ADMT database to a central SQL Server in order for it to be backed up
3. Ensure the ADMT database is backed up
4. Ensure the ADMT server is backed up if possible

DOMAINA: Create ADMT Migrator account
1. Create ADMT Migrator account
2. Add ADMT Migrator account to DOMAINA\Domain Admins group
3. Ensure ADMT Migrator account is enabled

DOMAINB: Configure ADMT Migrator account
1. Add ADMT Migrator account to DOMAINB\Administrators group
2. Add ADMT Migrator account to ADMT Server local Administrators group
3. Add ADMT Migrator account to ADMT_Migrator, Account Migrator, Resource Migrator and Data Reader on the ADMT SQL database
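The account work in the two sections above, scripted in PowerShell as an added example (this is not the original post's content). It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later), WinRM access to the ADMT server, and a session that is an administrator in both domains; the account name `ADMT_Migrator` and the server name `ADMTSERVER` are placeholders. The SQL database roles from step 3 are not covered here.

```powershell
# Added example (not from the original post): create the ADMT Migrator account in DOMAINA
# and grant the group memberships the post lists in DOMAINA, DOMAINB and on the ADMT server.
Import-Module ActiveDirectory

$migrator     = 'ADMT_Migrator'   # placeholder account name
$admtServer   = 'ADMTSERVER'      # placeholder ADMT server name
$sourceDc     = (Get-ADDomain -Identity 'DOMAINA').PDCEmulator
$targetDc     = (Get-ADDomain -Identity 'DOMAINB').PDCEmulator

# Prompt for the password instead of embedding it in the script.
$password = Read-Host -AsSecureString "Password for DOMAINA\$migrator"

# DOMAINA: create the account enabled and add it to Domain Admins (as the post requires).
New-ADUser -Server $sourceDc -Name $migrator -SamAccountName $migrator `
    -AccountPassword $password -Enabled $true
Add-ADGroupMember -Server $sourceDc -Identity 'Domain Admins' -Members $migrator

# DOMAINB: Administrators is a domain-local group, so pass the DOMAINA user object and
# let the cmdlet create the foreign security principal across the trust.
$sourceUser = Get-ADUser -Server $sourceDc -Identity $migrator
Add-ADGroupMember -Server $targetDc -Identity 'Administrators' -Members $sourceUser

# ADMT server: local Administrators group.
Invoke-Command -ComputerName $admtServer -ScriptBlock {
    param($account) net localgroup Administrators $account /add
} -ArgumentList "DOMAINA\$migrator"

# Verify the account is enabled and list its DOMAINA memberships for the change record.
Get-ADUser -Server $sourceDc -Identity $migrator -Properties Enabled, MemberOf |
    Select-Object SamAccountName, Enabled, MemberOf
```

Review the output before moving on: the account must show `Enabled : True` and `Domain Admins` in `MemberOf`, otherwise ADMT will fail later with access-denied errors that are harder to trace.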

DOMAINA: Source domain prerequisites
1. Do not create the DOMAINA$$$ group as ADMT sometimes does not like this group to be pre-created. ADMT will create this group automatically
2. Modify the registry on DOMAINA PDC Emulator
a. Browse to HKLM\SYSTEM\CurrentControlSet\Control\LSA
b. Add new DWORD value: TcpipClientSupport and set it to value: 1
3. Configure Audit Account Management
a. Open the Default Domain Controllers group policy
b. Browse to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Select Audit Account Management and enable for both Success and Failure
Click OK and close the Group Policy
Run gpupdate /force on all domain controllers in DOMAINA
Run rsop.msc on each domain controller in DOMAINA and confirm that the setting has applied successfully
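Steps 2 and 3 for DOMAINA, applied and verified from PowerShell as an added example (not the original post's content). It assumes the ActiveDirectory module and WinRM access with administrator rights to the DOMAINA domain controllers; the `auditpol` category check is used as a scriptable stand-in for the `rsop.msc` confirmation.

```powershell
# Added example (not from the original post): set TcpipClientSupport on the DOMAINA
# PDC Emulator and confirm the Account Management audit policy on every DOMAINA DC.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain -Identity 'DOMAINA').PDCEmulator

# Step 2: TcpipClientSupport = 1 (REG_DWORD) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
Invoke-Command -ComputerName $pdc -ScriptBlock {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($null -eq (Get-ItemProperty -Path $lsa -Name TcpipClientSupport -ErrorAction SilentlyContinue)) {
        New-ItemProperty -Path $lsa -Name TcpipClientSupport -PropertyType DWord -Value 1 | Out-Null
    } else {
        Set-ItemProperty -Path $lsa -Name TcpipClientSupport -Value 1
    }
    $value = (Get-ItemProperty -Path $lsa -Name TcpipClientSupport).TcpipClientSupport
    "TcpipClientSupport on $env:COMPUTERNAME = $value"
}

# Step 3: refresh policy on every DC in DOMAINA, then read the effective audit setting.
# 'Audit Account Management' in the legacy policy maps to the Account Management category,
# which must report Success and Failure on each DC.
Get-ADDomainController -Filter * -Server $pdc | ForEach-Object {
    Invoke-Command -ComputerName $_.HostName -ScriptBlock {
        gpupdate /force | Out-Null
        "--- $env:COMPUTERNAME ---"
        auditpol /get /category:"Account Management" /r | ConvertFrom-Csv |
            Select-Object Subcategory, 'Inclusion Setting'
    }
}
```

Any DC whose `Inclusion Setting` column does not read `Success and Failure` for the Account Management subcategories has not applied the Default Domain Controllers policy; fix that before running ADMT, because the SID History migration is refused when auditing is off in either domain.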

DOMAINB: Destination domain prerequisites
1. Configure Audit Account Management
a. Open the Default Domain Controllers group policy
b. Browse to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Select Audit Account Management and enable for both Success and Failure
Click OK and close the Group Policy
Run gpupdate /force on all domain controllers in DOMAINB
Run rsop.msc on each domain controller in DOMAINB and confirm that the setting has applied successfully

DOMAINB: Configure PES (Password Encryption Service)
1. Create a user account to act as the PES service account called DOMAINA\SVC_PES
2. Generate PES encryption key on ADMT migration server
3. Log into the ADMT server
4. Run admt key /option:create /sourcedomain:DOMAINA /keyfile:c:\Folder /keypassword:[Password]
5. [Password] – Decide on a password to enter here and write it down – this password will need to be entered when importing the encryption key.
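Step 4 as it would be run from PowerShell on the ADMT server, added here as an example rather than taken from the post. It assumes the `*` prompt form of `/keypassword` supported by `admt key` (so the password never appears in the command line or history) and uses the placeholder folder `C:\ADMT\Keys`; it then strips inherited permissions from the key file before it is copied to the DOMAINA PDC Emulator.

```powershell
# Added example (not from the original post): create the PES encryption key and
# restrict read access to the key file on the ADMT server.
$keyDir  = 'C:\ADMT\Keys'                       # placeholder folder
$keyFile = Join-Path $keyDir 'DOMAINA.pes'      # placeholder file name
New-Item -ItemType Directory -Path $keyDir -Force | Out-Null

# /keypassword:* makes admt prompt for the password instead of taking it as an argument.
admt key /option:create /sourcedomain:DOMAINA /keyfile:$keyFile /keypassword:*
if (-not (Test-Path $keyFile)) { throw "Key file was not created: $keyFile" }

# Disable inheritance and grant access only to SYSTEM, local Administrators and the
# account running the migration (the ADMT Migrator account).
$acl = Get-Acl $keyFile
$acl.SetAccessRuleProtection($true, $false)
foreach ($principal in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$env:USERDOMAIN\$env:USERNAME")) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $keyFile -AclObject $acl

# Show the resulting ACL for the change record.
(Get-Acl $keyFile).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The key file plus its password is what lets PES hand password hashes across the trust, so treat both like a credential: record the password in the team's password store rather than on paper, and delete the copies of the key file once PES is installed on the PDC Emulator.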

DOMAINA: Configure PES (Password Encryption Service)
1. Copy the encryption file to the PDC Emulator in the DOMAINA domain
2. Deploy PES on the PDC in DOMAINA domain:
Download pwdmig.msi to the PDC Emulator in DOMAINA domain
Execute pwdmig.msi
Click Next, accept the license agreement, click next
Browse for the encryption file and click next
Specify the password that was set on the file earlier
Specify the account to run the PES service under – this will be DOMAINA\SVC_PES
a. Use the password provided
Restart the PDC emulator to activate the PES and registry changes
Create 3 test users in NDS and have them replicate to DOMAINA
Create 3 test groups in DOMAINA and add the replicated test accounts to the 3 groups, which will be for testing the ADMT migration process

DOMAINB: Perform test migration using ADMT
Perform migration of a test group from DOMAINA to DOMAINB using ADMT and ensure successful migration of SID History
Make sure to log into migration server as the migration user DOMAINA\ADMT_migrator
Perform migration of the selected group using ADMT
Check the logs to see that SID history was successfully migrated
Check the migrated user account in ADSIEdit.msc to ensure SIDHistory is attached
Test for successful end to end migration by migrating a test account from DOMAINA to DOMAINB and merging the corresponding eDirectory accounts using an NDS Migrator console, and testing for group membership, password migration, SID History migration and access to resources as applicable
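The SIDHistory check from the test migration, done in PowerShell as an added example (not from the original post) instead of opening ADSIEdit.msc per account. It assumes the ActiveDirectory module and read access to both domains; the three test account names are placeholders and would match whichever accounts were replicated from NDS.

```powershell
# Added example (not from the original post): confirm that each migrated test account in
# DOMAINB carries the DOMAINA account's SID in sIDHistory, and count its group memberships.
Import-Module ActiveDirectory

$sourceDc     = (Get-ADDomain -Identity 'DOMAINA').PDCEmulator
$targetDc     = (Get-ADDomain -Identity 'DOMAINB').PDCEmulator
$testAccounts = @('admtTest1', 'admtTest2', 'admtTest3')   # placeholder names

function Test-SidHistory {
    param([string]$SamAccountName)
    $src = Get-ADUser -Server $sourceDc -Identity $SamAccountName
    $dst = Get-ADUser -Server $targetDc -Identity $SamAccountName -Properties sIDHistory, MemberOf
    $historySids = @($dst.sIDHistory | ForEach-Object { $_.Value })
    [pscustomobject]@{
        Account      = $SamAccountName
        SourceSid    = $src.SID.Value
        TargetSid    = $dst.SID.Value
        SidHistory   = ($historySids -join ';')
        HistoryOk    = ($historySids -contains $src.SID.Value)
        TargetGroups = @($dst.MemberOf).Count
    }
}

$results = $testAccounts | ForEach-Object { Test-SidHistory $_ }
$results | Format-Table -AutoSize

# Stop here if any account lacks its source SID so the test migration is not signed off
# before the resource-access test is repeated.
$missing = $results | Where-Object { -not $_.HistoryOk }
if ($missing) { throw "sIDHistory missing for: $($missing.Account -join ', ')" }
```

`HistoryOk` must be `True` for every row; `TargetGroups` should match the number of test groups the account was placed in before migration, which is the quickest sign that group migration worked as well as SID History.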
