IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
SUMMARY
You can use the Active Directory Migration Tool (ADMT) to migrate users, groups, and computers from one domain to another. This article describes how to set up ADMT to perform a migration from a Microsoft Windows NT 4.0-based domain to a Microsoft Windows 2000-based domain.
Notes
- You can also use the information in this article to set up ADMT to perform a migration from a Windows 2000-based domain to a Windows 2000-based domain in a separate forest.
- This article assumes that the source domain is running either Windows NT 4.0 Service Pack 6a or Windows 2000, and that the target domain is a Windows 2000-based domain in Native mode.
The Active Directory Migration Tool version 2 (ADMTv2) installs and runs correctly on any Windows 2000 Professional-based (or later) client or server computer. However, it is often best to install and run ADMTv2 on the console of a domain controller in the destination domain. The primary considerations when you decide which computer should host ADMTv2 are:
- Reliable RPC connectivity between the destination computer and the source domain or domains.
- No more than one instance of ADMT should be installed for the same migration project. The migration database (Protar.mdb) is not a replicated data store, so running ADMTv2 migration tasks from multiple nodes during the same project may result in invalid or inconsistent data when post-migration reports are generated.
- Certain migration tasks may require additional configuration to succeed.
To download ADMT version 2.0, visit the following Microsoft Web site:
Trusts
- Configure the source domain to trust the target domain.
- Configure the target domain to trust the source domain.
Groups
- Add the Domain Admins global group from the source domain to the Administrators local group in the target domain.
- Add the Domain Admins global group from the target domain to the Administrators local group in the source domain.
- Create a new local group in the source domain called Source Domain$$$ (this group should have no members).
Auditing
- Enable auditing for the success and failure of user and group management on the source domain.
- Enable auditing for the success and failure of Audit account management on the target domain in the Default Domain Controllers policy.
Registry
Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
On the primary domain controller (PDC) in the source domain, add the TcpipClientSupport:REG_DWORD:0x1 value under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA.
Notes
- You must restart the computer to apply this registry change.
- If you are performing a migration from a Windows 2000-based domain, add the registry entry to the domain controller in the source domain that hosts the PDC emulator operations master role.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
234790 How to find servers that hold Flexible Single Master Operations roles
Administrative Shares
Administrative shares must exist on the domain controller (DC) in the target domain on which you run ADMT, as well as on any computers on which an agent will be dispatched.
User Rights
You must log on to the computer on which you run ADMT with an account that has the following rights:
- Domain Administrator rights in the target domain
- Membership in the Administrators group in the source domain
- Administrator rights on each computer you migrate
- Administrator rights on each computer on which you translate security
Therefore, logging into the PDC that is the FSMO role holder in the target domain with the source domain\Administrator account suffices, assuming that the source domain\Domain Administrators group belongs to each computer's Administrators group.
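The following added example (not part of the original article or of ADMT) is a read-only PowerShell check of three of the settings above: the TcpipClientSupport value, the empty $$$ group, and the administrative shares. It assumes it runs under an account with the rights listed above on a later Windows version that has Windows PowerShell, that the source PDC accepts remote registry connections, that "Source Domain" in the group name stands for the source domain's NetBIOS name, and that ADMIN$ is the administrative share to test; the function name, parameter names, and sample host names are hypothetical.

```powershell
# Added example (not from the article): read-only check of the ADMT prerequisites.
# Test-AdmtPrereq and its parameter names are hypothetical.
function Test-AdmtPrereq {
    param(
        [Parameter(Mandatory = $true)][string]$SourcePdc,     # source PDC or PDC emulator
        [Parameter(Mandatory = $true)][string]$SourceDomain,  # assumed: NetBIOS domain name
        [string[]]$AgentComputers = @()                       # computers that receive an agent
    )
    $report = @()

    # Registry: TcpipClientSupport must be REG_DWORD 0x1 under ...\Control\LSA.
    $hklm = $null; $lsa = $null; $state = 'missing'
    try {
        $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $SourcePdc)
        $lsa  = $hklm.OpenSubKey('System\CurrentControlSet\Control\LSA')
        if ($lsa -and ($lsa.GetValueNames() -contains 'TcpipClientSupport')) {
            $kind  = $lsa.GetValueKind('TcpipClientSupport')
            $value = $lsa.GetValue('TcpipClientSupport')
            $isOk  = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and ($value -eq 1)
            $state = if ($isOk) { 'ok' } else { "unexpected: $kind $value" }
        }
    } catch { $state = "unreadable: $($_.Exception.Message)" }
    finally { if ($lsa) { $lsa.Close() }; if ($hklm) { $hklm.Close() } }
    $report += New-Object PSObject -Property @{ Check = 'TcpipClientSupport'; State = $state }

    # Group: the <SourceDomain>$$$ local group must exist and have no members.
    $path = 'WinNT://' + $SourceDomain + '/' + $SourceDomain + '$$$,group'
    try {
        if ([System.DirectoryServices.DirectoryEntry]::Exists($path)) {
            $count = @(([ADSI]$path).psbase.Invoke('Members')).Count
            $state = if ($count -eq 0) { 'ok' } else { "has $count member(s)" }
        } else { $state = 'missing' }
    } catch { $state = "unreadable: $($_.Exception.Message)" }
    $report += New-Object PSObject -Property @{ Check = $SourceDomain + '$$$ group'; State = $state }

    # Administrative shares: ADMIN$ must be reachable on every agent computer.
    foreach ($computer in $AgentComputers) {
        $state = if (Test-Path ('\\' + $computer + '\ADMIN$')) { 'ok' } else { 'missing or unreachable' }
        $report += New-Object PSObject -Property @{ Check = "ADMIN`$ on $computer"; State = $state }
    }
    $report
}

# Constructed sample names; replace with your own before running.
Test-AdmtPrereq -SourcePdc 'SRCPDC01' -SourceDomain 'SRCDOM' -AgentComputers 'WKS001' |
    Format-Table Check, State -AutoSize
```

The auditing settings are not covered by this check and still need to be confirmed on the source and target domains.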
REFERENCES
For more information about ADMT, visit the following Microsoft Web site:
For more information about how to use ADMT to migrate from a Windows 2000-based domain to a Microsoft Windows Server 2003-based domain, click the following article number to view the article in the Microsoft Knowledge Base:
326480 How to use Active Directory Migration Tool version 2 to migrate from Windows 2000 to Windows Server 2003