How to configure the Active Directory Migration Tool to migrate user passwords from a Windows NT 4.0 domain to a Windows Server 2003 domain (832221)



The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft BackOffice Small Business Server 4.5
  • Microsoft Windows NT 4.0



Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SUMMARY

This article describes how to configure the Active Directory Migration Tool (ADMT) to migrate user passwords from a Microsoft Windows NT 4.0 domain to a Microsoft Windows Server 2003 domain.

Note This article assumes that you have already installed ADMT v2, that the source domain is a Windows NT 4.0 domain, and that the target domain is a Windows Server 2003 domain that is running in Microsoft Windows 2000-or-later native mode.

Configure the destination domain

ADMT must be installed on a domain controller to migrate SID history and password information. To configure the destination domain, follow these steps:
  1. Turn on success and failure auditing of account management in the Default Domain Controllers policy. To do so:
    1. Start Active Directory Users and Computers.
    2. Expand your domain, right-click Domain Controllers, and then click Properties.
    3. Click the Group Policy tab, click Default Domain Controllers Policy, and then click Edit.
    4. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.
    5. In the right pane, double-click Audit account management.
    6. Click to select the Define these policy settings check box if it is not already selected, and then click to select both of the following check boxes:

      Success
      Failure

    7. Click OK, quit the Group Policy Object Editor, and then click OK.
    8. Permit sufficient time for the Group Policy changes to propagate throughout the domain.
  2. Log on as an administrator to a domain controller where ADMT v2 is installed.
  3. At a command prompt, type the following command to create a password export key file (.pes):

    admt key sourcedomain path password

    where sourcedomain is the NetBIOS name of the Windows NT 4.0 source domain, where path is the path where you want to create the password export key, and where password is an optional password or the asterisk (*) character to help protect the .pes file.

    Note You must specify a local path for the .pes file. This path can point to a drive with removable media, such as to a floppy drive, to a ZIP drive, or to a CD-R or a CD-RW drive. Additionally, if you type a password, ADMT helps protect the file with the password. If you type an asterisk (*), ADMT prompts you to enter and confirm a password. The operating system does not echo the password as you type it.
  4. Move the .pes file that you created to the server that you designate as the Password Export Server in the source domain. This can be any domain controller in the Windows NT 4.0 domain that has a fast and reliable link to the Windows Server 2003-based computer where ADMT is installed.

Configure the source domain

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Configure the Windows NT 4.0 source domain for the password migration operation. To do so:
  1. Configure a new local group and name it sourcedomain$$$, where sourcedomain is the NetBIOS name of the Windows NT 4.0 source domain. This group must not contain any members.
  2. On the primary domain controller (PDC), turn on auditing for the success and the failure of user and group management in the domain. To do so:
    1. Start User Manager for Domains.
    2. On the Policies menu, click Audit.
    3. Click Audit These Events, and then click to select both of the following check boxes for the User and Group Management item:

      Success
      Failure

    4. Click OK.
  3. Configure the source domain to permit remote procedure call (RPC) access to the security accounts manager (SAM) database by setting the TcpipClientSupport registry value to 1. To do so, follow these steps:
    1. On the PDC, click Start, click Run, type regedit in the Open box, and then click OK.
    2. Locate and then click the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    3. On the Edit menu, point to New, and then click DWORD Value.
    4. Name the new value TcpipClientSupport.
    5. Right-click TcpipClientSupport, and then click Modify.
    6. In the Value data box, type 1, and then click OK.
    7. Quit Registry Editor.
    Note You must restart the computer to apply this registry change. However, you do not have to restart the computer until you install the ADMT Password Migration DLL component.
  4. Install the ADMT Password Migration DLL on the PDC. To do this, run Pwdmig.exe from the I386\ADMT\Pwdmig folder on the Windows Server 2003 CD-ROM or from the location where you downloaded ADMT.

    When you run the ADMT Password Migration DLL Installation Wizard, you are prompted for the path of the .pes file that you moved to the Windows NT 4.0 domain. You must specify a local path for this file. You are also prompted for the password that you used when you created this file.
  5. After the ADMT Password Migration DLL installation is completed successfully, click Yes when you are prompted to restart the server.
  6. When you are ready to migrate passwords from the Windows NT 4.0 domain, change the AllowPasswordExport registry value to 1. To do so, follow these steps:
    1. On the PDC, click Start, click Run, type regedit in the Open box, and then click OK.
    2. Locate and then click the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    3. In the right pane, right-click AllowPasswordExport, and then click Modify.
    4. In the Value data box, type 1, and then click OK.
    5. Quit Registry Editor.
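
The following check is an added example, not part of the original article or of ADMT. It reads a text export of the Lsa subkey and reports whether TcpipClientSupport and AllowPasswordExport hold the data that steps 3 and 6 set. It assumes the key was exported from Registry Editor on the PDC in REGEDIT4 format; the sample export and the function names are constructed for illustration.

```python
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
# Values the article sets, with the data each step asks for.
EXPECTED = {"TcpipClientSupport": 1, "AllowPasswordExport": 1}

# Constructed sample: the RPC step is done, password export is still off,
# and a same-named value sits in a made-up subkey that must be ignored.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"TcpipClientSupport"=dword:00000001
"AllowPasswordExport"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ExampleSubkey]
"AllowPasswordExport"=dword:00000001
'''

def parse_dwords(export_text, key):
    """Return {lowercased value name: int} for DWORDs directly under key."""
    values, in_key = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Key names are case-insensitive; subkeys must not match.
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if in_key and m:
            values[m.group(1).lower()] = int(m.group(2), 16)
    return values

def check_lsa(export_text):
    """Map each expected value to 'ok', 'missing', or 'is N, expected M'."""
    found = parse_dwords(export_text, LSA_KEY)
    report = {}
    for name, want in EXPECTED.items():
        got = found.get(name.lower())
        if got is None:
            report[name] = "missing"
        elif got == want:
            report[name] = "ok"
        else:
            report[name] = f"is {got}, expected {want}"
    return report

if __name__ == "__main__":
    for name, status in check_lsa(SAMPLE_EXPORT).items():
        print(f"{name}: {status}")
```
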

REFERENCES

Active Directory Migration Tool v2 is included in the I386\Admt folder on the Windows Server 2003 CD-ROM. For more information, visit the following Microsoft Web site:

Modification Type: Major
Last Reviewed: 2/24/2006
Keywords:kbHOWTOmaster kbinfo KB832221 kbAudITPRO