Virtual Geek

Tales from real IT system administrators world and non-production environment

PART 2 : MIGRATE ACTIVE DIRECTORY USERS TO ANOTHER DOMAIN USING ADMT

August 26, 2016 09:43AM

As shown in the diagram below, I have a few users in the parent domain (vcloud-lab.com), and I will be migrating them to the child domain (child.vcloud-lab.com) using the ADMT tool installed earlier in PART 1.

Active Directory migration tools ADMT Diagram

Here are some gotchas I found while using the ADMT tool (Active Directory Migration Tool) between a parent and a child domain.
1) When migrating users, note down which groups they are in. If a group is a domain local group, the membership will be removed after migration.
2) If you would like to retain a user's group memberships, convert the associated groups to universal groups, since a universal group can hold users from other domains in the forest.
3) During the migration, the domain controller holding the Infrastructure role does all the work. Make sure all the domain controllers in the forest can reach each other and are fully in sync.
4) Once the AD objects are migrated, the users are moved from the parent domain to the child domain.
5) Make sure you have Enterprise Admins permissions while performing this operation.
6) The password is retained, but change password at next logon will be set.
7) There must be a trust between the domains in the forest.
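
The checks behind gotchas 1 to 3 can be scripted before opening the wizard. This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module, and the OU name `ToMigrate` and the CSV file name are hypothetical.

```powershell
# Added example: pre-migration audit for an intraforest ADMT user move.
Import-Module ActiveDirectory

$SourceDomain = 'vcloud-lab.com'                      # parent domain from this article
$TargetDomain = 'child.vcloud-lab.com'                # child domain from this article
$SourceOU     = 'OU=ToMigrate,DC=vcloud-lab,DC=com'   # hypothetical OU holding the users

# Gotcha 3: find the Infrastructure role holder in each domain and test LDAP reachability.
$roleHolders = foreach ($name in $SourceDomain, $TargetDomain) {
    $domain = Get-ADDomain -Server $name
    [pscustomobject]@{
        Domain               = $domain.DNSRoot
        InfrastructureMaster = $domain.InfrastructureMaster
        LdapReachable        = Test-NetConnection -ComputerName $domain.InfrastructureMaster `
                                   -Port 389 -InformationLevel Quiet
    }
}
$roleHolders | Format-Table -AutoSize

# Gotcha 3: any output here means the forest is not fully in sync yet.
Get-ADReplicationFailure -Target $SourceDomain -Scope Forest |
    Format-Table Server, Partner, FailureCount, LastError -AutoSize

# Gotchas 1 and 2: record every group membership with its scope.
# Per this article, only universal group memberships survive the move.
$users = Get-ADUser -SearchBase $SourceOU -Filter * -Server $SourceDomain -Properties PrimaryGroup
$memberships = foreach ($user in $users) {
    Get-ADPrincipalGroupMembership -Identity $user -Server $SourceDomain |
        Where-Object { $_.DistinguishedName -ne $user.PrimaryGroup } |   # skip Domain Users
        ForEach-Object {
            [pscustomobject]@{
                User   = $user.SamAccountName
                Group  = $_.Name
                Scope  = $_.GroupScope
                AtRisk = $_.GroupScope -ne 'Universal'
            }
        }
}
$memberships | Sort-Object AtRisk -Descending | Format-Table -AutoSize

# Keep a snapshot so lost memberships can be identified and restored after the move.
$memberships | Export-Csv -Path .\pre-migration-groups.csv -NoTypeInformation
```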

PART 1 : INSTALLING ADMT TOOL (ACTIVE DIRECTORY MIGRATION TOOL)
PART 2 : MIGRATE ACTIVE DIRECTORY USERS TO ANOTHER DOMAIN USING ADMT

Just to show how my Active Directory forest looks: I have the parent domain vcloud-lab.com, and it has one child domain, child.vcloud-lab.com. The left side of the screenshot shows the users I want to migrate from vcloud-lab.com; I have moved them into a separate OU (organizational unit). I have created a universal group, and the users to be migrated are members of this group (just to show that group memberships are not removed even after migration). On the right-hand side, the OU in the child domain is empty, and I will migrate the users there.
Active directory users and computers dsa.msc migrate users and group to another domain

Launch the Active Directory Migration Tool, right-click the node and click User Account Migration Wizard. The context menu has other entries for migrating groups, computers, service accounts and so on.

Active Directory Migration tool User Account Migration Wizard

Once the User Account Migration Wizard launches, it explains that the wizard helps you migrate user accounts between AD domains in different forests (interforest migration) or in the same forest (intraforest migration). I am doing an intraforest migration. The next screen, on the right-hand side, is where you define the source and target domains. The source is my parent domain, vcloud-lab.com, and the target is child.vcloud-lab.com. You can select the domain controller from the list. What I found is that you must select the DC holding the Infrastructure role. As every DC in my environment is connected to every other, I am keeping the default, and it will automatically select the required domain controllers.

User Account migration wizard ADMT, Interforest or intraforest, Domain Selection Source and Target

The next screen is the User Selection Option for the parent domain. I will take the default, Select users from domain (it is also possible to read the user list from a file). On the next screen, shown on the right, choose and add the users to the list, then click Next.

ADMT User Account Migration Wizard Select Users from domain, User selection add from dc or file, select user dsa.msc

Once the users are selected, click Browse and choose the OU on the target child domain controller to move the users to.

ADMT Organizational Unit Selection enter the target OU to keep users

When migrating users, this tool can translate roaming profiles, update user rights and migrate associated user groups. I am keeping the default checkbox, Update user rights; this way ADMT will try to maintain the user's group memberships. To retain those memberships where possible, make sure you change the associated groups to universal (global group memberships will still be lost), and please read Microsoft's documentation on the impact before making such changes. The next option, Migrate associated user groups, is self-explanatory: the users' groups are also moved to the target domain. Check this box very carefully, as users can lose global group memberships, which can cause loss of access.

Admt translate roaming profiles, Update user rights, migrate associated user groups, fix users group memberships

The next screen is about conflict management. Migration conflicts occur when an object in the target domain conflicts with an object being migrated from the source domain. The default option is not to migrate if there is a conflict. On the right side is the wizard's finish screen with the summary. Note the log file location, which defaults to c:\windows\ADMT\logs\migration.log; it is helpful later if there are any errors.

admt do not migrate source object if conflict is detected in the target domain and task description and migration.log

Once I finish the wizard, it shows the migration progress screen with the status. The status of my users shows them as copied and successful. If there are any errors, they can be troubleshot using View logs.

Active directory migration tool migration process examined copied errors, view logs

Now I verify the migrated objects in my Active Directory Users and Computers console (compare with the screenshot pasted at the top; press F5 or right-click the domain and choose Refresh). Universal group memberships are retained for the users. One thing to note: passwords are retained, but the change password at next logon property is now checked. One of the errors I faced was that a user account had Exchange ActiveSync configured, and I had to delete those mobile devices from the Exchange server and with the ADSIEDIT tool before migration.

Admt Active directory migration tools users and computers universal group migration completed from source to target
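
The same verification can be done from PowerShell instead of the console. This is an added example, not part of the original post; the OU name `Migrated`, the group name `MigrationTestGroup` and the account names are hypothetical or constructed, and the ActiveDirectory module is assumed.

```powershell
# Added example: post-migration verification of the three outcomes described above.
Import-Module ActiveDirectory

$SourceDomain   = 'vcloud-lab.com'                              # parent domain from this article
$TargetDomain   = 'child.vcloud-lab.com'                        # child domain from this article
$TargetOU       = 'OU=Migrated,DC=child,DC=vcloud-lab,DC=com'   # hypothetical target OU
$UniversalGroup = 'MigrationTestGroup'                          # hypothetical universal group
$Expected       = 'testuser1', 'testuser2'                      # constructed sample account names

# The group stays in the parent domain; its member attribute lists the
# distinguished names of its members, including users now in the child domain.
$groupMembers = (Get-ADGroup -Identity $UniversalGroup -Server $SourceDomain -Properties member).member

# pwdLastSet = 0 is how "change password at next logon" is stored on the account.
$migrated = Get-ADUser -SearchBase $TargetOU -Filter * -Server $TargetDomain -Properties pwdLastSet

$results = foreach ($sam in $Expected) {
    $user   = $migrated | Where-Object { $_.SamAccountName -eq $sam }
    $source = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Server $SourceDomain
    [pscustomobject]@{
        User               = $sam
        InTargetOU         = [bool]$user
        StillInSource      = [bool]$source          # should be False: the object is moved, not copied
        MustChangePassword = [bool]$user -and ($user.pwdLastSet -eq 0)
        InUniversalGroup   = [bool]$user -and ($groupMembers -contains $user.DistinguishedName)
    }
}
$results | Format-Table -AutoSize

# Anything listed here did not end up in the state the article describes.
$results | Where-Object { -not $_.InTargetOU -or $_.StillInSource -or -not $_.InUniversalGroup }
```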

Next article will be about Active Directory Migration reports.

We have completed a test migration just as the one in the description above. However, we are having issues with exchange email. For some reason, we are able to access mailboxes over OWA but not able to have the accounts configured on Outlook/Activesync cell phone clients. Any suggestion here? Is there something we need to perform on the Exchange side in order to have it fixed? Thanks.

Thanks for the comment. I had faced the same issue. There are some settings that need to be done in adsiedit.msc under the user's account: remove some Exchange key.
