In many cases, if there is a problem you can use the rollback feature to automatically restore previous structures. The tool also provides support for parallel domains, so you can maintain your existing Microsoft Windows NT 4.0 operating system domains while you deploy the Microsoft Windows 2000 operating system.
ADMT provides an effective tool that simplifies the process of migrating users, computers, and groups to new domains. At the same time, ADMT is designed to be flexible so that each organization can use it to implement a migration process that is adapted to its needs. This powerful tool lets you accomplish the following:
ADMT features let you manage domain migration efficiently and fine-tune the results to suit your requirements.
No need to manually load software onto all those computers. When using ADMT to migrate users and groups, you install the ADMT tool, typically in the target domain into which security principals or resources are being migrated. Beyond that, ADMT requires no additional software installation on the computers in the source domain from which security principals or resources are being migrated. When migrating computers or translating security on resources, ADMT automatically installs services (called agents) on the source computers. This means you do not need to manually load software onto each source computer to perform the migration. Once the agent's task is completed, it uninstalls itself.
Wizards make it easy. ADMT lets you use a series of wizards, including the User Migration wizard, Computer Migration wizard, Group Migration wizard, Service Account Migration wizard, Trust Migration wizard, and Reporting wizard to simplify various parts of the migration process.
Select the appropriate options among the many provided by the various wizards when performing a migration. For example, you can choose to copy user rights assigned in the source domain to the target domain; you can copy groups along with their members to the target domain; you can leave user accounts active in both the source and target domains; you can copy roaming profiles to the target domain for selected user accounts; and so on.
Restructure groups. Optionally, before migrating groups you can run the Group Mapping and Merging Wizard to map a group in the source domain to a new or existing group in the target domain. This mapping ensures that, when the group's members are migrated from the source domain into the target domain, group memberships will reflect the mapping. You can also merge multiple groups into one group.
Trial run. By selecting the Test the migration settings and migrate later option, you can run a wizard without actually making any changes in your network. Review the log files and reports generated by the wizards to identify and troubleshoot any potential problems before performing the actual migration.
Undo. You can undo the most recently performed user, group, or computer migration.
Users maintain access to resources. During user and group migration, ADMT lets users retain their premigration access to resources such as files, shares, and applications through its sIDHistory feature or by updating those resources to refer to the migrated user. This capability keeps your security structure (the granting and denying of access to resources) intact but conveniently brings it into the new domain.
Users retain access to Exchange resources. If you need to update security permissions on Exchange mailboxes to reflect the migration, ADMT can also handle that.
Service accounts migrate too. ADMT also migrates service accounts. Many applications, such as Microsoft Exchange, use service accounts to run services with the same set of credentials on several network computers.
Putting objects into OUs. In addition to consolidating Windows NT resource domains into Active Directory OUs, ADMT also lets you migrate selected users, groups, or computers to OUs in the target domain. Then, you can use Windows 2000 features to manage these OUs; for example, you can establish group policy configuration settings for a group of computers collected in a given OU.
Handling trust relationships. A trust relationship connects two domains and lets users in the trusted domain access resources in the trusting domain. To maintain resource access during migration, the same trust relationships must be established in the target domain as exist in the source domain. The Trust Migration wizard does this for you: it compares the trust relationships in the source domain to the trust relationships in the target domain, and then creates in the target domain any trust relationships that exist in the source domain.
Making use of the new universal group scope. In intra-forest migration (that is, when performing a migration between Windows 2000 domains in the same forest), when global groups are migrated from a native-mode source domain, the groups are created as universal groups in the target domain so that they can contain members from the source domain that have not yet been migrated. Global groups can contain only members from their own domain; universal groups can have members from any Windows 2000 domain in the forest.
ADMT System Requirements
Target domain. For target domains, ADMT can run on any computer capable of running the Windows 2000 Server operating system.
Source domain. The source domain must be running either Windows 2000 or Windows NT 4.0.
The primary domain controller (PDC) of a Windows NT 4.0 source domain must have SP4 or higher installed. The ADMT agent (installed by ADMT on the source computers) can operate on computers running Windows NT 3.51 (with SP5); Windows NT 4.0 (with SP4 or higher); or Windows 2000.
To download: Windows 2000 Active Directory Migration Tool
- ClonePrincipal and ADMT Require Uplevel Trust to Migrate Objects Between Windows 2000 Domains
- Support WebCast: Domain Migration Using the Microsoft Active Directory Migration Tool (1 hr 11 minutes)
- You Cannot Update the SID History for Group with the Active Directory Migration Tool
- Windows 2000 Directory Interoperability & Migration Solution Matrix
- Best Practice Active Directory Deployment for Managing Windows Networks
- Domain Names with All Capital Letters Prevent ADMT User Migration
- Objects from Active Directory Are Ignored When Running the Active Directory Management Agent
- Cannot Delete Cloned User Accounts that Include Security Identifier History from Local Groups
- Domain Migration Cookbook - Chapter 4: Restructuring Tools
- Domain Migration Cookbook - Chapter 7: The Desired Structure and Migration Goals
- Domain Migration Cookbook - Chapter 9: Migration of a Windows NT 4.0 Account Domain to Active Directory
- Domain Migration Cookbook - Chapter 11: Intraforest Migration
- Chapter 6: Domain Migration and Consolidation
- How to Set Up ADMT for Windows NT 4.0 to Windows 2000 Migration
- XADM: Service Account Admin Password Must Be Reset After Migration to Windows 2000
- ADMT Does Not Migrate the Exchange System Attendant Service
- How to Deploy Active Directory
- Chapter 6 - Domain Migration and Consolidation
- Optimizing Active Directory Topology for Group Policy