Interforest Migration in Windows Server 2016 with Active Directory Migration Tool (ADMT) 3.2. Part 1

Posted by Karim Buzdar on June 7, 2017

Interforest migration involves relocating Active Directory (AD) objects between forests. You may need to migrate AD objects between forests when moving a test domain into your production environment, or after a merger of companies when two IT (information technology) infrastructures have to be consolidated.

Forest Trust Scheme

In this series of articles, I’ll demonstrate how to migrate objects (users, computers, and groups) between forests in Windows Server 2016 with the help of Active Directory Migration Tool (ADMT) 3.2.

In this first article, I’ll show you how to install Password Export Server Service (PES) v3.1, establish a trust between the forests, and delegate permissions to a source user account in the target domain.

Installing Password Export Server Service (PES) v3.1

When you migrate objects between forests (interforest migration), Active Directory Migration Tool (ADMT) uses the Password Export Server (PES) service to migrate passwords. You can download PES v3.1 (the latest version) from Microsoft Connect.

Here are a few important points to take care of before installing PES:

  1. Before you proceed with the PES installation, install ADMT (Active Directory Migration Tool) on the target domain
  2. Install PES on any writable domain controller in the source domain that supports 128-bit encryption
  3. Do not install PES on a read-only domain controller (RODC)

When you install the PES service on the source domain, it requires an encryption key. You create the encryption key with ADMT on the target domain and save it in a folder. Share that folder on the network, or put the key on a removable drive, and then copy it to the source domain controller where PES is being installed.

Creating an Encryption Key

Open PowerShell with elevated privileges. Execute the following command, replacing the parameters with your own values.

Where,

Source domain specifies the DNS or NetBIOS name of the source domain on which PES is being installed.

Keyfile specifies the name and path of the file in which you want to store the encryption key.

The password is an optional parameter that protects the key. You can specify the password directly in the command, or you can put an asterisk (*) instead; the asterisk makes the command prompt for the password during execution, as shown in the screenshot below.

Windows PowerShell Console
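The following is an added example (not from the original article) of creating the key from an elevated Windows PowerShell session on the target domain with the ADMT command-line tool, whose syntax is `admt key /option:create /sourcedomain:<domain> /keyfile:<path> /keypassword:{<password>|*}`. The domain name and file path are placeholders, and it assumes `admt.exe` is on the PATH of the ADMT server:

```powershell
# Added example: create the PES encryption key with ADMT on the target domain.
# Placeholders: replace the domain name and key file path with your own values.
$SourceDomain = 'source.example.local'     # placeholder: DNS or NetBIOS name of the source domain
$KeyFile      = 'C:\ADMTKeys\source.pes'   # placeholder: where the key file is written

# Keep the key in a folder that only administrators can read: anyone holding
# this file (plus its password) can decrypt the migrated password stream.
$KeyDir = Split-Path -Path $KeyFile -Parent
if (-not (Test-Path -Path $KeyDir)) {
    New-Item -ItemType Directory -Path $KeyDir | Out-Null
}

# '*' makes admt prompt for the key password so it does not land in the
# PowerShell history or in a scheduled-task log. Assumes admt.exe is on PATH.
& admt key /option:create "/sourcedomain:$SourceDomain" "/keyfile:$KeyFile" /keypassword:*

if ($LASTEXITCODE -ne 0) {
    throw "admt key failed with exit code $LASTEXITCODE"
}

# Confirm the key file was written before copying it to the source domain controller.
Get-Item -Path $KeyFile | Select-Object FullName, Length, LastWriteTime
```

After the key file has been copied to the source DC and the PES installer has consumed it, the copy on the removable drive or network share should be deleted; only the key file itself is required during the PES setup wizard.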

Installing PES on Source Domain

Step 1. Double-click en-US_pwdmig.msi and click Next

ADMT Password Migration DLL Setup

Step 2. Accept the terms of the license agreement and click Next

ADMT Password Migration DLL - End-User License Agreement

Step 3. Click Browse and select the encryption key file (the one you created earlier with ADMT) for this source domain. When you are done, click Next

ADMT Password Migration DLL - Encryption file - Browse

Step 4. Provide the password you set when creating the key and click OK

ADMT Password Migration DLL - Password and Confirmation window

Step 5. Click Install. This may take a few minutes, so please be patient

ADMT Password Migration DLL Setup - Ready to install

Step 6. Provide the account you want the PES service to run under. If you want to use a specific authenticated account, specify it in the format domain\username

ADMT Password Migration DLL - the password Export Server Service

Step 7. Click OK

ADMT Password Migration DLL - Log On

Step 8. Click Finish

ADMT Password Migration DLL Setup wizard

Step 9. Click Yes to restart the system so the changes can take effect

ADMT Password Migration DLL Setup - Restart System confirmation window

When the system has rebooted, start the Password Export Server Service. Press Windows key + R to open Run, type services.msc and press Enter. Locate Password Export Server Service, right-click it and then click Start.

Establishing Required Trusts between Forests

Before you migrate objects between Active Directory domains in different forests, you must create a trust relationship between them. The trust relationship enables ADMT to move profiles, users, workstations or member servers, groups, and service accounts from the source domain to the target domain.

You can create a one-way or two-way trust. However, to keep things simple we will create a two-way trust so we can migrate objects from both sides of the trust relationship. Since domains and trusts are not the subject of this post, you can read more about them on TechNet.

Step 1. Open the Active Directory Domains and Trusts snap-in. Right-click the domain for which you want to create the trust relationship and then click Properties

Active Directory Domains and Trusts - Properties

Step 2. Open Trusts tab and then click New Trust

Active Directory Domains and Trusts - Properties - Trusted Domain

Step 3. Click Next

New Trust Wizard - New Trust Wizard

Step 4. Provide the DNS or NetBIOS name of the domain in the other forest and click Next

New Trust Wizard - Trust Name

Step 5. Click ‘Forest trust’ and then click Next

New Trust Wizard - Trust Type

Step 6. Click ‘Two-way’ and then click Next

New Trust Wizard - two-way Direction of Trust

Step 7. Click ‘Both this domain and the specified domain’ to create both sides of forest trust and then click Next

New Trust Wizard - Sides of Trust

Step 8. Provide the credentials of an account with administrative privileges in the specified domain. Click Next

New Trust Wizard - User Name and Password

Step 9. Click Forest-wide authentication for the local forest and then click Next

New Trust Wizard - Outgoing Trust Authentication Level - Local Forest - Forest-wide authentication

Step 10. Click Forest-wide authentication for the specified forest and then click Next

New Trust Wizard - Outgoing Trust Authentication Level-Specified Forest

Step 11. Click Next

New Trust Wizard - Trust Selections Complete

Step 12. Click Next

New Trust Wizard - Route Name Suffixes - Local forest

Step 13. Click Next

New Trust Wizard - Trust Creation Complete

Step 14. Click Yes, confirm the outgoing trust and then click Next

New Trust Wizard - Confirm Outgoing Trust

Step 15. You have successfully created the trust. Click Finish

New Trust Wizard - Completing the New Trust Wizard

Step 16. Now it’s time to validate the trust so you can be sure it is in place. Right-click the domain in the Active Directory Domains and Trusts (ADDT) snap-in and then click Properties. Select the specified domain under outgoing trusts and then click Properties

Active Directory Domain Tools - Properties - Trusts

Step 17. On the General tab, click Validate

Active Directory Domain Tools - Properties - General - Validate

Step 18. Click ‘Yes, validate the incoming trust’ to validate the incoming direction of the trust. Provide the credentials of an account with administrative privileges in the specified domain and then click OK

Active Directory Domain Services - Properties - Validate Incoming Trust

Step 19. Click OK. The trust you created is in place and active

Active Directory Domain Services - Validated window
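As an added check that is not part of the original article, the same validation can be scripted from the target domain in Windows PowerShell. The script below confirms that the trust object has the shape chosen in the wizard (forest trust, two-way, forest-wide authentication), verifies the secure channel in both directions with netdom.exe (the command-line equivalent of the Validate button), and checks that the PES service on the source domain controller is running. It assumes the RSAT ActiveDirectory module is installed; the domain and server names are placeholders:

```powershell
# Added example: verify the forest trust and the PES service from the target domain.
# Assumes the ActiveDirectory module (RSAT) and netdom.exe are available.
Import-Module ActiveDirectory

$SourceDomain = 'source.example.local'      # placeholder: domain in the other forest
$SourceDC     = 'dc1.source.example.local'  # placeholder: writable DC where PES was installed

# The trust object on our side describes the outgoing direction to the source forest.
$trust = Get-ADTrust -Filter "Target -eq '$SourceDomain'"
if (-not $trust) { throw "No trust object found for $SourceDomain" }

# Expected values follow the wizard choices above: Forest trust, Two-way,
# Forest-wide authentication (i.e. selective authentication is off).
$checks = [ordered]@{
    'Forest trust (transitive)'  = ($trust.ForestTransitive -eq $true)
    'Two-way direction'          = ($trust.Direction -eq 'BiDirectional')
    'Forest-wide authentication' = ($trust.SelectiveAuthentication -eq $false)
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-28} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISMATCH' })
}

# Verify the secure channel in both directions. If the current account has no
# rights in the other forest, add /ud:<domain\user> and /pd:* for its credentials.
$LocalDomain = (Get-ADDomain).DNSRoot
& netdom trust $LocalDomain /d:$SourceDomain /verify /twoway
if ($LASTEXITCODE -ne 0) {
    Write-Warning "netdom trust /verify returned exit code $LASTEXITCODE"
}

# ADMT cannot migrate passwords until PES is running on the source DC.
# Get-Service -ComputerName requires Windows PowerShell (5.1), not PowerShell 7.
$pes = Get-Service -ComputerName $SourceDC -DisplayName 'Password Export Server Service' -ErrorAction Stop
'{0,-28} {1}' -f 'PES service status', $pes.Status
if ($pes.Status -ne 'Running') {
    Write-Warning 'Start the Password Export Server Service on the source DC before migrating passwords.'
}
```

Any MISMATCH line means the wizard selections differ from what this series relies on (for example a one-way or external trust), and it is cheaper to correct that now than to troubleshoot ADMT errors later.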

So far, we have learned how to install Password Export Server Service (PES) v3.1 on the source domain and how to establish a trust between the forests.

(Read Part 2.)


2 Responses to “Interforest Migration in Windows Server 2016 with Active Directory Migration Tool (ADMT) 3.2. Part 1”

  1. […] In the previous article, we have installed Password Export Server Service (PES) v3.1 on the source domain and established a trust between the two forests. We will move ahead and delegate permissions to a user account from the source domain in the target domain, and configure the source and target domains for SID history migration. We will also see the difference in behavior of Active Directory objects in interforest and intraforest migration, and how to create an include file when migrating a large number of objects. […]

  2. […] previous articles (Part 1 and Part 2), we have installed Password Export Server Service (PES) 3.1, established trust, […]
