Interforest migration involves relocating Active Directory (AD) objects between forests. You may have to migrate AD objects between forests when moving a test domain into your production environment, or after a company merger, when two IT (information technology) infrastructures need to be consolidated.
In this series of articles, I'll demonstrate how to migrate objects (users, computers, and groups) between forests in Windows Server 2016 with the help of the Active Directory Migration Tool (ADMT) 3.2.
In this first article, I'll show you how to install Password Export Server Service (PES) v3.1 and establish a trust between the forests. Delegating permissions to the source user account in the target domain is covered in Part 2.
When you are migrating objects between forests (interforest migration), ADMT uses the Password Export Server (PES) service to migrate passwords. PES v3.1 (the latest version at the time of writing) can be downloaded from Microsoft Connect. PES is installed on a domain controller in the source domain; ADMT, which runs in the target domain, contacts it to pull the passwords.
Here are a few important points to take care of before installing PES:
When you install the PES service in the source domain, it requires an encryption key. You create the key with ADMT in the target domain and save it to a file. Copy that file to the source domain controller where PES is being installed, via a network share or a removable drive. Treat the key file as a secret: protect it with a password when you create it, do not leave it on a network share after the copy, and delete the spare copies once PES is installed.
Open PowerShell with elevated privileges on the ADMT server in the target domain, run the admt key command, and replace its parameters as follows:
sourcedomain specifies the DNS or NetBIOS name of the source domain in which PES is being installed.
keyfile specifies the path and name of the file in which the encryption key will be stored.
keypassword is an optional parameter that protects the key. You can specify the password directly in the command, or put an asterisk (*) instead; the asterisk makes ADMT prompt for the password during execution, as shown in the screenshot below. Prompting is preferable, because the password then does not end up in the console history.
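The following PowerShell script is an added example, not code from the original article. It creates the key with admt key on the ADMT server in the target domain and applies the handling described above: the key folder is restricted to Administrators and SYSTEM before the key is written, the password is prompted for rather than typed on the command line, and a SHA-256 hash is recorded so the copy on the source domain controller can be verified before PES is installed. The domain name, the key path and the location of admt.exe are assumptions; replace them with your own.

```powershell
# Run in an elevated PowerShell session on the ADMT server in the target domain.
# Added example; placeholders below are assumptions, not values from the article.
$SourceDomain = 'source.example.com'                      # assumption: DNS name of the source domain
$KeyDir       = 'C:\ADMT\Keys'                            # assumption: a local folder, not a network share
$KeyFile      = Join-Path $KeyDir 'source.pes'            # assumption: key file name
$Admt         = Join-Path $env:SystemRoot 'ADMT\admt.exe' # assumption: default ADMT 3.2 install folder

New-Item -ItemType Directory -Path $KeyDir -Force | Out-Null

# Lock the folder down before the key exists in it: stop ACL inheritance, drop the
# inherited entries, and allow only the local Administrators group and SYSTEM.
$acl = Get-Acl -Path $KeyDir
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $KeyDir -AclObject $acl

# Create the key. /keypassword:* makes ADMT prompt for the password, so it is
# never written to the console history or to a script file.
& $Admt key "/option:create" "/sourcedomain:$SourceDomain" "/keyfile:$KeyFile" "/keypassword:*"
if ($LASTEXITCODE -ne 0) { throw "admt key failed with exit code $LASTEXITCODE" }

# Record the hash now; after copying the file to the source DC, run the same
# Get-FileHash there and compare before installing PES.
Get-FileHash -Path $KeyFile -Algorithm SHA256 | Format-List Path, Hash
```

Copy the key file to the source domain controller by whatever means you prefer, compare the hash on the destination, and remove the copy on the share or removable drive once the PES installer has consumed it.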
Step 1. On the source domain controller, double-click en-US_pwdmig.msi and click Next
Step 2. Accept the terms of the license agreement and click Next
Step 3. Click Browse and select the encryption key file you created with admt key for this source domain. When you are done, click Next
Step 4. Provide the password you set when creating the key and click OK
Step 5. Click Install. This may take a few minutes, so please be patient
Step 6. Provide the account you would like the PES service to run under. To use a specific account, specify it in the format domain\username
Step 7. Click OK
Step 8. Click Finish
Step 9. Click Yes to restart the system so changes can take effect
Once the system has rebooted, start the Password Export Server Service: press Windows key + R to open Run, type services.msc and press Enter. Locate Password Export Server Service, right-click it and then click Start. The service is not started automatically after installation, so check that it is running before each password migration, and stop it again once the passwords have been migrated: it only needs to run while ADMT is actually exporting passwords, and there is no reason to leave a password export endpoint listening on a domain controller afterwards.
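The same start, check and stop sequence from PowerShell, as an added example that is not part of the original article. It looks the service up by its display name, shows the account it runs under and its startup type, starts it for the migration window, waits until it is actually running, and stops it again afterwards. Nothing here is specific to a particular domain; the only assumption is that it is run in an elevated session on the source domain controller where PES was installed.

```powershell
# Run in an elevated PowerShell session on the source domain controller running PES.
# Added example; not from the original article.
$pes = Get-Service -DisplayName 'Password Export Server Service' -ErrorAction Stop

# Show the service account the installer was given and the startup type. PES should
# not be set to Automatic: it only needs to run during the password migration.
Get-CimInstance -ClassName Win32_Service -Filter "Name='$($pes.Name)'" |
    Select-Object Name, DisplayName, StartName, StartMode, State

if ($pes.StartType -ne 'Manual') {
    Set-Service -Name $pes.Name -StartupType Manual
}

# Start the service for the migration window and wait until it reports Running.
if ($pes.Status -ne 'Running') {
    Start-Service -Name $pes.Name
    (Get-Service -Name $pes.Name).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}
Write-Host "PES state: $((Get-Service -Name $pes.Name).Status)"

# ... run the ADMT password migration from the target domain here ...

# Stop the service again once the passwords have been migrated.
Stop-Service -Name $pes.Name
(Get-Service -Name $pes.Name).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
```

Re-run the first part of the script after any later reboot of the domain controller, since the service will not come back up on its own.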
Before you can migrate objects between Active Directory domains in different forests, you must create a trust relationship between them. The trust enables ADMT to move profiles, users, workstations or member servers, groups, and service accounts from the source domain to the target domain.
You can create a one-way or two-way trust. To keep things simple we will create a two-way forest trust, so objects can be migrated from either side of the trust relationship. Note that the wizard below selects forest-wide authentication, which lets every user in the trusted forest authenticate to any computer in the trusting forest. Where the two forests are not equally trusted, as is common in a merger, selective authentication is the least-privilege choice: users from the other forest can then only authenticate to computers on which they have been granted the Allowed to Authenticate permission, at the cost of having to grant it on each target computer. Since domains and trusts are not the subject of this post, you can read more about them on TechNet.
Step 1. Open the Active Directory Domains and Trusts snap-in. Right-click your forest root domain (forest trusts are created between the forest root domains) and then click Properties
Step 2. Open Trusts tab and then click New Trust
Step 3. Click Next
Step 4. Provide the DNS or NetBIOS name of the forest root domain of the other forest and click Next
Step 5. Click ‘Forest trust’ and then click Next
Step 6. Click ‘Two-way’ and then click Next
Step 7. Click ‘Both this domain and the specified domain’ to create both sides of forest trust and then click Next
Step 8. Provide credentials of an account having administrative privileges in the specified domain. Click Next
Step 9. Click Forest-wide authentication for local forest and then click Next
Step 10. Click Forest-wide authentication for corresponding forest and then click Next
Steps 11 to 13. Review the trust selections on the three summary pages and click Next on each
Step 14. Click Yes, confirm the outgoing trust and then click Next
Step 15. You have successfully created the trust. Click Finish
Step 16. Now validate the trust to be sure it is in place. Right-click the domain in the Active Directory Domains and Trusts snap-in and then click Properties. On the Trusts tab, select the specified domain under the outgoing trusts and then click Properties
Step 17. On General tab, click Validate
Step 18. Click ‘Yes, validate the incoming trust’ to validate the incoming direction of trust. Provide credentials of an account having administrative privileges in the specified domain and then click OK
Step 19. Click OK. The trust you created is in place and active
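The same validation from the command line, as an added example that is not part of the original article. Run in the target forest, it reads the trust object with Get-ADTrust and checks that it is the two-way transitive forest trust the wizard was meant to create, warns when forest-wide authentication is in effect, and then verifies the trust secret in both directions with netdom trust /verify /twoway. The domain names and the source-forest administrator account are assumptions.

```powershell
# Run in an elevated PowerShell session on a domain controller (or an RSAT host with the
# ActiveDirectory module) in the target forest. Added example; placeholders are assumptions.
Import-Module ActiveDirectory

$TargetDomain = 'target.example.com'    # assumption: our forest root domain
$SourceDomain = 'source.example.com'    # assumption: the other forest's root domain
$SourceAdmin  = 'SOURCE\Administrator'  # assumption: an administrative account in the source forest

# 1. Read the trust object as the target domain sees it.
$trust = Get-ADTrust -Filter "Target -eq '$SourceDomain'" -Server $TargetDomain
if (-not $trust) { throw "No trust to $SourceDomain found in $TargetDomain" }

$trust | Select-Object Name, Direction, ForestTransitive, IntraForest,
                       SelectiveAuthentication, SIDFilteringForestAware, UsesAESKeys

# 2. Check it matches what the wizard was supposed to create: two-way and forest-transitive.
if ($trust.Direction -ne 'BiDirectional' -or -not $trust.ForestTransitive) {
    Write-Warning 'Expected a two-way forest trust; re-check the wizard selections.'
}

# 3. Forest-wide authentication shows up as SelectiveAuthentication = False.
if (-not $trust.SelectiveAuthentication) {
    Write-Warning ("Forest-wide authentication is in effect: any user in $SourceDomain " +
                   "can authenticate to any computer in $TargetDomain.")
}

# 4. Verify the trust secret in both directions. /pd:* prompts for the password of the
#    source-forest account instead of putting it on the command line.
& netdom trust $TargetDomain "/d:$SourceDomain" "/ud:$SourceAdmin" "/pd:*" /verify /twoway
if ($LASTEXITCODE -ne 0) { throw "netdom trust /verify failed with exit code $LASTEXITCODE" }
```

Run the same Get-ADTrust query against the source forest as well; each side holds its own trusted-domain object, and a trust that validates from one side only is the usual sign that one direction was never created.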
So far, we have installed Password Export Server Service (PES) v3.1 on the source domain and established a trust between the forests. The series continues in Part 2.
Microsoft, Software by Karim Buzdar
[…] In the previous article, we installed Password Export Server Service (PES) v3.1 on the source domain and established a trust between two forests. We will move ahead and delegate permissions to a user account from the source domain in the target domain, and configure the source and target domains for SID history migration. We will also see the difference in behavior of Active Directory objects in interforest and intraforest migration, and how to create an include file when migrating a large number of objects. […]