AcloudA

Interforest Migration in Windows Server 2016 with Active Directory Migration Tool (ADMT) 3.2. Part 2

Posted by Karim Buzdar on June 16, 2017

In the previous article, we installed the Password Export Server (PES) service v3.1 on the source domain and established a trust between the two forests. In this part we delegate permissions to a user account from the source domain in the target domain, and configure the source and target domains for SID history migration. We will also look at how Active Directory objects behave differently in interforest and intraforest migration, and how to create an include file when migrating a large number of objects.

Delegating Permissions to User Account from Source Domain in the Target Domain

It is necessary to assign the appropriate permissions to user accounts you are using to migrate objects between forests with Active Directory Migration Tool.

Follow these steps to assign permissions to a domain admin user of the source domain.

Step 1. Log in to domain controller in the target domain with an account having domain admin privileges

Step 2. Open the Active Directory Users and Computers snap-in. Click Builtin located under the domain name. In the right pane locate Administrators, right-click it and then click Properties

Active Directory Users and Computers window

Step 3. Go to Members tab and click Add

Active Directory Users and Computers - Administrators Properties

Step 4. Click Locations and choose source domain and then click OK

Active Directory Users and Computers - Administrators Properties - Locations

Step 5. Add the user and then click OK

Active Directory Users and Computers - Select Users, Computers, Service Accounts, or Group

Step 6. Click Apply and then OK. You are done

Active Directory Users and Computers - Administrators Properties - Members

Configuring Source and Target Domains for SID History Migration

Before interforest migration, you need to complete the following tasks:

  1. Create a local group in the source domain
  2. Enable auditing of account management and directory service access in both source and target domains

Creating a Local Group in the Source Domain

Open the Active Directory Users and Computers (ADUC) console in the source domain. Create an empty local group named SourceDomainName$$$ in the Users container, where SourceDomainName is the NetBIOS name of the source domain, for example, mydomain$$$. ADMT uses this group during SID history migration, so leave it empty.

Enabling Auditing in the Source and Target Domains

Perform the following steps in both source and target domains:

  1. Log in to any domain controller in the domain with an account having administrative privileges
  2. Press Windows key + R to open Run
  3. Type gpedit.msc and press Enter
  4. In Group Policy Management Console, expand Forest -> Domains -> your domain name -> Domain Controllers
  5. Right-click Default Domain Controllers Policy and then click Edit
  6. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy
  7. In the right pane, right-click Audit account management and then click Properties. Check the Define these policy settings, Success, and Failure boxes, click Apply and then OK
  8. In the right pane, right-click Audit directory service access and then click Properties. Check the Define these policy settings and Success boxes, click Apply and then OK
  9. Open a command prompt and run gpupdate to refresh group policy
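The following PowerShell script is an added example, not code from the original article: it creates the empty SourceDomainName$$$ group and then checks the effective audit policy that the Default Domain Controllers Policy above should produce. It assumes the RSAT ActiveDirectory module is installed and that it runs on a domain controller of the domain being prepared with domain admin rights; the group creation applies to the source domain only, the audit check to both.

```powershell
# Added example (not from the original article). Assumes RSAT ActiveDirectory
# module, run on a DC of the domain being prepared, with domain admin rights.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$groupName = "$($domain.NetBIOSName)`$`$`$"           # e.g. MYDOMAIN$$$
$usersPath = "CN=Users,$($domain.DistinguishedName)"  # the Users container

# Task 1 (source domain only): the $$$ group must exist, be domain local and empty.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope DomainLocal -GroupCategory Security -Path $usersPath
    Write-Host "Created $groupName in $usersPath"
}
$grp = Get-ADGroup -Identity $groupName -Properties Members
if ($grp.GroupScope -ne 'DomainLocal' -or $grp.Members.Count -gt 0) {
    Write-Warning "$groupName must be an empty domain local group (scope: $($grp.GroupScope), members: $($grp.Members.Count))"
}

# Task 2 (source and target): verify the effective audit settings on this DC
# after gpupdate. The legacy settings in steps 7 and 8 map to these categories;
# "auditpol /r" prints CSV, so the output can be parsed directly.
$checks = @(
    @{ Category = 'Account Management'; Pattern = 'Success and Failure' }  # Audit account management
    @{ Category = 'DS Access';          Pattern = '*Success*' }            # Audit directory service access
)
foreach ($c in $checks) {
    $rows = auditpol /get "/category:$($c.Category)" /r | ConvertFrom-Csv
    $bad  = @($rows | Where-Object { $_.'Inclusion Setting' -notlike $c.Pattern })
    if ($bad.Count -gt 0) {
        Write-Warning "$($c.Category): $($bad.Count) subcategory(ies) not auditing '$($c.Pattern)'"
        $bad | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize
    } else {
        Write-Host "$($c.Category): OK ($(@($rows).Count) subcategories)"
    }
}
```

If the audit check reports mismatches on a DC that has already run gpupdate, look for a higher-precedence GPO or an advanced audit policy overriding the legacy settings.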

Difference Between Interforest and Intraforest Domain Objects Migration

The following table lists some differences between interforest and intraforest migration of domain objects.

Table with list of some differences between interforest and intraforest domain objects migration

How to Create an Include File

You can create an include file (a plain text file) to save time and effort when migrating hundreds or thousands of AD objects. In the migration wizard, you specify the objects to migrate by providing the path of the include file.

The following table lists the fields of an include file with their explanation and examples.

Table with lists of explanation and examples

Following are possible examples of the contents of an include file.

SourceName
John

SourceName,TargetRDN
John, CN=johnny

SourceName,TargetRDN,TargetSAM
John, CN=johnny, johnnym

SourceName,TargetRDN,TargetSAM,TargetUPN
John, CN=johnny, johnnym, johnm@yourdomain.com
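As an added example that is not part of the original article, the following PowerShell script builds an include file in the four-field format shown above from the users of one source OU. The source OU, the target UPN suffix, the output path and the target naming convention (first initial plus surname) are all assumptions for illustration.

```powershell
# Added example (not from the original article). Assumes RSAT ActiveDirectory
# module and read access to the source domain; all names below are assumed.
Import-Module ActiveDirectory

$sourceOu  = 'OU=Sales,DC=mydomain,DC=local'   # assumed source OU
$targetUpn = 'yourdomain.com'                   # assumed target UPN suffix
$outFile   = 'C:\ADMT\include-sales.txt'        # assumed output path

$users = Get-ADUser -SearchBase $sourceOu -Filter * -Properties GivenName, Surname

$rows = foreach ($u in $users) {
    if (-not $u.GivenName -or -not $u.Surname) {
        Write-Warning "Skipping $($u.SamAccountName): GivenName or Surname is empty"
        continue
    }
    # Assumed target convention: first initial + surname, ASCII letters/digits only
    $sam = (($u.GivenName.Substring(0, 1) + $u.Surname) -replace '[^A-Za-z0-9]', '').ToLower()
    [pscustomobject]@{
        SourceName = $u.SamAccountName        # sAMAccountName in the source domain
        TargetRDN  = "CN=$($u.Name)"          # keep the display name as the new RDN
        TargetSAM  = $sam
        TargetUPN  = "$sam@$targetUpn"
    }
}

# Two source users mapping to the same TargetSAM would collide in the target
# domain, so refuse to write the file rather than let ADMT fail half way.
$dupes = @($rows | Group-Object TargetSAM | Where-Object { $_.Count -gt 1 })
if ($dupes.Count -gt 0) {
    throw "Duplicate TargetSAM values: $(($dupes | ForEach-Object Name) -join ', ')"
}
# Fields are comma separated, so an RDN containing a comma cannot be expressed
# in this format as shown on the page; flag those instead of guessing an escape.
$commaRdn = @($rows | Where-Object { $_.TargetRDN -match ',' })
if ($commaRdn.Count -gt 0) {
    throw "TargetRDN contains a comma for: $(($commaRdn | ForEach-Object SourceName) -join ', ')"
}

$content = @('SourceName,TargetRDN,TargetSAM,TargetUPN') +
    ($rows | ForEach-Object { '{0}, {1}, {2}, {3}' -f $_.SourceName, $_.TargetRDN, $_.TargetSAM, $_.TargetUPN })
Set-Content -Path $outFile -Value $content -Encoding ASCII
Write-Host "Wrote $($rows.Count) objects to $outFile"
```

Review the generated file before pointing the migration wizard at it; the header line must list exactly the fields present in each row, in the same order.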

Renaming Objects in Target Domain

If you want AD objects to receive a new name in the target domain, you can specify the new name in the include file in the following format.

to be continued.

 

Related materials:


Interforest Migration in Windows Server 2016 with Active Directory Migration Tool (ADMT) 3.2. Part 3
[Azure Active Directory] Domain Services


2 Responses to “Interforest Migration in Windows Server 2016 with Active Directory Migration Tool (ADMT) 3.2. Part 2”

  1. […] … (read the part 2). […]

  2. […] Interforest Migration in Windows Server 2016 with Active Directory Migration Tool (ADMT) 3.2 Part 2 […]
