
Interforest Migration in Windows Server 2016 with Active Directory Migration Tool (ADMT) 3.2. Part 3

Posted by Karim Buzdar on June 22, 2017

In the previous articles, we installed the Password Export Server (PES) service 3.1, established trust, delegated permissions to the source user account in the target domain, configured the source and target domains for SID history migration, and covered the theory behind interforest migration. Now we move ahead with the actual migration.

Lab Topology Overview

I have two forests in my lab environment. One forest has the domain yourdomain.com and the other has the domain mydomain.com. The forest and domain functional levels are Windows Server 2016. Each domain has a single domain controller running Windows Server 2016.

Forest Trust Scheme

I am migrating AD objects from mydomain.com to yourdomain.com with both GUI and PowerShell.

Prerequisites

Interforest migration has the following prerequisites:

  1. Install ADMT in the target domain.
  2. Install the Password Export Server service in the source domain for password migration.
  3. Establish trust between the forests.
  4. Identify the source domain, the target domain and the OU for migration.
  5. Document the objects with their location in the source and target domains. This helps you before and after migration, so you don’t miss any object.
  6. Create a test plan for some AD objects and carry out a test migration, so you can be sure the objects migrate properly and work in the target domain as expected.
  7. Create a rollback plan in case something goes wrong during or after migration.
  8. Communicate the migration schedule to all stakeholders.

Migrating Active Directory (AD) Objects

Migrating Limited Users

Step 1. Log in with ADMT migration account on computer in target or parent domain where ADMT is installed

Step 2. Right-click Active Directory Migration tool and then click User Account Migration Wizard

Active Directory Migration Tool - User Account Migration Wizard - Snap-in

Figure 2: ADMT Snap-in

Step 3. Click Next

Active Directory Migration Tool - User Account Migration Wizard

Figure 3: User account migration wizard

Step 4. Provide or select NetBIOS or DNS name of the source and the target domains. Provide or select the name of domain controller of source and target domains (or select Any domain controller) and click Next

User Account Migration Wizard - Domain Selection

Figure 4: Source and target domains selection

Step 5. Click ‘Select users from domain’ radio button and then click Next

User Account Migration Wizard - User Selection Option

Figure 5: User selection method

Step 6. Click Browse and add desired user(s) you would like to migrate

User Account Migration Wizard - User Selection - Adding Users

Figure 6: Adding users

Step 7. Click Next

User Account Migration Wizard - User Selection

Figure 7: Adding users

Step 8. Click Browse to choose the target OU for newly migrating users

User Account Migration Wizard - Organizational Unit Selection - Browse

Figure 8: Target OU selection

Step 9. Click Next

User Account Migration Wizard - Organization Unit Selection - Target OU selection

Figure 9: Target OU selection

Step 10. Click ‘Migrate Passwords’ and check ‘Do not update passwords for existing users’. A complex password will be generated and stored in a file as shown in the following screenshot. Click Next

User Account Migration Wizard - Password Options

Step 11. Click Disable target accounts, check Migrate user SIDs to the target domain and ‘Days until source accounts expire’, and provide a value of 7, which is commonly used. Click Next

User Account Migration Wizard - Account Transition Option

Step 12. Provide the username, password, and domain of an account having administrative privileges in the source domain. Click Next

User Account Migration Wizard - User Account

Step 13. Check both Translate roaming profiles and Update user rights. Ignore any warnings and click Next

User Account Migration Wizard - User Options

Figure 10: User migration options

Step 14. Click Next

User Account Migration Wizard - Object Property Exclusion

Step 15. Click ‘Do not migrate source object if a conflict is detected in the target domain’ radio button and click Next

User Account Migration Wizard - Conflict Management

Figure 11: User accounts conflict management

Step 16. Click Finish

User Account Migration Wizard - Completing the User Account Migration Wizard

Figure 12: Completing the user migration wizard

Step 17. Wait for the wizard to complete and look for any errors. Click Close

User Account Migration Wizard - Migration Progress

Figure 13: User migration progress

Step 18. Open Active Directory Users and Computers snap-in and verify the user account in target OU.
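
The check in step 18 can also be scripted. The following is an added example, not part of the original article: it uses the ActiveDirectory PowerShell module to confirm that each migrated user exists in the target OU, is disabled as chosen in step 11, and carries the source account's SID in sIDHistory. The target OU path and the user names are placeholders, and it assumes the target sAMAccountName equals the source one.

```powershell
# Added example; values marked ASSUMPTION are placeholders, not from the article.
Import-Module ActiveDirectory

$SourceDomain = 'mydomain.com'      # source domain used in the article
$TargetDomain = 'yourdomain.com'    # target domain used in the article
$TargetOU     = 'OU=Migrated,DC=yourdomain,DC=com'  # ASSUMPTION: target OU chosen in step 8
$Names        = 'user1', 'user2'    # ASSUMPTION: constructed sAMAccountNames of migrated users

$report = foreach ($name in $Names) {
    # Source account: its SID is what should appear in the target's sIDHistory
    $src = Get-ADUser -Server $SourceDomain -Filter "sAMAccountName -eq '$name'" `
        -Properties AccountExpirationDate
    # Target account: searched only under the OU selected in the wizard
    $dst = Get-ADUser -Server $TargetDomain -SearchBase $TargetOU `
        -Filter "sAMAccountName -eq '$name'" -Properties SIDHistory

    [pscustomobject]@{
        Name            = $name
        InTargetOU      = [bool]$dst
        TargetDisabled  = [bool]($dst -and -not $dst.Enabled)
        SidHistoryOK    = [bool]($src -and $dst -and
                                 ($dst.SIDHistory.Value -contains $src.SID.Value))
        SourceExpiresOn = $src.AccountExpirationDate   # set by 'Days until source accounts expire'
    }
}

$report | Format-Table -AutoSize

# Flag any account that does not match the options chosen in the wizard
$failed = $report | Where-Object {
    -not ($_.InTargetOU -and $_.TargetDisabled -and $_.SidHistoryOK)
}
if ($failed) {
    Write-Warning ("Review before enabling: " + ($failed.Name -join ', '))
}
```

An account with sIDHistory keeps the access its source SID had, so the same report is a useful record of which target accounts still need that attribute reviewed once the migration is complete.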

Migrating Large Number of Users Using Include File

Steps 1, 2, 3 and 4 are similar to the single user migration wizard. After step 4, however, proceed as follows.

– Click ‘Read object from an include file’ radio button and click Next

User Account Migration Wizard - User Selection Option

Figure 14: User selection method

– Click Browse and choose the path of include file from local hard drive of your computer

User Account Migration Wizard - Include File Selection - Open

Figure 15: Providing include file path

When you are done with the above steps, proceed with step 8 of the single user migration wizard and follow it to the end.

Migrating Limited Groups

Step 1. Log in with ADMT migration account on computer in target or parent domain where ADMT is installed

Step 2. In ADMT snap-in, right-click Active Directory Migration Tool and then click Group Account Migration Wizard

Active Directory Migration Tool - Group Account Migration Wizard - Snap-in

Figure 16: ADMT snap-in

Step 3. Click Next

Group Account Migration Wizard - Welcomes window

Figure 17: Group account migration wizard

Step 4. Provide or select NetBIOS or DNS name of the source and target domains. Provide or select the name of domain controller of source and target domains (or select Any domain controller) and click Next

Group Account Migration Wizard - Domain Selection

Figure 18: Source and target domains selection

Step 5. Click ‘Select groups from domain’ radio button and click Next

Group Account Migration Wizard - Group Selection Option

Figure 19: Group selection method

Step 6. Add the desired group(s) you would like to migrate and click Next

Group Account Migration Wizard - Group Selection - Select Groups

Figure 20: Adding groups

Step 7. Click Browse and choose the target OU for migrating group(s). When you are done click Next

Group Account Migration Wizard - Organizational Unit Selection - Browse

Figure 21: Choosing target OU

Step 8. Click Next and ignore any warnings if they appear

Group Account Migration Wizard - Group Options

Figure 22: Group options

Step 9. Provide the username and password of an account having administrative privileges in the source domain. Click Next

Group Account Migration Wizard - User Account

Step 10. Click Next

Group Account Migration Wizard - Object Property Exclusion

Step 11. Click ‘Do not migrate source object if a conflict is detected in the target domain’ radio button and click Next

Group Account Migration Wizard - Conflict Management

Figure 23: Group account conflict management

Step 12. Click Finish

Group Account Migration Wizard - Completing the Group Account Migration Wizard

Figure 24: Completing the group account migration wizard

Step 13. Wait for the wizard to complete and look for any errors. Click Close

Group Account Migration Wizard - Migration Progress

Figure 25: Group migration progress

Step 14. Open Active Directory Users and Computers snap-in and verify the group account in target OU.

Migrating Large Number of Groups Using Include File

When you are migrating multiple groups using an include file, the first four steps are the same as in the single group migration wizard. From step 5, proceed as follows.

– Click ‘Read objects from an include file’ radio button and click Next

Group Account Migration Wizard - Group Selection Option

Figure 26: Group selection method

– Click Browse and choose the path of include file from your local hard drive. When you are done click Next

Group Account Migration Wizard - Include File Selection - Open

Figure 27: Providing include file path

When you are done with the above steps, proceed to step 7 of the single group migration wizard and follow it to the end.

Migrating Limited Workstations or Member Servers

Step 1. Log in with ADMT migration account on computer in target or parent domain where ADMT is installed

Step 2. In ADMT snap-in, right-click Active Directory Migration Tool and then click Computer Migration Wizard

Active Directory Migration Tool - Computer Migration Wizard - Snap-in

Figure 28: ADMT snap-in

Step 3. Click Next

Computer Migration Wizard - Welcomes window

Figure 29: Computer migration wizard

Step 4. Provide or select NetBIOS or DNS name of the source and target domains. Provide or select the name of domain controller of source and target domains (or select Any domain controller) and click Next

Computer Account Migration Wizard - Domain Selection

Figure 30: Source and target domains selection

Step 5. Click ‘Select computers from domain’ and click Next

Computer Migration Wizard - Computer Selection Option

Figure 31: Computer selection method

Step 6. Add the desired computer(s) you want to migrate and click Next

Computer Migration Wizard - Computer Selection - Select Computers

Figure 32: Adding computers

Step 7. Click Next

Computer Migration Wizard - Computer Selection

Figure 33: Adding computers

Step 8. Click Browse and choose target OU. Click Next

Computer Migration Wizard - Organizational Unit Selection - Browse

Figure 34: Choosing target OU

Step 9. Click Next

Computer Migration Wizard - Organizational Unit Selection - Target OU

Figure 35: Choosing target OU

Step 10. Choose Local groups and User rights. Click Next

Computer Migration Wizard - Translate Objects

Figure 36: Computer translation options

Step 11. Choose Add and click Next. Ignore any warnings

Computer Migration Wizard - Security Translation Option

Figure 37: Security translation options

Step 12. Accept the default value and click Next

Computer Migration Wizard - Computer Options

Figure 38: Computer restart delay

Step 13. Click Next

Computer Migration Wizard - Object Property Exclusion

Figure 39: Computer properties exclusion

Step 14. Click ‘Do not migrate source object if a conflict is detected in the target domain’ radio button and click Next

Computer Migration Wizard - Conflict Management

Figure 40: Computer account conflict management

Step 15. Click Finish

Computer Migration Wizard - Completing the Computer Migration Wizard

Figure 41: Completing the computer migration wizard

Step 16. Wait for the wizard to complete and look for any errors

Computer Migration Wizard - Migration Progress

Figure 42: Computer migration progress

Step 17. Open Active Directory Users and Computers snap-in and verify the computer account in target OU.

Migrating Large Number of Workstations or Member Servers Using Include File

Follow steps 1, 2, 3 and 4 of the single computer migration wizard. After step 4, proceed as follows:

– Click ‘Read objects from an include file’ radio button and click Next

Computer Migration Wizard - Computer Selection Option

Figure 43: Computer selection method

– Click Browse and provide the path of include file on your hard drive. Click Next

Group Account Migration Wizard - Include File Selection - Open

Figure 44: Providing include file path

When you are done with the above two steps, proceed with step 8 of the single computer migration wizard and follow it to the end.

Migrating Objects from Child Domain to Parent Domain Using PowerShell

Log in with the ADMT migration account on the computer in the target or parent domain where ADMT is installed. Open PowerShell with elevated privileges and execute one of the following cmdlets. After the migration, open the Active Directory Users and Computers snap-in and verify the migrated objects in the target OU.

Migrating Limited Users

The following table lists the required parameters, explanation and their syntax for migrating user accounts between forests.

Active Directory Migration Tool - Table with user command line parameters

Table 3: ADMT user command line parameters

The following example illustrates the migration of a single user using PowerShell.

Windows PowerShell - Migration single user using PowerShell

Figure 45: Migrating single user using PowerShell

Migrating Large Number of Users Using Include File

The following example illustrates the migration of users using an include file.

Windows PowerShell - Migration multiple users with include file

Figure 46: Migrating multiple users with include file

Migrating Limited Groups

The following table lists the required parameters and their syntax for migrating global groups between forests.

Active Directory Migration Tool - Table with group command line parameters

Table 4: ADMT group command line parameters

The following example illustrates the migration of a single group using PowerShell.

Windows PowerShell - Migration single group using PowerShell

Figure 47: Migrating single group using PowerShell

Migrating Large Number of Groups Using Include File

The following example illustrates the migration of groups using an include file.

Windows PowerShell - Migrating multiple groups with include file

Figure 48: Migrating multiple groups with include file

Migrating Limited Workstations or Member Servers

The following table lists the required parameters and their syntax for migrating workstations or member servers in intraforest.

Active Directory Migration Tool - Table with computer command line parameters

Table 5: ADMT computer command line parameters

The following example illustrates the migration of a single computer using PowerShell.

Windows PowerShell - Migrating single computer using PowerShell

Figure 49: Migrating single computer using PowerShell

Migrating Large Number of Workstations or Member Servers Using Include File

The following example illustrates the migration of computers using an include file.

Windows PowerShell - Migrating multiple computers with include file

Figure 50: Migrating multiple computers with include file

Conclusion

In this series of articles, we have directly learned the process of migrating AD objects between two forests. We have also indirectly learned various topics, including installing the PES service and establishing trust between two forests.

I hope you have enjoyed this lengthy article. If you have encountered any error (just like me) while following this guide, please let me know in the comments and I’ll get back to you with a solution.

 
