Steve and I have often been stumped with migrating users simply because there’s not an easy to follow “how to”. So here’s an easy-to-follow “how to”.
To migrate users across domains, you will need the Active Directory Migration Tool from Microsoft. Install this on both servers.
First thing’s first – you’ll need to create a trust between the two domains. To create a trust:
- Set up a secondary DNS zone on each domain controller you plan to use. You need to enable Zone transfers on the DNS servers, and then create a secondary zone on each server of the other domain.
- Create a domain admin user account on each domian with the same username and password.
- On one of the servers you are working on, access Administrative Tools > Active Directory Sites and Trusts. Right-click on the domain you are using – and then click properties. From here, you can create a two-way trust between each domain.
Now we’re ready to migrate users. If you need the passwords migrated as well, you will need to complete these steps. If not – skip to the next part.
- On the source domain controller, you will need to create a key file. Open up the command prompt and type in the following (replace with your own domain and .pes file):
<code>admt key /option:create /sourcedomain:your.domain /keyfile:C:\MyKey.pes /keypassword:*</code>
- Once the key file has been created – you need to install the Password Server. Run
<code>%systemroot%\admt\pes\pwdmig.exe</code>
to install. During the installation, you will need to use the key file that we created in the previous step. You will also need to specify a domain administrative account to run the service.
- Now copy the keyfile to the target server. We need to manually import the key so that the passwords will transfer:
<code>admt key /option:import /sourcedomain:<em>your.domain</em> /keyfile:<em>C:\MyKey.pes</em>/keypassword:*</code>
Enter the same domain and pasword you used in step 1.
- On the source domain controller – open Active Directory Users and Computers, and double-click on the BUILTIN\Administrators group. Add the target domain administrator to the group (eg. targetdomain\administrator).
Now to migrate those accounts! Woo!
- Open the ADMT tool from Administrative Tools
- Right-click on the Active Directory Migration Tool folder
- Click User Account Migration Wizard
- Select the source and target domain
- Select the users either with a file or though the AD tool
- Select the target OU where you would like the users to be migrated to in your new domain
- Select how you would like passwords to be handled. If you are migrating the passwords, you will need to start the Password Migration Server Service on the source domain now.
- Answer the remaining questions appropriately.
- Job done!
The new user accounts will appear in the new domain.