Migrating Users on Windows 2003 Domains

Steve and I have often been stumped with migrating users simply because there’s no easy-to-follow “how to”. So here’s an easy-to-follow “how to”.

To migrate users across domains, you will need the Active Directory Migration Tool from Microsoft. Install this on both servers.

First things first – you’ll need to create a trust between the two domains. To create a trust:

  1. Set up a secondary DNS zone on each domain controller you plan to use. You need to enable Zone transfers on the DNS servers, and then create a secondary zone on each server of the other domain.
  2. Create a domain admin user account on each domain with the same username and password.
  3. On one of the servers you are working on, access Administrative Tools > Active Directory Sites and Trusts. Right-click on the domain you are using – and then click properties. From here, you can create a two-way trust between each domain.
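Before running ADMT it is worth confirming that the DNS zones and the trust actually work in both directions, since a one-sided or unresolvable trust is the usual reason the migration wizard fails to list the other domain. The following is an added PowerShell example, not part of the original post; the domain names `source.local` and `target.local` are placeholders, and `netdom` is assumed to be installed from the Windows Server 2003 Support Tools.

```powershell
# Added example (not from the original post): check the trust prerequisites
# described above before starting the ADMT wizard.
# Assumed placeholders: replace source.local / target.local with your domains.
$SourceDomain = 'source.local'
$TargetDomain = 'target.local'

# 1. DNS: each side must resolve the other domain's DC SRV records. If the
#    secondary zone or the zone transfer is missing, nslookup returns nothing.
foreach ($d in $SourceDomain, $TargetDomain) {
    Write-Host "SRV records for _ldap._tcp.dc._msdcs.$d"
    nslookup -type=SRV "_ldap._tcp.dc._msdcs.$d" 2>&1 | Out-String | Write-Host
}

# 2. Trust: nltest lists every domain this DC trusts and the direction of each
#    trust, so a trust that was only created one-way shows up here.
nltest /domain_trusts /all_trusts

# 3. Verify the trust from each side (netdom ships with the Support Tools).
#    Both commands must succeed for a working two-way trust.
netdom trust $TargetDomain /d:$SourceDomain /verify
netdom trust $SourceDomain /d:$TargetDomain /verify
```

Run this on a domain controller in each domain; if either `nslookup` query returns no records, fix the secondary zone before going any further.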

Now we’re ready to migrate users. If you need the passwords migrated as well, you will need to complete these steps. If not – skip to the next part.

  1. On the source domain controller, you will need to create a key file. Open up the command prompt and type in the following (replace with your own domain and .pes file):
    <code>admt key /option:create /sourcedomain:your.domain /keyfile:C:\MyKey.pes /keypassword:*</code>
  2. Once the key file has been created – you need to install the Password Server. Run
    <code>%systemroot%\admt\pes\pwdmig.exe</code>

    to install. During the installation, you will need to use the key file that we created in the previous step. You will also need to specify a domain administrative account to run the service.

  3. Now copy the keyfile to the target server. We need to manually import the key so that the passwords will transfer:
    <code>admt key /option:import /sourcedomain:<em>your.domain</em> /keyfile:<em>C:\MyKey.pes</em> /keypassword:*</code>

    Enter the same domain and password you used in step 1.

  4. On the source domain controller – open Active Directory Users and Computers, and double-click on the BUILTIN\Administrators group. Add the target domain administrator to the group (e.g. targetdomain\administrator).

Now to migrate those accounts! Woo!

  1. Open the ADMT tool from Administrative Tools
  2. Right-click on the Active Directory Migration Tool folder
  3. Click User Account Migration Wizard
  4. Select the source and target domain
  5. Select the users either with a file or through the AD tool
  6. Select the target OU where you would like the users to be migrated to in your new domain
  7. Select how you would like passwords to be handled. If you are migrating the passwords, you will need to start the Password Migration Server Service on the source domain now.
  8. Answer the remaining questions appropriately.
  9. Job done!

The new user accounts will appear in the new domain.
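When ADMT migrates an account it can record the account's old SID in the new object's sIDHistory attribute, which is what keeps the migrated user's access to resources that are still ACLed with the source domain's SIDs. That attribute is worth reviewing once the migration is done, both to confirm which accounts actually came across and to spot any object carrying a privileged SID from the old domain. The following is an added PowerShell example, not part of the original post; the OU distinguished name is a placeholder for the target OU chosen in step 6, and it uses the .NET DirectorySearcher so it runs against a Windows 2003 domain without the newer AD module.

```powershell
# Added example (not from the original post): list the migrated objects in the
# target OU and flag any whose sIDHistory holds a well-known privileged RID.
# Assumed placeholder: the DN of the OU you migrated the users into.
$TargetOu = 'OU=Migrated Users,DC=target,DC=local'

# Well-known RIDs that identify built-in privileged principals in any domain.
$PrivilegedRids = @{
    500 = 'Administrator'
    512 = 'Domain Admins'
    518 = 'Schema Admins'
    519 = 'Enterprise Admins'
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$TargetOu"
# Users and groups that ADMT stamped with a sIDHistory value.
$searcher.Filter = '(&(|(objectClass=user)(objectClass=group))(sIDHistory=*))'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'sIDHistory'))

$results = $searcher.FindAll()
foreach ($r in $results) {
    $name = $r.Properties['samaccountname'][0]
    # sIDHistory is multi-valued; each entry is the binary form of an old SID.
    foreach ($raw in $r.Properties['sidhistory']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        $rid = [int]($sid.Value.Split('-')[-1])
        if ($PrivilegedRids.ContainsKey($rid)) {
            Write-Warning ("{0}: sIDHistory {1} is the source domain's {2}" -f $name, $sid.Value, $PrivilegedRids[$rid])
        } else {
            Write-Host ("{0}: sIDHistory {1}" -f $name, $sid.Value)
        }
    }
}
$results.Dispose()
```

Accounts that were migrated without sIDHistory will not appear in this list, so an empty result for a user you expected to see usually means the wizard's SID history option was not selected for that run. Once the resources in the old domain have been re-ACLed for the new accounts, the sIDHistory values this script lists can be cleared.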