You can use ADMT to migrate users, groups, and computers
from one domain to another, and to analyze the effect of the migration before and after
the actual migration process.
Note This article assumes that the source domain is a Windows
2000-based domain, and that the target domain is a Windows Server 2003-based
domain in Windows 2000 Native mode or later.
How to set up ADMT for a Windows 2000 to Windows Server 2003 migration
You can install the Active Directory Migration Tool version 2 on
any computer that is running Windows 2000 or later, including:
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows XP Professional
- Microsoft Windows Server 2003
The computer on which you install ADMT must be a member of
either the source or the target domain.
Intraforest migration
Intraforest migration does not require any special domain
configuration. The account you use to run ADMT must have enough permissions to
perform the actions that are requested by ADMT. For example, the account must
have the right to delete accounts in the source domain, and to create accounts
in the target domain.
Intraforest migration is a move operation
instead of a copy operation. These migrations are said to be destructive
because after the move, the migrated objects no longer exist in the source
domain. Because the object is moved instead of copied, some actions that are
optional in interforest migrations occur automatically. Specifically, the
sIDHistory and password are automatically migrated during all intraforest
migrations.
Interforest migration
ADMT requires the following permissions to run properly:
- Administrator rights in the source domain.
- Administrator rights on each computer that you
migrate.
- Administrator rights on each computer on which you
translate security.
Before you migrate a Windows 2000-based domain to a Windows
Server 2003-based domain, you must make some domain and security
configuration changes. Computer migration and security translation do not require any
special domain configuration. However, each computer you want to migrate must
have the administrative shares, C$ and ADMIN$.
The account you use to
run ADMT must have enough permissions to complete the required tasks. The
account must have permission to create computer accounts in the target domain
and organizational unit, and must be a member of the local Administrators group
on each computer to be migrated.
User and group migration
You must configure the source domain to trust the target domain.
Optionally, the target may be configured to trust the source domain. While this
may ease configuration, it is not required to finish the ADMT migration.
Requirements for optional migration tasks
You can complete the following tasks automatically by running the
User Migration Wizard in Test mode and selecting the migrate sIDHistory option.
The user account you use to run ADMT must be an Administrator in both the
source and the target domains for the automatic configuration to succeed.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
- Create a new local group in the source domain that is named
%sourcedomain%$$$. There must be no members in this group.
- Turn on auditing for the success and failure of Audit
account management on both domains in the Default Domain Controllers
policy.
- Configure the source domain to allow RPC access to the SAM
by configuring the following registry entry on the PDC Emulator in the source
domain with a DWORD value of 1:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\TcpipClientSupport
You must restart the PDC Emulator after you make this
change.
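The following PowerShell script is an added example and is not part of the Microsoft article or of ADMT itself. It performs a read-only check of two of the sIDHistory prerequisites listed above on the source domain's PDC Emulator: that TcpipClientSupport is a DWORD of 1, and that the %sourcedomain%$$$ local group exists and has no members. It assumes it is run from a computer that has PowerShell (for example, a Windows Server 2003-based ADMT host), that the Remote Registry service is running on the PDC Emulator, and that the account has read access to the LSA key and to the domain's local groups. The domain and host names are constructed sample values.

```powershell
# Added example (not from the Microsoft article): read-only check of
# sIDHistory prerequisites on the source domain's PDC Emulator.
# Constructed sample values; replace with your own.
$SourceDomain = 'SOURCEDOM'               # NetBIOS name of the source domain
$PdcEmulator  = 'PDC1.source.example'     # PDC Emulator in the source domain

function Get-RemoteDword {
    # Reads one value from HKLM on a remote computer via the Remote Registry
    # service (assumption: that service is running on $Computer).
    param([string]$Computer, [string]$SubKey, [string]$ValueName)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        $key = $hive.OpenSubKey($SubKey)
        if ($key -eq $null) { return $null }
        try { return $key.GetValue($ValueName) } finally { $key.Close() }
    } finally { $hive.Close() }
}

# 1. TcpipClientSupport must be a DWORD of 1 (allows RPC access to the SAM).
$tcpip = Get-RemoteDword -Computer $PdcEmulator `
    -SubKey 'System\CurrentControlSet\Control\LSA' -ValueName 'TcpipClientSupport'

# 2. The %sourcedomain%$$$ local group must exist and must be empty.
$groupName   = $SourceDomain + '$$$'          # single quotes keep the $ literal
$groupPath   = "WinNT://$PdcEmulator/$groupName,group"
$groupExists = [System.DirectoryServices.DirectoryEntry]::Exists($groupPath)
$members     = @()
if ($groupExists) {
    $group   = [ADSI]$groupPath
    # Members are returned as COM objects; pull each one's Name property.
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
}

# Summarize; anything flagged False needs to be fixed before running the
# User Migration Wizard with the migrate sIDHistory option.
$report = New-Object PSObject -Property @{
    PdcEmulator          = $PdcEmulator
    TcpipClientSupport   = $tcpip
    TcpipClientSupportOk = ($tcpip -eq 1)
    GroupName            = $groupName
    GroupExists          = $groupExists
    GroupMembers         = ($members -join ', ')
    GroupOk              = ($groupExists -and $members.Count -eq 0)
}
$report | Format-List
```

The script only reports; it deliberately does not create the group or write the registry value, so it can be run repeatedly before the migration without changing anything. Auditing for Audit account management is not checked here because it is set through the Default Domain Controllers policy rather than the registry.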
Note For Windows 2000 domains, the account you use to run ADMT must
have domain administrator permissions in both the source and target domains.
For Windows Server 2003 target domains, the 'Migrate sIDHistory' task may be
delegated. For more information, see Windows Server 2003 Help &
Support.
You can turn on interforest password migration by installing
a DLL that runs in the context of LSA. By running in this protected context,
passwords are shielded from being viewed in cleartext, even by the operating
system. The installation of the DLL is protected by a secret key that is
created by ADMT, and must be installed by an administrator.
To
install the password migration DLL:
- Log on as an administrator or equivalent to the computer on
which ADMT is installed.
- At a command prompt, run the ADMT KEY sourcedomain path [* |
password] command to create the password export key file (.pes). In
this command, sourcedomain is the NetBIOS name of
the source domain and path is the file path where
the key will be created. The path must be local, but it can point to removable
media such as a floppy disk drive, ZIP drive, or writable CD media. If you type
the optional password at the end of the command, ADMT protects the .pes file
with that password. If you type an asterisk (*) instead, ADMT prompts for the password
and does not echo it as you type.
- Move the .pes file you created in step 2 to the designated
Password Export Server in the source domain. This can be any domain controller,
but make sure it has a fast, reliable link to the computer that is running
ADMT.
- Install the Password Migration DLL on the Password Export
Server by running the Pwmig.exe tool. Pwmig.exe is located in the I386\ADMT
folder on the Windows Server 2003 installation media, or the folder to which
you downloaded ADMT from the Internet.
- When you are prompted to do so, specify the path to the
.pes file that you created in step 2. This must be a local file
path.
- After the installation completes, you must restart the
server.
- If you are ready to migrate passwords, set the following
registry value to a DWORD value of 1. For maximum security, do not complete this step until you are
ready to migrate.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AllowPasswordExport
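The following PowerShell helpers are an added example, not code from the Microsoft article or from ADMT, covering the two points in the procedure above where a practitioner most often slips: creating the .pes key file without putting the password on the command line, and switching AllowPasswordExport on only for the duration of the migration. The function names are my own. New-AdmtKeyFile assumes it runs on the ADMT computer with admt.exe on the PATH; the three export functions assume they run locally, with administrator rights, on the Password Export Server where Pwmig.exe installed the DLL and where PowerShell is available.

```powershell
# Added example (not from the Microsoft article). Function names are
# invented for this example; they are not ADMT commands.
$LsaKey = 'HKLM:\System\CurrentControlSet\Control\LSA'

function New-AdmtKeyFile {
    # Runs "ADMT KEY sourcedomain path *" on the ADMT computer. The asterisk
    # makes ADMT prompt for the password, so it never appears on the command
    # line, in the console history, or in process-creation logs.
    param([string]$SourceDomain, [string]$KeyPath)
    if ($KeyPath.StartsWith('\\')) {
        throw 'The .pes path must be local; ADMT KEY does not accept a UNC path.'
    }
    & admt key $SourceDomain $KeyPath '*'
    if ($LASTEXITCODE -ne 0) { throw "ADMT KEY failed with exit code $LASTEXITCODE" }
    Get-Item $KeyPath      # the .pes file to carry to the Password Export Server
}

function Get-PasswordExportState {
    # Reports whether the Password Export Server is currently willing to
    # export passwords (AllowPasswordExport = 1).
    $value = (Get-ItemProperty -Path $LsaKey).AllowPasswordExport
    New-Object PSObject -Property @{
        AllowPasswordExport = $value
        ExportEnabled       = ($value -eq 1)
    }
}

function Enable-PasswordExport {
    # Last step of the article: set the value to 1 only when you are ready
    # to run the password migration.
    Set-ItemProperty -Path $LsaKey -Name AllowPasswordExport -Value 1 -Type DWord
    Get-PasswordExportState
}

function Disable-PasswordExport {
    # Not listed in the article, but the natural close-out of the step above:
    # return the value to 0 as soon as the password migration has finished,
    # so the export path is not left open on a domain controller.
    Set-ItemProperty -Path $LsaKey -Name AllowPasswordExport -Value 0 -Type DWord
    Get-PasswordExportState
}

# Usage, commented so that dot-sourcing the file changes nothing by itself:
# . .\PasswordExport.ps1
# New-AdmtKeyFile -SourceDomain 'SOURCEDOM' -KeyPath 'A:\sourcedom.pes'   # on the ADMT computer
# Get-PasswordExportState      # on the Password Export Server
# Enable-PasswordExport        # immediately before migrating passwords
# Disable-PasswordExport       # immediately after the password migration completes
```

Get-PasswordExportState returns ExportEnabled as False both when the value is 0 and when it has never been created, which is the state of a fresh Password Export Server before anyone completes the final step.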
To download ADMT, visit the following Microsoft Web site:
For more information about how to use ADMT to perform a
migration, see ADMT Help. Start the Active Directory Migration Tool, click
Help Topics on the
Help menu, click the
Contents tab, and then click
Active Directory Migration Tool.
For more information about ADMT, visit the following
Microsoft Web site:
The Active Directory Migration Tool version 2 is included in the
I386\Admt folder on the Windows Server 2003 CD.