Password Migration
One of ADMT 2.0's more interesting features is its ability to migrate passwords. ADMT's password migration merits special attention because it requires additional settings on both the source and target DCs and a service (the password export server) running on a DC in the source domain. The service relies on a key, generated in the target domain and installed in the source domain, to encrypt and decrypt the password information it exports. Configuring password migration as a separate step from user-account migration tends to result in fewer problems, and when problems do occur you can isolate them much more quickly.
Password migration configuration starts on the target DC. The first step is to extend the permissions associated with the target domain's Everyone group to include anonymous users. To do so, open the MMC Domain Security Policy snap-in. Expand Local Policies and Security Options to get the list of available security options. Enable the Network access: Let Everyone permissions apply to anonymous users option, as Figure 6 shows. Note that this setting widens anonymous access to the whole target domain, not just to the migration traffic, so record the setting's previous state and plan to restore it when the migration is complete.
The next step is to generate a password key file on the target DC (IKDOM2, in our sample scenario). ADMT provides a command-line utility for generating this key; a sample key-generating command is
admt key ikdom01 C:\test *
in which key specifies that you want to generate a key, ikdom01 specifies the source domain, C:\test specifies the folder in which to create the key file, and * triggers a prompt to enter a password for the key file during the key-generation process. Figure 7 shows that the sample command created the key file C:\test\4A662TSJ.pes. Also at the command line on the target DC, type on one line
net localgroup "Pre-Windows 2000 Compatible Access" Everyone /Add
then restart the target DC.
Now turn your attention to the source domain. Although we used the IKDOM01 domain PDC as the source machine during user-account migration, Microsoft recommends using a production BDC as the password export server. You have less exposure if an error occurs, the BDC typically has unused cycles, and the configuration requires a reboot, which you might rather do on your BDC than your PDC. However, using a BDC isn't mandatory; you can install the necessary software on a PDC. You'll find the software in the pwdmig subfolder of the folder that the admt2.exe file created when you ran the file on the target DC. Copy the pwdmig folder and the key file you generated on the target DC to the source DC, then run the password export server installation file on the source DC. Because the key file protects the exported password data, copy it over a channel you trust (not an open network share) and remove it from the source DC once the installation has read it. On an NT 4.0 system, you must run the \pwdmig\pwdmig.exe file to install the password export server (on a Windows 2003 or Win2K system, you need to run the \pwdmig\pwdmig.msi file).
The password export server installation will prompt you for the path to the *.pes key file. The installation will also prompt you for the password (if any) that you specified for this file. After the password export server is installed, you need to reboot the system, but first edit the registry on the source DC so that you need to reboot only once. Set the DWORD value AllowPasswordExport under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey to 1 to enable password export. After changing this setting, reboot the source DC. Keep in mind that while this value is 1 the password export server will hand out password data to any ADMT session that presents the key, so set it back to 0 as soon as the password migration is finished.
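The source-DC side of this procedure is easy to leave in the enabled state. The following PowerShell functions are an added example, not code from the article or from ADMT itself; they report the state of the AllowPasswordExport value and the password export server service, toggle the value for the enable and the post-migration disable step, and lock down the copied key file. They assume a DC on which PowerShell is available, the registry value the article describes, and a service short name of PesSvc for the password export server (the name is an assumption; adjust it if your installation differs).

```powershell
# Added example (not from the article or ADMT). Run in an elevated session on the source DC.
$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$PesService = 'PesSvc'   # assumed short name of the Password Export Server service

function Get-PasswordExportState {
    # Read the DWORD the article tells you to set, plus the PES service status.
    $value = (Get-ItemProperty -Path $LsaKey -Name AllowPasswordExport -ErrorAction SilentlyContinue).AllowPasswordExport
    $svc   = Get-Service -Name $PesService -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AllowPasswordExport = if ($null -eq $value) { 'missing' } else { $value }
        PesServiceStatus    = if ($svc) { $svc.Status } else { 'not installed' }
        # Passwords can only leave this DC when both conditions hold.
        ExportEnabled       = ($value -eq 1) -and ($null -ne $svc) -and ($svc.Status -eq 'Running')
    }
}

function Set-PasswordExportState {
    # Enable before the migration; Disable as soon as the password migration is done.
    param([Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Mode)
    $new = if ($Mode -eq 'Enable') { 1 } else { 0 }
    New-ItemProperty -Path $LsaKey -Name AllowPasswordExport -PropertyType DWord -Value $new -Force | Out-Null
    Write-Warning "AllowPasswordExport is now $new; per the article's procedure, reboot the source DC for the change to take effect."
    Get-PasswordExportState
}

function Protect-PesKeyFile {
    # Strip inherited ACEs from the copied .pes key file and leave only Administrators and SYSTEM.
    # Path is an assumption for the sample scenario; delete the file once the PES install has consumed it.
    param([Parameter(Mandatory)][string]$Path = 'C:\test\4A662TSJ.pes')
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited rules
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
    (Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights
}

# Typical sequence: Protect-PesKeyFile -Path 'C:\test\4A662TSJ.pes'; Set-PasswordExportState -Mode Enable
# ... reboot, run the migration on the target DC ...; Set-PasswordExportState -Mode Disable
```

Run Get-PasswordExportState after the post-migration reboot and confirm that ExportEnabled is False; a source DC left with AllowPasswordExport set to 1 and the service running is a standing path for password data to leave the domain.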
After the reboot, you can use the User Account Migration Wizard on the target DC to migrate passwords along with user accounts. I've found the password migration process to be error prone, so I recommend reviewing the Microsoft article "How to Troubleshoot Inter-Forest Password Migration with ADMTv2" (http://support.microsoft.com/?kbid=322981) for troubleshooting advice.
Going Forward with ADMT
You've seen how to work with ADMT 2.0 from its GUI and, to a lesser extent, its command-line interface. One new capability of version 2.0 that I haven't shown you how to use is its scripting interface. This interface doesn't just give you the ability to reference ADMT's command-line command set from within a script—it exposes an entire set of object interfaces that administrative scripts can reference. If you want to use ADMT in a script, start with the sample script that's installed with the tool. Templatescript.vbs lists the standard parameters for working with the various interfaces in addition to providing sample code that creates and manipulates the ADMT.Migration interface.
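Because the scripting interface is a COM object model, you can drive it from PowerShell as well as from VBScript. The script below is an added example, not the article's or ADMT's own TemplateScript.vbs; it runs a user migration that copies passwords through the password export server configured above. The numeric constants mirror the ones TemplateScript.vbs defines (admtData, admtCopyPassword, admtLeaveSource, admtNoExpiration, admtIgnoreConflicting); the property and method names are taken from the ADMT.Migration and UserMigration interfaces as documented in the ADMT scripting reference, and the domain names, target OU, password server and user list are assumptions for the sample scenario. It must run on the target DC where ADMT is installed.

```powershell
# Added example (not from the article or ADMT). Requires ADMT installed on the machine running the script.
# Constants as defined in ADMT's TemplateScript.vbs:
$admtData              = 0    # Migrate() receives the object list as an array
$admtCopyPassword      = 1    # copy passwords via the Password Export Server
$admtLeaveSource       = 0    # leave source accounts enabled
$admtNoExpiration      = -1   # do not set an expiration on source accounts
$admtIgnoreConflicting = 0    # skip target objects that already exist

function Invoke-AdmtUserMigration {
    param(
        [Parameter(Mandatory)][string]$SourceDomain,
        [Parameter(Mandatory)][string]$TargetDomain,
        [Parameter(Mandatory)][string]$TargetOU,
        [Parameter(Mandatory)][string]$PasswordServer,   # the source DC running PES
        [Parameter(Mandatory)][string[]]$Users           # sAMAccountNames to migrate
    )
    $mig = New-Object -ComObject ADMT.Migration
    $mig.SourceDomain    = $SourceDomain
    $mig.TargetDomain    = $TargetDomain
    $mig.TargetOU        = $TargetOU
    $mig.PasswordOption  = $admtCopyPassword
    $mig.PasswordServer  = $PasswordServer
    $mig.ConflictOptions = $admtIgnoreConflicting

    $um = $mig.CreateUserMigration()
    $um.DisableOption    = $admtLeaveSource
    $um.SourceExpiration = $admtNoExpiration
    $um.MigrateSIDs      = $true        # carry sIDHistory so resource ACLs keep working
    $um.FixGroupMembership = $true

    # Pass the include list as an array, exactly as TemplateScript.vbs does with Array(...).
    $um.Migrate($admtData, [object[]]$Users)
}

# Sample invocation for the scenario in this article (names assumed):
Invoke-AdmtUserMigration -SourceDomain 'ikdom01' -TargetDomain 'ikdom02' `
    -TargetOU 'OU=Migrated,DC=ikdom02,DC=local' -PasswordServer 'IKDOM01-BDC' `
    -Users @('alice', 'bob')
```

Migrate a single test account first and inspect the ADMT migration log before running the full user list; a failure at the password-copy stage (wrong key, AllowPasswordExport still 0, PES service not running) shows up there rather than on the console.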
ADMT 2.0 is a robust tool that supports not only the transition from one version of Windows to a newer version but also the ongoing maintenance and consolidation of domains within your enterprise. By leveraging its enhanced capabilities for migrating directory objects, you can support changes to your production directory and the dynamic growth of your enterprise infrastructure. Future versions of ADMT will undoubtedly enhance the ability to consolidate and eventually perhaps even separate elements of your directory structure. ADMT will continue as an important tool in your AD maintenance toolkit.