ADMT v2 Inter-Forest password migration
Step-by-step Procedure
1. Install 128-bit Internet Explorer on BDC
2. Configure a two-way trust between source and target domain (using AD Domains and Trusts on target domain and User Manager or AD Domains and Trusts on source domain).
3. Add the Domain Admins global group from the source domain to the Administrators local group in the target domain.
4. Add the Domain Admins global group from the target domain to the Administrators local group in the source domain.
5. Create a new local group in the source domain called Source Domain$$$.
6. Enable auditing for the success and failure of user and group management on the source domain.
7. Enable auditing for the success and failure of Audit account management on the target domain in the Default Domain Controllers policy.
8. On the PDC in the source domain, add the TcpipClientSupport:REG_DWORD:0x1 value to the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
9. Check that Administrative shares exist on the domain controller in the target domain on which you run ADMT, and on any computers on which an agent must be dispatched.
10. The RestrictAnonymous value on the target domain controller should be set to 0 during the migration: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\RestrictAnonymous = 0
11. Read permissions on the Pre-Windows 2000 Compatible Access group should be set to CN=Server,CN=System,DC={targetdom},DC={tld}.
12. The Everyone group should be a member of the Pre-Windows 2000 Compatible Access group in the target domain during the migration. This action is blocked by Active Directory Users and Computers. To add the Everyone group, run the following command: NET LOCALGROUP "PRE-WINDOWS 2000 COMPATIBLE ACCESS" EVERYONE /ADD
13. If the target domain is Windows Server 2003-based, run this command to make the following group a member of the Pre-Windows 2000 Compatible Access group: NET LOCALGROUP "PRE-WINDOWS 2000 COMPATIBLE ACCESS" "ANONYMOUS LOGON" /ADD
14. Install ADMT (i386\admt\admigration.msi) on a Target DC
15. Create a key (on Target DC) that protects the password list: ADMT.exe key Source_Domain_Name folderpath [password]
16. Install Password Export Server (i386\admt\pwdmig\pwdmig.msi) on a Source DC (using the key previously created)
17. Reboot Source and Target DC
regards
Johan Arwidmark
Windows User Group - Nordic
http://www.wug-nordic.net
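
Added example, not part of the original post: a read-only batch script that reports the current state of the settings steps 3-4, 8, 10, 12 and 13 change, so the state can be recorded before the migration and compared afterwards. It assumes it runs on the target DC, that SOURCEPDC is replaced with the real source PDC name (placeholder), and that group names are the English ones used in the steps above.

```bat
@echo off
rem Added example, not from the original post. Read-only: it changes nothing.
rem Run on the target DC used for ADMT. SOURCEPDC is a placeholder name.
setlocal
set "SOURCE_PDC=SOURCEPDC"
set "LSA=HKLM\System\CurrentControlSet\Control\LSA"
set "GROUP=Pre-Windows 2000 Compatible Access"
set "TMPF=%TEMP%\admt_group_members.txt"

echo [Step 10] RestrictAnonymous on this target DC:
reg query "%LSA%" /v RestrictAnonymous 2>nul | findstr /i "RestrictAnonymous"
if errorlevel 1 echo   value not present

echo [Step 8] TcpipClientSupport on source PDC %SOURCE_PDC%:
reg query "\\%SOURCE_PDC%\%LSA%" /v TcpipClientSupport 2>nul | findstr /i "TcpipClientSupport"
if errorlevel 1 echo   value not present or PDC registry not reachable

echo [Steps 12-13] "%GROUP%" membership:
rem Capture the member list once, then search it for each principal.
net localgroup "%GROUP%" > "%TMPF%" 2>nul
if errorlevel 1 goto groupfail
findstr /i /c:"Everyone" "%TMPF%" >nul
if errorlevel 1 (echo   Everyone: absent) else (echo   Everyone: PRESENT)
findstr /i /c:"ANONYMOUS LOGON" "%TMPF%" >nul
if errorlevel 1 (echo   ANONYMOUS LOGON: absent) else (echo   ANONYMOUS LOGON: PRESENT)
goto admins

:groupfail
echo   could not read group membership

:admins
del "%TMPF%" 2>nul
echo [Steps 3-4] Domain Admins entries in local Administrators:
net localgroup Administrators | findstr /i /c:"Domain Admins"
if errorlevel 1 echo   none listed
endlocal
```

Save the output from a run before step 1 and from a run after the migration; any line that differs marks a change made for the migration that is still in place.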
Hi together,
I try to migrate accounts from winnt 4.0 domain to a win2k ad domain.
The wizard in ADMTv2 allows to check "migrate password". When I do so, I get the error: unable to establish a connection with the password support server. The password server does not have the password migration component installed.
I cannot find out the reason for this error. Can anyone help me?
Thanks
Guenther