Migrate Source Domain (old) to Target Domain (new) with ADMT 3.2

Andy 51 Reputation points
2021-03-31T09:24:09.703+00:00

Old DC01(IP:10.0.0.1) OS Windows 2016
Old DC02(IP:10.0.0.2) OS Windows 2016
Old DC03(IP:10.0.0.3) OS Windows 2019
Domain Name: OldDomain.com

Client: Windows 10 (Version 20h2)

New DC01(IP:172.16.0.1) OS Windows 2019
New DC02(IP:172.16.0.2) OS Windows 2019

Domain Name: NewDomain.com

SQL Express 2008 R2 SP2

SQL Express 2008 R2 SP3 Update

ADMT 3.2 (For Service Account/Group/User/Computer Migration)
PSE3.1 (For Password Migration)


All DCs: forest functional level and domain functional level are Windows 2016.
I will share my experience with you step by step.


14 answers

  1. Andy 51 Reputation points
    2021-04-09T03:54:56.627+00:00

    ADMT – Database Requirement
    1. Download SQL Express 2008 R2 SP2 and the SQL Express 2008 R2 SP3 Update

    2. Install SQL Express 2008 R2 SP2 on one DC of your old domain (i.e. Old DC03) and on one DC of your new domain (i.e. New DC02)

    86013-1new-install.jpg
    86014-1license-terms.jpg
    85959-2setup-support-rules.jpg
    85960-3feature-selection.jpg
    86041-4instance-configuration.jpg

    Account is NewDomain\ADMT Admin

    86027-5server-configuration.jpg

    Add NewDomain\ADMT Admin under Specify SQL Server administrators

    86028-6database-engine-configuration.jpg
    86051-7error-reporting.jpg
    86042-8done.jpg

    3. Install the SQL Express 2008 R2 SP3 Update

    85926-1sp3-update.jpg
    86052-2license-terms.jpg
    86053-3select-features.jpg
    86054-4check-files-in-use.jpg
    85995-5ready-to-update.jpg
    85927-6done.jpg

    4. Grant SQL permissions on the Domain Controllers

    Open CMD and run the following commands (on the DC where you installed SQL Express, i.e. Old DC03 and New DC02; replace Target-DC with that DC's computer name)

    NET LOCALGROUP SQLServerMSSQLUser$Target-DC$SQLEXPRESS /ADD

    SC SHOWSID MSSQL$SQLEXPRESS

    {Copy the SID to the clipboard; you will need it later}
    MD %SystemRoot%\ADMT\Data
    ICACLS %SystemRoot%\ADMT\Data /grant *{Paste the SID from above}:F
    i.e.
    ICACLS %SystemRoot%\ADMT\Data /grant *S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133:F


    86029-grant-permission.jpg

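Step 4 above copies the service SID by hand between commands. The following PowerShell script is an added example (not part of Andy's post) that performs the same four actions on the DC that hosts SQL Express: it creates the SQLServerMSSQLUser group, reads the service SID from `sc showsid` instead of the clipboard, creates `%SystemRoot%\ADMT\Data` and grants the SID full control, then prints the resulting ACL so the grant can be checked. It assumes the instance name SQLEXPRESS from the post, that it runs elevated on the DC itself, and that the DC's own computer name is the one to use in the group name.

```powershell
# Added example, not Andy's code. Assumptions: run elevated on the DC that hosts
# SQL Express (Old DC03 / New DC02 in the post), instance name SQLEXPRESS,
# Windows PowerShell 5.1 with net.exe, sc.exe and icacls.exe available.
$InstanceName = 'SQLEXPRESS'
$DcName       = $env:COMPUTERNAME
$DataDir      = Join-Path $env:SystemRoot 'ADMT\Data'

# 1. NET LOCALGROUP SQLServerMSSQLUser$<DC>$SQLEXPRESS /ADD
#    On a DC this creates a domain local group, because DCs have no local SAM groups.
$GroupName = "SQLServerMSSQLUser`$$DcName`$$InstanceName"
net.exe localgroup $GroupName /add | Out-Null

# 2. SC SHOWSID MSSQL$SQLEXPRESS, parsed instead of copied by hand.
#    sc showsid prints a line of the form "SERVICE SID: S-1-5-80-...".
$ServiceName = "MSSQL`$$InstanceName"
$Sid = $null
foreach ($line in (sc.exe showsid $ServiceName)) {
    if ($line -match 'SERVICE SID:\s*(S-1-5-80-[\d-]+)') { $Sid = $Matches[1] }
}
if (-not $Sid) { throw "Could not read the service SID for $ServiceName from 'sc showsid' output." }
Write-Host "Service SID for ${ServiceName}: $Sid"

# 3. MD %SystemRoot%\ADMT\Data and ICACLS ... /grant *<SID>:F
New-Item -ItemType Directory -Path $DataDir -Force | Out-Null
icacls.exe $DataDir /grant "*${Sid}:F"

# 4. Show the ACE that was just added; the SID resolves to NT SERVICE\MSSQL$SQLEXPRESS.
(Get-Acl -Path $DataDir).Access |
    Where-Object { $_.IdentityReference -like 'NT SERVICE\*' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run it once per SQL Express host. The final `Get-Acl` listing is the check that the ADMT database directory is writable only by the SQL service identity rather than by a broad grant; if the ACE shows anything other than the `NT SERVICE\MSSQL$SQLEXPRESS` identity with FullControl, the SID parsing failed and the grant should be reviewed.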

  2. Andy 51 Reputation points
    2021-04-09T07:56:41.607+00:00

    Disabling SID Filtering

    1. On your Old Domain (i.e. Old DC03) open CMD with administrator rights, then run the following command

    NETDOM TRUST {source-domain} /Domain:{target-domain} /UserO:{username} /PasswordO:{password} /Quarantine:NO

    i.e. NETDOM TRUST OldDomain.com /Domain:NewDomain.com /UserO:Administrator /PasswordO:P@$$W0rd /Quarantine:NO

    (I use Administrator and P@$$W0rd; you should type your actual password)

    Remember the SID warning message in the Domain Trust part; that's why we should disable SID filtering.
    86019-sid.jpg

    ADMT: Set up Password Export Server

    1. On your New Domain (i.e. New DC02) open CMD with administrator rights, then run the following command

    admt key /option:create /sourcedomain:{source-domain} /keyfile:"C:\PES.pes" /keypassword:{password}

    i.e. admt key /option:create /sourcedomain:OldDomain.com /keyfile:"C:\PES.pes" /keypassword:PE$W0rd

    - source-domain: OldDomain.com
    - keyfile: where you want to save the key file (I name it PES and save it in C:\)
    - keypassword: we will need it to set up the Password Export Server, so don't forget it.

    You will see PES.pes in your C:\ if everything runs OK

    86115-pes.jpg

    1. Copy PES.pes from NewDomain (i.e. New DC02) to OldDomain (i.e. Old DC03)
    2. Download Password Export Server 3.1
    3. Install Password Export Server 3.1 in OldDomain (i.e. Old DC03). Install it via the command line, or you will see error messages later although your keypassword is correct. Copy the downloaded file to C:\, then open CMD with administrator rights and run msiexec /i C:\pwdmig

    86039-pwdmig.jpg
    86183-1admt-password-migration.jpg
    86153-2license-agreement.jpg

    Choose the PES.pes you copied from NewDomain (i.e. New DC02) to OldDomain (i.e. Old DC03) before.

    86120-3encryption-file.jpg

    Type in the same password as the keypassword you used when creating PES.pes (i.e. PE$W0rd, my password). (Install via the command line from the beginning, or you will get an error message here although your password is correct.)

    86164-4password.jpg
    86204-password-error.jpg
    86191-5ready-to-install.jpg

    Choose account NewDomain\admtadmin

    86192-6account.jpg
    86193-7finish.jpg

    Open Services on your OldDomain (i.e. DC03), change Startup Type to Automatic, then start it.

    86110-services.jpg
    86196-automatic.jpg
    86165-8pess.jpg

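The `netdom trust ... /Quarantine:NO` command in this answer changes a trust attribute, and the screenshots do not show how to confirm what state the trust is actually in. The PowerShell below is an added example (not part of Andy's post) that reads the trust object from the old domain with `Get-ADTrust` and reports its `SIDFilteringQuarantined` flag, which is the attribute the `/Quarantine` switch sets; it also checks that the Password Export Server service on the old DC is running, which is what the last screenshots of this answer establish by hand. It assumes the ActiveDirectory module on a DC of OldDomain.com, the domain names from the post, and that the PES service's display name starts with "Password Export Server".

```powershell
# Added example, not Andy's code. Assumptions: run as a domain admin on a DC of
# OldDomain.com with the ActiveDirectory module; domain names as in the post;
# the Password Export Server service is found by its display name prefix.
Import-Module ActiveDirectory

$SourceDomain = 'OldDomain.com'
$TargetDomain = 'NewDomain.com'

function Get-TrustSidFilteringState {
    param([string]$Domain, [string]$Partner)
    # SIDFilteringQuarantined = $true  : SID history from the partner is discarded (default).
    # SIDFilteringQuarantined = $false : state after "netdom trust ... /Quarantine:NO",
    #                                    needed while ADMT migrates sIDHistory.
    Get-ADTrust -Filter * -Server $Domain |
        Where-Object { $_.Target -eq $Partner } |
        Select-Object Name, Source, Target, Direction, TrustType,
                      SIDFilteringQuarantined, SIDFilteringForestAware
}

function Test-PesService {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # The PES installer registers a Windows service; the answer sets it to Automatic and starts it.
    $svc = Get-Service -ComputerName $ComputerName |
        Where-Object { $_.DisplayName -like 'Password Export Server*' }
    if (-not $svc) { return [pscustomobject]@{ Computer = $ComputerName; Installed = $false; Status = 'Not found' } }
    [pscustomobject]@{
        Computer  = $ComputerName
        Installed = $true
        Status    = $svc.Status
        StartType = $svc.StartType
    }
}

# Trust state as seen from the old domain (the side where netdom was run).
Get-TrustSidFilteringState -Domain $SourceDomain -Partner $TargetDomain | Format-List

# PES service state on this old-domain DC (Old DC03 in the post).
Test-PesService | Format-Table -AutoSize
```

Run the trust check once before the `netdom` command and once after: `SIDFilteringQuarantined` should flip from True to False. Because a quarantine-disabled trust accepts sIDHistory from the partner domain, the same `netdom trust` command with `/Quarantine:YES` restores the default once the last migrated object no longer depends on its old SID, and the check above is the way to confirm that it did.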

  3. Andy 51 Reputation points
    2021-04-13T01:11:37.413+00:00

    ADMT-Agent deployment Pre-Setting
    Computer migration and security translation require the ADMT Agent to be installed on the computers in the Old Domain.

    Disable local firewall and services setting

    1. Create a GPO and link it to the actual OU
    87213-1create-gpo.jpg

    2. Name the GPO (i.e. disable local firewall)
    87144-2new-gpo.jpg

    3. Edit the GPO

    87214-3edit-gpo.jpg

    4. Navigate to

    Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile

    87184-4firewall.jpg

    Computer Configuration > Policies > Windows Settings > Security Settings > System Services
    88038-remote-registry.jpg
    Make sure ADMT Admin is added to the security settings.

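Steps 1 to 4 above are done through the Group Policy Management console. As an added example (not part of Andy's post), the PowerShell below creates and links the same GPO with the GroupPolicy module, sets the Domain Profile firewall policy value that the Windows Firewall node in step 4 edits, and then checks on each old-domain computer the two things the ADMT agent push depends on: the admin share reachable over TCP 445 and the Remote Registry service running. It assumes Windows PowerShell 5.1 (for `Get-Service -ComputerName`) on a DC of OldDomain.com, and the OU distinguished name and computer names are constructed placeholders.

```powershell
# Added example, not Andy's code. Assumptions: Windows PowerShell 5.1 on a DC of
# OldDomain.com with the GroupPolicy and ActiveDirectory modules; run as ADMT Admin.
# The OU path and the computer names below are constructed placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'disable local firewall'                   # name used in step 2 of the answer
$TargetOu = 'OU=Workstations,DC=OldDomain,DC=com'      # placeholder OU from step 1

# Steps 1-2: create the GPO (if absent) and link it to the OU.
$Gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $Gpo) { $Gpo = New-GPO -Name $GpoName }
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Step 4, Windows Firewall > Domain Profile: the policy "Protect all network connections"
# is stored as EnableFirewall under this key; 0 = Disabled, which is what the answer sets.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' `
    -ValueName 'EnableFirewall' -Type DWord -Value 0 | Out-Null

# Step 4, System Services: the startup type set in that node is not a registry policy,
# so verify the result on the computers instead of setting it here.
function Test-AdmtAgentPrereq {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        # ADMT copies the agent over the admin share (TCP 445) and talks to Remote Registry.
        $smb = Test-NetConnection -ComputerName $c -Port 445 -WarningAction SilentlyContinue
        $rr  = Get-Service -Name RemoteRegistry -ComputerName $c -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer       = $c
            Smb445Open     = [bool]$smb.TcpTestSucceeded
            RemoteRegistry = if ($rr) { $rr.Status.ToString() } else { 'Unknown' }
            Ready          = [bool]$smb.TcpTestSucceeded -and $rr -and $rr.Status -eq 'Running'
        }
    }
}

# Constructed placeholder computer names; in practice take them from the OU:
# (Get-ADComputer -SearchBase $TargetOu -Filter *).Name
Test-AdmtAgentPrereq -ComputerName 'PC01', 'PC02' | Format-Table -AutoSize
```

A row with `Ready = True` means the agent dispatch in the later migration wizards can reach that machine; `Smb445Open = False` after a `gpupdate /force` on the client points at a policy that has not applied yet rather than at ADMT. The GPO link only needs to exist for the duration of the computer migration, so `Remove-GPLink -Name $GpoName -Target $TargetOu` returns the old-domain machines to their previous firewall state once the agents have done their work.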

  4. Andy 51 Reputation points
    2021-04-14T09:54:31.97+00:00

    ADMT-Migration
    Log in as ADMT Admin on the NewDomain DC where ADMT is installed (i.e. DC03)
    Make sure you follow this order for the migration

    1. Services Account Migration
    2. Groups Migration
    3. Users Migration
    4. Computer Security Translation
    5. Computer Migration

    And I suggest you create an actual OU on your NewDomain (i.e. Migrated Items)
    87753-new-ou.jpg


    Services Account Migration

    Replaces any service accounts on the Old Domain (OldDomain.com) machines with migrated service accounts from the New Domain (NewDomain.com)

    1. Open ADMT on your New Domain (i.e. DC02)

    87588-1admt.jpg

    2. Choose Service Account Migration Wizard

    87589-2service-account-migration-wizard.jpg

    3. Migration

    87668-3welcome.jpg
    87686-4domain-selection.jpg
    87703-4dc.jpg
    87687-5update-information.jpg
    87704-6computer-selection-option.jpg
    87673-7add-computer.jpg
    87688-9pre-check-and-agent.jpg
    87669-10serviceaccount.jpg
    87549-11done.jpg


  5. Andy 51 Reputation points
    2021-04-14T10:01:52.64+00:00

    Services Account Migration (User)
    87715-12migrated-services-account.jpg

    87716-13welcome.jpg

    87698-14domain-selection.jpg
    88039-4dc.jpg

    87658-15user-selection.jpg

    87717-16add-user.jpg

    87718-17ou.jpg

    87719-18password-options.jpg

    87722-19account-transition.jpg
    87723-20user-account.jpg

    87761-21user-option.jpg

    87724-22object-property-exclusion.jpg

    87762-23conflict-management.jpg

    87725-24service-account-information.jpg

    87763-25finish.jpg

    87675-26done.jpg

    87726-27service.jpg

    If everything runs OK you can see (on the machine in the old domain) that the service account has been changed (i.e. newdomain\syncservice)

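The last screenshot of this answer confirms the result by opening the service properties on the old-domain machine. As an added example (not part of Andy's post), the PowerShell below verifies the same outcome for the migration order given in the previous answer: it checks that the user migrated into NewDomain.com carries the old account's SID in sIDHistory (which is what keeps access to resources still ACLed with the old SID working while the trust has SID filtering disabled), and it lists the services on an old-domain machine that now log on as a NewDomain account. It assumes the ActiveDirectory module, the domain names and the `syncservice` account from the post, and a constructed placeholder host name for the old-domain machine.

```powershell
# Added example, not Andy's code. Assumptions: run as ADMT Admin on a machine with the
# ActiveDirectory module and network access to both domains; domain and account names
# as in the post; 'APP01' is a constructed placeholder for an old-domain machine.
Import-Module ActiveDirectory

$SourceDomain = 'OldDomain.com'
$TargetDomain = 'NewDomain.com'
$Account      = 'syncservice'

function Test-MigratedSidHistory {
    param([string]$SamAccountName, [string]$Source, [string]$Target)
    # ADMT copies the source account's objectSid into the target account's sIDHistory.
    $old = Get-ADUser -Identity $SamAccountName -Server $Source
    $new = Get-ADUser -Identity $SamAccountName -Server $Target -Properties SIDHistory
    $history = @($new.SIDHistory | ForEach-Object { $_.Value })
    [pscustomobject]@{
        Account      = $SamAccountName
        OldSid       = $old.SID.Value
        NewSid       = $new.SID.Value
        SidHistory   = ($history -join ', ')
        SidHistoryOk = $history -contains $old.SID.Value
    }
}

function Get-ServicesRunningAs {
    param([string]$ComputerName, [string]$DomainNetbios)
    # After the service account migration, services on the old-domain machine should show
    # StartName = NewDomain\<account>, the same value the answer's last screenshot displays.
    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartName -like "$DomainNetbios\*" } |
        Select-Object Name, State, StartMode, StartName
}

# 1. sIDHistory on the migrated user.
Test-MigratedSidHistory -SamAccountName $Account -Source $SourceDomain -Target $TargetDomain | Format-List

# 2. Services on the old-domain machine that now run under a NewDomain account.
Get-ServicesRunningAs -ComputerName 'APP01' -DomainNetbios 'NewDomain' | Format-Table -AutoSize
```

`SidHistoryOk = True` together with a service row whose `StartName` is `NewDomain\syncservice` is the equivalent of the "done" screenshot above. A `State` of Stopped on that row after the migration usually means the service was not restarted with the new credentials, which the service account wizard does only when it can reach the machine through the agent.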
