Migration of Global Groups
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To preserve the global group user memberships, you must migrate global groups before you migrate users.
Note
Do not migrate global groups during peak work hours. The global group migration process can consume a large amount of network resources and resources on the domain controller that is running ADMT.
Global group migration involves the following steps:
1. The administrator selects global group objects in the source domain.
2. A new global group object is created in the target domain. A new primary SID is created for the object in the target domain.
3. To preserve resource access, ADMT adds the SID of the global group in the source domain to the SID history attribute of the new global group in the target domain.
4. Following the migration, events are logged in both the source and the target domain.
Note
If the user account migration process takes place over an extended period of time, then you might need to remigrate global groups from the source to the target domain to propagate membership changes that are made in the source domain before the migration process is complete. For more information about remigrating global groups, see "Remigrating All Global Groups After All Batches Are Migrated" later in this chapter.
You can migrate global groups by using the Active Directory Migration Tool console, by using the ADMT command-line option, or by using a script.
To migrate global groups by using the ADMT console
1. On the domain controller in the target domain on which ADMT is installed, log on by using the ADMT account migration account.
2. Open the Active Directory Migration Tool, and then select Group Account Migration Wizard.
3. Complete the Group Account Migration Wizard by using the information in Table 11.8.

Table 11.8 Using the Group Account Migration Wizard to Migrate Groups

| Wizard Page | Action |
| --- | --- |
| Test or Make Changes | Click Migrate Now? |
| Domain Selection | In the Source domain box, type the NetBIOS or DNS name of the source domain or select the name from a list. In the Target domain box, type the NetBIOS or DNS name of the target domain. If ADMT includes the names of the source and target domains, ensure that they are correct. |
| Group Selection | Click Add. In the Select Groups dialog box, select all the global groups that you want to migrate (except built-in groups), click Add, and then click OK. |
| Organizational Unit Selection | Type the name of the OU, or click Browse. In the Browse for Container dialog box, locate the container in the target domain you want to move the global groups into, and then click OK. |
| Group Options | Click Migrate Group SIDs to target domain. Click Do not rename accounts. Make sure that all other options are not selected. |
| User Account | Type the user name, password, and domain of an account that has administrative rights in the source domain. |
| Naming Conflicts | Click Ignore conflicting accounts and don’t migrate. |

4. When the wizard has finished running, click View Log, and review the migration log for any errors.
5. Open the Active Directory Users and Computers console and locate the target OU. Verify that the global groups exist in the target domain OU.
To migrate global groups by using the ADMT command-line option
1. On the domain controller in the target domain on which ADMT is installed, log on by using the ADMT account migration account.
2. At the command line, type:

    ADMT GROUP /N "group_name1" "group_name2" /SD:"source_domain" /TD:"target_domain" /TO:"target_OU" [parameters]

   Alternatively, you can include parameters in an option file that is specified on the command line as follows:

    ADMT GROUP /N "group_name1" "group_name2" /O: "option_file.txt"

   Table 11.9 lists the common parameters used for migrating global groups, along with the command-line parameter and option file equivalents.

Table 11.9 Common Parameters Used for Global Group Migrations

| Parameters | Command-Line Syntax | Option File Syntax |
| --- | --- | --- |
| Source domain | /SD:"source_domain" | SourceDomain="source_domain" |
| Source OU location | /SO:"source_OU" | SourceOU="source_OU" |
| Target domain | /TD:"target_domain" | TargetDomain="target_domain" |
| Target OU location | /TO:"target_OU" | TargetOU="target_OU" |
| Migrate GG SIDs | /MSS:YES | MigrateSIDs=YES |
| Do not rename accts | /RO:DONT (default) | RenameOption=DONT |
| Ignore conflicting accts and do not migrate them | /CO:IGNORE (default) | ConflictOptions=IGNORE |

3. Review the results that are displayed on the screen for any errors.
4. Open the Active Directory Users and Computers console and locate the target OU. Verify that the global groups exist in the target domain OU.
To migrate global groups by using a script
Prepare a script that incorporates ADMT commands and options for migrating global groups by using the sample script shown in Listing 11.5.
Listing 11.5 Migrating Global Groups Between Forests
<Job id="MigratingGlobalGroupsBetweenForests">
<Script language="VBScript" src="AdmtConstants.vbs" />
<Script language="VBScript">
   Option Explicit

   Dim objMigration
   Dim objGroupMigration

   '
   'Create instance of ADMT migration objects.
   '
   Set objMigration = CreateObject("ADMT.Migration")
   Set objGroupMigration = objMigration.CreateGroupMigration

   '
   'Specify general migration options.
   '
   objMigration.SourceDomain = "source domain"
   objMigration.SourceOu = "source container"
   objMigration.TargetDomain = "target domain"
   objMigration.TargetOu = "target container"

   '
   'Specify group migration specific options.
   '
   objGroupMigration.MigrateSIDs = True

   '
   'Migrate specified group objects.
   '
   objGroupMigration.Migrate admtData, Array("group name1", "group name2")

   Set objGroupMigration = Nothing
   Set objMigration = Nothing
</Script>
</Job>
For a script file to assist you in creating a script to migrate global groups, see "Migrating Global Groups Between Forests" (DSSREER_5.wsf) on the Windows Server 2003 Deployment Kit companion CD (or see "Migrating Global Groups Between Forests" on the Web at https://www.microsoft.com/reskit).
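The verification step that ends each procedure above (confirm the groups exist in the target OU) can be extended to confirm that each source group's SID actually landed in the SID history attribute of its migrated copy. The following PowerShell is an added example, not part of the original guide or of ADMT. It assumes a management host with the ActiveDirectory PowerShell module (which is newer than the Windows Server 2003 releases this page covers) that can query both domains; the domain, OU and group names are placeholders.

```powershell
Import-Module ActiveDirectory

# Placeholders (assumptions): replace with the values used for the migration.
$SourceDomain = 'source_domain'
$TargetDomain = 'target_domain'
$TargetOU     = 'OU=target_OU,DC=target_domain,DC=example'   # DN of the target OU
$GroupNames   = 'group_name1', 'group_name2'                 # groups that were migrated

$report = foreach ($name in $GroupNames) {
    # Names match in both domains because "Do not rename accounts" was selected.
    $filter = "SamAccountName -eq '$name'"
    $src = Get-ADGroup -Filter $filter -Server $SourceDomain
    $tgt = Get-ADGroup -Filter $filter -Server $TargetDomain `
                       -SearchBase $TargetOU -Properties SIDHistory

    $status  = 'OK'
    $history = @()
    if (-not $src) {
        $status = 'Source group not found'
    }
    elseif (-not $tgt) {
        $status = 'Missing from target OU'
    }
    else {
        # SIDHistory is a collection of SecurityIdentifier objects; compare as strings.
        $history = @($tgt.SIDHistory | ForEach-Object { $_.Value })
        if ($tgt.GroupScope -ne 'Global') {
            $status = "Unexpected scope: $($tgt.GroupScope)"
        }
        elseif ($history -notcontains $src.SID.Value) {
            $status = 'Source SID not in SID history'
        }
    }

    [pscustomobject]@{
        Group      = $name
        Status     = $status
        SourceSid  = $src.SID.Value     # SID of the group in the source domain
        TargetSid  = $tgt.SID.Value     # new primary SID created in the target domain
        SidHistory = $history -join ', '
    }
}

# One row per group; anything other than OK needs a look at the migration log.
$report | Format-Table -AutoSize
```

A row with a SidHistory value that lists more than the one source SID is worth reviewing, because every SID in that attribute grants the access of the account it came from.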