Remigrating User Accounts and Migrating Workstations in Batches

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

Remigrating user accounts and workstations in batches helps you track the migration process. For each batch of users, first translate local user profiles, and then migrate workstations. Verify that the profile and workstation migration succeeded, and then migrate the user accounts. Remigrate global groups after each batch. For more information, see Remigrating All Global Groups After All Batches Are Migrated, later in this guide.

Translating local user profiles

The Active Directory Migration Tool (ADMT) translates profiles for supported computer migration objects. For a list of which operating systems are supported for computer migration objects for different versions of ADMT, see Active Directory Migration Tool versions and supported environments.

User profiles are stored locally on the workstation. When a user logs on to another workstation, he or she must create a new, unique local user profile. Translate the local user profiles for the first batch of users immediately after migrating all user accounts.

Local profiles are translated in replace mode because if you perform the profile translation in add mode, certain aspects of software installation that use Group Policy software deployment might not work. Any application that is packaged with Windows Installer version 2.0 (which is included on workstations running Windows 2000 Server Service Pack 3 (SP3) or Service Pack 4 (SP4) and Windows XP Service Pack 1 (SP1) or Service Pack 2 (SP2), as well as in many common software packages) might not function after the profile is translated. For example, the application executable files might not be removed after the last user removes the application. When the ADMT Security Translation Wizard is translating local profiles in replace mode, it reverts to add mode if a profile is locked. This might result in a successful profile translation. However, application installations might not function after the profile is translated.

Note

The night before you notify the users to log on by using their new accounts in the target domain, translate the local user profiles. Translating profiles the night before ensures that the new user profile reflects the most current user settings.

You can translate local user profiles by using the ADMT snap-in, the ADMT command-line option, or a script.

To translate local user profiles by using the ADMT snap-in

  1. For each workstation in the source domain that you migrate, add the ADMT resource migration account to the local Administrators group.

  2. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  3. Use the Security Translation Wizard by performing the steps in the following table.

    Wizard page / Action

    Security Translation Options
      Click Previously migrated objects.

    Domain Selection
      Under Source, in the Domain drop-down list, type or select the NetBIOS or Domain Name System (DNS) name of the source domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller.
      Under Target, in the Domain drop-down list, type or select the NetBIOS or DNS name of the target domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller, and then click Next.

    Computer Selection Option
      Click Select computers from domain, and then click Next. On the Computer Selection page, click Add to select the computers in the source domain for which you want to translate security, click OK, and then click Next.
      Or
      Click Read objects from an include file, and then click Next. Type the location of the include file, and then click Next.

    Translate Objects
      Click User Profiles.

    Security Translation Options
      Click Replace.

    ADMT Agent Dialog
      Select Run pre-check and agent operation, and then click Start.

  4. Review the results that are displayed on the screen for any errors. After the wizard completes, click View Migration Log to see the list of computers, completion status, and the path to the log file for each computer. If an error is reported for a computer, you will have to refer to the log file on that computer to review any problems with local groups. The log file for each computer is named MigrationTaskID.log and is stored in the Windows\ADMT\Logs\Agents folder.

To translate local user profiles by using the ADMT command-line option

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. At the command line, type the ADMT Security command with the appropriate parameters, and then press ENTER.

    ADMT SECURITY /N "<computer_name1>" "<computer_name2>" /SD:"<source_domain>" /TD:"<target_domain>" /TO:"<target_OU>" /TOT:REPLACE /TUP:YES

    As an alternative, you can include parameters in an option file that is specified at the command line as follows:

    ADMT SECURITY /N "<computer_name1>" "<computer_name2>" /O "<option_file>.txt"

    The following table lists the common parameters that are used for translating local user profiles, along with the command-line parameter and option file equivalents.

    Parameters                          Command-line syntax   Option file syntax
    Source domain                       /SD:"source_domain"   SourceDomain="source_domain"
    Target domain                       /TD:"target_domain"   TargetDomain="target_domain"
    Security translation option         /TOT:REPLACE          TranslationOption=REPLACE
    Modify local user profile security  /TUP:YES              TranslateUserProfiles=YES

  3. Review the results that are displayed on the screen for any errors. The migration log lists computers, completion status, and the path to the log file for each computer. If an error is reported for a computer, you will have to refer to the log file on that computer to review any problems with local groups. The log file for each computer is named MigrationTaskID.log and is stored in the Windows\ADMT\Logs\Agents folder.

To translate local user profiles by using a script

  • Prepare a script that incorporates ADMT commands and options for translating local user profiles by using the following sample script. Copy the script to Notepad, and save the file with a .wsf file name extension in the same folder as the AdmtConstants.vbs file.

    <Job id="TranslatingLocalProfilesBetweenForests">
    <Script language="VBScript" src="AdmtConstants.vbs" />
    <Script language="VBScript">
       Option Explicit

       Dim objMigration
       Dim objSecurityTranslation

       '
       'Create instance of ADMT migration objects.
       '

       Set objMigration = CreateObject("ADMT.Migration")
       Set objSecurityTranslation = objMigration.CreateSecurityTranslation

       '
       'Specify general migration options.
       '

       objMigration.SourceDomain = "source domain"
       objMigration.TargetDomain = "target domain"
       objMigration.TargetOu = "Computers"

       '
       'Specify security translation specific options.
       '

       objSecurityTranslation.TranslationOption = admtTranslateReplace
       objSecurityTranslation.TranslateUserProfiles = True

       '
       'Perform security translation on specified computer objects.
       '

       objSecurityTranslation.Translate admtData, _
          Array("computer name1", "computer name2")

       Set objSecurityTranslation = Nothing
       Set objMigration = Nothing
    </Script>
    </Job>
    

Migrating workstations in batches

After you migrate a batch of local user profiles, migrate the corresponding batch of user workstations. When you migrate a workstation between domains, the Security Accounts Manager (SAM) database is migrated along with the computer. Accounts in the local SAM database (such as local groups) that are used to enable access to resources always move with the computer. Therefore, these accounts do not have to be migrated.

If a workstation has managed service accounts installed and those accounts have been previously migrated, ADMT provides an option to reinstall the migrated managed service account on the migrated computer and update Service Control Manager. So that ADMT can perform this operation, the account performing the computer migration needs permissions to modify the security descriptor of the migrated managed service account.

Note

Use a low value for the RestartDelay parameter to restart workstations immediately after joining them to the target domain, or as soon as possible thereafter. Resources that are not restarted after migration are in an indeterminate state.

You can migrate workstations and member servers by using the ADMT snap-in, the ADMT command-line option, or a script.

To migrate workstations by using the ADMT snap-in

  1. On the computer in the target domain on which you installed ADMT, log on by using the ADMT resource migration account.

  2. Use the Computer Migration Wizard by performing the steps in the following table.

    Wizard page / Action

    Domain Selection
      Under Source, in the Domain drop-down list, type or select the NetBIOS or Domain Name System (DNS) name of the source domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller.
      Under Target, in the Domain drop-down list, type or select the NetBIOS or DNS name of the target domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller, and then click Next.

    Computer Selection
      Click Select computers from domain, and then click Next. On the Computer Selection page, click Add to select the computers in the source domain that you want to migrate, click OK, and then click Next.
      Or
      Click Read objects from an include file, and then click Next. Type the location of the include file, and then click Next.

    Managed Service Account Information (appears if the computer has a managed service account installed)
      Select any managed service accounts that do not have to be installed on the migrated computer in the target domain, and then click Skip/Include to mark the accounts as Skip.

    Organizational Unit Selection
      Click Browse.
      In the Browse for Container dialog box, locate the target domain Computers container or the appropriate OU, and then click OK.

    Translate Objects
      Select the Local groups check box.
      Select the User rights check box.

    Security Translation Options
      Click Add.

    Computer Options
      In the Minutes before computer restart after wizard completion box, accept the default value of 5 minutes or type a different value.

    Object Property Exclusion
      To exclude certain object properties from the migration, select the Exclude specific object properties from migration check box, select the object properties that you want to exclude and move them to Excluded Properties, and then click Next.

    Conflict Management
      Click Do not migrate source object if a conflict is detected in the target domain.

    ADMT Agent Dialog
      Select Run pre-check and agent operation, and then click Start.

  3. Review the results that are displayed on the screen for any errors. After the wizard completes, click View Migration Log to see the list of computers, completion status, and the path to the log file for each computer. If an error is reported for a computer, you will have to refer to the log file on that computer to review any problems with local groups. The log file for each computer is named MigrationTaskID.log and is stored in the Windows\ADMT\Logs\Agents folder.

  4. Open Active Directory Users and Computers, and verify that the workstations exist in the appropriate OU in the target domain.

To migrate workstations by using the ADMT command-line option

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT resource migration account.

  2. At the command line, type the ADMT Computer command with the appropriate parameters, and then press ENTER.

    ADMT COMPUTER /N "<computer_name1>" "<computer_name2>" /SD:"<source_domain>" /TD:"<target_domain>" /TO:"<target_OU>" [/M:"<managed service account name1>" "<managed service account name2>"] [/UALLMSA:Yes] /RDL:5

    As an alternative, you can include parameters in an option file that is specified at the command line as follows:

    ADMT COMPUTER /N "<computer_name1>" "<computer_name2>" /O:"<option_file>.txt"

    The following table lists the common parameters that are used for workstation migration, along with the command-line parameter and option file equivalents.

    Parameters                                 Command-line syntax        Option file syntax
    Source domain                              /SD:"source_domain"        SourceDomain="source_domain"
    Source OU location                         /SO:"source_OU"            SourceOU="source_OU"
    Target domain                              /TD:"target_domain"        TargetDomain="target_domain"
    Update all managed service accounts        /UALLMSA:YES               UpdateAllManagedServiceAccounts=Yes
    Update specified managed service accounts  /M:"name 1" "name 2" ...   UPDATEMSANAME="name 1" "name 2" ...
    Target OU location                         /TO:"target_OU"            TargetOU="target_OU"
    Restart delay (minutes)                    /RDL:5                     RestartDelay=5
    Security translation option                /TOT:ADD                   TranslationOption=ADD
    Translate user rights                      /TUR:YES                   TranslateUserRights=YES
    Translate local groups                     /TLG:YES                   TranslateLocalGroups=YES

    Note

    The /M parameter takes precedence over the /UALLMSA parameter.

  3. Review the results that are displayed on the screen for any errors. The migration log lists computers, completion status, and the path to the log file for each computer. If an error is reported for a computer, you will have to refer to the log file for that computer to review any problems with local groups. The log file for each computer is named MigrationTaskID.log and is stored in the Windows\ADMT\Logs\Agents folder.

  4. Open Active Directory Users and Computers and locate the target OU. Verify that the workstations and member servers exist in the target OU.

To migrate workstations by using a script

  • Prepare a script that incorporates ADMT commands and options for migrating workstations by using the following sample script. Copy the script to Notepad, and save the file with a .wsf file name extension in the same folder as the AdmtConstants.vbs file.

    <Job id="MigratingWorkstationsBetweenForests">
    <Script language="VBScript" src="AdmtConstants.vbs" />
    <Script language="VBScript">
       Option Explicit

       Dim objMigration
       Dim objComputerMigration

       '
       'Create instance of ADMT migration objects.
       '

       Set objMigration = CreateObject("ADMT.Migration")
       Set objComputerMigration = objMigration.CreateComputerMigration

       '
       'Specify general migration options.
       '

       objMigration.SourceDomain = "source domain"
       objMigration.SourceOu = "Computers"
       objMigration.TargetDomain = "target domain"
       objMigration.TargetOu = "Computers"

       '
       'Specify computer migration specific options.
       '

       objComputerMigration.RestartDelay = 1
       objComputerMigration.TranslationOption = admtTranslateAdd
       objComputerMigration.TranslateLocalGroups = True
       objComputerMigration.TranslateUserRights = True
       objComputerMigration.UpdateAllManagedServiceAccounts = True

       '
       'Migrate the specified computer objects.
       '

       objComputerMigration.Migrate admtData, _
          Array("computer name1", "computer name2")

       Set objComputerMigration = Nothing
       Set objMigration = Nothing
    </Script>
    </Job>
    

Remigrating user accounts in batches

After you have verified the success of local user profile and user workstation migration for the user batch, migrate the user accounts for that batch. You can migrate user accounts in batches by using the ADMT snap-in, the ADMT command-line option, or a script.

If you are migrating user accounts that have authentication mechanism assurance enabled, use an include file. In the include file, specify the original user principal names (UPNs) from the source domain as the target UPNs to keep authentication mechanism assurance working. For more information about using an include file, see Use an Include File.

Important

When you start a user migration with their security identifier (SID) history from the command line or from a script, you must perform the migration on a domain controller in the target domain. It is recommended that you use a full version of SQL Server when you install ADMT on a domain controller.

To migrate the current batch of user accounts by using the ADMT snap-in

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. Complete the User Account Migration Wizard by performing the steps in the following table.

    Wizard page / Action

    Domain Selection
      Under Source, in the Domain drop-down list, type or select the NetBIOS or Domain Name System (DNS) name of the source domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller.
      Under Target, in the Domain drop-down list, type or select the NetBIOS or DNS name of the target domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller, and then click Next.

    User Selection
      Click Select users from domain, and then click Next. On the User Selection page, click Add to select the users in the source domain that you want to migrate in the current batch, click OK, and then click Next.
      Or
      Click Read objects from an include file, and then click Next. Type the location of the include file, and then click Next.

    Organizational Unit Selection
      Ensure that ADMT lists the correct target OU. If it is not correct, type the correct OU, or click Browse.
      In the Browse for Container dialog box, locate the target domain and OU, and then click OK.

    Password Options
      Click Migrate Passwords.
      In Password migration source DC:, type the name of the password export server or accept the default value.

    Account Transition Options
      In Target Account State:, click Enable target accounts.
      In Source Account Disabling Options:, click Days until source accounts expire:, and then type the number of days you want to keep the source account. A value of seven is commonly used.
      Select the Migrate user SIDs to target domains check box.

    User Account
      Type the user name, password, and domain of a user account that has administrative credentials.

    User Options
      Select the Translate roaming profiles check box.
      Select the Update user rights check box.
      Clear the Migrate associated user groups check box.
      Select the Fix users’ group memberships check box.

    Object Property Exclusion
      Clear the Exclude specific object properties from migration check box.

    Conflict Management
      Select the Migrate and merge conflicting objects check box.
      Clear the Before merging remove user rights for existing target accounts check box.
      Clear the Move merged objects to specified target Organizational Unit check box.

  3. When the wizard has finished, click View Log, and review the migration log for any errors.

  4. Open Active Directory Users and Computers, and verify that the user accounts exist in the appropriate OU in the target domain.

To migrate the current batch of users by using the ADMT command-line option

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. At the command line, type the ADMT User command with the appropriate parameters, and then press ENTER.

    ADMT USER /N "<user_name1>" "<user_name2>" /SD:"<source_domain>" /TD:"<target_domain>" /TO:"<target_OU>" /MSS:YES /TRP:YES /UUR:YES

    As an alternative, you can include parameters in an option file that is specified at the command line as follows:

    ADMT USER /N "<user_name1>" "<user_name2>" /O "<option_file>.txt"

    The following table lists the common parameters that are used for migrating user accounts, along with the command-line parameter and option file equivalents.

    Parameters                 Command-line syntax                Option file syntax
    Source domain              /SD:"source_domain"                SourceDomain="source_domain"
    Source OU location         /SO:"source_OU"                    SourceOU="source_OU"
    Target domain              /TD:"target_domain"                TargetDomain="target_domain"
    Target OU location         /TO:"target_OU"                    TargetOU="target_OU"
    Migrate SIDs               /MSS:YES                           MigrateSIDs=YES
    Conflict management        /CO:REPLACE                        ConflictOptions=REPLACE
    Translate roaming profile  /TRP:YES (default)                 TranslateRoamingProfile=YES
    Update user rights         /UUR:YES                           UpdateUserRights=YES
    Password options           /PO:COPY /PS:<name of PES server>  PasswordOption=COPY
                                                                  PasswordServer=<name of PES server>
    Source expiration          /SEP:7                             SourceExpiration=7

  3. Review the results that are displayed on the screen for any errors.

  4. Open Active Directory Users and Computers, and locate the target OU. Verify that the users exist in the target OU.

To migrate the current batch of user accounts by using a script

  • Prepare a script that incorporates ADMT commands and options for migrating users by using the following sample script. Copy the script to Notepad, and save the file with a .wsf file name extension in the same folder as the AdmtConstants.vbs file.

    <Job id="MigratingUserAccountsInBatchesBetweenForests">
    <Script language="VBScript" src="AdmtConstants.vbs" />
    <Script language="VBScript">
       Option Explicit

       Dim objMigration
       Dim objUserMigration

       '
       'Create instance of ADMT migration objects.
       '

       Set objMigration = CreateObject("ADMT.Migration")
       Set objUserMigration = objMigration.CreateUserMigration

       '
       'Specify general migration options.
       '

       objMigration.SourceDomain = "source domain"
       objMigration.SourceOu = "source container"
       objMigration.TargetDomain = "target domain"
       objMigration.TargetOu = "target container"
       objMigration.PasswordOption = admtCopyPassword
       objMigration.PasswordServer = "password export server name"
       objMigration.ConflictOptions = admtReplaceConflicting

       '
       'Specify user migration specific options.
       '

       objUserMigration.SourceExpiration = 7
       objUserMigration.MigrateSIDs = True
       objUserMigration.TranslateRoamingProfile = True
       objUserMigration.UpdateUserRights = True
       objUserMigration.FixGroupMembership = True
       objUserMigration.MigrateServiceAccounts = False

       '
       'Migrate specified user objects.
       '

       objUserMigration.Migrate admtData, Array("user name1", "user name2")

       Set objUserMigration = Nothing
       Set objMigration = Nothing
    </Script>
    </Job>
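
The verification steps above (step 4 of the workstation and user account procedures) check only that the objects exist in the target OU. The following PowerShell is an added example, not part of this guide or of ADMT, that scripts that check for a batch and also confirms the outcomes the wizard settings are meant to produce: target accounts enabled, sIDHistory carrying the source SID (Migrate SIDs), and the source account set to expire within the SourceExpiration window. It assumes the ActiveDirectory module (RSAT); the function names, domain names and OU paths are placeholders.

```powershell
# Added example (not from the ADMT guide). Requires the ActiveDirectory module and read access to both domains.
Import-Module ActiveDirectory

function Test-AdmtUserBatch {
    # Hypothetical helper: one result object per migrated user in the batch.
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [Parameter(Mandatory)][string]$SourceDomain,      # placeholder, e.g. "source.example"
        [Parameter(Mandatory)][string]$TargetDomain,      # placeholder, e.g. "target.example"
        [Parameter(Mandatory)][string]$TargetOU,          # DN of the target OU (placeholder)
        [int]$SourceExpirationDays = 7                    # matches /SEP:7 in the guide
    )

    foreach ($sam in $SamAccountName) {
        # -Filter returns nothing (no error) when the account is absent in that domain
        $src = Get-ADUser -Server $SourceDomain -Filter "sAMAccountName -eq '$sam'" -Properties accountExpires
        $tgt = Get-ADUser -Server $TargetDomain -Filter "sAMAccountName -eq '$sam'" -Properties sIDHistory

        # sIDHistory is a collection of SecurityIdentifier objects; compare by SDDL string value
        $sidHistory = @()
        if ($tgt) { $sidHistory = @($tgt.sIDHistory | ForEach-Object { $_.Value }) }

        # accountExpires is a FILETIME; 0 and Int64.MaxValue both mean "never expires"
        $sourceExpiresOk = $false
        if ($src -and $src.accountExpires -gt 0 -and $src.accountExpires -lt [Int64]::MaxValue) {
            $expires = [DateTime]::FromFileTimeUtc($src.accountExpires)
            $sourceExpiresOk = $expires -le (Get-Date).ToUniversalTime().AddDays($SourceExpirationDays)
        }

        # Anything in sIDHistory other than the source account's SID should be explained before sign-off.
        $extra = @($sidHistory | Where-Object { -not $src -or $_ -ne $src.SID.Value })

        [pscustomobject]@{
            User            = $sam
            TargetExists    = [bool]$tgt
            InTargetOU      = [bool]$tgt -and ($tgt.DistinguishedName -like "*,$TargetOU")
            TargetEnabled   = [bool]$tgt -and $tgt.Enabled
            SidHistoryOk    = [bool]$src -and ($sidHistory -contains $src.SID.Value)
            ExtraSidHistory = $extra.Count
            SourceExpiresOk = $sourceExpiresOk
        }
    }
}

function Test-AdmtComputerBatch {
    # Hypothetical helper: confirms each migrated workstation now lives in the target OU.
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$TargetDomain,
        [Parameter(Mandatory)][string]$TargetOU
    )
    foreach ($name in $ComputerName) {
        $c = Get-ADComputer -Server $TargetDomain -Filter "name -eq '$name'"
        [pscustomobject]@{
            Computer   = $name
            Exists     = [bool]$c
            InTargetOU = [bool]$c -and ($c.DistinguishedName -like "*,$TargetOU")
        }
    }
}

# Example run with placeholder names; feed it the same names as the batch's include file.
Test-AdmtUserBatch -SamAccountName 'user name1', 'user name2' -SourceDomain 'source.example' `
    -TargetDomain 'target.example' -TargetOU 'OU=Users,DC=target,DC=example' | Format-Table -AutoSize
Test-AdmtComputerBatch -ComputerName 'computer name1', 'computer name2' -TargetDomain 'target.example' `
    -TargetOU 'OU=Computers,DC=target,DC=example' | Format-Table -AutoSize
```

Rows with ExtraSidHistory greater than 0, or with SidHistoryOk false while MigrateSIDs was requested, are the ones to investigate before remigrating global groups for the batch.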
    

Remigrating all global groups after user account migration

A large user account migration might take place over an extended period of time. For this reason, you might have to remigrate global groups from the source domain to the target domain after you migrate each batch of users, to reflect changes made to the membership of groups in the source domain after the initial global group migration occurred. For more information about remigrating global groups, including procedures, see Remigrating All Global Groups After All Batches Are Migrated, later in this guide.