Before you use the Active Directory Migration Tool version 3.2 (ADMT v3.2), perform the following tasks:
- Before you use ADMT v3.2 to restructure domains, read the ADMT Guide: Migrating and Restructuring Active Directory Domains (http://go.microsoft.com/fwlink/?LinkId=93678). This migration guide has detailed information about Active Directory design and deployment. It also has information for you to consider when you restructure Active Directory domains. The migration guide includes best practices for ADMT migration.
- Ensure that 128-bit, high encryption is installed on the computer on which the Password Export Server (PES) service is installed in the source domain. This encryption is standard on computers running Windows Server 2008 R2, Windows Server 2008, and Windows Server 2003.
- If you plan to migrate users, groups, or resources between Active Directory forests, verify that the appropriate trust relationships are established:
  - To migrate users and groups, establish a one-way trust between the source account domain and the target domain so that the source domain trusts the target domain.
  - To migrate resources or translate local profiles, create a one-way trust between the source resource domain and the target domain so that the source resource domain trusts the target domain.
- Assign the appropriate credentials for performing migration tasks:
  - A migration account that you use to migrate user accounts along with the security identifier (SID) history, global groups along with SID history, computers, and user profiles must have local administrator or domain administrator credentials in the source domain. The migration account also must have delegated permission on the user, group, and computer organizational units (OUs) in the target domain, with the extended right to migrate SID history on the user OU. This account must also be a local administrator on the computer in the target domain on which ADMT is installed.
  - A migration account that you use to migrate workstations must have local administrator or source domain administrator credentials on the workstations, or both.
    Important: If the computer has a managed service account installed, use an account that has permission to update the security descriptor of the managed service account in the target domain.
  - In the target domain, use an account that has delegated permissions on the computer OU and the user OU.
- Configure the target domain organizational unit (OU) structure for administering migrated objects. For more information about designing an OU structure, see Designing the Logical Structure for Windows Server 2008 AD DS (http://go.microsoft.com/fwlink/?LinkId=89024). For more information about administering OUs for migrated objects, see Restructuring Active Directory Domains Between Forests (http://go.microsoft.com/fwlink/?LinkId=105325).
- Ensure that the source and target domains operate at the Windows Server 2003 domain functional level or higher. For more information about how to raise the domain functional level, see Raise the Domain Functional Level (http://go.microsoft.com/fwlink/?LinkId=183262).
- Ensure that the server computer that you use to install ADMT is a member server running Windows Server 2008 R2 in the source or target domain environment. Also verify that the member server used to install ADMT is not running a Server Core installation or a read-only domain controller (RODC).
- If Windows Firewall is in use on workstation or member server computers that you are planning to migrate, enable the File and Printer Sharing exception. For more information, see Enable or Disable the File and Printer Sharing Firewall Rule (http://go.microsoft.com/fwlink/?LinkId=119315).
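The following script is an added example, not part of the ADMT documentation, that checks several of the prerequisites above before ADMT is installed: the trust direction (source trusts target), the domain functional level of both domains, whether the local computer is a Windows Server 2008 R2 member server with a full (not Server Core) installation, and, on the computers to be migrated, whether the File and Printer Sharing rule is enabled. The domain names are placeholders, and the script assumes the Active Directory module for Windows PowerShell (RSAT) and netdom.exe are available on the ADMT host and that the firewall rule names are in English.

```powershell
# Added example (not code from the ADMT guide): readiness checks for the
# prerequisites listed above. Written for Windows PowerShell 2.0 on
# Windows Server 2008 R2. Domain names are placeholders.
Import-Module ActiveDirectory

function Test-AdmtTrust {
    # The source (account or resource) domain must trust the target domain.
    # netdom verifies the trust from the trusting side: <trusting> /d:<trusted>
    param([string]$SourceDomain, [string]$TargetDomain)
    $out = & netdom.exe trust $SourceDomain /d:$TargetDomain /verify 2>&1
    New-Object PSObject -Property @{
        Check  = "$SourceDomain trusts $TargetDomain"
        Passed = ($LASTEXITCODE -eq 0)
        Detail = ($out | Out-String).Trim()
    }
}

function Test-AdmtDomainMode {
    # Both domains must be at Windows Server 2003 domain functional level or
    # higher; Windows 2000 and Windows Server 2003 interim are below that.
    param([string]$Domain)
    $mode = [string](Get-ADDomain -Identity $Domain).DomainMode
    New-Object PSObject -Property @{
        Check  = "$Domain functional level ($mode)"
        Passed = (@('Windows2000Domain', 'Windows2003InterimDomain') -notcontains $mode)
        Detail = $mode
    }
}

function Test-AdmtHost {
    # ADMT must be installed on a Windows Server 2008 R2 (NT 6.1) member server.
    # DomainRole 3 = member server, so domain controllers and RODCs (4 and 5)
    # fail this check. InstallationType is 'Server Core' on a core install.
    $os = Get-WmiObject Win32_OperatingSystem
    $cs = Get-WmiObject Win32_ComputerSystem
    $install = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
    $checks = @(
        @{ Check = 'Windows Server 2008 R2 (6.1, server SKU)'
           Passed = ($os.Version -like '6.1.*' -and $os.ProductType -eq 3)
           Detail = "$($os.Caption) $($os.Version)" },
        @{ Check = 'Member server, not a DC or RODC'
           Passed = ($cs.DomainRole -eq 3)
           Detail = "DomainRole=$($cs.DomainRole)" },
        @{ Check = 'Full installation, not Server Core'
           Passed = ($install -ne 'Server Core')
           Detail = "InstallationType=$install" }
    )
    foreach ($c in $checks) { New-Object PSObject -Property $c }
}

function Test-FileAndPrinterSharingRule {
    # Run on each workstation or member server to be migrated. Checks the
    # inbound SMB rule of the File and Printer Sharing group; the rule name is
    # localized, so an English-language OS is assumed. -Enable turns the whole
    # group on first.
    param([switch]$Enable)
    if ($Enable) {
        & netsh.exe advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes | Out-Null
    }
    $out = & netsh.exe advfirewall firewall show rule name="File and Printer Sharing (SMB-In)" 2>&1
    New-Object PSObject -Property @{
        Check  = 'File and Printer Sharing (SMB-In) rule enabled'
        Passed = [bool](($out | Out-String) -match 'Enabled:\s+Yes')
        Detail = ($out | Out-String).Trim()
    }
}

# Usage on the ADMT host (placeholder domain names):
$report = @()
$report += Test-AdmtTrust -SourceDomain 'source.example.local' -TargetDomain 'target.example.local'
$report += Test-AdmtDomainMode -Domain 'source.example.local'
$report += Test-AdmtDomainMode -Domain 'target.example.local'
$report += Test-AdmtHost
$report | Format-Table Check, Passed -AutoSize

# On a computer that will be migrated:
# Test-FileAndPrinterSharingRule -Enable
```

Each function returns an object with a Passed flag so the results can be collected into one report or fed to a scheduled check before each migration batch. The trust check only reports the direction the guide requires (source trusts target); a trust that exists in the other direction only will fail the netdom verification and show up as a failed check rather than being silently accepted.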