Before you use the Active Directory Migration Tool version 3.2 (ADMT v3.2), perform the following tasks:

  1. Before you use ADMT v3.2 to restructure domains, read the ADMT Guide: Migrating and Restructuring Active Directory Domains (http://go.microsoft.com/fwlink/?LinkId=93678).

    This migration guide has detailed information about Active Directory design and deployment. It also has information for you to consider when you restructure Active Directory domains. The migration guide includes best practices for ADMT migration.

  2. Ensure that 128-bit, high encryption is installed on the computer on which the Password Export Server (PES) service is installed in the source domain.

    This encryption is standard on computers running Windows Server 2008 R2, Windows Server 2008, and Windows Server 2003.

  3. If you plan to migrate users, groups, or resources between Active Directory forests, verify that the appropriate trust relationships are established:

    • To migrate users and groups, establish a one-way trust between the source account domain and the target domain so that the source domain trusts the target domain.

    • To migrate resources or translate local profiles, create a one-way trust between the source resource domain and the target domain so that the source resource domain trusts the target domain.

    For more information about creating trusts for migration, see Determining Your Account Migration Process (http://go.microsoft.com/fwlink/?LinkId=183036).

  4. Assign the appropriate credentials for performing migration tasks:

    • A migration account that you use to migrate user accounts along with the security identifier (SID) history, global groups along with SID history, computers, and user profiles must have local administrator or domain administrator credentials in the source domain. The migration account also must have delegated permission on the user, group, and computer organizational units (OUs) in the target domain, with the extended right to migrate SID history on the user OU. The user must be a local administrator on the computer in the target domain on which ADMT is installed.

    • A migration account that you use to migrate workstations must have local administrator or source domain administrator credentials on the workstations, or both.

      Important

      If the computer has a managed service account installed, use an account that has permission to update the security descriptor of the managed service account in the target domain.

    • In the target domain, use an account that has delegated permissions on the computer OU and the user OU.

  5. Configure the target domain organizational unit (OU) structure for administering migrated objects.

    For more information about designing an OU structure, see Designing the Logical Structure for Windows Server 2008 AD DS (http://go.microsoft.com/fwlink/?LinkId=89024). For more information about administering OUs for migrated objects, see Restructuring Active Directory Domains Between Forests (http://go.microsoft.com/fwlink/?LinkId=105325).

  6. Ensure that the source and target domains operate at the Windows Server 2003 domain functional level or higher.

    For more information about how to raise the domain functional level, see Raise the Domain Functional Level (http://go.microsoft.com/fwlink/?LinkId=183262).

  7. Ensure that the server on which you install ADMT is a member server running Windows Server 2008 R2 in the source or target domain environment. Also verify that this member server is not running a Server Core installation and is not a read-only domain controller (RODC).

  8. If Windows Firewall is in use on workstation or member server computers that you are planning to migrate, enable the File and Printer Sharing exception. For more information, see Enable or Disable the File and Printer Sharing Firewall Rule (http://go.microsoft.com/fwlink/?LinkId=119315).
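
The checks in steps 3, 6, and 7 can be scripted. The following PowerShell is an added example, not part of the original guide or of ADMT. The domain names are placeholders, the function names are hypothetical, and it assumes it is run on the intended ADMT server by an account that can read both domains over LDAP.

```powershell
# Added example: read-only prerequisite checks for steps 3, 6 and 7.
# Domain names below are placeholders; replace them with your own.
param(
    [string]$SourceDomain = 'source.example',
    [string]$TargetDomain = 'target.example'
)

function Get-DomainFunctionalLevel([string]$Domain) {
    # msDS-Behavior-Version on the domain head: 2 = Windows Server 2003,
    # 3 = Windows Server 2008, 4 = Windows Server 2008 R2. Absent reads as 0.
    $head = [ADSI]"LDAP://$Domain"
    return [int]$head.Properties['msDS-Behavior-Version'].Value
}

function Test-TrustsPartner([string]$TrustingDomain, [string]$TrustedDomain) {
    # Look up the trustedDomain object for the partner in the trusting domain.
    $root = [ADSI]"LDAP://$TrustingDomain"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectClass=trustedDomain)(trustPartner=$TrustedDomain))"
    [void]$searcher.PropertiesToLoad.Add('trustDirection')
    $tdo = $searcher.FindOne()
    if ($null -eq $tdo) { return $false }
    # trustDirection bit 0x2 (outbound): the trusting domain trusts the partner.
    # A two-way trust (value 3) also satisfies this check.
    return ([int]$tdo.Properties['trustdirection'][0] -band 2) -ne 0
}

function Test-AdmtHost {
    # DomainRole 3 = member server (so not a domain controller or RODC);
    # version 6.1 = Windows Server 2008 R2. Server Core is NOT detected here
    # and has to be confirmed separately.
    $cs = Get-WmiObject Win32_ComputerSystem
    $os = Get-WmiObject Win32_OperatingSystem
    return ($cs.DomainRole -eq 3) -and ($os.Version -like '6.1.*')
}

$checks = @(
    @{ Step = 3; Check = "$SourceDomain trusts $TargetDomain"
       Pass = (Test-TrustsPartner $SourceDomain $TargetDomain) },
    @{ Step = 6; Check = "$SourceDomain functional level is 2003 or higher"
       Pass = ((Get-DomainFunctionalLevel $SourceDomain) -ge 2) },
    @{ Step = 6; Check = "$TargetDomain functional level is 2003 or higher"
       Pass = ((Get-DomainFunctionalLevel $TargetDomain) -ge 2) },
    @{ Step = 7; Check = 'ADMT host is a 2008 R2 member server'
       Pass = (Test-AdmtHost) }
)
$checks | ForEach-Object { New-Object PSObject -Property $_ } |
    Select-Object Step, Check, Pass | Format-Table -AutoSize
```

The trust check applies only to migrations between forests, as described in step 3. Any row with Pass set to False should be resolved before migration begins.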