Migrating Active Directory domains between forests involves relocating objects from source domains in one forest to target domains in another forest. You might have to restructure Active Directory domains between forests for the following reasons:

Note

This checklist summarizes the migration process and the tasks that you can perform with the Active Directory Migration Tool (ADMT) to complete your migration project. For detailed information about this process, see the ADMT Migration Guide (http://go.microsoft.com/fwlink/?LinkId=93678).

Task Reference

Review ADMT preinstallation instructions.

Before You Use ADMT v3.2

To migrate computers running Windows 2000, Windows XP, and Windows Server 2003 to a target domain with domain controllers running Windows Server 2008 or Windows Server 2008 R2, first set the following registry value on the target domain controllers:

Registry path: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters

Registry value: AllowNT4Crypto

Type: REG_DWORD

Data: 1

Note

If you are running Group Policy with target Windows Server 2008 or Windows Server 2008 R2 domain controllers, make this change using Group Policy administration. This registry setting corresponds to the Allow cryptography algorithms compatible with Windows NT 4.0 setting in Group Policy.

For more information on making this change using Group Policy, see Known Issues for Installing and Removing AD DS (http://go.microsoft.com/fwlink/?LinkId=119321).
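
The following read-only check is an added example, not part of the original checklist or of ADMT. It reports the AllowNT4Crypto value on each target domain controller so that you can confirm the setting before migrating legacy computers and track where it is still enabled afterward. The domain controller names are placeholders, and the script assumes the Remote Registry service is reachable and that you have administrative rights on each domain controller.

```powershell
# Added example: read-only audit of AllowNT4Crypto on target domain controllers.
# The DC names are placeholders (assumption); replace them with your own.
$TargetDCs = @('DC01.target.example', 'DC02.target.example')

# Registry path and value name as given in the checklist above.
$SubKey    = 'System\CurrentControlSet\Services\Netlogon\Parameters'
$ValueName = 'AllowNT4Crypto'

function Get-AllowNT4Crypto {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    $hklm = $null; $key = $null; $data = $null
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    try {
        # Requires the Remote Registry service and admin rights on the DC.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName)
        $key  = $hklm.OpenSubKey($SubKey)           # opened read-only
        if ($key) { $data = $key.GetValue($ValueName, $null) }

        # A missing value is reported separately from an explicit 0.
        if ($null -eq $data) { $state = 'NotSet' }
        elseif ($data -eq 1) { $state = 'Enabled' }
        else                 { $state = 'Disabled' }
    }
    catch {
        # Unreachable host, access denied, service stopped, and so on.
        $state = 'Error: ' + $_.Exception.Message
    }
    finally {
        if ($key)  { $key.Close() }
        if ($hklm) { $hklm.Close() }
    }

    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        Value        = $data
        State        = $state
    }
}

$report = $TargetDCs | ForEach-Object { Get-AllowNT4Crypto -ComputerName $_ }
$report | Sort-Object ComputerName | Format-Table ComputerName, Value, State -AutoSize
```

When the setting is delivered through Group Policy, the value read here reflects the applied policy, so a mismatch between domain controllers points to a policy that has not yet applied everywhere.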

For any migration tasks that use agent deployment and where Windows Firewall is in use, enable the File and Printer Sharing exception. This can include migration for the following situations:

  • Migrating workstation computers and member servers that are running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2

  • Migrating security settings or performing security translation

For more information about making this change in Windows Firewall, see Enable or Disable the File and Printer Sharing Firewall Rule (http://go.microsoft.com/fwlink/?LinkID=119315).

Prepare to restructure Active Directory domains within a forest. This process has the following subtasks:

  • Determine your account migration process.

  • Assign object roles and locations.

  • Develop a test plan for your migration.

  • Create a rollback plan.

  • Manage users, groups, and user profiles.

  • Create a user communication plan.

Install ADMT v3.2

See "Planning to Restructure Active Directory Domains Between Forests" in the ADMT Migration Guide (http://go.microsoft.com/fwlink/?LinkId=93678).

Prepare the source and target domains. This process has the following subtasks:

  • Install 128-bit encryption software.

  • Establish trusts that are required for migration.

  • Establish migration accounts for your migration.

  • Configure the source and target domains for security identifier (SID) history migration.

  • Configure the target domain organizational unit (OU) structure.

  • Install ADMT in the target domain.

  • Specify service accounts for your migration.

Install ADMT v3.2

See "Planning to Restructure Active Directory Domains Between Forests" in the ADMT Migration Guide.

Specify and transition service accounts using either the Service Account Migration Wizard or ADMT command-line tools. You can use the admt service command-line tool to specify service accounts in the source domain. You can use the admt user command-line tool to transition service accounts that you specify.

Service Account Migration Wizard; admt service; admt user

See "Transitioning Service Accounts in Your Migration" in the ADMT Migration Guide (http://go.microsoft.com/fwlink/?LinkId=93678).

Migrate global groups using either the Group Account Migration Wizard or the admt group command-line tool.

Group Account Migration Wizard; admt group

See "Migration of Global Groups" in the ADMT Migration Guide (http://go.microsoft.com/fwlink/?LinkId=93678).

Migrate user accounts and workstation accounts with their SID histories in batches. You can use either the User Account Migration Wizard or the admt user command-line tool to migrate user accounts.

User Account Migration Wizard; admt user

See "Migrating Accounts Using SID History" in the ADMT Migration Guide (http://go.microsoft.com/fwlink/?LinkId=93678).

Migrate resources, such as member servers and domain controllers, and domain local groups. You can use either the Computer Account Migration Wizard or the admt computer command-line tool to migrate computer accounts. You can use the Group Account Migration Wizard or the admt group command-line tool to migrate groups.

Computer Migration Wizard; admt computer; Group Account Migration Wizard; admt group

See "Migrate User Accounts" in the ADMT Migration Guide (http://go.microsoft.com/fwlink/?LinkId=93678).

Translate security on servers to add the SIDs of the user and group accounts in the target domain to the access control lists (ACLs) of the resources. You can use either the Security Translation Wizard or the admt security command-line tool.

Security Translation Wizard; admt security

See "Translate Security in Add Mode" in the ADMT v3.1 Migration Guide (http://go.microsoft.com/fwlink/?LinkId=93678).

Repeat a migration of user accounts, workstation computers, and member servers, including translating local user profiles to user and computer objects that you migrated earlier.

Computer Migration Wizard; admt computer; User Account Migration Wizard; admt user; Security Translation Wizard; admt security

See "Migration of Workstations and Member Servers" in the ADMT Migration Guide (http://go.microsoft.com/fwlink/?LinkId=93678).

Migrate domain local groups using either the Group Account Migration Wizard or the admt group command-line tool.

Group Account Migration Wizard; admt group

See "Migrating Domain and Shared Local Groups" in the ADMT Migration Guide (http://go.microsoft.com/fwlink/?LinkId=93678).

Migrate domain controllers.

See "Migration of Domain Controllers" in the ADMT Migration Guide (http://go.microsoft.com/fwlink/?LinkId=93678).

Complete post-migration tasks. This step has the following subtasks:

  • Translate security on member servers.

  • Decommission the source domains.

In the ADMT Migration Guide (http://go.microsoft.com/fwlink/?LinkId=93678), see the following topics:

  • "Translating Security on Your Member Servers"

  • "Decommissioning the Source Domain"