Creates encryption keys that the Password Export Server (PES) service uses to migrate passwords when you perform an interforest migration.

Admt key is a command-line tool that is available in the Active Directory Migration Tool (ADMT). To run admt key, at the command prompt, type admt key with the appropriate parameters, and then press ENTER.

For examples of how to use this command, see Examples.

Syntax

admt key /option:create /sourcedomain:"<SourceDomain>" /keyfile:"<KeyFilePath>" [/keypassword:{"<Password>"|*}]

Parameters

/option:create
Specifies the creation of the encryption key.
/sourcedomain:"<SourceDomain>"
Specifies the name of the source domain in which to install the PES service. You can specify this parameter as either the Domain Name System (DNS) or NetBIOS name.
/keyfile:"<KeyFilePath>"
Specifies the path to the location to store the encryption key.
/keypassword:"<Password>"|*
Specifies an optional password for key encryption. To protect the shared key, type the password or an asterisk (*) at the command prompt. The asterisk causes ADMT to prompt you for a password that does not appear on the screen.

Remarks

You can install the PES service on any write-enabled domain controller in the source domain that supports 128-bit encryption. The PES service cannot be installed on read-only domain controllers (RODCs).

Although installing the PES service in the source domain requires an encryption key, you must create that key on the computer running ADMT in the target domain. When you create the encryption key in the target domain, save the key to removable media, and then store it in a secure location. After the migration is complete, reformat the disk.

Examples

The following example creates an encryption key for the Contoso.com domain and saves it to the encryption key file C:\temp\key.pes.

admt key /option:create /sourcedomain:"contoso.com" /keyfile:"C:\temp\key.pes"
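
The following PowerShell wrapper is an added example, not part of the original documentation or of ADMT. It applies the guidance in Remarks by refusing any key file path that is not on removable media, and it always passes /keypassword:* so that ADMT prompts for the password. It assumes admt.exe is on the PATH of the ADMT computer in the target domain; the function name, its parameters, and the E:\key.pes path are hypothetical.

```powershell
# Added example: wrapper around the documented "admt key" command.
# Hypothetical function; assumes admt.exe is on PATH on the ADMT computer.
function New-PesKeyOnRemovableMedia {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SourceDomain,  # DNS or NetBIOS name
        [Parameter(Mandatory)] [string] $KeyFilePath    # full path, e.g. E:\key.pes
    )

    # Require a full path with a drive letter so the target volume is unambiguous.
    $root = [System.IO.Path]::GetPathRoot($KeyFilePath)
    if (-not $root -or $root.Length -lt 2 -or $root[1] -ne ':') {
        throw "KeyFilePath must be a full path with a drive letter: $KeyFilePath"
    }

    # Refuse fixed and network drives: the key is meant to be stored on removable media.
    $drive = [System.IO.DriveInfo]::new($root)
    if ($drive.DriveType -ne [System.IO.DriveType]::Removable) {
        throw "Drive $root is '$($drive.DriveType)', not removable media."
    }
    if (-not $drive.IsReady) {
        throw "Drive $root is not ready."
    }

    # Wrapper policy (not ADMT behaviour): never write over an existing file.
    if (Test-Path -LiteralPath $KeyFilePath) {
        throw "A file already exists at $KeyFilePath."
    }

    # /keypassword:* makes ADMT prompt for the password, so the password is
    # never part of the command line, shell history, or process-creation logs.
    & admt key /option:create "/sourcedomain:$SourceDomain" "/keyfile:$KeyFilePath" '/keypassword:*'

    # Confirm the key file was actually written before reporting success.
    if (-not (Test-Path -LiteralPath $KeyFilePath)) {
        throw "admt key did not create $KeyFilePath."
    }
    Get-Item -LiteralPath $KeyFilePath
}

# Constructed sample values: source domain from the example above, E: as the removable drive.
New-PesKeyOnRemovableMedia -SourceDomain 'contoso.com' -KeyFilePath 'E:\key.pes'
```

Some external USB hard disks report themselves to Windows as fixed drives, so this check rejects them; use a device that reports as removable or adjust the check deliberately.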