Reducing the number of Active Directory domains in your forest simplifies the following tasks or reduces the time required to complete them:

If you frequently reassign users to different domains, you might also migrate objects between domains on a regular basis. Restructuring Active Directory domains within a forest differs from migration between forests, and it requires careful planning and testing.

Note

This checklist summarizes the migration process and the tasks that you can use Active Directory Migration Tool (ADMT) to perform to complete your migration project. For detailed information about this process, see the ADMT Migration Guide (http://go.microsoft.com/fwlink/?LinkId=93678).

Task Reference

Review ADMT preinstallation instructions.

Before You Use ADMT v3.2

To migrate computers running Windows 2000, Windows XP, and Windows Server 2003 to a target domain with domain controllers running Windows Server 2008 or Windows Server 2008 R2, first set the following registry key on the target domain controllers:

Registry path: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters

Registry value: AllowNT4Crypto

Type: REG_DWORD

Data: 1

Note

If you are running Group Policy with target Windows Server 2008 or Windows Server 2008 R2 domain controllers, make this change using Group Policy administration. This registry setting corresponds to the Allow cryptography algorithms compatible with Windows NT 4.0 setting in Group Policy.

For more information about making this change using Group Policy, see Known Issues for Installing and Removing AD DS (http://go.microsoft.com/fwlink/?LinkId=119321).

For any migration tasks that use agent deployment and where Windows Firewall is in use, enable the File and Printer Sharing exception. This can include migration for the following situations:

  • Migrating workstation computers and member servers that are running Windows Vista®, Windows 7, Windows Server 2008, or Windows Server 2008 R2

  • Migrating security settings or performing security translation

For more information, see Enable or Disable the File and Printer Sharing Firewall Rule (http://go.microsoft.com/fwlink/?LinkID=119315).

Prepare to restructure Active Directory domains within a forest. This process has the following subtasks:

  • Evaluate the new Active Directory domain structure.

  • Assign domain object roles and locations.

  • Plan for group and text migration.

  • Create a rollback plan and a user communication plan.

  • Create migration account groups.

  • Install ADMT.

  • Plan to transition service accounts.

Install ADMT v3.2

See "Preparing to Restructure Active Directory Domains Within a Forest" in the ADMT Migration Guide (http://go.microsoft.com/fwlink/?LinkId=93678).

Migrate universal and global groups using either the Group Account Migration Wizard or the admt group command-line tool.

Group Account Migration Wizard; admt group

See "Migrate Groups" in the ADMT Migration Guide (http://go.microsoft.com/fwlink/?LinkId=93678).

Migrate service accounts using either the Service Account Migration Wizard or ADMT command-line tools, such as admt service to identify service accounts in the source domain and admt user to migrate service accounts that you specify.

Service Account Migration Wizard; admt service; admt user

See "Migrate Service Accounts" in the ADMT Migration Guide (http://go.microsoft.com/fwlink/?LinkId=93678).

Migrate user accounts using either the User Account Migration Wizard or the admt user command-line tool.

User Account Migration Wizard; admt user

See "Migrate User Accounts" in the ADMT Migration Guide (http://go.microsoft.com/fwlink/?LinkId=93678).

Translate local user profiles using either the Security Translation Wizard or the admt security command-line tool.

Security Translation Wizard; admt security

See "Translate Local User Profiles" in the ADMT Migration Guide (http://go.microsoft.com/fwlink/?LinkId=93678).

Migrate workstation computers and member servers using either the Computer Migration Wizard or the admt computer command-line tool.

Computer Migration Wizard; admt computer

See "Migrate Workstations and Member Servers" in the ADMT Migration Guide (http://go.microsoft.com/fwlink/?LinkId=93678).

Migrate domain local groups using either the Group Account Migration Wizard or the admt group command-line tool.

Group Account Migration Wizard; admt group

See "Migrate Domain Local Groups" in the ADMT Migration Guide (http://go.microsoft.com/fwlink/?LinkId=93678).

Complete post-migration tasks. This step has the following subtasks:

  • Examine migration logs for errors.

  • Verify group types.

  • Translate security on member servers.

  • Decommission the source domains.

In the ADMT Migration Guide (http://go.microsoft.com/fwlink/?LinkId=93678), see the following topics:

  • "Examine Migration Logs for Errors"

  • "Verify Group Types"

  • "Translate Security on Member Servers"

  • "Decommission the Source Domain"