Admin Tip #124: Active Directory Migration Tool (ADMT)
In many cases, if there is a problem you can use the rollback feature to automatically restore previous structures. The tool also provides support for parallel domains, so you can maintain your existing Microsoft Windows NT 4.0 operating system domains while you deploy the Microsoft Windows 2000 operating system.
ADMT provides an effective tool that simplifies the process of migrating users, computers, and groups to new domains. At the same time, ADMT is designed to be flexible so that each organization can use it to implement a migration process that is adapted to its needs. This powerful tool lets you accomplish the following:
ADMT features let you manage domain migration efficiently and fine-tune the results to suit your requirements.
No need to manually load software onto all those computers. When using ADMT to migrate users and groups, you install the ADMT tool, typically in the target domain into which security principals or resources are being migrated. Beyond that, ADMT requires no additional software installation on the computers in the source domain from which security principals or resources are being migrated. When migrating computers or translating security on resources, ADMT automatically installs services (called agents) on the source computers. This means you do not need to manually load software onto each source computer to perform the migration. Once the agent's task is completed, it uninstalls itself.
Wizards make it easy. ADMT lets you use a series of wizards, including the User Migration wizard, Computer Migration wizard, Group Migration wizard, Service Account Migration wizard, Trust Migration wizard, and Reporting wizard to simplify various parts of the migration process.
Select the appropriate options among the many provided by the various wizards when performing a migration. For example, you can choose to copy user rights assigned in the source domain to the target domain; you can copy groups along with their members to the target domain; you can leave user accounts active in both the source and target domains; you can copy roaming profiles to the target domain for selected user accounts; and so on.
Restructure groups. Optionally, before migrating groups you can run the Group Mapping and Merging Wizard to map a group in the source domain to a new or existing group in the target domain. This mapping ensures that, when the group's members are migrated from the source domain into the target domain, group memberships will reflect the mapping. You can also merge multiple groups into one group.
Trial run. By selecting the Test the migration settings and migrate later option, you can run a wizard without actually making any changes in your network. Review the log files and reports generated by the wizards to identify and troubleshoot any potential problems before performing the actual migration.
Undo. You can undo the most recently performed user, group, or computer migration.
Users maintain access to resources. During user and group migration, ADMT lets users retain their premigration access to resources such as files, shares, and applications through its sIDHistory feature or by updating those resources to refer to the migrated user. This capability keeps your security structure (the granting and denying of access to resources) intact but conveniently brings it into the new domain.
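An added example (not part of the original tip and not ADMT code): a small Python audit that reads an LDIF export of the target domain and lists which migrated objects still carry source-domain SIDs in sIDHistory, grouped by source domain. The domain SIDs, object names and RIDs are constructed, and the export is assumed to hold sIDHistory as base64 values.

```python
import base64
import struct
from collections import defaultdict

def decode_sid(raw: bytes) -> str:
    """Binary SID -> 'S-1-5-21-...' (authority big-endian, sub-authorities little-endian)."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(int.from_bytes(raw[2:8], "big")), *map(str, subs)])

def encode_sid(sid: str) -> bytes:
    """Inverse of decode_sid; used here only to build the constructed sample."""
    _, rev, auth, *subs = sid.split("-")
    subs = [int(s) for s in subs]
    return bytes([int(rev), len(subs)]) + int(auth).to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def parse_ldif(text: str):
    """Yield (dn, [sIDHistory SIDs]) per entry; '::' marks a base64 value."""
    for block in text.replace("\r\n", "\n").strip().split("\n\n"):
        dn, history = None, []
        for line in block.splitlines():
            key, _, value = line.partition(":: ")
            if line.startswith("dn: "):
                dn = line[4:]
            elif key == "sIDHistory":
                history.append(decode_sid(base64.b64decode(value)))
        yield dn, history

def history_by_source_domain(text: str) -> dict:
    """Map each source-domain SID to the (dn, old SID) pairs still carrying it."""
    report = defaultdict(list)
    for dn, history in parse_ldif(text):
        for old in history:
            report[old.rsplit("-", 1)[0]].append((dn, old))  # strip the RID
    return dict(report)

# Constructed sample: hypothetical domain SIDs, names and RIDs.
SRC, TGT = "S-1-5-21-1111111111-2222222222-3333333333", "S-1-5-21-4000000000-1000000000-2000000000"

def sample_entry(cn, rid, old_rid=None):
    b64 = lambda s: base64.b64encode(encode_sid(s)).decode()
    lines = [f"dn: CN={cn},OU=Migrated,DC=target,DC=example", f"objectSid:: {b64(f'{TGT}-{rid}')}"]
    if old_rid is not None:
        lines.append(f"sIDHistory:: {b64(f'{SRC}-{old_rid}')}")
    return "\n".join(lines)

SAMPLE_LDIF = "\n\n".join([sample_entry("Alice", 1105, 1001), sample_entry("Bob", 1106), sample_entry("Sales", 1107, 1050)])

if __name__ == "__main__":
    for domain, items in history_by_source_domain(SAMPLE_LDIF).items():
        print(domain, items)
```

Objects absent from the report, such as the constructed "Bob" entry, carry no sIDHistory; those listed still hold a SID from the source domain.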
Users retain access to Exchange resources. If you need to update security permissions on Exchange mailboxes to reflect the migration, ADMT can also handle that.
Service accounts migrate too. ADMT also migrates service accounts. Many applications, such as Microsoft Exchange, use service accounts to run services with the same set of credentials on several network computers.
Putting objects into OUs. In addition to consolidating Windows NT resource domains into Active Directory OUs, ADMT also lets you migrate selected users, groups, or computers to OUs in the target domain. Then, you can use Windows 2000 features to manage these OUs; for example, you can establish group policy configuration settings for a group of computers collected in a given OU.
Handling trust relationships. A trust relationship connects two domains and lets users in the trusted domain access resources in the trusting domain. To maintain resource access during migration, the same trust relationships must be established in the target domain as exist in the source domain. The Trust Migration wizard does this for you: it compares the trust relationships in the source domain to the trust relationships in the target domain, and then creates in the target domain any trust relationships that exist in the source domain.
Making use of the new universal group scope. In intra-forest migration (that is, when performing a migration between Windows 2000 domains in the same forest), when global groups are migrated from a native-mode source domain, the groups are created as universal groups in the target domain so that they can contain members from the source domain that have not yet been migrated. Global groups can contain only members from their own domain; universal groups can have members from any Windows 2000 domain in the forest.
ADMT System Requirements
Target domain. For target domains, ADMT can run on any computer capable of running the Windows 2000 Server operating system.
Source domain. The source domain must be running either Windows 2000 or Windows NT 4.0.
The primary domain controller (PDC) of a Windows NT 4.0 source domain must have SP4 or higher installed. The ADMT agent (installed by ADMT on the source computers) can operate on computers running Windows NT 3.51 (with SP5); Windows NT 4.0 (with SP4 or higher); or Windows 2000.
To download: Windows 2000 Active Directory Migration Tool
Related tips:
Almost all the samples in the book are shown using VBScript, in addition to VB and C++. Chapter 10, "Active Directory Administration using Windows Script" has many examples of administration tasks. It also provides information on how to use WSH to automatically load the ActiveDS type library, and thus avoid having to do a bunch of CONST statements in VBScript.