ADMT (Active Directory Migration Tool) Domain Migration – Part 4

KB ID 0001308 

Problem

On the homeward stretch now, back in Part Three, we migrated service accounts, groups, and users. Now we turn our attention to our machines.

Note: ADMT 3.2 only supports the migration of operating systems up to Windows 7 (that doesn’t mean Windows 8 and Windows 10 won’t work, it just means they are not supported). Migrating Windows 8 and 10 throws a lot of security translation errors because of the way they treat ‘Apps’, so I’d recommend you do a LOT of testing before carrying out a live migration.

Solution

ADMT Computer Security Translation

Migrating computers is a two-step procedure: you do a security translation on a machine, then you migrate the machine. The security translation gives the user(s) in newdomain.com the same security on all the objects (files, folders, user profiles, registry hives, etc.) that their user account in olddomain.com had. Like the service account migration (above), the plan is to get everything ready to ‘work’ before the machine is migrated.

Real World Note: This can take a while, (up to an hour for some machines,) and it’s best done without anyone being logged in (to prevent any profiles, or registry hives being locked). So take time to plan when this is done – rush it and you will have problems, and the very users who are too busy to be interrupted, are the very ones that shout the loudest if there’s a problem post migration. I would (if possible) have a stock of prebuilt machines on the new domain in case there’s any migration dramas, at least then you can get people working quickly.

ADMT Security Translation

This should be getting familiar by now, accept the defaults.

ADMT Migration Local Profiles

Select your computer(s) > Select all the options > SELECT ADD > Finish.

Security Translation

Agent Note: You are about to deploy the ADMT agent, make sure you have followed part one and part two. This process will be familiar if you carried out the service translation wizard earlier.

ADMT Agent Location

Run the pre check, and agent deploy.

ADMT Migration Local Profiles

What you will find after translation is that all the profiles, files, etc. have the new domain users added alongside the old ones, with the same rights.

ADMT Rights Added to Folders
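One way to check that result before you migrate the machine, as an added example (not part of the original article or of ADMT): the script below walks a folder tree and reports any explicit old-domain ACE that has no matching new-domain ACE with the same rights. OLDDOMAIN and NEWDOMAIN are placeholder NetBIOS names, Test-TranslatedAcl is a hypothetical helper, and it assumes account names are identical in both domains.

```powershell
# Added example: audit NTFS ACLs after an ADMT security translation in 'Add' mode.
# Assumptions: OLDDOMAIN / NEWDOMAIN are placeholders, account names match across domains.
param(
    [Parameter(Mandatory)][string]$Path,
    [string]$OldDomain = 'OLDDOMAIN',
    [string]$NewDomain = 'NEWDOMAIN'
)

function Test-TranslatedAcl {
    param([string]$ItemPath, [string]$OldDomain, [string]$NewDomain)

    $acl  = Get-Acl -LiteralPath $ItemPath -ErrorAction Stop
    # Explicit ACEs only; inherited ones are covered when the parent is checked.
    $aces = @($acl.Access | Where-Object { -not $_.IsInherited })

    foreach ($old in $aces | Where-Object { $_.IdentityReference.Value -like "$OldDomain\*" }) {
        $name  = ($old.IdentityReference.Value -split '\\', 2)[1]
        # A translated entry is a new-domain ACE for the same account name with
        # identical rights, allow/deny type and inheritance settings.
        # An ACE whose SID cannot be resolved to a name shows as a raw SID and
        # will be reported as not translated.
        $match = $aces | Where-Object {
            $_.IdentityReference.Value -eq "$NewDomain\$name" -and
            $_.FileSystemRights  -eq $old.FileSystemRights -and
            $_.AccessControlType -eq $old.AccessControlType -and
            $_.InheritanceFlags  -eq $old.InheritanceFlags
        }
        [pscustomobject]@{
            Path       = $ItemPath
            OldAccount = $old.IdentityReference.Value
            Rights     = $old.FileSystemRights
            Type       = $old.AccessControlType
            Translated = [bool]$match
        }
    }
}

$items = @(Get-Item -LiteralPath $Path) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

$results = foreach ($i in $items) {
    try   { Test-TranslatedAcl -ItemPath $i.FullName -OldDomain $OldDomain -NewDomain $NewDomain }
    catch { Write-Warning "Could not read ACL on $($i.FullName): $($_.Exception.Message)" }
}

# Anything listed here still only grants access to the old-domain account.
$results | Where-Object { -not $_.Translated } | Format-Table -AutoSize
```

An empty table means every explicit old-domain entry under the path has a new-domain twin; it does not check ownership or registry permissions.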

ADMT Computer Migration

Now finally to migrate the machines, ADMT > Computer Migration Wizard.

ADMT Computer Migration

Select the computers.

Computer Migration Wizard

Select the Target OU > Tick everything > Add > Select the amount of time to wait before rebooting the machine into the new domain.

Hang about, haven’t we done some of this? Yes, but because you have done the security translation already, it can see the ACLs exist as it goes through and skips creating them.

ADMT Reboot after migration

As usual I’m not filtering any attributes > I’ll quit if there’s a conflict > Migration should then complete.

Migrating computers with ADMT

Can I migrate Servers With ADMT?

Yes, but you need to have a good think about doing so first. For simple file and print servers that should be OK (obviously back them up first, etc.). DON’T try and do this with an Exchange server, or any other server that relies on Active Directory for its very existence! And wherever possible, if you can create clean new servers and migrate your data into them, do so!

 

What about Microsoft Exchange and User Mailboxes?

I mentioned Exchange briefly on the user migration. Exchange migrations between domains are possible; depending on your setup, it may be easier to export all the mail from the old system and import it into the new one (use the search bar above, I’ve already written a load of stuff about doing this). In the not too distant future I’ll cover Exchange Inter Organisation Mail migrations.

Readers Note:

As with all the articles here, please provide feedback below, if one thing you have found can save another reader sweat and toil, then that’s the very reason for this site! If you have been with this since part one thanks for staying till the end (PL).


Author: PeteLong


21 Comments

  1. These instructions were spot on. I appreciate all the help, advice and experience you provided. I owe you big time.

  2. Amazing article, one of the best I have ever seen.

  3. Yes, with the exception of a few little things, like stating which server to run the ADMT on and ensuring that you start the ADMT with the account that you defined security for (admtadmin), this is absolutely perfect! One of the best, if not the best, help pages I’ve ever run across.

  4. this is the excellent SOP, well step by step explanation..

    Thanks a lot…

  5. Thank you for article, and I want to ask you.

    What if there is a Microsoft exchange in an existing environment? Is there an impact on the Microsoft Exchange server by using a new domain controller?

    • Great Question! Look at my Cross forest Exchange Article.

      • Can you show me link to your article?

        • If you can’t find the search function, then perhaps a cross forest Exchange and Domain migration might be better outsourced?

  6. Has anyone found a reliable method of migrating the Win10 machines and their associated user profiles? We have a forest migration next weekend and only now am discovering that the ADMT 3.2 tool may not play nicely with those clients. I asked for more testing time early on but the bosses want this done sooner than later. :>(

    I have looked at the ForensIT Profile Migration Wizard tool but am unsure where in the ADMT process I would invoke that. I don’t have very many Win10 clients (maybe 10), but they mostly exist within our upper management sections so I do not want to have too many problems with them if I can avoid it. :>)

    Thanks,
    Mike

  7. This is the first ever article I have seen which has human touch, experiences, expectation. Most of the article has robotic flavour where we just read, this is the first one where I felt the article.

    • Thanks for the feedback 🙂

  8. We are re-structuring the Domain, from Single Forest, 1 Tree Domain to Single Forest, Multi-Tree Domain. Several OUs will be represented by different Domains in the new structure. Can a single ADMT server do the job or we need an ADMT server for each Tree.

    Also, is there a way to sync User migration so it performs 2-3 times a day for new users or users who changed their password; until the migration is complete.

    • I’d do the migrations one domain at a time, and to sync things Microsoft do an Identification services sync tool that lets you do full and delta syncs. I’ve only used it once, so I’m not an expert.

  9. Thank you soo much for this write up! Spot on and works great!
    You saved me a lot!

  10. Great write up.
    Please can you advise though at what point and tool would be a good idea in today’s world to do the local user profiles on the Windows 7, 8 and 10 machines.
    This all seems to be directory based….. or am I being a thicko?

    Thanks

    R

    • This is an old article – If I were migrating profiles these days I’d use a third party tool

  11. A question, if I disable the migrated source account will the migrated account in the target domain still work with SID history for resources in the source domain?

    • I believe so yes, it will be easy to test though.

