Microsoft KB Archive/325851

= How To Set Up ADMT for a Windows NT 4.0-to-Windows Server 2003 Migration =

PSS ID Number: 325851

Article Last Modified on 6/29/2004

-

The information in this article applies to:


 * Microsoft Windows Server 2003, Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, 64-Bit Enterprise Edition
 * Microsoft Windows NT 4.0

-



This article was previously published under Q325851



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

IN THIS TASK

 * SUMMARY
 * ** How to Set Up ADMT for a Windows NT 4.0 to Windows Server 2003 Migration
 * *** Trusts
 * Groups
 * Auditing
 * Registry
 * Administrative Shares
 * User Rights
 * REFERENCES



SUMMARY
This article describes how to set up the Active Directory Migration Tool (ADMT) to perform a migration from a Windows NT 4.0-based domain to a Windows Server 2003-based domain.

You can use the ADMT to migrate users, groups, and computers from one domain to another, and to analyze the migration impact before and after the actual migration process. ADMT can install and run from any uplevel member of either the source or target domain (Windows 2000, Windows Server 2003, or Microsoft Windows XP). However, the simplest configuration is to install and run ADMT on a domain controller in the target forest.

back to the top

How to Set Up ADMT for a Windows NT 4.0-to-Windows Server 2003 Migration
Before you upgrade a Windows NT 4.0 domain to a Windows Server 2003-based domain, the following domain and security configurations are required.

NOTE: This article assumes that the source domain is running Windows NT 4.0 Service Pack 4 (SP4) or later, and that the target domain is a Windows Server 2003-based domain in native mode.

Trusts

 * 1) Configure the source domain to trust the target domain.
 * 2) Configure the target domain to trust the source domain.

back to the top

Groups

 * 1) Add the Domain Admins global group from the source domain to the Administrators local group in the target domain.
 * 2) Add the Domain Admins global group from the target domain to the Administrators local group in the source domain.
 * 3) Create a new local group in the source domain called  $$$.

NOTE: There must be no members in this group.

back to the top

Auditing

 * 1) Enable auditing for the success and failure of user and group management on the source domain.
 * 2) Enable auditing for the success and failure of Audit account management on the target domain in the Default Domain Controllers policy.

back to the top

Registry
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

On the PDC in the source domain, add the TcpipClientSupport:REG_DWORD:0x1 value to the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

back to the top

Administrative Shares
Administrative shares must exist on the domain controller in the target domain on which you run ADMT, and on any computers on which an agent must be dispatched.

back to the top

User Rights
You must log on to the computer on which you run ADMT with an account that has the following permissions:
 * Domain Administrator rights in the target domain.
 * A member of the Administrators group in the source domain.
 * Administrator rights on each computer that you migrate.
 * Administrator rights on each computer on which you translate security.

You will have the appropriate rights when you log on to the PDC that is the FSMO role holder in the target domain with the \Administrator account, assuming that the  \Domain Administrators group is a member of the Administrators group on each computer.

back to the top

