SUMMARY

You can use the Active Directory Migration tool (ADMT) to migrate users, groups, and computers from one domain to another. This article describes how to set up ADMT to perform a migration from a Microsoft Windows NT 4.0-based domain to a Microsoft Windows 2000-based domain.

Notes

• You can also use the information in this article to set up ADMT to perform a migration from a Windows 2000-based domain to a Windows 2000-based domain in a separate forest.
• This article assumes that the source domain is running either Windows NT 4.0 Service Pack 6a or Windows 2000, and that the target domain is a Windows 2000-based domain in Native mode.

The Active Directory Migration Tool version 2 (ADMTv2) installs and runs correctly on any Windows 2000 Professional-based (or later) client or server computer. However, it is often best to install and run ADMTv2 on the console of a domain controller in the destination domain. The primary considerations when you decide which computer should host ADMTv2 are:

• Reliable RPC connectivity between the destination computer and the source domain or domains.
• No more than one instance of ADMT should be installed for the same migration project. The migration database (Protar.mdb) is not a replicated data store, so running ADMTv2 migration tasks from multiple nodes during the same project may result in invalid or inconsistent data when post-migration reports are generated.
• Certain migration tasks may require additional configuration to succeed.

To download ADMT version 2.0, visit the following Microsoft Web site:

Trusts

1. Configure the source domain to trust the target domain.
2. Configure the target domain to trust the source domain.

Groups

1. Add the Domain Admins global group from the source domain to the Administrators local group in the target domain.
2. Add the Domain Admins global group from the target domain to the Administrators local group in the source domain.
3. Create a new local group in the source domain called Source Domain$$$ (this group should have no members).

Auditing

1. Enable auditing for the success and failure of user and group management on the source domain.
2. Enable auditing for the success and failure of Audit account management on the target domain in the Default Domain Controllers policy.

Registry

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
On the primary domain controller (PDC) in the source domain, add the TcpipClientSupport:REG_DWORD:0x1 value under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA.

Notes

• You must restart the computer to apply this registry change.
• If you are performing a migration from a Windows 2000-based domain, add the registry entry to the domain controller in the source domain that hosts the PDC emulator operations master role. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

  234790 How to find servers that hold Flexible Single Master Operations roles

Administrative shares

Administrative shares must exist on the domain controller (DC) in the target domain on which you run ADMT, as well as on any computers on which an agent will be dispatched.

User rights

You must log on to the computer on which you run ADMT with an account that has the following rights:

• Domain Administrator rights in the target domain
• Is a member of the Administrators group in the source domain
• Administrator rights on each computer you migrate
• Administrator rights on each computer on which you translate security

Therefore, logging into the PDC that is the FSMO role holder in the target domain with the source domain\Administrator account suffices, assuming that the source domain\Domain Administrators group belongs to each computer's Administrators group.