Microsoft's Free AD Migration Tool Shines
While commercial products boast bells and whistles, Microsoft's free tool gets the job done.
Though free, Microsoft's Active Directory Migration Tool (ADMT) offers
most of the features found in commercial tools. It's fairly simple to
use, and its installation is based on an MSI that's located on the Windows
Server installation CD. Operating ADMT basically consists of right-clicking
Active Directory Migration Tool and selecting the appropriate wizard from
the context menu.
ADMT wizards support account, group, computer and service account migrations,
group remappings, security translations and more.
The operation of the wizards is straightforward. Identify the source
and target domains, the objects to migrate, the container to migrate them
to, and how to perform the migration. ADMT supports both reporting and
test migrations. It also migrates users through global groups, making
the migration simpler if your source groups are well organized. ADMT's
reporting tools provide comprehensive information on source domain objects,
letting you clearly identify which objects to filter before going ahead
with the migration.
ADMT supports SID history migrations, but only through the use of a Password
Export Server (PES), the same server required for both Quest Migrator
and BindView's bv-Admin for Windows products. The PES is installed on
a domain controller in the legacy network. It's best to use a dedicated
server for this operation since it's resource intensive. Therefore, you
should stage a new DC and dedicate it to this task. A PES is also required
to support password migration.
Figure: ADMT offers most of the functions of commercial tools
when it comes to security principal migrations.
For the PES to work, your network needs to meet the following conditions:
- Auditing must be enabled on the source and target domains. If it isn't,
ADMT will offer to turn it on during the migration.
- Your target domain must be in Native mode.
- You must activate legacy access in the target domain by inserting
the Everyone group into the Pre-Windows 2000 Compatible Access group.
You'll have to remember to turn it off once the migration is complete.
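
A post-migration check for the last condition, as an added example that is not from the article or from Microsoft: it confirms that Everyone is no longer a member of the Pre-Windows 2000 Compatible Access group in the target domain. It assumes the ActiveDirectory PowerShell module is available; the function name `Test-LegacyAccessRemoved` and the server name in the usage comment are hypothetical.

```powershell
# Added example: verify that legacy access has been turned off after the migration.
# Assumes the ActiveDirectory module (RSAT) and read access to the target domain.
Import-Module ActiveDirectory

function Test-LegacyAccessRemoved {
    param(
        # Hypothetical parameter: DNS name of the target domain or of a DC in it.
        [Parameter(Mandatory)] [string] $Server
    )

    # Well-known SIDs, identical in every domain.
    $groupSid    = 'S-1-5-32-554'   # BUILTIN\Pre-Windows 2000 Compatible Access
    $everyoneSid = 'S-1-1-0'        # Everyone

    $group = Get-ADGroup -Identity $groupSid -Server $Server -Properties member

    # Well-known principals are stored as foreignSecurityPrincipal objects whose
    # CN is the SID: CN=S-1-1-0,CN=ForeignSecurityPrincipals,DC=...
    $everyonePattern = "CN=$everyoneSid,CN=ForeignSecurityPrincipals,*"

    $members = foreach ($dn in $group.member) {
        [pscustomobject]@{
            DN         = $dn
            IsEveryone = ($dn -like $everyonePattern)
        }
    }

    # Return the full member list so the remaining entries can be reviewed too.
    [pscustomobject]@{
        Group               = $group.DistinguishedName
        Members             = @($members)
        LegacyAccessRemoved = -not (@($members).IsEveryone -contains $true)
    }
}

# Usage (constructed server name), suitable for a scheduled task that fails loudly:
#   $result = Test-LegacyAccessRemoved -Server 'target.example.com'
#   $result.Members | Format-Table -AutoSize
#   if (-not $result.LegacyAccessRemoved) { exit 1 }
```
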
In addition, ADMT version 2 supports scripting, letting you script migration
operations to have them run during off hours. As far as security principal
migrations are concerned, ADMT is pretty much as powerful as most commercial
tools. Its interface is fairly intuitive, since the wizards provided for
migration are listed in the order you would perform them in the context
menu. For many environments, ADMT can simply get the job done.
About the Author
Danielle Ruest and Nelson Ruest, both Microsoft MVPs, are IT professionals focused on technologies futures. They are authors of multiple books, including "Microsoft Windows Server 2008: The Complete Reference" (McGraw-Hill Osborne Media, 2008), which focuses on building virtual workloads with Microsoft's new OS.