Product Reviews

Microsoft's Free AD Migration Tool Shines

While commercial products boast bells and whistles, Microsoft's free tool gets the job done.

Though free, Microsoft's Active Directory Migration Tool (ADMT) offers most of the features found in commercial tools. It's fairly simple to use, and its installation is based on an MSI that's located on the Windows Server installation CD. Operating ADMT basically consists of right-clicking Active Directory Migration Tool to open the context menu and selecting the appropriate wizard.

ADMT wizards support account, group, computer and service account migrations, group remappings, security translations and more.

The operation of the wizards is straightforward. Identify the source and target domains, the objects to migrate, the container to migrate them to, and how to perform the migration. ADMT supports both reporting and test migrations. It also migrates users through global groups, making the migration simpler if your source groups are well organized. ADMT's reporting tools provide comprehensive information on source domain objects, letting you clearly identify which objects to filter before going ahead with the migration.

ADMT supports SID history migrations, but only through the use of a Password Export Server (PES), the same server required for both Quest Migrator and BindView's bv-Admin for Windows products. The PES is installed on a domain controller in the legacy network. It's best to use a dedicated server for this operation since it's resource intensive. Therefore, you should stage a new DC and dedicate it to this task. A PES is also required to support password migration.

Microsoft's ADMT
ADMT offers most of the functions of commercial tools when it comes to security principal migrations.

For the PES to work, your network needs to meet the following conditions:

  • Auditing must be enabled on the source and target domains. If it isn't, ADMT will offer to turn it on during the migration.
  • Your target domain must be in Native mode.
  • You must activate legacy access in the target domain by inserting the Everyone group into the Pre-Windows 2000 Compatible Access group. You'll have to remember to turn it off once the migration is complete.
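
The last condition is the one most likely to be left in place after the project ends. The following post-migration check is an added example, not part of ADMT or the original review. It assumes the ActiveDirectory PowerShell module on a machine joined to the target domain; the function name `Find-LegacyAccessMember` and the sample distinguished names are constructed for illustration, and the Anonymous Logon entry goes beyond what the review mentions.

```powershell
# Added example: report broad principals left in "Pre-Windows 2000 Compatible Access".
# The group is addressed by its well-known SID (S-1-5-32-554) so the check does not
# depend on a localized group name.
$BroadSids = @{
    'S-1-1-0' = 'Everyone'          # the principal ADMT's legacy-access step adds
    'S-1-5-7' = 'Anonymous Logon'   # assumption: also worth flagging, not named on the page
}

function Find-LegacyAccessMember {
    param([string[]]$MemberDn)
    foreach ($dn in $MemberDn) {
        # Well-known principals are stored as CN=<SID>,CN=ForeignSecurityPrincipals,<domain>
        if ($dn -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,') {
            $sid = $Matches[1]
            if ($BroadSids.ContainsKey($sid)) {
                [pscustomobject]@{
                    Sid               = $sid
                    Name              = $BroadSids[$sid]
                    DistinguishedName = $dn
                }
            }
        }
    }
}

# Constructed sample membership, used when no domain is reachable.
$members = @(
    'CN=S-1-1-0,CN=ForeignSecurityPrincipals,DC=target,DC=example'
    'CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=target,DC=example'
)

try {
    Import-Module ActiveDirectory -ErrorAction Stop
    $group   = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member -ErrorAction Stop
    $members = @($group.member)
} catch {
    Write-Warning 'No domain query possible; evaluating the constructed sample instead.'
}

$findings = @(Find-LegacyAccessMember -MemberDn $members)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Legacy access is still enabled in the target domain.'
} else {
    Write-Output 'Everyone is not a member of Pre-Windows 2000 Compatible Access.'
}
```

With the constructed sample, the check reports the Everyone entry and ignores S-1-5-11 (Authenticated Users).
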

In addition, ADMT version 2 supports scripting, letting you script migration operations to have them run during off hours. As far as security principal migrations are concerned, ADMT is pretty much as powerful as most commercial tools. Its interface is fairly intuitive, since the migration wizards are listed in the context menu in the order you would perform them. For many environments, ADMT can simply get the job done.

About the Author

Danielle Ruest and Nelson Ruest, both Microsoft MVPs, are IT professionals focused on technologies futures. They are authors of multiple books, including "Microsoft Windows Server 2008: The Complete Reference" (McGraw-Hill Osborne Media, 2008), which focuses on building virtual workloads with Microsoft's new OS.
