Migrating Domain Objects
In today's business world, companies grow, reorganize, and merge with other companies. Active Directory is designed to accommodate this dynamic environment by allowing user, group, and computer accounts to be moved between domains in the same forest and in different forests. You can't simply delete an account in one domain and re-create it in another without losing the original account's security identifiers (SIDs), however. For this purpose, Windows provides the Active Directory Migration Tool so that administrators can migrate Active Directory objects without losing their security assignments.
Using the Active Directory Migration Tool

The Active Directory Migration Tool (ADMT) allows moving objects and restructuring Active Directory without users losing access to network resources. ADMT has three main types of migration:
Intraforest migration —Moving objects between domains in the same forest. The domain from which objects are moved is the source domain, and the domain to which they're being moved is the target domain. Intraforest migration is often done when a company reorganizes, causing users to change their primary domain memberships, or when several domains are consolidated into fewer domains. After an intraforest migration, objects that were moved no longer exist in the original domain.

Interforest migration —Moving objects between domains in different forests. Interforest migration might be indicated when companies merge or a company breaks up into multiple divisions. Migrated objects are actually copied and exist in both domains simultaneously so that users can continue working while the migration is in progress. You can also roll back the migration, if necessary, with little effort.

Migration of an NT 4.0 domain to an Active Directory domain —Migrating Windows NT 4.0 domains to Windows Server 2008 domains isn't supported. However, you can migrate NT 4.0 domains to Windows 2000 Server or Windows Server 2003 domains.
ADMT isn't included in Windows Server 2008, but you can get it from the Microsoft download Web site. ADMT 3.1 is the required version for Windows Server 2008. ADMT can be run in wizard mode, from a command line, or from a script.
Active Directory migration is a complex procedure. Before attempting a migration, you should review the Active Directory Migration guide thoroughly (a document weighing in at more than 200 pages), which is available on the Microsoft Web site. The following list explains some terms used for migration planning and implementation:
SID history —When an account is migrated to another domain, it's assigned a new SID. As you learned in Chapter 4, the SID is used to assign an object rights and permissions to resources and to determine group membership. If an object's SID changes, the object loses resource access as well as group memberships. When an object is migrated to another domain, its SID from the source domain is copied to the object's sIDHistory attribute in the target domain. When a user logs on to the new domain, the SID in sIDHistory is used along with the new SID for determining the object's rights and permissions. Because most permissions are assigned via global group memberships, global groups must be migrated before user accounts. Group objects also maintain SID history.

Security translation —In this process, ADMT examines every resource's ACL for an occurrence of the migrated account's SID in the source domain and changes it to the account's SID in the target domain. In a large network with many resources and objects being migrated, this process can be extensive. Most migrations use SID history to maintain user access to resources during migration, and then perform security translation after the migration is finished.

Password Export Server (PES) —PES, a separate program, is used to migrate passwords during an interforest migration. It must be installed on a domain controller in the source domain.
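The two mechanisms just described leave traces an administrator should check once a migration is finished: accounts still carrying source-domain SIDs in sIDHistory, and resource ACLs that security translation has not yet rewritten. The following PowerShell audit is an added example, not part of the textbook or of ADMT; it assumes the RSAT ActiveDirectory module on the target domain, and the source domain's SID and the share path are values you supply (the path shown is a constructed placeholder).

```powershell
# Added example: post-migration audit for a target domain (not ADMT code).
# Run on a machine joined to the target domain with RSAT installed.
param(
    # Domain SID of the source domain, e.g. (Get-ADDomain src.example.com).DomainSID.Value
    [Parameter(Mandatory)] [string] $SourceDomainSid,
    # Folder roots whose ACLs should be checked for untranslated source-domain SIDs
    [string[]] $ResourcePaths = @('\\fileserver\data')   # constructed placeholder path
)
Import-Module ActiveDirectory

# 1. Objects (users and groups) that still rely on SID history.
#    sIDHistory holds the source-domain SID(s) ADMT copied into the target object.
$withHistory = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectClass |
    ForEach-Object {
        foreach ($sid in $_.sIDHistory) {
            [pscustomobject]@{
                Name       = $_.Name
                Class      = $_.objectClass
                OldSid     = $sid.Value
                # Flags SIDs that do not belong to the expected source domain for review
                FromSource = $sid.Value.StartsWith("$SourceDomainSid-")
            }
        }
    }
$withHistory | Format-Table -AutoSize

# 2. ACEs on the resources that still name a source-domain SID.
#    After security translation these should have been rewritten to target-domain SIDs.
$untranslated = foreach ($root in $ResourcePaths) {
    Get-ChildItem -Path $root -Recurse -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName
            foreach ($ace in $acl.Access) {
                try {
                    # Unresolvable (orphaned) references are already SIDs; names are translated
                    $sid = $ace.IdentityReference.Translate(
                        [System.Security.Principal.SecurityIdentifier])
                } catch { continue }
                # AccountDomainSid is null for well-known SIDs such as Everyone (S-1-1-0)
                if ($sid.AccountDomainSid -and $sid.AccountDomainSid.Value -eq $SourceDomainSid) {
                    [pscustomobject]@{ Path = $_.FullName; Sid = $sid.Value
                                       Rights = $ace.FileSystemRights }
                }
            }
        }
}
$untranslated | Format-Table -AutoSize
```

Objects listed in the first table can be cleaned of SID history only after every ACE in the second table has been translated, otherwise those users lose access.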