ADMT is used to quickly move objects around in your forest. It is used during migrations or when you need to move users between domains during restructures or job changes. This video looks at how to install and use ADMT.
Installing ADMT
Before installing ADMT, it is worth downloading the ADMT guide (see link below). The guide will show you which installs are supported. If you download the latest version of ADMT or SQL Express, you may have install problems and need to implement a workaround. Reading this guide will tell you which combination of software will work.
http://www.microsoft.com/en-au/download/details.aspx?id=19188
Although possible, it is not recommended to install ADMT on a Domain Controller. The install itself may not work correctly and a workaround may need to be implemented in order to get ADMT to work correctly.
Inter-Forest Migration
This is when objects are being moved/copied between domains in different forests. The forests can be connected by any valid trust.
Intra-Forest Migration
This is when the objects are being moved/copied between domains that are in the same forest.
SID History
A SID is a unique number that every object in Active Directory has. When ADMT moves an object, it essentially creates a new object in the target domain with the same properties. When a user is moved or copied, the new user will have a different SID than the old user. Because the new user has a different SID, it will not be able to access any of the resources the old SID had access to. SID history allows the SIDs of the old user to be stored with the new user. This essentially allows the new user to access resources that were assigned using the old SIDs.
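An added example (not from the video or the ADMT guide): after a migration, this PowerShell lists every object in the target domain that carries SID history and counts the old SIDs per source domain, so they can be checked against the domains that were actually migrated. It assumes the ActiveDirectory module is installed and that the account running it can read the target domain.

```powershell
# Added example: inventory SID history in the target domain after a migration.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Users, groups and computers that carry at least one old SID.
$migrated = Get-ADObject -LDAPFilter '(sIDHistory=*)' `
    -Properties sIDHistory, objectSid, sAMAccountName

# One row per (object, old SID) pair; an object can hold several old SIDs.
$rows = foreach ($obj in $migrated) {
    foreach ($oldSid in $obj.sIDHistory) {
        # AccountDomainSid is $null for SIDs that are not domain account SIDs.
        $source = if ($oldSid.AccountDomainSid) {
            $oldSid.AccountDomainSid.Value
        } else {
            '(no domain part)'
        }
        [pscustomobject]@{
            Account         = $obj.sAMAccountName
            ObjectClass     = $obj.ObjectClass
            CurrentSid      = $obj.objectSid.Value
            OldSid          = $oldSid.Value
            SourceDomainSid = $source
        }
    }
}

# How many old SIDs came from each source domain.
$rows | Group-Object SourceDomainSid |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Full detail, ordered so each source domain's accounts sit together.
$rows | Sort-Object SourceDomainSid, Account | Format-Table -AutoSize
```

Compare each SourceDomainSid with the DomainSID value that Get-ADDomain reports for the source domain; old SIDs from a domain that was never migrated deserve review.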
Demonstration
In this demonstration ADMT 3.2 will be installed on Windows Server 2008 R2 with SQL Express 2008 SP1 providing the database support. We could not get SQL Express 2012 to work in this configuration and the ADMT guide recommended using SQL Express 2008 SP1. If you run a different version and have installation errors, search the Microsoft website for the error. This may give you a workaround to get that configuration to work.
Once ADMT is installed, it is a matter of running the required wizard depending on what you want to migrate. When migrating groups, ADMT can be configured to put the user in the same groups that they had in the old domain. In order for this to work, the new domain needs to have those groups created with the same names as in the old domain.
If you want to migrate passwords between domains, you will need the Password Export Server to be installed in the other domain. Since ADMT does not check the password policy of the new domain, the user will be asked to change their password when they log in to the new domain.
References
“MCTS 70-640 Configuring Windows Server 2008 Active Directory” pg 573 – 576
“Active Directory Migration Tool (ADMT) Guide” http://www.microsoft.com/en-au/download/details.aspx?id=19188