Migrate Source Domain (old) to Target Domain (new) with ADMT 3.2

Andy 51 Reputation points
2021-03-31T09:24:09.703+00:00

Old DC01(IP:10.0.0.1) OS Windows 2016
Old DC02(IP:10.0.0.2) OS Windows 2016
Old DC03(IP:10.0.0.3) OS Windows 2019
Domain Name: OldDomain.com

Client: Windows 10 (Version 20H2)

New DC01(IP:172.16.0.1) OS Windows 2019
New DC02(IP:172.16.0.2) OS Windows 2019

Domain Name: NewDomain.com

SQL Express 2008 R2 SP2

SQL Express 2008 R2 SP3 Update

ADMT 3.2 (For Service Account/Group/User/Computer Migration)
PES 3.1 (For Password Migration)


All DC forest and domain functional levels are Windows 2016.
I will share my experience with you step by step.


14 answers

  1. Andy 51 Reputation points
    2021-04-09T04:12:51.77+00:00

    ADMT Installation
    1. Download ADMT 3.2
    2. Install ADMT 3.2 in your old domain and new domain, on the servers which have SQL Express installed (i.e. Old DC03 and New DC02)
    85990-1admt-wizard.jpg
    86036-2license-agreement.jpg
    86091-3customer-experience-improvement-program.jpg
    86059-4database-selection.jpg
    86082-5database-import.jpg
    86083-6done.jpg

    You can open ADMT on your New DC02 now. (In my experience we can't open it correctly on our Old DC03; it's for running the migration backend.)

    86075-7migrator.jpg

    You will see errors if you run ADMT on your Old DC03

    86050-8error1.jpg
    86101-9error2.jpg

    1 person found this answer helpful.

  2. Fan Fan 15,291 Reputation points Microsoft Vendor
    2021-04-01T03:35:03.673+00:00
    0 comments No comments

  3. Andy 51 Reputation points
    2021-04-01T08:50:32.017+00:00

    ADMT – DNS Setting
    The old domain needs to be able to resolve names in the new domain, and the new domain needs to be able to resolve names in the old domain. To achieve this you need to set up ‘Conditional Forwarding’ in each domain for the other one.


    First of all, make sure 10.0.0.1, 10.0.0.2, 10.0.0.3 and 172.16.0.1, 172.16.0.2 can ping each other. If you don't know how, please ask the network guy on your team for help.
    On Old DC01, Old DC02 and Old DC03 you should set up 'Conditional Forwarding'.
    1. Open DNS Manager on your Old DC01
    83520-dns-app.jpg

    2. Right-click Conditional to create a new one
    83558-coditional-forward.jpg
    83590-ncf.jpg

    3. You can name the domain (i.e. NewDomain) and fill in the IP addresses (i.e. 172.16.0.1 and 172.16.0.2). Please ignore the red error; it is just to show you how to fill them in here.

    88064-new-conditional-forwarder.jpg
    4. You can see a green tick icon if all settings are OK. (You can change the timeout to 100 or more instead of the default 5 if you are using lower bandwidth between the two domains.)
    87995-conditional-ok.jpg

    5. Please repeat these 3 steps on Old DC02 and Old DC03, and repeat a similar process on New DC01 and New DC02 (i.e. OldDomain), filling in the IP addresses (i.e. 10.0.0.1, 10.0.0.2 and 10.0.0.3). Please ignore the red error; it is just to show you how to fill them in here.
    87960-new-new-conditional-forwarder.jpg
    88071-new-conditional-ok.jpg

    In addition, we should set the DNS suffix search list, and the easiest way to do that is via group policy. On a domain controller > Administrative Tools > Group Policy Management Console.
    Link your group policy to the actual OU that your computers are in.
    1. Create a new GPO (i.e. DNS Setting)
    84009-dns-setting.jpg
    2. Link it to the actual OU and edit the GPO
    84091-edit-setting.jpg
    3. Enable the DNS suffix search list. We can navigate to
    Computer Configuration > Policies > Administrative Templates > Network > DNS Client >
    84043-old-dns-suffix-search-list.jpg
    4. Set DNS via Scripts (Startup). We can navigate to
    Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown)


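    ---
    @Echo off
    rem Preferred DNS server (old domain) and alternate DNS server (new domain)
    set dnsserver=10.0.0.1
    set dnsserver2=172.16.0.1

    rem Parse "netsh interface show interface": %%i = admin state, %%l = interface name
    for /f "tokens=1,2,3*" %%i in ('netsh interface show interface') do (
        if %%i EQU Enabled (
            rem echo change "%%l" : %dnsserver%
            netsh interface ipv4 set dnsserver name="%%l" static %dnsserver% both
            netsh interface ipv4 add dnsserver name="%%l" %dnsserver2% index=2
        )
    )
    ---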


    Save the commands above, between the --- lines, as a .bat file and name it (i.e. Set DNS.bat; we will use it later).
    dnsserver = your actual old domain DNS
    dnsserver2 = your actual new domain DNS

    88027-set-dns.jpg

    5. Repeat the procedure in the new domain (but the domain names and DNS will be the opposite way round)
    87797-dns.jpg

    Change DNS in .bat file (Change DNS opposite way as well)
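
A PowerShell check of the DNS setup described in the answer above, added here as an example and not part of the original post: for each DC it confirms that a conditional forwarder for the other domain exists, that it points only at the expected DCs, and that the other domain's DC locator SRV record resolves. The addresses and domain names are the ones used in this thread; the function name `Test-CrossDomainDns` is hypothetical, and the DnsServer and DnsClient modules are assumed to be installed.

```powershell
# Added example: verify cross-domain name resolution before creating the trust.
# Assumes the DnsServer and DnsClient modules and rights to query each DC.
function Test-CrossDomainDns {
    param(
        [Parameter(Mandatory)] [string[]] $DnsServers,      # DCs to test
        [Parameter(Mandatory)] [string]   $RemoteDomain,    # domain they must resolve
        [Parameter(Mandatory)] [string[]] $ExpectedMasters  # DCs of the remote domain
    )
    foreach ($server in $DnsServers) {
        # 1. Is there a conditional forwarder for the remote domain on this DC?
        $zone = Get-DnsServerZone -ComputerName $server -Name $RemoteDomain -ErrorAction SilentlyContinue
        $isForwarder = $zone -and ($zone.ZoneType -eq 'Forwarder')

        # 2. Does it point only at the DCs we expect? Anything else would be
        #    answering for the domain we are about to trust.
        $masters = @()
        if ($isForwarder) { $masters = @($zone.MasterServers | ForEach-Object { $_.ToString() }) }
        $unexpected = @($masters | Where-Object { $_ -notin $ExpectedMasters })

        # 3. Can this DC resolve the remote domain's DC locator record?
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV `
                   -Server $server -DnsOnly -ErrorAction SilentlyContinue

        [pscustomobject]@{
            DnsServer         = $server
            ForwarderPresent  = [bool]$isForwarder
            Masters           = $masters -join ','
            UnexpectedMasters = $unexpected -join ','
            LocatorResolves   = [bool]($srv | Where-Object Type -eq 'SRV')
        }
    }
}

# Old DCs must resolve NewDomain.com; new DCs must resolve OldDomain.com.
Test-CrossDomainDns -DnsServers '10.0.0.1','10.0.0.2','10.0.0.3' `
    -RemoteDomain 'NewDomain.com' -ExpectedMasters '172.16.0.1','172.16.0.2'
Test-CrossDomainDns -DnsServers '172.16.0.1','172.16.0.2' `
    -RemoteDomain 'OldDomain.com' -ExpectedMasters '10.0.0.1','10.0.0.2','10.0.0.3'
```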


  4. Andy 51 Reputation points
    2021-04-07T07:04:32.18+00:00

    ADMT-Domain Trust
    1. Open Active Directory Domains and Trusts

    85064-ad-trusts.jpg

    2. Right-click OldDomain.com and choose Properties

    85049-ad-properties.jpg

    3. Trusts, then New Trust...

    85082-trusts-and-new-trust.jpg

    We can choose Forest Trust or External Trust. Here are the tips: if it's a root domain trust (OldDomain.com and NewDomain.com) you can choose Forest Trust or External Trust. If it's a root domain with a child domain (OldDomain.com and Corp.NewDomain.com) or a child domain with a child domain trust (Corp.OldDomain.com and Corp.NewDomain.com) you can choose External Trust only.

    4. Welcome to the New Trust Wizard

    85017-welcome-new-trust.jpg

    5. Trust Name

    85055-trust-name.jpg

    6. Choose External Trust or Forest Trust depending on your environment, as I mentioned below

    85103-ex-trust.jpg

    7. Two Way > Next > Both this domain and the specified domain > Next > Provide administrative credentials for the other domain (New Domain) > Next

    85076-two-way.jpg
    85112-both-domain.jpg
    85035-user-name-and-password.jpg

    8. Domain wide authentication > Next > Domain wide authentication > Next > Next

    85028-outgoing-from-newdomain.jpg
    85007-outgoing-from-local.jpg
    85008-trust-complete.jpg

    9. Next > Yes. Confirm outgoing trust > Next > Yes. Confirm incoming trust > Next

    85068-confirm-outgoing.jpg
    85036-comfirm-incoming.jpg

    10. Finish, and you will see a warning message about SID history; we will deal with it later
    85222-sid.jpg

    0 comments No comments
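
A way to record what the trust wizard steps in the answer above actually produced, added here as an example and not part of the original post: it reads the trust object and notes the settings that widen access between the two domains (two-way direction, domain-wide authentication, and SID filter quarantine on an external trust), so they can be reviewed again once the migration is finished. The function name `Get-TrustReview` is hypothetical; the ActiveDirectory module and a session in OldDomain.com are assumed.

```powershell
# Added example: review the trust after the wizard finishes.
# Assumes the ActiveDirectory module (RSAT) and a session in OldDomain.com.
Import-Module ActiveDirectory

function Get-TrustReview {
    param([Parameter(Mandatory)] [string] $TrustedDomain)

    $t = Get-ADTrust -Filter "Name -eq '$TrustedDomain'"
    if (-not $t) { throw "No trust to $TrustedDomain found in the current domain." }

    $notes = @()
    if ($t.Direction -eq 'BiDirectional') {
        $notes += 'Two-way: accounts in each domain can authenticate to the other.'
    }
    if (-not $t.SelectiveAuthentication) {
        $notes += 'Domain-wide authentication: selective authentication is off.'
    }
    # On an external (non-forest) trust the quarantine flag is what rejects
    # foreign SIDs; it is commonly disabled while SID history is in use
    # during a migration, so it is worth tracking.
    if (-not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
        $notes += 'External trust with SID filter quarantine off: SIDs from SID history are accepted.'
    }

    [pscustomobject]@{
        Trust                   = $t.Name
        Direction               = $t.Direction
        ForestTransitive        = $t.ForestTransitive
        SelectiveAuthentication = $t.SelectiveAuthentication
        SIDFilteringQuarantined = $t.SIDFilteringQuarantined
        Notes                   = $notes
    }
}

Get-TrustReview -TrustedDomain 'NewDomain.com' | Format-List
```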

  5. Andy 51 Reputation points
    2021-04-08T08:03:47.41+00:00

    ADMT-Permission Assignment

    1. Create the user in your new domain (i.e. NewDomain.com), then add that user to the Domain Admins group (still in your new domain)
    Username: ADMT Admin (can be anything you want)
    85681-new-user.jpg

    85682-new-user-admt.jpg

    85568-admt-admin.jpg

    2. We also need administrator permission in the old domain (OldDomain.com). We won’t be able to add ADMT Admin into the Domain Admins group; we need to add the ADMT Admin account from the new domain (NewDomain.com) into the Builtin\Administrators group on the old domain (OldDomain.com).
    You can see the red up arrow between the regular user icon and the username (the user from the other domain, i.e. NewDomain.com)

    85634-builtin-admin.jpg

    3. Additionally, the ADMT Admin needs to have local administrative rights to all the machines in the old domain (i.e. OldDomain.com). The easiest way to do that is again with a group policy.

    4. In the old domain create a group (Type: Domain Local)

    5. Group Name: GP-ADMT-Admins (you can call it something else if you want).

    85624-admt-group.jpg
    85676-new-group.jpg

    6. Add your ADMT Admin account to this group

    85625-add-admt-to-group.jpg
    7. On a domain controller (OldDomain.com), open the Group Policy Management Console.
    85570-gp-management.jpg

    8. Link the policy to your actual OU and edit the GPO
    85664-add-user-admt.jpg
    85665-edit-gpo.jpg

    Navigate to

    Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups

    Add Group > Select GP-ADMT-Admins > OK > Add (bottom option) > Administrators > OK.

    85626-add-group.jpg
    85588-add-group-gp.jpg
    85701-group-member.jpg
    You can see the members of Administrators here after all steps
    85686-member-of-admin.jpg
    9. Run gpupdate /force in CMD and
    make sure that the GP-ADMT-Admins group is actually in the local admins group. (You can check one client in that actual OU.)

    0 comments No comments
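
The check in step 9 of the answer above, extended to every computer in the OU, added here as an example and not part of the original post: it lists the members of each client's local Administrators group, confirms GP-ADMT-Admins arrived through the Restricted Groups policy, and shows any other domain principals holding local admin. The function name `Get-LocalAdminReport`, the NetBIOS name `OLDDOMAIN`, the baseline list and the OU path are assumptions; PowerShell remoting (WinRM) must be enabled on the clients.

```powershell
# Added example: check the result of the Restricted Groups GPO.
# Assumes the ActiveDirectory module, WinRM on the clients, and OLDDOMAIN
# as the NetBIOS name of OldDomain.com.
Import-Module ActiveDirectory

function Get-LocalAdminReport {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,              # DN of the OU the GPO is linked to
        [string]   $ExpectedGroup = 'OLDDOMAIN\GP-ADMT-Admins',
        [string[]] $Baseline      = @('OLDDOMAIN\Domain Admins')  # members already expected
    )
    $names = Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true' |
        Where-Object DNSHostName | Select-Object -ExpandProperty DNSHostName

    foreach ($name in $names) {
        try {
            $members = @(Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
                # S-1-5-32-544 is the well-known SID of the local Administrators
                # group, so this works regardless of the display language.
                Get-LocalGroupMember -SID 'S-1-5-32-544' |
                    Select-Object Name, @{ n = 'Source'; e = { "$($_.PrincipalSource)" } }
            })
            # Domain principals other than the ADMT group and the known baseline.
            $extra = @($members | Where-Object {
                $_.Source -ne 'Local' -and $_.Name -ne $ExpectedGroup -and $_.Name -notin $Baseline
            })
            [pscustomobject]@{
                Computer          = $name
                AdmtGroupSeen     = $ExpectedGroup -in $members.Name
                OtherDomainAdmins = $extra.Name -join '; '
                Error             = $null
            }
        }
        catch {
            [pscustomobject]@{
                Computer = $name; AdmtGroupSeen = $false
                OtherDomainAdmins = ''; Error = $_.Exception.Message
            }
        }
    }
}

# The OU below is a placeholder; use the OU the GPO is linked to.
Get-LocalAdminReport -SearchBase 'OU=Workstations,DC=OldDomain,DC=com' | Format-Table -AutoSize
```

Running the same report again after the migration, once the policy is unlinked, shows whether the group was actually removed from the clients.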