Question

Andy-7143 asked (edited)

Migrate Source Domain (old) to Target Domain (new) with ADMT 3.2

Old DC01(IP:10.0.0.1) OS Windows 2016
Old DC02(IP:10.0.0.2) OS Windows 2016
Old DC03(IP:10.0.0.3) OS Windows 2019
Domain Name: OldDomain.com
Client: Windows 10 (Version 20h2)


New DC01(IP:172.16.0.1) OS Windows 2019
New DC02(IP:172.16.0.2) OS Windows 2019
Domain Name: NewDomain.com


SQL Express 2008 R2 SP2
SQL Express 2008 R2 SP3 Update


ADMT 3.2 (For Service Account/Group/User/Computer Migration)
PSE3.1 (For Password Migration)



All DC forest and domain functional levels are Windows 2016.
I will share my experience with you step by step.


Andy-7143 answered (edited)

ADMT – DNS Setting
The old domain needs to be able to resolve names in the new domain, and the new domain needs to be able to resolve names in the old domain. To achieve this you need to set up 'Conditional Forwarding' in each domain for the other one.


First of all, make sure 10.0.0.1, 10.0.0.2, 10.0.0.3 and 172.16.0.1, 172.16.0.2 can ping each other. If you don't know how, please ask for help from the network guy on your team.
On Old DC01, Old DC02 and Old DC03 you should set up 'Conditional Forwarding':
1.Open DNS Manager on your Old DC01
83520-dns-app.jpg

2. Right-click Conditional Forwarders to create a new one
83558-coditional-forward.jpg
83590-ncf.jpg





3. You can name the domain (i.e. NewDomain) and fill in the IP addresses (i.e. 172.16.0.1 and 172.16.0.2). Please ignore the red error; it is just to show you how to fill them in here.

88064-new-conditional-forwarder.jpg
4. You will see a green tick icon if all settings are OK (you can change the timeout to 100 or more instead of the default 5 if you have lower bandwidth between the two domains).
87995-conditional-ok.jpg


5. Please repeat these 3 steps on Old DC02 and Old DC03, and repeat the same process on New DC01 and New DC02 (i.e. name the domain OldDomain and fill in the IP addresses 10.0.0.1, 10.0.0.2 and 10.0.0.3). Please ignore the red error; it is just to show you how to fill them in here.
87960-new-new-conditional-forwarder.jpg
88071-new-conditional-ok.jpg

In addition, we should set the DNS suffix search list, and the easiest way to do that is via group policy. On a domain controller > Administrative Tools > Group Policy Management Console.
Link your group policy to the actual OU that your computers are in.
1. Create a new GPO (i.e. DNS Setting)
84009-dns-setting.jpg
2. Link it to the actual OU and edit the GPO
84091-edit-setting.jpg
3. Enable the DNS suffix search list; navigate to
Computer Configuration > Policies > Administrative Templates > Network > DNS Client
84043-old-dns-suffix-search-list.jpg
4. Set DNS via a startup script; navigate to
Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown)


---
@echo off
rem Set DNS.bat - startup script for clients in the old domain.
rem Primary DNS = old domain DC, secondary = new domain DC, applied to every enabled interface.
set dnsserver=10.0.0.1
set dnsserver2=172.16.0.1

rem "netsh interface show interface" prints columns: Admin State, State, Type, Interface Name.
rem tokens=1,2,3* gives %%i=Admin State, %%j=State, %%k=Type, %%l=Interface Name (may contain spaces).
for /f "tokens=1,2,3*" %%i in ('netsh interface show interface') do (
    if %%i EQU Enabled (
        rem echo change "%%l" : %dnsserver%
        netsh interface ipv4 set dnsserver name="%%l" static %dnsserver% both
        netsh interface ipv4 add dnsserver name="%%l" %dnsserver2% index=2
    )
)
---

Save the script above between the --- lines as a .bat file and name it (i.e. Set DNS.bat; we will use it later).
dnsserver = your actual old domain DNS
dnsserver2 = your actual new domain DNS

88027-set-dns.jpg

5. Repeat the procedure in the new domain (but the domain names and DNS servers will be the opposite way round)
87797-dns.jpg

Change the DNS servers in the .bat file as well (the opposite way round)






Welcome to share here if you have any updates.

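The DNS steps above (conditional forwarders, client DNS servers, suffix search list) as one PowerShell script, added here as an example; it is not code from the original post. It assumes the post's domain names and addresses, Windows PowerShell 5.1, and the DnsServer module (RSAT DNS) on the DC; the function names are this example's own.

```powershell
# Added example, not from the original post: the conditional forwarders, client DNS and
# a resolution check as one script. Assumes the post's names/addresses, Windows PowerShell 5.1
# and the DnsServer module (RSAT DNS) on the DC. Function names are this example's own.
$Domains = @{
    Old = @{ Name = 'OldDomain.com'; Dns = @('10.0.0.1', '10.0.0.2', '10.0.0.3') }
    New = @{ Name = 'NewDomain.com'; Dns = @('172.16.0.1', '172.16.0.2') }
}
function Get-OtherSide([string] $Side) { if ($Side -eq 'Old') { $Domains.New } else { $Domains.Old } }

# Run on one DC of the $Side domain. ReplicationScope 'Forest' stores the forwarder in AD,
# so every DC of that forest receives it and the per-DC repetition in the post is not needed.
# ForwarderTimeout (seconds) is the value the post suggests raising on slow links.
function Set-AdmtConditionalForwarder {
    param([ValidateSet('Old', 'New')] [string] $Side, [int] $TimeoutSeconds = 10)
    $remote = Get-OtherSide $Side
    if (Get-DnsServerZone -Name $remote.Name -ErrorAction SilentlyContinue) {
        Set-DnsServerConditionalForwarderZone -Name $remote.Name -MasterServers $remote.Dns `
            -ForwarderTimeout $TimeoutSeconds
    } else {
        Add-DnsServerConditionalForwarderZone -Name $remote.Name -MasterServers $remote.Dns `
            -ReplicationScope 'Forest' -ForwarderTimeout $TimeoutSeconds
    }
}

# Client-side equivalent of the post's "Set DNS.bat" plus the suffix search list its GPO sets:
# primary DNS from the machine's own domain, secondary from the other one.
function Set-AdmtClientDns {
    param([ValidateSet('Old', 'New')] [string] $Side)
    $local  = $Domains[$Side]
    $remote = Get-OtherSide $Side
    Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | ForEach-Object {
        Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex `
            -ServerAddresses @($local.Dns[0], $remote.Dns[0])
    }
    Set-DnsClientGlobalSetting -SuffixSearchList @($local.Name, $remote.Name)
}

# The DC locator SRV record of both domains must resolve from each side; if it does not,
# the trust wizard and ADMT fail before they start, with errors that look unrelated to DNS.
function Test-AdmtNameResolution {
    foreach ($d in $Domains.Values) {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($d.Name)" -Type SRV `
                   -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'SRV' }
        [pscustomobject]@{
            Domain = $d.Name
            Ok     = [bool]$srv
            DCs    = ($srv | ForEach-Object { $_.NameTarget }) -join ', '
        }
    }
}

# Usage on Old DC01:   Set-AdmtConditionalForwarder -Side Old; Test-AdmtNameResolution
# Usage on a client:   Set-AdmtClientDns -Side Old
```

Run Test-AdmtNameResolution on a DC of each domain before going on to the trust: both rows must show Ok = True, with the other domain's DCs listed under DCs.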
Andy-7143 answered (edited)

ADMT – Domain Trust
1. Open Active Directory Domains and Trusts

85064-ad-trusts.jpg


2. Right-click OldDomain.com and choose Properties

85049-ad-properties.jpg

3. Trusts, then New Trust...

85082-trusts-and-new-trust.jpg

We can choose Forest Trust or External Trust here. The tip is: if it is a root domain trust (OldDomain.com and NewDomain.com) you can choose Forest Trust or External Trust. If it is root domain with child domain (OldDomain.com and Corp.NewDomain.com) or child domain with child domain trust (Corp.OldDomain.com and Corp.NewDomain.com) you can choose External Trust only.

4.Welcome to the new trust wizard

85017-welcome-new-trust.jpg

5.Trust Name

85055-trust-name.jpg

6. Choose External Trust or Forest Trust depending on your environment, as I mentioned above

85103-ex-trust.jpg

7. Two-way > Next > Both this domain and the specified domain > Next > Provide administrative credentials for the other domain (New Domain) > Next

85076-two-way.jpg
85112-both-domain.jpg
85035-user-name-and-password.jpg

8.Domain wide authentication > Next > Domain wide authentication > Next > Next

85028-outgoing-from-newdomain.jpg
85007-outgoing-from-local.jpg
85008-trust-complete.jpg

9.Next > Yes. Confirm outgoing trust > Next > Yes. Confirm incoming trust > Next

85068-confirm-outgoing.jpg
85036-comfirm-incoming.jpg

10. Finish, and you will see a warning message about SID history; we will deal with it later
85222-sid.jpg



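The same two-way forest trust created and checked from PowerShell, added as an example (not code from the original post). There is no New-ADTrust cmdlet, so it uses the .NET Forest.CreateTrustRelationship API; it assumes the post's domain names, runs on a DC of OldDomain.com as a Domain Admin, and prompts for an administrator credential of NewDomain.com. One caveat for step 8: the wizard's "Domain wide authentication" lets every user of the other forest authenticate to every resource here; "Selective authentication" limits that to computers you explicitly allow, which is the safer choice for a trust that only has to exist for the migration window.

```powershell
# Added example, not from the original post: two-way forest trust OldDomain.com <-> NewDomain.com.
# Run on a DC of OldDomain.com as a Domain Admin; the credential is for the other forest.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$remoteForestName = 'NewDomain.com'
$cred = Get-Credential -Message "Administrator of $remoteForestName"

$localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
    [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
    $remoteForestName,
    $cred.UserName,
    $cred.GetNetworkCredential().Password)
$remoteForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)

# Creates both sides of the trust in one call (the wizard's "Two-way" plus
# "Both this domain and the specified domain"). Skipped if the trust already exists.
$existing = Get-ADTrust -Filter "Target -eq '$remoteForestName'" -ErrorAction SilentlyContinue
if (-not $existing) {
    $localForest.CreateTrustRelationship($remoteForest,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)
}

# Same check as the wizard's "Confirm outgoing/incoming trust" pages; throws if either fails.
$localForest.VerifyTrustRelationship($remoteForest,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

# Trust attributes, including the SID filtering flags behind the wizard's SID history warning.
Get-ADTrust -Identity $remoteForestName |
    Select-Object Source, Target, Direction, TrustType, ForestTransitive,
                  SIDFilteringQuarantined, SIDFilteringForestAware
```

Keep the output of the last command; the two SIDFiltering* values are what the later "Disabling SID Filtering" step changes, and what you compare against when you re-enable filtering after the migration.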

Andy-7143 answered (edited)

ADMT – Permission Assignment

1. Create a user in your new domain (i.e. NewDomain.com), then add that user to the Domain Admins group (still in your new domain)
Username: ADMT Admin (can be anything you want)
85681-new-user.jpg


85682-new-user-admt.jpg

85568-admt-admin.jpg

2. We also need administrator permissions in the old domain (OldDomain.com). We won't be able to add ADMT Admin to the Domain Admins group there, so we need to add the ADMT Admin account from the new domain (NewDomain.com) to the Builtin\Administrators group of the old domain (OldDomain.com).
You can see the red up arrow between the regular user icon and the username (the user is from the other domain, i.e. NewDomain.com).

85634-builtin-admin.jpg

3. Additionally, the ADMT Admin needs local administrative rights on all the machines in the old domain (i.e. OldDomain.com). The easiest way to do that is again with a group policy.

4.In the Old domain create a group, (Type: Domain Local)

5.Group Name: GP-ADMT-Admins (You can call it something else if you want).

85624-admt-group.jpg
85676-new-group.jpg

6.Add your ADMT Admin account to this group


85625-add-admt-to-group.jpg
7. On a domain controller (OldDomain.com), open Group Policy Management Console.
85570-gp-management.jpg

8.Link the policy to your actual OU and Edit GPO
85664-add-user-admt.jpg
85665-edit-gpo.jpg

Navigate to

Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups

Add Group > Select GP-ADMT-Admins > OK > Add (bottom option) > Administrators > OK.

85626-add-group.jpg
85588-add-group-gp.jpg
85701-group-member.jpg
You can see the members of Administrators here after all the steps
85686-member-of-admin.jpg
9. Run gpupdate /force in CMD and make sure that the GP-ADMT-Admins group is actually in the local Administrators group (you can check one client in that OU)



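The account and group work from steps 1 to 6 above, scripted with the ActiveDirectory module, as an added example that is not from the original post. It runs on New DC02 as a Domain Admin of NewDomain.com with the trust already in place; the sAMAccountName ADMTAdmin and the client name PC01 are this example's assumptions, the group name GP-ADMT-Admins follows the post. The Restricted Groups GPO (steps 7 and 8) stays a GUI step; step 9's check is at the end.

```powershell
# Added example, not from the original post: ADMT account and rights in both domains.
# Run on New DC02 as a Domain Admin of NewDomain.com; 'ADMTAdmin' and 'PC01' are assumed names.
Import-Module ActiveDirectory
$new = 'NewDomain.com'
$old = 'OldDomain.com'

# 1. ADMT account in the target domain, member of Domain Admins there.
$admt = Get-ADUser -Server $new -Filter "sAMAccountName -eq 'ADMTAdmin'"
if (-not $admt) {
    $pw = Read-Host -AsSecureString "Password for $new\ADMTAdmin"
    $admt = New-ADUser -Server $new -Name 'ADMT Admin' -SamAccountName 'ADMTAdmin' `
        -UserPrincipalName "ADMTAdmin@$new" -AccountPassword $pw -Enabled $true -PassThru
}
Add-ADGroupMember -Server $new -Identity 'Domain Admins' -Members $admt

# 2. Same account into Builtin\Administrators of the source domain. A principal from another
#    domain is stored as a foreign security principal; adding the member by "<SID=...>" lets
#    the source DC create that FSP object itself (this is the red-arrow user in the screenshot).
$foreignMember = "<SID=$($admt.SID.Value)>"
Set-ADGroup -Server $old -Identity 'Administrators' -Add @{ member = $foreignMember }

# 3. Domain local group in the source domain that the Restricted Groups GPO will push into
#    the local Administrators group of every client in the linked OU.
$grp = Get-ADGroup -Server $old -Filter "Name -eq 'GP-ADMT-Admins'"
if (-not $grp) {
    $grp = New-ADGroup -Server $old -Name 'GP-ADMT-Admins' -GroupScope DomainLocal `
        -GroupCategory Security -PassThru
}
Set-ADGroup -Server $old -Identity $grp -Add @{ member = $foreignMember }

# 4. Step 9 of the post: after the GPO is linked and gpupdate /force has run, check one client.
$client = 'PC01.OldDomain.com'   # assumed name of a client in the linked OU
Invoke-Command -ComputerName $client -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
}
# Expect OLDDOMAIN\GP-ADMT-Admins in that list; NewDomain\ADMTAdmin is a member of it.
```

Granting the migration account Domain Admins in the target domain plus Builtin\Administrators in the source domain is what ADMT needs, but it is also a single credential that controls both forests: keep it dedicated to the migration, do not use it for interactive logons on clients, and disable it when the migration is done.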

Andy-7143 answered (edited)

ADMT – Database Requirement
1. Download SQL Express 2008 R2 SP2 and the SQL Express 2008 R2 SP3 update

2. Install SQL Express 2008 R2 SP2 on one DC of your old domain (i.e. Old DC03) and one of your new domain (i.e. New DC02)

86013-1new-install.jpg
86014-1license-terms.jpg
85959-2setup-support-rules.jpg
85960-3feature-selection.jpg
86041-4instance-configuration.jpg

Account is NewDomain\ADMT Admin

86027-5server-configuration.jpg

Add NewDomain\ADMT Admin to Specify SQL Server Administrators

86028-6database-engine-configuration.jpg
86051-7error-reporting.jpg
86042-8done.jpg

3.Install SQL Express 2008 R2 SP3 Update

85926-1sp3-update.jpg
86052-2license-terms.jpg
86053-3select-features.jpg
86054-4check-files-in-use.jpg
85995-5ready-to-update.jpg
85927-6done.jpg

4. Grant SQL permissions on the domain controllers

Open CMD and run the following commands (on the DCs where you installed SQL Express, i.e. Old DC03 and New DC02):

---
REM Target-DC = the hostname of the DC you are on (e.g. DC03); on a DC this creates a domain local group.
NET LOCALGROUP SQLServerMSSQLUser$Target-DC$SQLEXPRESS /ADD

REM Print the service SID of the SQL Express instance; copy it to the clipboard for the ICACLS step.
SC SHOWSID MSSQL$SQLEXPRESS

MD %SystemRoot%\ADMT\Data
REM The * prefix tells ICACLS that the principal is a SID rather than a name.
ICACLS %SystemRoot%\ADMT\Data /grant *{Paste the SID from above}:F
---
i.e.
ICACLS %SystemRoot%\ADMT\Data /grant *S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133:F



86029-grant-permission.jpg







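Step 4 above without copying the SID by hand: an added PowerShell example (not from the original post) that reads the service SID from sc.exe, grants it on %SystemRoot%\ADMT\Data and checks the resulting ACL. It assumes the default instance name SQLEXPRESS from the post and an elevated Windows PowerShell 5.1 prompt on the DC.

```powershell
# Added example, not from the original post: grant the SQL Express service SID on the ADMT data
# folder and verify. Run elevated on the DC where SQL Express is installed (Old DC03 / New DC02).
$instance = 'MSSQL$SQLEXPRESS'
$dataDir  = Join-Path $env:SystemRoot 'ADMT\Data'

# The post's NET LOCALGROUP step, skipped when the group already exists (net returns non-zero).
$sqlGroup = 'SQLServerMSSQLUser$' + $env:COMPUTERNAME + '$SQLEXPRESS'
& net localgroup $sqlGroup *> $null
if ($LASTEXITCODE -ne 0) { & net localgroup $sqlGroup /add | Out-Null }

# "sc showsid" prints a line "SERVICE SID: S-1-5-80-...". The S-1-5-80 SID is derived from the
# service name, so it is the same on every machine; parsing it avoids a copy/paste mistake.
$match = & sc.exe showsid $instance | Select-String 'SERVICE SID:\s*(S-1-5-80-[\d-]+)'
$sid = if ($match) { $match.Matches[0].Groups[1].Value } else { $null }
if (-not $sid) { throw "No service SID found for $instance - is SQL Express installed here?" }

New-Item -ItemType Directory -Path $dataDir -Force | Out-Null

# Equivalent of ICACLS ... /grant *<SID>:F, inheriting to files and subfolders.
$acl  = Get-Acl -Path $dataDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    (New-Object System.Security.Principal.SecurityIdentifier $sid),
    'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $dataDir -AclObject $acl

# Verify: the entry should show as NT SERVICE\MSSQL$SQLEXPRESS with FullControl.
(Get-Acl -Path $dataDir).Access |
    Where-Object { $_.IdentityReference -like 'NT SERVICE\*' } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
```

If the verification table is empty, the SQL Express service is not running under its per-service SID (for example after the account was changed to a domain user in the installer); in that case grant the folder to that account instead of the S-1-5-80 SID.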

Andy-7143 answered (edited)

ADMT Installation
1.Download ADMT 3.2
2. Install ADMT 3.2 in your old domain and new domain on the DCs which have SQL Express installed (i.e. Old DC03 and New DC02)
85990-1admt-wizard.jpg
86036-2license-agreement.jpg
86091-3customer-experience-improvement-program.jpg
86059-4database-selection.jpg
86082-5database-import.jpg
86083-6done.jpg

You can open ADMT on your New DC02 now (in my experience we can't open it correctly on our Old DC03; that one is there to run the migration backend)

86075-7migrator.jpg

You will see errors if you run ADMT on your Old DC03

86050-8error1.jpg
86101-9error2.jpg




Andy-7143 answered (edited)

Disabling SID Filtering

1. On your Old Domain (i.e. Old DC03) run CMD with administrator rights, then run the following command:

---
NETDOM TRUST {source-domain} /Domain:{target-domain} /UserO:{username} /PasswordO:{password} /Quarantine:NO
---

i.e. NETDOM TRUST OldDomain.com /Domain:NewDomain.com /UserO:Administrator /PasswordO:P@$$W0rd /Quarantine:NO

(I use Administrator and P@$$W0rd; you should type your actual password.)





Remember the SID warning message in the Domain Trust part; that is why we should disable SID filtering.
86019-sid.jpg

ADMT – Set up Password Export Server

1. On your New Domain (i.e. New DC02) run CMD with administrator rights, then run the following command:

---
admt key /option:create /sourcedomain:{source-domain} /keyfile:"C:\PES.pes" /keypassword:{password}
---

i.e. admt key /option:create /sourcedomain:OldDomain.com /keyfile:"C:\PES.pes" /keypassword:PE$W0rd

- source-domain: OldDomain.com
- keyfile: where you want to save the key file (I name it PES and save it in C:\)
- keypassword: we will need it to set up the Password Export Server, so don't forget it.


You will see PES.pes in your C:\ if everything runs OK

86115-pes.jpg

2. Copy PES.pes from NewDomain (i.e. New DC02) to OldDomain (i.e. Old DC03)

3. Download Password Export Server 3.1

4. Install Password Export Server 3.1 in OldDomain (i.e. Old DC03). Install it via the command line, or you will see error messages later although your keypassword is correct.
We can copy the downloaded file to C:\, then open CMD with administrator rights and run msiexec /i C:\pwdmig.msi

86039-pwdmig.jpg
86183-1admt-password-migration.jpg
86153-2license-agreement.jpg
Choose the PES.pes you copied from NewDomain (i.e. New DC02) to OldDomain (i.e. Old DC03) before
86120-3encryption-file.jpg
Type in the same password as the keypassword you used when you created PES.pes (i.e. PE$W0rd, my password). Install via the command line from the beginning, or you will get an error message here although your password is correct.

86164-4password.jpg
86204-password-error.jpg
86191-5ready-to-install.jpg
Choose the account NewDomain\admtadmin
86192-6account.jpg
86193-7finish.jpg

Open Services on your OldDomain (i.e. DC03), change the Startup Type to Automatic, then start it
86110-services.jpg
86196-automatic.jpg
86165-8pess.jpg






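The SID-filtering change and the PES setup above as a PowerShell sequence with the state checks a practitioner wants, added as an example that is not from the original post. It assumes the post's domain and host names and Windows PowerShell 5.1; the '*' password prompts and file paths are this example's choices. Two caveats the post does not spell out: netdom's /quarantine switch only applies to an external trust, a forest trust is controlled by /enablesidhistory instead; and while SID filtering is off, whoever administers NewDomain.com can put any OldDomain.com SID (including its Domain Admins SID) into sIDHistory and have it honoured by OldDomain.com resources, so turn it back on (/quarantine:yes or /enablesidhistory:no) as soon as the migration is complete.

```powershell
# Added example, not from the original post: SID filtering state/change, PES key creation,
# and PES service start-up. Sections run on different hosts, as marked.
Import-Module ActiveDirectory
$old = 'OldDomain.com'
$new = 'NewDomain.com'

# ---- On Old DC03 (source) as a Domain Admin of OldDomain.com ----
# Without a value, both netdom switches only print the current setting; run that before and
# after so the change is visible. /passwordO:* makes netdom prompt for the password instead
# of leaving it in the console history (the post passes it on the command line).
$trust = Get-ADTrust -Server $old -Identity $new
if ($trust.ForestTransitive) {
    netdom trust $old "/domain:$new" /enablesidhistory                                # before
    netdom trust $old "/domain:$new" /userO:Administrator /passwordO:* /enablesidhistory:yes
    netdom trust $old "/domain:$new" /enablesidhistory                                # after
} else {
    netdom trust $old "/domain:$new" /quarantine                                      # before
    netdom trust $old "/domain:$new" /userO:Administrator /passwordO:* /quarantine:no
    netdom trust $old "/domain:$new" /quarantine                                      # after
}
Get-ADTrust -Server $old -Identity $new |
    Select-Object Target, ForestTransitive, SIDFilteringQuarantined, SIDFilteringForestAware

# ---- On New DC02 (target) as NewDomain\ADMTAdmin ----
$keyFile = 'C:\PES.pes'
# /keypassword:* prompts for the key password (assumed here); you type it again in the PES setup.
admt key /option:create "/sourcedomain:$old" "/keyfile:$keyFile" /keypassword:*
# Hand the key to the source DC over the admin share; the file protects every migrated password.
Copy-Item -Path $keyFile -Destination "\\DC03.$old\C$\PES.pes"

# ---- On Old DC03 (source) after "msiexec /i C:\pwdmig.msi" has completed ----
$pes = Get-Service -DisplayName 'Password Export Server*' -ErrorAction SilentlyContinue
if (-not $pes) { throw 'PES service not found - did the pwdmig.msi install finish?' }
Set-Service -Name $pes.Name -StartupType Automatic
Start-Service -Name $pes.Name
Get-Service -Name $pes.Name | Select-Object Name, DisplayName, Status, StartType
# The key is now inside the PES installation; remove the loose copies on both DCs.
Remove-Item -Path 'C:\PES.pes' -ErrorAction SilentlyContinue
```

After the migration, run the same netdom switch with the opposite value (/quarantine:yes or /enablesidhistory:no) and stop and disable the PES service; neither is needed once passwords have been migrated.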

Andy-7143 answered (edited)

ADMT – Agent Deployment Pre-Setting
Computer and security translations require the ADMT Agent to be installed on the computers in the Old Domain.

Disable the local firewall and set the services settings

1.Create GPO and link to actual OU
87213-1create-gpo.jpg

2.Name GPO (i.e disable local firewall)
87144-2new-gpo.jpg

3. Edit the GPO

87214-3edit-gpo.jpg

4. Navigate to

Computer Configuration >Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile

87184-4firewall.jpg

Computer Configuration > Policies > Windows Settings > Security Settings > System Services
88038-remote-registry.jpg
Make sure ADMT Admin is added to the security settings


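A pre-flight check for the agent deployment described above, added as an example (not code from the original post): run from the ADMT console host as NewDomain\ADMTAdmin, it tells you per source computer whether the things the GPO above is meant to fix are actually in place before the wizard tries to push the agent. Computer names are constructed for illustration; it assumes Windows PowerShell 5.1 and WinRM on the clients for the firewall column (the other columns work without it).

```powershell
# Added example, not from the original post: can the ADMT agent be pushed to these computers?
# Run on New DC02 as NewDomain\ADMTAdmin. Computer names below are constructed for illustration.
$computers = 'PC01.OldDomain.com', 'PC02.OldDomain.com'

function Test-AdmtAgentTarget {
    param([string] $Computer)
    $r = [ordered]@{ Computer = $Computer }
    $r.Ping   = Test-Connection -ComputerName $Computer -Count 1 -Quiet
    # The agent is copied through SMB and installed/started over RPC, so 445 and 135 must be open.
    $r.Smb445 = (Test-NetConnection -ComputerName $Computer -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
    $r.Rpc135 = (Test-NetConnection -ComputerName $Computer -Port 135 -WarningAction SilentlyContinue).TcpTestSucceeded
    # ADMIN$ is where the agent files land; reaching it proves the local-admin rights from the
    # GP-ADMT-Admins / Restricted Groups step are effective for this account.
    $r.AdminShare = Test-Path -Path "\\$Computer\ADMIN$"
    try {
        $svc = Get-Service -ComputerName $Computer -Name RemoteRegistry -ErrorAction Stop
        $r.RemoteRegistry = "$($svc.Status) / $($svc.StartType)"
    } catch { $r.RemoteRegistry = "unreachable: $($_.Exception.Message)" }
    try {
        $r.DomainFirewall = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            if ((Get-NetFirewallProfile -Name Domain).Enabled) { 'on' } else { 'off' }
        }
    } catch { $r.DomainFirewall = 'WinRM unreachable' }
    [pscustomobject]$r
}

$computers | ForEach-Object { Test-AdmtAgentTarget -Computer $_ } | Format-Table -AutoSize
```

A row that shows Ping = True but Smb445 = False or AdminShare = False points at the firewall GPO or the Restricted Groups GPO not having applied to that machine yet (gpupdate /force on the client, then re-run). If you would rather not switch the domain-profile firewall off entirely, the same agent push works with only the File and Printer Sharing and Remote Service Management rule groups enabled on the clients; that is this editor's suggestion, not what the post configures.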

Andy-7143 answered (edited)

ADMT – Migration
Log in as ADMT Admin on the DC in your NewDomain which has ADMT installed (i.e. DC03)
Make sure you follow this order for the migration:

1. Services Account Migration
2. Groups Migration
3. Users Migration
4. Computer Security Translation
5. Computer Migration

And I suggest you create a dedicated OU on your NewDomain (i.e. Migrated Items)
87753-new-ou.jpg



Service Account Migration

Replaces any service accounts on the Old Domain (OldDomain.com) machines with migrated service accounts from the New Domain (NewDomain.com).

1. Open ADMT on your New Domain (i.e. DC02)

87588-1admt.jpg


2.Choose Service Account Migration Wizard

87589-2service-account-migration-wizard.jpg

3.Migration

87668-3welcome.jpg
87686-4domain-selection.jpg
87703-4dc.jpg
87687-5update-information.jpg
87704-6computer-selection-option.jpg
87673-7add-computer.jpg
87688-9pre-check-and-agent.jpg
87669-10serviceaccount.jpg
87549-11done.jpg



Andy-7143 answered (edited)

Service Account Migration (User)
87715-12migrated-services-account.jpg


87716-13welcome.jpg


87698-14domain-selection.jpg
88039-4dc.jpg


87658-15user-selection.jpg


87717-16add-user.jpg


87718-17ou.jpg


87719-18password-options.jpg


87722-19account-transition.jpg
87723-20user-account.jpg


87761-21user-option.jpg


87724-22object-property-exclusion.jpg


87762-23conflict-management.jpg


87725-24service-account-information.jpg


87763-25finish.jpg


87675-26done.jpg


87726-27service.jpg


If everything runs OK you can see (on the machine in OldDomain) that the service account has been changed (i.e. newdomain\syncservice).



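Two checks for the wizard results above (the migration order in the previous post and the service account change this post ends with), added as an example that is not from the original post. Run on New DC02 as NewDomain\ADMTAdmin after a wizard has finished; the OU path, the account names it finds and the server name SRV01 are this example's assumptions, only the domain names and the "Migrated Items" OU come from the post. The service check reaches the source machine over WinRM (Get-CimInstance).

```powershell
# Added example, not from the original post: verify SID history on migrated objects and the
# service accounts on a source machine. Run on New DC02 as NewDomain\ADMTAdmin.
Import-Module ActiveDirectory
$old = 'OldDomain.com'
$new = 'NewDomain.com'
$targetOU   = 'OU=Migrated Items,DC=NewDomain,DC=com'   # the post's OU; DN is assumed
$oldNetbios = (Get-ADDomain -Server $old).NetBIOSName
$newNetbios = (Get-ADDomain -Server $new).NetBIOSName

# 1. Groups and users migrated with SID history: the source objectSid must appear in the
#    target object's sIDHistory, otherwise access to old-domain resources through the trust
#    (the reason SID filtering was disabled) will not work for that object.
function Test-AdmtSidHistory {
    Get-ADObject -Server $new -SearchBase $targetOU -Properties sIDHistory, sAMAccountName `
        -LDAPFilter '(|(objectClass=user)(objectClass=group))' | ForEach-Object {
        $obj  = $_
        $hist = @($obj.sIDHistory | ForEach-Object { $_.Value })
        $src  = Get-ADObject -Server $old -Properties objectSid `
                    -LDAPFilter "(sAMAccountName=$($obj.sAMAccountName))"
        [pscustomobject]@{
            Name       = $obj.sAMAccountName
            Class      = $obj.ObjectClass
            SidHistory = $hist -join ','
            SourceSid  = if ($src) { $src.objectSid.Value } else { '(not found in source)' }
            Match      = [bool]$src -and ($hist -contains $src.objectSid.Value)
        }
    }
}

# 2. After the Service Account Migration wizard, services on a source machine should run as
#    NEWDOMAIN\<account> (the post's newdomain\syncservice); anything still under OLDDOMAIN\
#    or user@OldDomain.com was not picked up by the wizard.
function Get-AdmtServiceAccountState {
    param([string] $Computer)
    Get-CimInstance -ClassName Win32_Service -ComputerName $Computer |
        Where-Object {
            $_.StartName -like "$oldNetbios\*" -or $_.StartName -like "*@$old" -or
            $_.StartName -like "$newNetbios\*" -or $_.StartName -like "*@$new"
        } |
        Select-Object @{ n = 'Computer'; e = { $Computer } }, Name, StartName, State, StartMode
}

Test-AdmtSidHistory | Format-Table -AutoSize
Get-AdmtServiceAccountState -Computer 'SRV01.OldDomain.com' | Format-Table -AutoSize   # assumed host
```

Every row of the first table should show Match = True before you move on to Computer Security Translation; a False row means that object was migrated without SID history (or the source object was renamed) and its access to old-domain resources will break once the old account is disabled.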