Migrating Workstations and Member Servers

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

Migrate the remaining workstations that you did not migrate during the user account migration process, along with member servers, in small batches of up to 100 computers. Workstation account and member server migration is a straightforward process. Workstations and member servers have their own Security Accounts Manager (SAM) account database. When you migrate a workstation between domains, the SAM database is migrated along with the computer. Accounts in the local SAM database (such as local groups) that are used to enable access to resources always move with the computer. Therefore, they do not have to be migrated.

If a workstation has managed service accounts installed and those accounts have been previously migrated, the Active Directory Migration Tool (ADMT) provides an option to reinstall the migrated managed service account on the migrated computer and update Service Control Manager. So that ADMT can perform this operation, the account performing the computer migration needs permissions to modify the security descriptor of the migrated managed service account.

Because the migration requires that workstations and member servers be restarted, it is important to schedule the migration for a time when the server is not servicing requests.

Note

Restart workstations immediately after you join them to the target domain, by selecting a low number (such as 1) for the RestartDelay parameter. Resources that are not restarted after migration are in an indeterminate state.

You can migrate workstations and member servers by using the Active Directory Migration Tool (ADMT) snap-in, the ADMT command-line option, or a script.

To migrate workstations and member servers by using the ADMT snap-in

  1. On the computer in the target domain on which you installed ADMT, log on by using the ADMT resource migration account.

  2. Use the Computer Account Migration Wizard by performing the steps in the following table.

    | Wizard page | Action |
    | --- | --- |
    | Domain Selection | Under Source, in the Domain drop-down list, type or select the NetBIOS or Domain Name System (DNS) name of the source domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller. Under Target, in the Domain drop-down list, type or select the NetBIOS or DNS name of the target domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller, and then click Next. |
    | Computer Selection | Click Select computers from domain, and then click Next. On the Computer Selection page, click Add to select the computers in the source domain that you want to migrate, click OK, and then click Next. Or: Click Read objects from an include file, and then click Next. Type the location of the include file, and then click Next. |
    | Managed Service Account Information (appears if the computer has a managed service account installed) | Select any managed service accounts that do not have to be installed on the migrated computer in the target domain, and then click Skip/Include to mark the accounts as Skip. |
    | Organizational Unit Selection | Click Browse. In the Browse for Container dialog box, locate the target domain Computers container or the appropriate organizational unit (OU), and then click OK. |
    | Security Translation Options | Select the Local groups check box. Select the User rights check box. |
    | Translate Objects | Click Add. |
    | Computer Options | In Minutes before computer restart after wizard completion, accept the default value of 5 minutes, or type a different value. |
    | Object Property Exclusion | To exclude certain object properties from the migration, select the Exclude specific object properties from migration check box, select the object properties that you want to exclude and move them to Excluded Properties, and then click Next. |
    | Conflict Management | Click Do not migrate source object if a conflict is detected in the target domain. |
    | ADMT Agent Dialog | Select Run pre-check and agent operation, and then click Start. |

  3. Review the results that are displayed on the screen for any errors. After the wizard completes, click View Migration Log to see the list of computers, completion status, and the path to the log file for each computer. If an error is reported for a computer, you will have to refer to the log file on that computer to review any problems with local groups. The log file for each computer is named MigrationTaskID.log, and it is stored in the Windows\ADMT\Logs\Agents folder.

  4. Open Active Directory Users and Computers, and verify that the workstations exist in the appropriate OU in the target domain.

To migrate workstations and member servers by using the ADMT command-line option

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT resource migration account.

  2. At the command line, type the ADMT Computer command with the appropriate parameters, and then press ENTER:

    ADMT COMPUTER /N "<computer_name1>" "<computer_name2>" /SD:"<source_domain>" /TD:"<target_domain>" /TO:"<target_OU>" [/M:"<managed service account name 1>" "<managed service account name 2>"] [/UALLMSA:Yes] /RDL:5

    As an alternative, you can include parameters in an option file that is specified at the command line, as follows:

    ADMT COMPUTER /N "<computer_name1>" "<computer_name2>" /O:"<option_file>.txt"

    The following table lists the common parameters that are used for workstation migration, along with the command-line parameter and option file equivalents.

    | Parameters | Command-line syntax | Option file syntax |
    | --- | --- | --- |
    | <Source domain> | /SD:"source_domain" | SourceDomain="source_domain" |
    | <Source OU> location | /SO:"source_OU" | SourceOU="source_OU" |
    | <Target domain> | /TD:"target_domain" | TargetDomain="target_domain" |
    | Update managed service accounts | /UALLMSA:YES | UpdateAllManagedServiceAccounts=Yes |
    | Update specific managed service accounts (Note: The /M parameter takes precedence over the /UALLMSA parameter.) | /M:"name 1" "name 2"… | UPDATEMSANAME="name 1" "name 2"… |
    | <Target OU> location | /TO:"target_OU" | TargetOU="target_OU" |
    | Restart delay (minutes) | /RDL:5 | RestartDelay=5 |
    | Security translation option | /TOT:ADD | TranslationOption=ADD |
    | Translate user rights | /TUR:YES | TranslateUserRights=YES |
    | Translate local groups | /TLG:YES | TranslateLocalGroups=YES |

  3. Review the results that appear on the screen for any errors. The migration log lists computers, completion status, and the path to the log file for each computer. If an error is reported for a computer, you will have to refer to the log file for that computer to review any problems with local groups. The log file for each computer is named MigrationTaskID.log, and it is stored in the Windows\ADMT\Logs\Agents folder.

  4. Open Active Directory Users and Computers, and locate the target OU. Verify that the workstations exist in the target OU.
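
The following PowerShell is an added example, not part of the original procedure. It splits a computer list into batches of up to 100, runs ADMT COMPUTER with the parameters from the table above, and after each batch reports any computer that is not found under the target OU. The domain names, the OU distinguished name, and the computers.txt path are placeholders; it assumes ADMT.exe can be resolved from the current session and that the ActiveDirectory module is installed.

```powershell
# Added example. All names below are placeholders, not values from the page.
Import-Module ActiveDirectory              # provides Get-ADComputer

$SourceDomain = 'source.example'
$TargetDomain = 'target.example'
$TargetOU     = 'Computers'                             # value passed to /TO
$TargetOUDN   = 'CN=Computers,DC=target,DC=example'     # same container as a DN
$Computers    = Get-Content '.\computers.txt' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ }

function Split-Batch {
    # Yield the list in chunks of at most $Size names (100 per the guidance).
    param([string[]]$Names, [int]$Size = 100)
    for ($i = 0; $i -lt $Names.Count; $i += $Size) {
        $end = [Math]::Min($i + $Size, $Names.Count) - 1
        , @($Names[$i..$end])              # unary comma keeps a batch as one array
    }
}

function Get-AdmtComputerArgs {
    # Build the ADMT COMPUTER argument list from the documented parameters.
    # RestartDelay defaults to 1 so that computers restart promptly after the join.
    param([string[]]$Batch, [int]$RestartDelay = 1)
    @('COMPUTER', '/N') + $Batch + @(
        "/SD:$SourceDomain", "/TD:$TargetDomain", "/TO:$TargetOU",
        "/RDL:$RestartDelay", '/TOT:ADD', '/TUR:YES', '/TLG:YES')
}

function Get-MissingInTarget {
    # Return the names from the batch that have no computer object in the target OU.
    param([string[]]$Batch)
    $found = Get-ADComputer -Filter * -Server $TargetDomain -SearchBase $TargetOUDN |
             ForEach-Object { $_.Name }
    $Batch | Where-Object { $found -notcontains $_ }
}

foreach ($batch in Split-Batch -Names $Computers) {
    $admtArgs = Get-AdmtComputerArgs -Batch $batch
    & ADMT @admtArgs                       # run from the ADMT resource migration account
    $missing = @(Get-MissingInTarget -Batch $batch)
    if ($missing.Count -gt 0) {
        Write-Warning ("Not found in target OU: " + ($missing -join ', '))
        break                              # review the agent logs before the next batch
    }
}
```

When the loop stops on a warning, review the MigrationTaskID.log files in Windows\ADMT\Logs\Agents for the listed computers before you resume with the remaining batches.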

To migrate workstations and member servers by using a script

  • Prepare a script that incorporates ADMT commands and options for migrating workstations and member servers by using the following sample script. Copy the script to Notepad, and save the file with a .wsf file name extension in the same folder as the AdmtConstants.vbs file.

    <Job id="MigratingWorkstationsMemberServersBetweenForests" >
    <Script language="VBScript"  src="AdmtConstants.vbs" />
    <Script language="VBScript" >
       Option Explicit
    
       Dim objMigration
       Dim objComputerMigration
    
       '
       'Create instance of ADMT migration objects.
       '
    
       Set objMigration = CreateObject("ADMT.Migration" )
       Set objComputerMigration = objMigration.CreateComputerMigration
    
       '
       'Specify general migration options.
       '
    
       objMigration.SourceDomain = "source domain" 
       objMigration.SourceOu = "Computers" 
       objMigration.TargetDomain = "target domain" 
       objMigration.TargetOu = "Computers" 
    
       '
       'Specify computer migration specific options.
       '
    
       objComputerMigration.RestartDelay = 1
       objComputerMigration.TranslationOption = admtTranslateAdd
       objComputerMigration.TranslateLocalGroups = True
       objComputerMigration.TranslateUserRights = True
       objComputerMigration.UpdateAllManagedServiceAccounts = True
    
    
       '
       'Migrate the specified computer objects.
       '
    
       objComputerMigration.Migrate admtData, _
          Array("computer name1", "computer name2")
    
       Set objComputerMigration = Nothing
       Set objMigration = Nothing
    </Script>
    </Job>