Migrate Universal Groups

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

Migrate universal groups, without migrating users who are members of these groups at the same time, from the source domain to the target domain. Migrating universal groups without the users helps to protect against the problem of open sets. The security identifier (SID) history allows group members to continue to have access to resources based on universal group membership. When you migrate universal groups to the target domain, they cease to exist in the source domain.

Note

If you are migrating a small number of universal groups, you can migrate universal groups at the same time that you migrate global groups.

You can migrate universal groups by using the Active Directory Migration Tool (ADMT) snap-in, the ADMT command-line option, or a script.

To migrate universal groups by using the ADMT snap-in

  • On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  • Use the Group Account Migration Wizard by performing the steps in the following table.

    Wizard page Action

    Domain Selection

    Under Source, in the Domain drop-down list, type or select the NetBIOS or Domain Name System (DNS) name of the source domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller.

    When you perform an intraforest migration, the domain controller that holds the relative ID (RID) operations master (also known as flexible single master operations or FSMO) role is always used as the source domain controller, regardless of your selection.

    Under Target, in the Domain drop-down list, type or select the NetBIOS or DNS name of the target domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller, and then click Next.

    Group Selection Option

    Click Select groups from domain, and then click Next. On the Group Selection page, click Add to select the groups in the source domain that you want to migrate, click OK, and then click Next.

    Or

    Click Read objects from an include file, and then click Next. Type the location of the include file, and then click Next.

    Organizational Unit Selection

    Type the name of the organizational unit (OU), or click Browse.

    In the Browse for Container dialog box, find the container in the target domain that you want to move the universal groups into, and then click OK.

    Group Options

    The Migrate Group SIDs to target domain and Fix Group Membership check boxes are selected and appear dimmed.

    Ensure that no other options are selected.

    Conflict Management

    Select Do not migrate source object if a conflict is detected in the target domain.

To migrate universal groups by using the ADMT command-line option

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

Note

When you start a group migration with sIDHistory migration from the command line, the command must be run on a domain controller in the target domain.

  2. At a command line, type the ADMT Group command with the appropriate parameters, and then press ENTER:

    ADMT GROUP /N "<group_name1>" "<group_name2>" /IF:YES /SD:"<source_domain>" /TD:"<target_domain>" /TO:"<target_OU>"

    As an alternative, you can include parameters in an option file that is specified at the command line as follows:

    ADMT GROUP /N "<group_name1>" "<group_name2>" /O:"<option_file>.txt"

    The following table lists the parameters that are required for migrating universal groups, the command-line parameters, and option file equivalents. For a complete list of all available parameters, see ADMT v3.1 Help.

    Parameters              Command-line syntax     Option file syntax
    Intra-forest            /IF:YES                 IntraForest=YES
    <Target domain>         /TD:"target_domain"     TargetDomain="target_domain"
    <Target OU> location    /TO:"target_OU"         TargetOU="target_OU"
    Conflict management     /CO:IGNORE (default)    ConflictOptions=IGNORE

  3. Review the results that are displayed on the screen for any errors.

  4. Open Active Directory Users and Computers, and then locate the target domain OU. Verify that the universal groups exist in the target domain OU.
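The final verification step can be scripted rather than done by hand in Active Directory Users and Computers. The following PowerShell script is an added example; it is not part of the ADMT documentation and not ADMT's own code. It assumes the ActiveDirectory PowerShell module is available, and the domain names, OU path and group names are placeholders to replace with your own values. For each group it checks the three things this procedure relies on: the group now lives under the target OU, it carries a sIDHistory entry (which is what keeps resource access working for its members), and it no longer exists in the source domain, as the intraforest move implies.

```powershell
# Added post-migration check for universal groups moved with ADMT.
# Not part of the ADMT documentation or of ADMT itself.
# Assumes the ActiveDirectory module is present on the machine running it.
Import-Module ActiveDirectory

# Placeholders: substitute the values used with /SD, /TD, /TO and /N.
$SourceDomain = 'source.example.com'
$TargetDomain = 'target.example.com'
$TargetOu     = 'OU=Migrated Groups,DC=target,DC=example,DC=com'
$GroupNames   = @('group_name1', 'group_name2')

function Test-MigratedUniversalGroup {
    param([Parameter(Mandatory)][string]$Name)

    $result = [ordered]@{
        Group          = $Name
        InTargetOu     = $false
        IsUniversal    = $false
        HasSidHistory  = $false
        GoneFromSource = $false
    }

    # 1. The group must exist in the target domain, under the OU given to ADMT /TO.
    #    -Identity accepts the sAMAccountName, so no LDAP filter string is built from input.
    $target = Get-ADGroup -Server $TargetDomain -Identity $Name `
                -Properties sIDHistory -ErrorAction SilentlyContinue
    if ($target) {
        $result.InTargetOu    = ($target.DistinguishedName -like "*,$TargetOu")
        $result.IsUniversal   = ($target.GroupScope -eq 'Universal')
        # 2. sIDHistory holds the SID from the source domain; an empty value means
        #    members will lose access that was granted to the old group SID.
        $result.HasSidHistory = ($target.sIDHistory.Count -gt 0)
    }

    # 3. In an intraforest migration the group ceases to exist in the source domain.
    $source = Get-ADGroup -Server $SourceDomain -Identity $Name -ErrorAction SilentlyContinue
    $result.GoneFromSource = ($null -eq $source)

    [pscustomobject]$result
}

$GroupNames | ForEach-Object { Test-MigratedUniversalGroup -Name $_ } | Format-Table -AutoSize
```

Any row showing a $false value is a group to investigate before the source domain's access control entries are cleaned up; a missing sIDHistory in particular means the move completed without the history that this procedure depends on.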

To migrate universal groups by using a script

  • Use the following sample to prepare a script that incorporates ADMT commands and options for migrating groups within a forest. Copy the script to Notepad, and save the file with a .wsf file name extension in the same folder as the AdmtConstants.vbs file.

Note

When you start a group migration with sIDHistory migration from a script, you must run the script on a domain controller in the target domain.

    <Job id="MigratingGroupsWithinForest">
    <Script language="VBScript" src="AdmtConstants.vbs" />
    <Script language="VBScript">
       Option Explicit

       Dim objMigration
       Dim objGroupMigration

       '
       'Create instance of ADMT migration objects.
       '

       Set objMigration = CreateObject("ADMT.Migration")
       Set objGroupMigration = objMigration.CreateGroupMigration

       '
       'Specify general migration options.
       '

       objMigration.IntraForest = True
       objMigration.SourceDomain = "source domain"
       objMigration.SourceOu = "source container"
       objMigration.TargetDomain = "target domain"
       objMigration.TargetOu = "target container"

       '
       'Migrate specified group objects.
       '

       objGroupMigration.Migrate admtData, Array("group name1", "group name2")

       Set objGroupMigration = Nothing
       Set objMigration = Nothing
    </Script>
    </Job>