Transitioning Service Accounts in Your Migration

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

Begin the process of migrating objects by migrating service accounts that run as domain user accounts. For information about identifying service accounts for migration, see Transitioning Service Accounts in Your Migration. This topic does not apply to standalone managed service accounts. Standalone managed service accounts can be migrated using the Managed Service Account Migration Wizard and the Computer Migration Wizard. Group managed service accounts cannot be migrated.

To transition service accounts, use the Active Directory Migration Tool (ADMT) to complete the following tasks:

  • Migrate the service accounts from the source domain to the target domain.

  • Modify the services on each server in the source domain so that the services use the service account in the target domain instead of in the source domain.

You can transition service accounts by using the ADMT snap-in, the ADMT command-line option, or a script.

To transition service accounts by using the ADMT snap-in

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. In the ADMT snap-in, click Action, and then click User Account Migration Wizard.

  3. Complete the User Account Migration Wizard by using the information in the following table.

    Wizard page: Domain Selection
    Action: Under Source, in the Domain drop-down list, type or select the NetBIOS or Domain Name System (DNS) name of the source domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller.
            Under Target, in the Domain drop-down list, type or select the NetBIOS or DNS name of the target domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller, and then click Next.

    Wizard page: User Selection
    Action: Click Select users from domain, and then click Next. On the User Selection page, click Add to select the accounts in the source domain that you want to migrate, click OK, and then click Next.
            Or
            Click Read objects from an include file, and then click Next. Type the location of the include file, and then click Next.

    Wizard page: Organizational Unit Selection
    Action: Click Browse. In Browse for Container, locate the source domain, select the container for the service accounts, and then click OK.

    Wizard page: Password Options
    Action: Click Generate complex passwords.
            Note: When you transition service accounts by using the User Account Migration Wizard, a complex password is generated automatically, regardless of the option that is selected on this wizard page. Even if Do not update passwords for existing users is selected, a complex password is generated.

    Wizard page: Account Transition Options
    Action: Click Enable target accounts. Select the Migrate user SIDs to target domains check box.

    Wizard page: User Account
    Action: Type the user name, password, and domain of a user account that has administrative credentials.

    Wizard page: User Options
    Action: Select the Update user rights check box. Ensure that no other settings are selected, including Migrate associated user groups.

    Wizard page: Conflict Management
    Action: Click Do not migrate source object if a conflict is detected in the target domain.

    Wizard page: Service Account Information
    Action: Click Migrate all service accounts and update SCM for items marked include. If you are also migrating other user accounts that are not service accounts, this wizard page tells you that you have selected some accounts that are marked as service accounts in the ADMT database. By default, the accounts are marked as Include. To change the status of an account, select the account, and then click Skip/Include.
            Click Next to migrate the accounts.

  4. When the wizard has finished running, click View Log, and review the migration log for any errors.

  5. Start Active Directory Users and Computers, navigate to the organizational unit (OU) that you created for service accounts, and then verify that the service accounts exist in the target domain OU.

  6. Confirm that each application for which the service account was relocated continues to function correctly.
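The last two steps are manual checks. The following PowerShell script is an added example (not part of the ADMT documentation or the tool itself) that performs the same verification from the target domain: it confirms each migrated account exists and is enabled under the target OU, and then queries the Service Control Manager on each source-domain server to report services whose logon account was not updated and still refers to the source domain. The domain names, OU path, server names and account names are assumed placeholders.

```powershell
# Added example, not from the ADMT documentation. Verifies a service account
# transition after the User Account Migration Wizard has run.
# All parameter defaults below are assumed placeholder values.
param(
    [string]   $SourceNetBios = 'SOURCE',                                    # assumed source domain NetBIOS name
    [string]   $TargetNetBios = 'TARGET',                                    # assumed target domain NetBIOS name
    [string]   $TargetOU      = 'OU=Service Accounts,DC=target,DC=example',  # assumed target OU for service accounts
    [string[]] $Servers       = @('APPSRV01', 'APPSRV02'),                   # assumed source-domain servers running the services
    [string[]] $Accounts      = @('svc-backup', 'svc-sql')                   # assumed service account sAMAccountNames
)

Import-Module ActiveDirectory

# (a) Each migrated account should be present, and enabled, in the target OU
#     (the wizard was run with "Enable target accounts").
foreach ($name in $Accounts) {
    $user = Get-ADUser -Filter "SamAccountName -eq '$name'" -SearchBase $TargetOU -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "$name was not found under $TargetOU"
    }
    elseif (-not $user.Enabled) {
        Write-Warning "$name exists under $TargetOU but is disabled"
    }
    else {
        Write-Output "OK  $name is present and enabled in the target domain"
    }
}

# (b) Services still configured with a SOURCE\ logon account were not updated
#     in the SCM and will break once the source account is disabled or removed.
foreach ($server in $Servers) {
    $services = Get-CimInstance -ClassName Win32_Service -ComputerName $server |
        Where-Object { $_.StartName -like "$SourceNetBios\*" -or $_.StartName -like "$TargetNetBios\*" }

    foreach ($svc in $services) {
        $scmEntry = if ($svc.StartName -like "$SourceNetBios\*") { 'NOT UPDATED' } else { 'updated' }
        [pscustomobject]@{
            Server       = $server
            Service      = $svc.Name
            LogonAccount = $svc.StartName
            State        = $svc.State
            ScmEntry     = $scmEntry
        }
    }
}
```

Run the script with an account that can read the target OU and query WMI/CIM on the source servers (it uses WinRM for the remote Win32_Service query). Any row reporting NOT UPDATED, or a service that is stopped while its peers are running, points at an application to re-check before the source accounts are retired.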

To transition service accounts by using the ADMT command-line option

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. At the command line, type the following command, and then press ENTER:

    ADMT USER /N "<server_name1>" "<server_name2>" /SD:"<source_domain>" /TD:"<target_domain>" /TO:"<target_OU>" /MSS:YES

    where server_name1 and server_name2 are the names of servers in the source domain that run service accounts. As an alternative, you can include the parameters in an option file that is specified at the command line, as follows:

    ADMT USER /N "<server_name1>" "<server_name2>" /O:"<option_file>.txt"

    The following table lists the common parameters that are used for transitioning service accounts, along with the command-line parameter and option file equivalents.

    Parameter                 Command-line syntax          Option file syntax
    ------------------------  ---------------------------  ------------------------------------
    <Source domain>           /SD:"source_domain"          SourceDomain="source_domain"
    <Target domain>           /TD:"target_domain"          TargetDomain="target_domain"
    <Target OU> location      /TO:"target_OU"              TargetOU="target_OU"
    Disable accounts          /DOT:ENABLETARGET (default)  DisableOption=ENABLETARGET (default)
    Migrate password          /PO:COMPLEX (default)        PasswordOption=COMPLEX
    Migrate user SIDs = YES   /MSS:YES                     MigrateSIDs=YES
    Update user rights = YES  /UUR:YES                     UpdateUserRights=YES
    Conflict management       /CO:IGNORE (default)         ConflictOptions=IGNORE (default)

  3. Review the results that appear on the screen for any errors.

  4. Open Active Directory Users and Computers and locate the target service account OU. Verify that the service accounts exist in the target domain OU.
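As an added example (not from the ADMT documentation), the PowerShell script below assembles an option file from the parameter table above and then runs the ADMT USER task with it, so that the settings are recorded in a file you can review and keep rather than retyped on the command line. The domain names, OU, server names and file path are assumed placeholders; the [Migration] and [User] section headings are the option file layout as I understand it for ADMT 3.2 and should be checked against the ADMT command-line reference for your version.

```powershell
# Added example, not from the ADMT documentation. Writes an ADMT option file
# with the settings from the parameter table and runs the USER task with it.
# Every value below is an assumed placeholder; the section names are assumed
# from the ADMT option file layout and should be verified for your version.
$SourceDomain = 'source.example'                             # assumed source domain (DNS name)
$TargetDomain = 'target.example'                             # assumed target domain (DNS name)
$TargetOU     = 'OU=Service Accounts,DC=target,DC=example'   # assumed target OU for service accounts
$ServerNames  = @('APPSRV01', 'APPSRV02')                    # assumed source-domain servers running the services
$OptionFile   = Join-Path $env:TEMP 'svc-transition.txt'     # assumed option file location

# Option file contents: one key per row of the parameter table.
# Defaults (ENABLETARGET, COMPLEX, IGNORE) are written explicitly so the
# file documents exactly what the run used.
@"
[Migration]
SourceDomain="$SourceDomain"
TargetDomain="$TargetDomain"
TargetOU="$TargetOU"
ConflictOptions=IGNORE

[User]
DisableOption=ENABLETARGET
PasswordOption=COMPLEX
MigrateSIDs=YES
UpdateUserRights=YES
"@ | Set-Content -Path $OptionFile -Encoding ASCII

Write-Output "Option file written to $OptionFile"
Get-Content -Path $OptionFile

# Equivalent of: ADMT USER /N "<server_name1>" "<server_name2>" /O:"<option_file>.txt"
# Passing an array to the call operator quotes each server name for you.
$admtArgs = @('USER', '/N') + $ServerNames + @("/O:$OptionFile")
& ADMT @admtArgs

# Native executables report failure through $LASTEXITCODE; a non-zero value
# means the on-screen results and the migration log need to be reviewed.
if ($LASTEXITCODE -ne 0) {
    Write-Warning "ADMT exited with code $LASTEXITCODE; review the migration log before continuing"
}
```

Run this from the target-domain computer on which ADMT is installed, logged on with the ADMT account migration account, so that ADMT can resolve both domains and write to the target OU. Keep the generated option file with the migration records: it is the authoritative statement of which options (SID history, user rights, conflict handling) were applied to these accounts.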

To transition service accounts by using a script

  • Prepare a script that incorporates ADMT commands and options for transitioning service accounts by using the following sample script. Copy the script to Notepad, and save the file with a .wsf file name extension in the same folder as the AdmtConstants.vbs file.

    <Job id="TransitioningServiceAccountsBetweenForests">
    <Script language="VBScript" src="AdmtConstants.vbs" />
    <Script language="VBScript">
       Option Explicit

       Dim objMigration
       Dim objUserMigration

       '
       'Create instance of ADMT migration objects.
       '

       Set objMigration = CreateObject("ADMT.Migration")
       Set objUserMigration = objMigration.CreateUserMigration

       '
       'Specify general migration options.
       '

       objMigration.SourceDomain = "source domain"
       objMigration.SourceOu = "source container"
       objMigration.TargetDomain = "target domain"
       objMigration.TargetOu = "target container"
       objMigration.ConflictOptions = admtIgnoreConflicting

       '
       'Specify user migration specific options.
       '

       objUserMigration.MigrateSIDs = True
       objUserMigration.UpdateUserRights = True
       objUserMigration.MigrateServiceAccounts = True

       '
       'Migrate the specified service accounts by name (admtData comes from AdmtConstants.vbs).
       '

       objUserMigration.Migrate admtData, _
          Array("service account name1", "service account name2")

       Set objUserMigration = Nothing
       Set objMigration = Nothing
    </Script>
    </Job>