Best Practices for Performing User and Group Account Migrations
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)
Perform regular backups of domain controllers in both the source and target domains throughout the course of the migrations. If you are migrating computers that contain file shares to perform security translation, we recommend that you also back up those computers throughout migrations.
We recommend that you migrate users in batches. A batch size of 100 users helps to keep the migration process manageable.
Always administer changes to user accounts and group accounts in the source domain during the migration process.
Use the Migrate and merge conflicting objects option on the Conflict Management page of the User Account Migration Wizard and the Group Account Migration Wizard to remigrate users and groups as often as necessary throughout the migration. Administering changes in the source domain and then using the Migrate and merge conflicting objects option during migration ensures that all changes that are made to an object in the source domain are reflected after it has been migrated to the target domain.
To maintain access to resources, ensure that group membership adheres to the following guidelines:
Use global groups to group users.
Use local groups to protect resources.
Place global groups into local groups to grant members of the global groups access to a resource.
Adhere to the guidelines in the following table when you translate user profiles.
Profile type Translation guidelines
Select the Translate roaming profiles option on the User Options page in the User Account Migration Wizard. Then, translate local user profiles for a batch of users immediately after you migrate those users.
Translate local profiles as a separate step from the user account migration process. Select the User profiles option on the Translate Objects page of the Security Translation Wizard. Translate local user profiles for a batch of users immediately after you migrate those users.
Users lose their existing profiles when their user accounts are migrated.
It is important to verify that local profile translation has succeeded before users attempt to log on to the target domain. If users log on to the target domain by using their new target accounts and their profiles have not translated successfully, those users must be migrated again from the source domain to the target domain. For more information about the steps to follow if local profile translation fails, see Troubleshooting Security Translation Issues.