windows-nt/Source/XPSP1/NT/admin/admt/documents/help-ms/admtintraforestresmig.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN"
                      "http://www.w3.org/TR/REC-html40/strict.dtd">
<HTML DIR="LTR">					  
<HEAD>
<TITLE>Perform an intraforest resource domain migration</TITLE>
<LINK REL="stylesheet" MEDIA="screen" TYPE="text/css" HREF="coUA.css">
<LINK REL="stylesheet" MEDIA="print" TYPE="text/css" HREF="coUAprint.css">  
<SCRIPT LANGUAGE="JScript" SRC="shared.js"></SCRIPT>
<META HTTP-EQUIV="Content-Type" CONTENT="text-html;charset=Windows-1252">
<META HTTP-EQUIV="PICS-Label" CONTENT='(PICS-1.1 "<http://www.rsac.org/ratingsv01.html>" l comment "RSACi North America Server" by "inet@microsoft.com <mailto:inet@microsoft.com>" r (n 0 s 0 v 0 l 0))'>
<META NAME="MS.LOCALE" CONTENT="EN-US">
<META NAME="MS-IT-LOC" Content="Active Directory Migration Tool">
<META NAME="MS-HAID" CONTENT="a_ADMTIntraforestResMig"> 
</HEAD>
<BODY>


<P CLASS="procLabel">To perform an intraforest resource domain migration</P>
<OL>
<LI>Identify service accounts not running under local system authority using the Service Account Migration Wizard. </LI>
	<P><A ID="expand" HREF="#" CLASS="expandToggle">More information</A></P>
	<DIV CLASS="expand">
	<UL>

	<LI>Active Directory Migration Tool cannot determine if a particular user account is used by one or more services. If any user accounts in the source domain are used to allow services to log on, you must run the Service Account Migration Wizard and select any servers that are running service accounts. Then, the Active Directory Migration Tool can build a list of the service accounts to be migrated before you run the User Migration Wizard. If the Password never expires property is set for a user account, the User Migration Wizard clears the <B>Password never expires</B> unless you have used the Service Account Migration Wizard first.</LI>

	<LI>Many applications, including Exchange Server 5.5, use service account mappings that Active Directory Migration Tool cannot change. These service accounts usually require configuration through registry settings or from within the application itself. You must manually update these accounts after the <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=DomainMigration">domain migration</A> is complete.</LI>

	<LI>When asked for user account credentials, use credentials with Administrator rights on the specific computer that is using the service accounts.</LI>

	
	</UL></DIV>

<LI>Migrate workstations and member servers using the Computer Migration Wizard.</LI>
	<P><A ID="expand" HREF="#" CLASS="expandToggle">More information</A></P>
	<DIV CLASS="expand">
	<UL>
	<LI>The Computer Migration Wizard dispatches an <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=Agent">agent</A> to each computer being migrated. The agent restarts each computer after the computer joins the target domain. Verify that the default startup menu option on the migrated computers is the migrated Windows&nbsp;2000 installation.</LI>
	<LI>On the <B>Translate Objects</B> wizard page, ensure that no options are selected. Security translation during computer migration works only for accounts from the migrated computer's domain. If the access control lists (ACLs) contain security IDs (SIDs) from another domain, they will need to be translated later with the Security Translation Wizard.</LI>
	</UL></DIV>

<LI>Migrate service accounts using the User Migration Wizard.</LI>
	<P><A ID="expand" HREF="#" CLASS="expandToggle">More information</A></P>
	<DIV CLASS="expand">	
	<UL>
	
	<LI>Service accounts are user accounts used to run services on servers with a set of credentials other than local system authority. These accounts may exist both in a master <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=AccountDomain">account domain</A> and in the same <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=ResourceDomain">resource domain</A> as the server. If the service account is in an account domain, this procedure would be completed by selecting the account domain as the source domain.</LI>
	<LI>Active Directory Migration Tool cannot determine if a particular user account is used by one or more services. If any user accounts in the source domain are used to allow services to log on, you must run the Service Account Migration Wizard and select any servers that are running service accounts. Then, the Active Directory Migration Tool can build a list of the service accounts to be migrated before you run the User Migration Wizard. If the Password never expires property is set for a user account, the User Migration Wizard clears the <B>Password never expires</B> unless you have used the Service Account Migration Wizard first.</LI>

	</UL></DIV>

<LI>Migrate domain local groups using the Group Migration Wizard.</LI>
	<P><A ID="expand" HREF="#" CLASS="expandToggle">More information</A></P>
	<DIV CLASS="expand">	
	<UL>

	<LI>On the <B>Group Options</B> wizard page, ensure that <B>Do not rename accounts</B> is the only option selected.</LI>

	</UL></DIV>

<LI>Do one of the following: 

<UL><LI>If you plan to migrate account domains as part of the same migration process, see <A HREF="admtintraforestacctmig.htm">Perform an intraforest account domain migration</A>.</LI>

<LI>Manually migrate a domain controller from the resource domain and decommission the domain.</LI>.
</UL>
</LI>
	<P><A ID="expand" HREF="#" CLASS="expandToggle">More information</A></P>
	<DIV CLASS="expand">	
	<UL>
	<LI>Use the Active Directory Installation Wizard to demote the domain controllers in the resource domain. For more information about the Active Directory Installation Wizard, see Windows&nbsp;2000 Server Help.</LI>

	<LI>When demoting the last domain controller in the source domain, select the <B>This server is the last domain controller in the domain</B> check box on the <B>Remove Active Directory</B> wizard page of the Active Directory Installation Wizard.</LI>

	<LI>Once a domain controller has been demoted, it can join the target domain or be promoted to domain controller in the target domain.</LI>

	</UL></DIV>
</OL>

<P class="important">Important</P>
	<UL>
<LI> When performing an <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=IntraforestMigration"> intraforest migration</A>, first migrate <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=ResourceDomain">resource domains</A>, and then migrate <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=AccountDomain">account domains</A>.</LI>
<LI>Run the wizards in the order listed for best results.</LI> 
</UL>
<P CLASS="note">Notes</P>
<UL>
<LI>When running the Service Account Wizard or Computer Migration Wizard, you must be logged on to the <I>source domain</I> as an administrator or member of the Administrators group.</LI>

<LI>When running the User Migration Wizard, Group Migration Wizard, or Security Migration Wizard, you must be logged on to the <I>target domain</I> as an administrator or member of the Administrators group.</LI>

<LI>When migrating a user, group, or computer account that exists in both the source and <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=TargetDomain"> target domains</A>, if the account in the target domain already has a value for a particular property and the account in the source domain does not have a value for that property, the value of the property in the target domain will be preserved. It will not be overwritten by the null-value of the property in the source domain.</LI>

<LI>When migrating user accounts between Windows&nbsp;2000 domains, if the user has previously logged on to a particular computer, it is not necessary to migrate the user profile that is associated with the user account on that computer. Because each user account has a GUID that is unique within the forest, when the migrated account logs on to the computer in the new domain, Windows&nbsp;2000 notices that there is no profile associated with this user account. Using the GUID, it locates the original profile and automatically associates the original profile with the migrated user account. </LI>

<LI>When migrating users and groups between domains in the same forest, Active Directory Migration Tool must communicate with the Relative ID (RID) pool master in the target domain. To improve performance when migrating a large number of users or groups, you should install Active Directory Migration Tool on the RID pool master in the target domain. By default, this is the first domain controller installed in the domain. Use Active Directory Users and Computers or Ntdsutil.exe to locate the domain controller that holds the RID pool master role.</LI>

<LI>During the migration process, this tool truncates service account names that are more than 20 characters long.</LI>
</UL>

<P><A ID="relTopics" HREF="CHM=DomainMig.chm  META=a_admtchkbeforeusing; a_ADMTBestPractices; a_ADMTRunWizard; a_ADMTIntraforestResMig; a_admtbeforeintramig; a_admtunderstandtrust; a_TasksRetry; a_TasksUndoLast; a_ADMTOverview; a_ADMTUnderstandMigration; a_ADMTIntraforestMig; a_ConceptDomMigSecurityIssues; a_ConceptSecurityTranslationIssues; a_conceptmigratingusersgroup; a_ConceptMigratingComputers; a_ADMTUnderstandTrust; a_ADMTSystemReq; a_ADMTBeforeIntraMig">Related Topics</A></P>

</BODY>
</HTML>
Add source files 2020-09-26 03:20:57 -05:00			`<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN"`
			`"http://www.w3.org/TR/REC-html40/strict.dtd">`
			`<HTML DIR="LTR">`
			`<HEAD>`
			`<TITLE>Perform an intraforest resource domain migration</TITLE>`
			`<LINK REL="stylesheet" MEDIA="screen" TYPE="text/css" HREF="coUA.css">`
			`<LINK REL="stylesheet" MEDIA="print" TYPE="text/css" HREF="coUAprint.css">`
			`<SCRIPT LANGUAGE="JScript" SRC="shared.js"></SCRIPT>`
			`<META HTTP-EQUIV="Content-Type" CONTENT="text-html;charset=Windows-1252">`
			`<META HTTP-EQUIV="PICS-Label" CONTENT='(PICS-1.1 "<http://www.rsac.org/ratingsv01.html>" l comment "RSACi North America Server" by "inet@microsoft.com <mailto:inet@microsoft.com>" r (n 0 s 0 v 0 l 0))'>`
			`<META NAME="MS.LOCALE" CONTENT="EN-US">`
			`<META NAME="MS-IT-LOC" Content="Active Directory Migration Tool">`
			`<META NAME="MS-HAID" CONTENT="a_ADMTIntraforestResMig">`
			`</HEAD>`
			`<BODY>`



			`<P CLASS="procLabel">To perform an intraforest resource domain migration</P>`
			`<OL>`
			`<LI>Identify service accounts not running under local system authority using the Service Account Migration Wizard. </LI>`
			`<P><A ID="expand" HREF="#" CLASS="expandToggle">More information</A></P>`
			`<DIV CLASS="expand">`
			`<UL>`

			<LI>Active Directory Migration Tool cannot determine if a particular user account is used by one or more services. If any user accounts in the source domain are used to allow services to log on, you must run the Service Account Migration Wizard and select any servers that are running service accounts. Then, the Active Directory Migration Tool can build a list of the service accounts to be migrated before you run the User Migration Wizard. If the Password never expires property is set for a user account, the User Migration Wizard clears the <B>Password never expires</B> unless you have used the Service Account Migration Wizard first.</LI>

			`<LI>Many applications, including Exchange Server 5.5, use service account mappings that Active Directory Migration Tool cannot change. These service accounts usually require configuration through registry settings or from within the application itself. You must manually update these accounts after the <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=DomainMigration">domain migration</A> is complete.</LI>`

			`<LI>When asked for user account credentials, use credentials with Administrator rights on the specific computer that is using the service accounts.</LI>`



			`</UL></DIV>`

			`<LI>Migrate workstations and member servers using the Computer Migration Wizard.</LI>`
			`<P><A ID="expand" HREF="#" CLASS="expandToggle">More information</A></P>`
			`<DIV CLASS="expand">`
			`<UL>`
			`<LI>The Computer Migration Wizard dispatches an <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=Agent">agent</A> to each computer being migrated. The agent restarts each computer after the computer joins the target domain. Verify that the default startup menu option on the migrated computers is the migrated Windows 2000 installation.</LI>`
			`<LI>On the <B>Translate Objects</B> wizard page, ensure that no options are selected. Security translation during computer migration works only for accounts from the migrated computer's domain. If the access control lists (ACLs) contain security IDs (SIDs) from another domain, they will need to be translated later with the Security Translation Wizard.</LI>`
			`</UL></DIV>`

			`<LI>Migrate service accounts using the User Migration Wizard.</LI>`
			`<P><A ID="expand" HREF="#" CLASS="expandToggle">More information</A></P>`
			`<DIV CLASS="expand">`
			`<UL>`

			<LI>Service accounts are user accounts used to run services on servers with a set of credentials other than local system authority. These accounts may exist both in a master <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=AccountDomain">account domain</A> and in the same <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=ResourceDomain">resource domain</A> as the server. If the service account is in an account domain, this procedure would be completed by selecting the account domain as the source domain.</LI>
			<LI>Active Directory Migration Tool cannot determine if a particular user account is used by one or more services. If any user accounts in the source domain are used to allow services to log on, you must run the Service Account Migration Wizard and select any servers that are running service accounts. Then, the Active Directory Migration Tool can build a list of the service accounts to be migrated before you run the User Migration Wizard. If the Password never expires property is set for a user account, the User Migration Wizard clears the <B>Password never expires</B> unless you have used the Service Account Migration Wizard first.</LI>

			`</UL></DIV>`

			`<LI>Migrate domain local groups using the Group Migration Wizard.</LI>`
			`<P><A ID="expand" HREF="#" CLASS="expandToggle">More information</A></P>`
			`<DIV CLASS="expand">`
			`<UL>`

			`<LI>On the <B>Group Options</B> wizard page, ensure that <B>Do not rename accounts</B> is the only option selected.</LI>`

			`</UL></DIV>`

			`<LI>Do one of the following:`

			`<UL><LI>If you plan to migrate account domains as part of the same migration process, see <A HREF="admtintraforestacctmig.htm">Perform an intraforest account domain migration</A>.</LI>`

			`<LI>Manually migrate a domain controller from the resource domain and decommission the domain.</LI>.`
			`</UL>`
			`</LI>`
			`<P><A ID="expand" HREF="#" CLASS="expandToggle">More information</A></P>`
			`<DIV CLASS="expand">`
			`<UL>`
			`<LI>Use the Active Directory Installation Wizard to demote the domain controllers in the resource domain. For more information about the Active Directory Installation Wizard, see Windows 2000 Server Help.</LI>`

			`<LI>When demoting the last domain controller in the source domain, select the <B>This server is the last domain controller in the domain</B> check box on the <B>Remove Active Directory</B> wizard page of the Active Directory Installation Wizard.</LI>`

			`<LI>Once a domain controller has been demoted, it can join the target domain or be promoted to domain controller in the target domain.</LI>`

			`</UL></DIV>`
			`</OL>`

			`<P class="important">Important</P>`
			`<UL>`
			`<LI> When performing an <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=IntraforestMigration"> intraforest migration</A>, first migrate <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=ResourceDomain">resource domains</A>, and then migrate <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=AccountDomain">account domains</A>.</LI>`
			`<LI>Run the wizards in the order listed for best results.</LI>`
			`</UL>`
			`<P CLASS="note">Notes</P>`
			`<UL>`
			`<LI>When running the Service Account Wizard or Computer Migration Wizard, you must be logged on to the <I>source domain</I> as an administrator or member of the Administrators group.</LI>`

			`<LI>When running the User Migration Wizard, Group Migration Wizard, or Security Migration Wizard, you must be logged on to the <I>target domain</I> as an administrator or member of the Administrators group.</LI>`

			`<LI>When migrating a user, group, or computer account that exists in both the source and <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=TargetDomain"> target domains</A>, if the account in the target domain already has a value for a particular property and the account in the source domain does not have a value for that property, the value of the property in the target domain will be preserved. It will not be overwritten by the null-value of the property in the source domain.</LI>`

			<LI>When migrating user accounts between Windows 2000 domains, if the user has previously logged on to a particular computer, it is not necessary to migrate the user profile that is associated with the user account on that computer. Because each user account has a GUID that is unique within the forest, when the migrated account logs on to the computer in the new domain, Windows 2000 notices that there is no profile associated with this user account. Using the GUID, it locates the original profile and automatically associates the original profile with the migrated user account. </LI>

			<LI>When migrating users and groups between domains in the same forest, Active Directory Migration Tool must communicate with the Relative ID (RID) pool master in the target domain. To improve performance when migrating a large number of users or groups, you should install Active Directory Migration Tool on the RID pool master in the target domain. By default, this is the first domain controller installed in the domain. Use Active Directory Users and Computers or Ntdsutil.exe to locate the domain controller that holds the RID pool master role.</LI>

			`<LI>During the migration process, this tool truncates service account names that are more than 20 characters long.</LI>`
			`</UL>`

			`<P><A ID="relTopics" HREF="CHM=DomainMig.chm META=a_admtchkbeforeusing; a_ADMTBestPractices; a_ADMTRunWizard; a_ADMTIntraforestResMig; a_admtbeforeintramig; a_admtunderstandtrust; a_TasksRetry; a_TasksUndoLast; a_ADMTOverview; a_ADMTUnderstandMigration; a_ADMTIntraforestMig; a_ConceptDomMigSecurityIssues; a_ConceptSecurityTranslationIssues; a_conceptmigratingusersgroup; a_ConceptMigratingComputers; a_ADMTUnderstandTrust; a_ADMTSystemReq; a_ADMTBeforeIntraMig">Related Topics</A></P>`

			`</BODY>`
			`</HTML>`