Before performing an interforest migration
This topic lists the domain and security configurations necessary before you can use Active Directory Migration Tool to migrate users, groups, and computers between a Windows NT domain and a Windows 2000 domain, or between two Windows 2000 domains in different forests.
Source and target domain
Verify that your source and target domains are configured as described in the following list:
- The target domain is running Windows 2000 and is operating in native mode. This is required because the SID History attribute is only available in domains operating in native mode.
- The source domain is running either Windows NT 4.0 or Windows 2000. If it is running Windows NT 4.0, the primary domain controller must have Service Pack 4 or later installed.
- If the source domain is a Windows 2000 domain, it may operate in either mixed or native mode.
- The source domain must be in a different forest than the target domain or it must be a Windows NT 4.0 domain.
- A new local group, SourceDomainName$$$, must be created on the source domain. For example, if your source domain is named DomainA, you should create the local group DomainA$$$. This group must have no members. If the group is not present, Active Directory Migration Tool will create it when needed. If a global group or any other kind of group already exists with this name, the tool will not be able to create the new local group.
- Any mapped network drives and similar connections between the source domain controller and the target domain controller on which Active Directory Migration Tool is running must be disconnected before running the tool. Failure to do so may result in the failure of a migration operation due to a "credentials conflict" error.
- The primary domain controller (PDC), or PDC emulator, in the source domain must have the registry value TcpipClientSupport (REG_DWORD) set to 0x1 under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa key. If this value is not present, Active Directory Migration Tool will create it when needed. For details, see To create the TcpipClientSupport registry entry.
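The three source-domain items that are easy to get wrong (the SourceDomainName$$$ local group, the TcpipClientSupport registry value on the PDC, and leftover mapped connections to the source domain controller) can be checked from the computer that will run Active Directory Migration Tool before the tool is started. The script below is an added example, not part of this topic or of the tool itself. The domain name DomainA and the PDC name PDC-A are assumptions; the registry read uses the Remote Registry service rather than PowerShell remoting because a Windows NT 4.0 or Windows 2000 PDC has no remoting endpoint.

```powershell
# Added example: pre-flight checks for the source-domain requirements listed above.
# DomainA and PDC-A are assumed names for illustration, not values from the topic.
$SourceDomain = 'DomainA'   # NetBIOS name of the source domain
$SourcePdc    = 'PDC-A'     # PDC (Windows NT 4.0) or PDC emulator (Windows 2000) of the source domain

function Test-AdmtSourceGroup {
    # Verifies that <SourceDomain>$$$ exists on the source PDC as a LOCAL group with no members.
    param([string]$Domain, [string]$Pdc)
    $groupName = $Domain + '$$$'                      # single quotes: no interpolation of $$
    $group = [ADSI]("WinNT://$Pdc/$groupName,group")
    try {
        $null = $group.Name                           # ADSI binding is lazy; this forces it
    } catch {
        # Absent is acceptable: the tool creates the group when it needs it.
        return [pscustomobject]@{ Check = "$groupName exists"; Ok = $true; Detail = 'absent; ADMT will create it' }
    }
    # WinNT provider groupType values: 2 = global group, 4 = local group
    $isLocal = ([int]$group.groupType -eq 4)
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    [pscustomobject]@{
        Check  = "$groupName is an empty local group"
        Ok     = ($isLocal -and $members.Count -eq 0)
        Detail = "local=$isLocal; members=$($members -join ',')"
    }
}

function Test-AdmtTcpipClientSupport {
    # Reads HKLM\System\CurrentControlSet\Control\Lsa\TcpipClientSupport on the PDC through the
    # Remote Registry service. Absent is acceptable (the tool creates it); present but not 1 is not.
    param([string]$Pdc)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $Pdc)
    $lsa   = $hklm.OpenSubKey('System\CurrentControlSet\Control\Lsa')
    $value = $lsa.GetValue('TcpipClientSupport')      # $null when the value does not exist
    $hklm.Close()
    $detail = if ($null -eq $value) { 'absent; ADMT will create it' } else { "value=$value" }
    [pscustomobject]@{
        Check  = 'TcpipClientSupport is 1 (or absent) on the source PDC'
        Ok     = ($null -eq $value -or $value -eq 1)
        Detail = $detail
    }
}

function Test-AdmtNoMappedConnections {
    # Any existing connection from this computer to the source PDC can cause the
    # "credentials conflict" error described above, so list them via net use.
    param([string]$Pdc)
    $hits = @(net use | Select-String -SimpleMatch -Pattern "\\$Pdc\")
    [pscustomobject]@{
        Check  = "no mapped connections to \\$Pdc"
        Ok     = ($hits.Count -eq 0)
        Detail = ($hits | ForEach-Object { $_.Line.Trim() }) -join '; '
    }
}

$results = @(
    Test-AdmtSourceGroup -Domain $SourceDomain -Pdc $SourcePdc
    Test-AdmtTcpipClientSupport -Pdc $SourcePdc
    Test-AdmtNoMappedConnections -Pdc $SourcePdc
)
$results | Format-Table Check, Ok, Detail -AutoSize
if ($results.Ok -contains $false) {
    Write-Warning 'Resolve the items marked Ok=False before starting Active Directory Migration Tool.'
}
```

Run the script as the account you will use for the migration, on the computer that will run the tool, so that the mapped-connection check reflects the session the tool will actually inherit. A group that exists but has members, or exists as a global group, is reported as a failure because the tool cannot replace it.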
Security Requirements
You must meet the following security configuration requirements before running Active Directory Migration Tool.
The user account you log on with when you run Active Directory Migration Tool must have the following permissions:
- Domain Admin rights in the target domain
- Member of the Administrators group in the source domain
- Administrator rights on each computer you migrate
- Administrator rights on each computer on which you translate security
Gaining administrative access to the objects you intend to migrate can be accomplished in one of two ways:
- Create a temporary two-way trust between the target domain and the source domain. Creating a two-way trust allows you to run the tool while logged on as the administrator of the source domain, an account that already has administrative rights to the objects you will migrate from the source domain.
- Add an account to the local administrators group of every workstation and member server you intend to migrate and use that account to log on while you run the tool. This process can be automated through scripting and the use of Active Directory Service Interfaces (ADSI).
- Auditing for account management (success and failure events) must be enabled in the source and target domains. In Windows NT, account management is referred to as user and group management. For details, see To enable auditing in a Windows NT domain and To enable auditing in a Windows 2000 domain.
- Administrative shares must exist on the computer where Active Directory Migration Tool is running and any computer to which an agent must be dispatched.
- The source domain must trust the target domain to provide the security context necessary for Active Directory Migration Tool.
- Trusts from existing resource domains to the target domain must exist to support resource access for migrated users.
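The second of the two ways described above (adding an account to the local Administrators group of every workstation and member server, using ADSI) and the administrative-share requirement can be handled together per computer. The script below is an added example and is not part of this topic or of the tool. The target domain name DomainB, the account admt-svc, and the computer names are assumptions for illustration. Because the account lives in the target domain and the computers are still in the source domain, the script only works once the source domain trusts the target domain, as required above; the same function with the -Remove switch takes the temporary membership away again after the migration.

```powershell
# Added example: prepare each computer to be migrated by granting a dedicated migration account
# local Administrators membership through ADSI, and confirm the administrative share the agent needs.
# DomainB, admt-svc and the computer names are assumptions, not values from the topic.
$TargetDomain     = 'DomainB'
$MigrationAccount = 'admt-svc'                  # account you log on with while running the tool
$Computers        = @('WS-001', 'WS-002', 'FS-01')   # constructed list of workstations and member servers

function Set-AdmtLocalAdmin {
    param(
        [string[]]$ComputerName,
        [string]$Domain,
        [string]$Account,
        [switch]$Remove    # run with -Remove after the migration to revoke the temporary membership
    )
    $memberPath = "WinNT://$Domain/$Account,user"
    foreach ($computer in $ComputerName) {
        $result = [ordered]@{ Computer = $computer; Admin = $null; AdminShare = $null; Error = $null }
        try {
            $admins = [ADSI]"WinNT://$computer/Administrators,group"
            # Current members as ADsPaths without the trailing ",user"/",group" class suffix
            $members = @($admins.Invoke('Members') | ForEach-Object {
                ($_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -split ',')[0] })
            $isMember = $members -contains "WinNT://$Domain/$Account"

            if ($Remove -and $isMember)  { $admins.Remove($memberPath); $result.Admin = 'removed' }
            elseif ($Remove)             { $result.Admin = 'not a member' }
            elseif ($isMember)           { $result.Admin = 'already a member' }
            else                         { $admins.Add($memberPath);    $result.Admin = 'added' }

            # The agent is dispatched over the administrative share, so it must be reachable.
            $result.AdminShare = Test-Path "\\$computer\ADMIN`$"
        } catch {
            # Typical causes: computer offline, no trust in place yet, or the caller lacks rights.
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# Before the migration: grant membership and report share reachability per computer.
Set-AdmtLocalAdmin -ComputerName $Computers -Domain $TargetDomain -Account $MigrationAccount |
    Format-Table -AutoSize

# After the migration: revoke the membership again.
# Set-AdmtLocalAdmin -ComputerName $Computers -Domain $TargetDomain -Account $MigrationAccount -Remove
```

The membership check compares ADsPaths rather than bare names so that a local account that happens to share the name admt-svc is not mistaken for the domain account. Rows with AdminShare = False or a non-empty Error column identify computers on which the agent cannot be dispatched yet.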