Migrating user accounts and groups

Use Active Directory Migration Tool to migrate user accounts and groups from a source domain to a target domain. During the migration, users retain access to resources in both domains. Once all of the users, groups, computers, and resources have been migrated, the source domain can be decommissioned. Before performing the migration, you can test the process without actually migrating the accounts by clicking Test the migration settings and migrate later in the wizards.

User accounts

Because objects must exist in the target domain before their properties are referenced, Active Directory Migration Tool migrates all the account objects to the target domain before it migrates their properties. For example, Peter is the manager of Robert. Before Peter's account object can be referenced by the Manager property of Robert's user account, both Peter's and Robert's account objects must exist. So, when migrating user accounts, first Peter's and Robert's user accounts are migrated to the target domain, then the properties of each account are migrated.
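The two-pass ordering described above, as an added example (not code from the Active Directory Migration Tool documentation): pass 1 creates every account object in the target domain, pass 2 sets reference-valued properties such as Manager only once every referenced object exists. It assumes the ActiveDirectory PowerShell module, a target container `$TargetOU`, and a constructed `$Source` list standing in for an export of the source domain; all three are assumptions, not values from this page.

```powershell
# Added example: two-pass account copy mirroring ADMT's ordering.
# Assumptions: ActiveDirectory module available; $TargetOU is the destination
# container; $Source is a constructed stand-in for a source-domain export.
Import-Module ActiveDirectory

$TargetOU = 'OU=Migrated,DC=target,DC=example'   # assumed target container

# Constructed sample input: Robert's Manager refers to Peter by sAMAccountName.
$Source = @(
    [pscustomobject]@{ SamAccountName = 'peter';  Name = 'Peter';  Manager = $null   }
    [pscustomobject]@{ SamAccountName = 'robert'; Name = 'Robert'; Manager = 'peter' }
)

# Pass 1: create all account objects; remember source name -> target DN.
$Map = @{}
foreach ($u in $Source) {
    $new = New-ADUser -Name $u.Name -SamAccountName $u.SamAccountName `
                      -Path $TargetOU -Enabled $false -PassThru
    $Map[$u.SamAccountName] = $new.DistinguishedName
}

# Pass 2: every referenced object now exists, so references can be resolved.
foreach ($u in $Source) {
    if (-not $u.Manager) { continue }
    if (-not $Map.ContainsKey($u.Manager)) {
        # A reference to an account that was not migrated cannot be set.
        Write-Warning "Manager '$($u.Manager)' of $($u.SamAccountName) was not migrated; skipping"
        continue
    }
    Set-ADUser -Identity $Map[$u.SamAccountName] -Manager $Map[$u.Manager]
}
```

Doing the work in a single pass would fail on Robert whenever he happens to be created before Peter; the map built in pass 1 is what makes the second pass independent of the order in which accounts were exported.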

When migrating accounts, migrate the security IDs (SIDs) of the source accounts as well. This adds each account's source SID to the SID History attribute of the new account in the target domain, so the new account is still granted access wherever the old SID appears in an access control list. If you migrate accounts and do not update SID History for those accounts, the new accounts do not have the access that the original accounts had until you translate security on the resources and the Exchange directory.

Service accounts

Service accounts are user accounts that are used to run services with a set of credentials other than the Local System account. This is usually done because even though the Local System security context has absolute rights on the computer on which it operates, it has no rights on any other computers on the network. Many applications, for example Microsoft Exchange, use service accounts to run services with the same set of credentials on several networked computers.
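An added example (not code from the Active Directory Migration Tool documentation) of the inventory a practitioner wants before migrating service accounts: list the services on each computer that run under a domain account rather than the built-in Local System, Local Service or Network Service identities, and mark those from the domain being migrated, since each of them must be pointed at the migrated account. The computer list and the source domain name `SOURCE` are constructed assumptions; the example assumes CIM (WinRM) access to each computer.

```powershell
# Added example: find services running under domain service accounts.
# Assumptions: CIM/WinRM access to each computer; $SourceDomain is the
# NetBIOS name of the source domain; $Computers is a constructed list.
$SourceDomain = 'SOURCE'                       # assumed NetBIOS name
$Computers    = 'EXCH01', 'EXCH02', 'FILE01'   # constructed list

# StartName values used by the built-in identities (comparison is case-insensitive).
$builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

$inventory = foreach ($c in $Computers) {
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $c -ErrorAction Stop |
            Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer    = $c
                    Service     = $_.Name
                    StartName   = $_.StartName
                    # Only accounts from the domain being migrated need re-pointing;
                    # names in DOMAIN\user form are matched, UPN-form names are not.
                    NeedsUpdate = $_.StartName -like "$SourceDomain\*"
                }
            }
    } catch {
        Write-Warning "Could not query $c : $($_.Exception.Message)"
    }
}

# Group by account so the same credentials used on several computers show together.
$inventory | Where-Object NeedsUpdate | Sort-Object StartName, Computer |
    Format-Table StartName, Computer, Service -AutoSize
```

Run it from an account that can query each computer; a computer that cannot be reached is reported and skipped rather than silently omitted, so the warning lines are part of the result and should be resolved before the account is migrated.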

Groups

Global groups can only have users from their own domain as members. So, when you migrate user accounts from one domain to another, the new accounts created by Active Directory Migration Tool in the target domain cannot be members of the global groups in the source domain. When you migrate global groups, group affiliation will be restored; however, if you migrate users before migrating global groups, it may be possible for the users to log on to the target domain using the migrated accounts, but the migrated user accounts will not have any group affiliation. Therefore, to ensure a smooth migration, you should migrate global groups before migrating users.

Migrating global groups before migrating user accounts creates a corresponding global group in the target domain for each global group that exists in the source domain. The newly created global group in the target domain receives a new primary SID that contains the domain identifier of the target domain as part of the SID. The primary SID of the global group in the source domain is added to the SID History attribute of the newly created group.
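An added example (not code from the Active Directory Migration Tool documentation) that checks the two SID facts stated above, for user accounts as described under User accounts and for global groups as described here: each migrated object in the target domain should have a new primary SID carrying the target domain identifier, and its SID History should contain the corresponding source-domain SID. It also flags SID History entries that belong to some other domain, because every SID in that attribute is added to the user's access token and grants whatever that SID is granted. The ActiveDirectory module and the value of `$SourceDomainSid` are assumptions; obtain the real source domain SID from `(Get-ADDomain -Server <source DC>).DomainSID`.

```powershell
# Added example: audit sIDHistory on migrated users and groups.
# Assumptions: ActiveDirectory module; run against a target-domain DC;
# $SourceDomainSid is the source domain's SID (constructed value here).
Import-Module ActiveDirectory

$SourceDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'   # assumed value

# Users and groups whose sIDHistory is populated at all.
$objects = Get-ADObject -LDAPFilter '(&(|(objectClass=user)(objectClass=group))(sIDHistory=*))' `
                        -Properties sIDHistory, objectSid, sAMAccountName

$report = foreach ($o in $objects) {
    $history = @($o.sIDHistory | ForEach-Object { $_.Value })
    # AccountDomainSid strips the RID, leaving only the domain identifier.
    $fromSource = $history | Where-Object {
        ([System.Security.Principal.SecurityIdentifier]$_).AccountDomainSid.Value -eq $SourceDomainSid }
    $foreign    = $history | Where-Object {
        ([System.Security.Principal.SecurityIdentifier]$_).AccountDomainSid.Value -ne $SourceDomainSid }
    [pscustomobject]@{
        Name          = $o.sAMAccountName
        Class         = $o.ObjectClass
        # Primary SID: carries the target domain identifier.
        NewSid        = $o.objectSid.Value
        # Expected: exactly one SID from the source domain.
        SourceSid     = ($fromSource -join ';')
        # Anything from another domain deserves review before it is trusted.
        UnexpectedSid = ($foreign -join ';')
    }
}
$report | Format-Table -AutoSize
```

SID History is a bridge for the duration of the migration: once security has been translated on the resources and the source domain is being decommissioned, the source SIDs no longer correspond to anything and the attribute should be cleared rather than left in place.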

Local groups can contain members defined in other domains. Therefore, processing local groups can be a bit more complicated than processing global groups and user accounts. When adding a local group member in the target domain, Active Directory Migration Tool processes the group members in the following order:

  1. If the source member is also being migrated, Active Directory Migration Tool adds the copied account to the local group in the target domain.
  2. If the source member is known in the target domain, it is added by its security identifier. To be known by the target domain, the user account or group must be defined in a domain trusted by both the source and target domains.
  3. If the source member name exists in the target domain, this name is resolved to the target domain security identifier.
  4. If the source member name does not exist in the target domain, domains trusted by the target domain are searched for the name and the name is then resolved to its security identifier. If this search fails, Active Directory Migration Tool does not add the member.
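The four-step resolution order above, as an added example (not code from the Active Directory Migration Tool documentation). The function tries each case in order and reports which rule matched, or that the member is skipped. The migration map, the sample members and their SIDs are constructed; name and SID lookups use the .NET NTAccount/SecurityIdentifier translation, which from a computer joined to the target domain resolves names against that domain and the domains it trusts.

```powershell
using namespace System.Security.Principal
# Added example: resolve a source local-group member in ADMT's order.
# $MigratedMap (constructed) maps source SID -> target SID for migrated accounts.

function Resolve-MigratedMember {
    param(
        [Parameter(Mandatory)][string]$SourceSid,    # member SID as stored in the source group
        [Parameter(Mandatory)][string]$SourceName,   # DOMAIN\name of that member
        [Parameter(Mandatory)][hashtable]$MigratedMap,
        [string]$TargetDomain                        # NetBIOS name of the target domain
    )
    # 1. Member was migrated: use the copy created in the target domain.
    if ($MigratedMap.ContainsKey($SourceSid)) {
        return [pscustomobject]@{ Rule = 1; Sid = $MigratedMap[$SourceSid] }
    }
    # 2. Member is already known by SID (defined in a domain both sides trust).
    try {
        $null = ([SecurityIdentifier]$SourceSid).Translate([NTAccount])
        return [pscustomobject]@{ Rule = 2; Sid = $SourceSid }
    } catch [IdentityNotMappedException] { }
    # 3. The same name exists in the target domain: use that account's SID.
    $shortName = $SourceName.Split('\')[-1]
    try {
        $sid = ([NTAccount]"$TargetDomain\$shortName").Translate([SecurityIdentifier]).Value
        return [pscustomobject]@{ Rule = 3; Sid = $sid }
    } catch [IdentityNotMappedException] { }
    # 4. Search the domains trusted by the target (an unqualified name lets the
    #    lookup consult trusted domains); if that fails the member is not added.
    try {
        $sid = ([NTAccount]$shortName).Translate([SecurityIdentifier]).Value
        return [pscustomobject]@{ Rule = 4; Sid = $sid }
    } catch [IdentityNotMappedException] {
        return [pscustomobject]@{ Rule = 0; Sid = $null }
    }
}

# Constructed sample map and members.
$map = @{ 'S-1-5-21-1-2-3-1105' = 'S-1-5-21-4-5-6-1201' }
$members = @(
    @{ SourceSid = 'S-1-5-21-1-2-3-1105'; SourceName = 'SOURCE\robert' }   # migrated
    @{ SourceSid = 'S-1-5-21-1-2-3-1106'; SourceName = 'SOURCE\peter'  }   # not migrated
)
foreach ($m in $members) {
    $r = Resolve-MigratedMember @m -MigratedMap $map -TargetDomain 'TARGET'
    if ($r.Sid) { "$($m.SourceName): rule $($r.Rule) -> $($r.Sid)" }
    else        { "$($m.SourceName): not resolved, member skipped" }
}
```

Rules 3 and 4 match on name only, so an unrelated account in the target domain or a trusted domain that happens to share a name with a source member would be granted the local group's access; review the members that resolved under those rules rather than under rule 1 or 2.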

Shared local groups are sometimes used on domain controllers to organize access rights. If shared local groups are used, you should migrate all shared local groups to the target domain using the Group Migration Wizard and then upgrade the domain controllers to Windows 2000 and move them to the target domain.

Before migrating groups, you can use the Group Mapping and Merging Wizard to map a group in the source domain to a different group in the target domain. Mapping one group to another moves the membership of a group in the source domain into a new or different group in the target domain. You can also merge multiple groups, which combines the memberships of several groups in the source domain into one new or different group in the target domain.

Notes

Copying group memberships

Active Directory Migration Tool also copies local and global group memberships and user rights for migrated user accounts. If you migrate a local group and its members to another domain, Active Directory Migration Tool copies the local group to the target domain. Membership is maintained through SID History. When migrating users who are members of groups in the source domain that also exist in the target domain, the source domain groups are not actually migrated, but the users are made members of the target domain groups.

Group nesting rules limit which SIDs a group can contain as members. In a native-mode domain, global groups can contain user accounts and other global groups from their own domain; local groups can contain user accounts, global groups, and universal groups from any trusted domain, as well as other local groups from their own domain; universal groups can contain user accounts, global groups, and other universal groups from any domain in the forest. If Active Directory Migration Tool finds a SID from the source domain that it cannot resolve, such as a SID for a user account that does not have a matching user account in the target domain, Active Directory Migration Tool leaves the SID unchanged and continues searching.

For more information about security issues related to domain migration, see the Domain Migration and Restructuring Tools page at the Microsoft Web site (http://www.microsoft.com/). Other references available at the Microsoft Web site include Windows 2000 Server Help and the Resource Kit.