To perform an interforest account domain migration
- Create the Windows 2000 target domain.
More information
- For instructions on how to set up a Windows 2000 domain or forest, see Windows 2000 Server Help.
- The must be operating in .
- Establish trusts between the domains using the Trust Migration Wizard.
More information
- You may also need to use Active Directory Domains and Trusts to manually create trusts between the source and target domain. Migrate the trusts before you migrate user accounts, service accounts, or local groups.
- For details about creating trusts between domains, see Windows 2000 Server Help and the Windows NT product documentation.
- Migrate global groups using the Group Migration Wizard.
More information
- If you have mapped a group to a different group in the target domain, and then you migrate that group from the source domain to the target domain, the mapping information is replaced. The group is then mapped to the migrated group in the target domain.
- If you are migrating a distribution group (these only exist in Windows 2000) from the source domain to the target domain and the group exists in the target domain as a security group, the target group will remain a security group even if the Replace option is selected.
- If there is a large number of users in the domain, enumerating the users may take a significant amount of time and may impact your network bandwidth. To migrate many thousands of users, you might want to migrate global groups and choose to migrate their members with them.
- Identify and migrate user accounts using the User Migration Wizard.
More information
- You can migrate user accounts incrementally. Begin with a small number of users as a pilot project to verify whether the new domain environment and all resource access works correctly. Then, migrate the remaining users in one or more groups.
- When the tool migrates user accounts, users are prompted to change their passwords the first time they log on to the network. The tool will override the Password never expires option unless the account has been marked as a service account using the Service Account Migration Wizard.
- If the User cannot change password check box is selected for a user account, that migrated user account will be locked until the Administrator resets the password because the user will not be able to reset the password.
- Active Directory Migration Tool cannot determine if a particular user account is used by one or more services. If any user accounts in the source domain are used to allow services to log on, you must run the Service Account Migration Wizard and select any servers that are running service accounts. Then, Active Directory Migration Tool can build a list of the service accounts to be migrated before you run the User Migration Wizard. If the Password never expires property is set for a user account, the User Migration Wizard clears the Password never expires option unless you have used the Service Account Migration Wizard first.
- If the domain contains a large number of user accounts, the User Migration Wizard can take a significant amount of time to build the list of user accounts, and retrieving this information can have a significant impact on your network traffic.
- Active Directory Migration Tool only migrates user rights in additive mode. This means that the user rights of any existing users and groups in the target domain will not be removed during a migration operation.
- The user principal name suffix attribute of migrated user accounts is left empty by default, but an implicit user principal name suffix of the current domain exists by default for each domain. For example, if the target domain is microsoft.com, the implicit user principal name for users migrated to that domain is UserName@microsoft.com.
- Do one of the following:
More information
- If you plan to migrate resource domains as part of the same migration process, you should delay decommissioning the source account domain until the resource domain migration is complete. This will ensure that the source account domain controller will be available for service account migration, migration of , and local workstation profile migration that may depend on a domain controller from the source account domain.
- After all of the user accounts in an account domain have been migrated, you can migrate its domain controllers into the target domain just as you would in a resource domain migration.
Important
- When performing an , first migrate , and then migrate .
- Run the wizards in the order listed for best results.
Notes
- When running the User Migration Wizard, Group Migration Wizard, or Security Migration Wizard, you must be logged on to the target domain as an administrator or member of the Administrators group.
- The target domain must trust all domains that are trusted by the and must be trusted by all domains that trust the source domain. The Trust Migration Wizard allows you to compare and create the source and target domain trusts.
- When migrating a user, group, or computer account that exists in both the source and target domains, if the account in the target domain already has a value for a particular property and the account in the source domain does not have a value for that property, the value of the property in the target domain will be preserved. It will not be overwritten by the null value of the property in the source domain.
- You should migrate the security IDs (SIDs) to the target domain when migrating users and groups. This will update the of the accounts. If you migrate accounts and do not update SID History for those accounts, the new accounts do not have the access the original accounts had until you translate security and the Exchange directory.
- During the migration process, this tool truncates user account names that are more than 20 characters long.
- Password complexity functions may limit the passwords the tool can assign to a user account. The tool can generate complex passwords that meet the minimum password length requirement and contain at least 3 lowercase letters, 3 uppercase letters, 3 numerical digits, and 3 symbols. If the generated password does not comply with the password complexity rules in the target domain, the tool disables the migrated user account.
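
The following pre-migration audit is an added example, not part of the tool or its documentation. It runs over a constructed export of source-domain accounts and flags the side effects described above: names that will be truncated, names that collide after truncation, accounts that will be locked until an administrator resets the password, and accounts that will lose Password never expires. The field names are hypothetical, and it assumes truncation keeps the first 20 characters.

```python
MAX_NAME_LEN = 20  # limit stated in the notes above

# Constructed sample export; the field names are hypothetical.
# "service" = account was identified by the Service Account Migration Wizard.
SAMPLE_ACCOUNTS = [
    {"name": "jsmith", "cannot_change_pw": False, "pw_never_expires": False, "service": False},
    {"name": "svc-backup", "cannot_change_pw": False, "pw_never_expires": True, "service": True},
    {"name": "kiosk-lobby", "cannot_change_pw": True, "pw_never_expires": True, "service": False},
    {"name": "administrator-finance-emea", "cannot_change_pw": False, "pw_never_expires": False, "service": False},
    {"name": "administrator-finance-apac", "cannot_change_pw": False, "pw_never_expires": False, "service": False},
]


def truncated(name):
    """Assumption: truncation keeps the first 20 characters of the name."""
    return name[:MAX_NAME_LEN]


def audit(accounts):
    """Group accounts by the side effect the migration will have on them."""
    report = {"truncated": [], "collisions": [],
              "locked_until_reset": [], "never_expires_cleared": []}
    by_target_name = {}
    for acct in accounts:
        name = acct["name"]
        # Account names compare case-insensitively, so fold case before grouping.
        by_target_name.setdefault(truncated(name).lower(), []).append(name)
        if len(name) > MAX_NAME_LEN:
            report["truncated"].append((name, truncated(name)))
        # Forced password change at first logon plus "User cannot change
        # password" leaves the account unusable until an administrator resets it.
        if acct["cannot_change_pw"]:
            report["locked_until_reset"].append(name)
        # "Password never expires" is kept only for flagged service accounts.
        if acct["pw_never_expires"] and not acct["service"]:
            report["never_expires_cleared"].append(name)
    report["collisions"] = sorted(
        tuple(sorted(names)) for names in by_target_name.values() if len(names) > 1)
    return report


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_ACCOUNTS).items():
        print(f"{finding}: {items}")
```

Resolve every entry under collisions by renaming in the source domain before running the User Migration Wizard, and review never_expires_cleared for service accounts that were missed.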