To perform an intraforest resource domain migration
- Identify service accounts not running under local system authority using the Service Account Migration Wizard.
More information
- Active Directory Migration Tool cannot determine if a particular user account is used by one or more services. If any user accounts in the source domain are used to allow services to log on, you must run the Service Account Migration Wizard and select any servers that are running service accounts. Then, the Active Directory Migration Tool can build a list of the service accounts to be migrated before you run the User Migration Wizard. If the Password never expires property is set for a user account, the User Migration Wizard clears the Password never expires property unless you have used the Service Account Migration Wizard first.
- Many applications, including Exchange Server 5.5, use service account mappings that Active Directory Migration Tool cannot change. These service accounts usually require configuration through registry settings or from within the application itself. You must manually update these accounts after the is complete.
- When asked for user account credentials, use credentials with Administrator rights on the specific computer that is using the service accounts.
- Migrate workstations and member servers using the Computer Migration Wizard.
More information
- The Computer Migration Wizard dispatches an to each computer being migrated. The agent restarts each computer after the computer joins the target domain. Verify that the default startup menu option on the migrated computers is the migrated Windows 2000 installation.
- On the Translate Objects wizard page, ensure that no options are selected. Security translation during computer migration works only for accounts from the migrated computer's domain. If the access control lists (ACLs) contain security IDs (SIDs) from another domain, they will need to be translated later with the Security Translation Wizard.
- Migrate service accounts using the User Migration Wizard.
More information
- Service accounts are user accounts used to run services on servers with a set of credentials other than local system authority. These accounts may exist both in a master and in the same as the server. If the service account is in an account domain, this procedure would be completed by selecting the account domain as the source domain.
- Active Directory Migration Tool cannot determine if a particular user account is used by one or more services. If any user accounts in the source domain are used to allow services to log on, you must run the Service Account Migration Wizard and select any servers that are running service accounts. Then, the Active Directory Migration Tool can build a list of the service accounts to be migrated before you run the User Migration Wizard. If the Password never expires property is set for a user account, the User Migration Wizard clears the Password never expires property unless you have used the Service Account Migration Wizard first.
- Migrate domain local groups using the Group Migration Wizard.
More information
- On the Group Options wizard page, ensure that Do not rename accounts is the only option selected.
- Do one of the following:
More information
- Use the Active Directory Installation Wizard to demote the domain controllers in the resource domain. For more information about the Active Directory Installation Wizard, see Windows 2000 Server Help.
- When demoting the last domain controller in the source domain, select the This server is the last domain controller in the domain check box on the Remove Active Directory wizard page of the Active Directory Installation Wizard.
- Once a domain controller has been demoted, it can join the target domain or be promoted to domain controller in the target domain.
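The computer migration step above notes that security translation only covers accounts from the migrated computer's own domain, and that ACLs holding SIDs from another domain must be handled later with the Security Translation Wizard. The following PowerShell is an added example, not part of Active Directory Migration Tool: it lists the ACL entries that fall into that second group. The function name, paths and SIDs are constructed for illustration, and it assumes a current Windows PowerShell host rather than Windows 2000 tooling.

```powershell
# Added illustration; Get-ForeignDomainAce, the paths and all SIDs are constructed.
function Get-ForeignDomainAce {
    param(
        [Parameter(Mandatory)] [hashtable] $SddlByPath,        # path -> SDDL string
        [Parameter(Mandatory)] [string]    $ComputerDomainSid  # SID of the migrated computer's domain
    )
    foreach ($path in $SddlByPath.Keys) {
        $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($SddlByPath[$path])
        foreach ($ace in $sd.DiscretionaryAcl) {
            # AccountDomainSid is $null for well-known SIDs such as BUILTIN\Administrators.
            # Machine-local accounts carry the computer's own SID prefix and are also reported.
            $domainSid = $ace.SecurityIdentifier.AccountDomainSid
            if ($null -ne $domainSid -and $domainSid.Value -ne $ComputerDomainSid) {
                [pscustomobject]@{
                    Path      = $path
                    Sid       = $ace.SecurityIdentifier.Value
                    DomainSid = $domainSid.Value
                    AceType   = $ace.AceType
                }
            }
        }
    }
}

# Constructed sample. On a live system, build the table with (Get-Acl -Path $p).Sddl.
$resourceDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @{
    'D:\Shares\Finance' = 'O:BAG:SYD:(A;;FA;;;BA)' +
        '(A;;0x1200a9;;;S-1-5-21-1111111111-2222222222-3333333333-1105)' +
        '(A;;FA;;;S-1-5-21-3000000001-3000000002-3000000003-2107)'
    'D:\Shares\Public'  = 'O:BAG:SYD:(A;;FA;;;BA)' +
        '(A;;0x1200a9;;;S-1-5-21-1111111111-2222222222-3333333333-513)'
}

# Only the Finance entry ending in -2107 is reported: its domain SID differs from
# the resource domain, so computer migration would leave it untranslated.
Get-ForeignDomainAce -SddlByPath $sample -ComputerDomainSid $resourceDomainSid |
    Format-Table -AutoSize
```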
Important
- When performing an , first migrate , and then migrate .
- Run the wizards in the order listed for best results.
Notes
- When running the Service Account Wizard or Computer Migration Wizard, you must be logged on to the source domain as an administrator or member of the Administrators group.
- When running the User Migration Wizard, Group Migration Wizard, or Security Migration Wizard, you must be logged on to the target domain as an administrator or member of the Administrators group.
- When migrating a user, group, or computer account that exists in both the source and , if the account in the target domain already has a value for a particular property and the account in the source domain does not have a value for that property, the value of the property in the target domain will be preserved. It will not be overwritten by the null-value of the property in the source domain.
- When migrating user accounts between Windows 2000 domains, if the user has previously logged on to a particular computer, it is not necessary to migrate the user profile that is associated with the user account on that computer. Because each user account has a GUID that is unique within the forest, when the migrated account logs on to the computer in the new domain, Windows 2000 notices that there is no profile associated with this user account. Using the GUID, it locates the original profile and automatically associates the original profile with the migrated user account.
- When migrating users and groups between domains in the same forest, Active Directory Migration Tool must communicate with the Relative ID (RID) pool master in the target domain. To improve performance when migrating a large number of users or groups, you should install Active Directory Migration Tool on the RID pool master in the target domain. By default, this is the first domain controller installed in the domain. Use Active Directory Users and Computers or Ntdsutil.exe to locate the domain controller that holds the RID pool master role.
- During the migration process, this tool truncates service account names that are more than 20 characters long.
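Before running the Service Account Migration Wizard it helps to know which servers run services under non-built-in accounts and which of those account names exceed the 20-character limit mentioned in the last note. This PowerShell inventory is an added example, not part of Active Directory Migration Tool; the function name, server names and accounts are constructed, and the built-in account list reflects current Windows versions, which is broader than the local system account the procedure mentions.

```powershell
# Added illustration; Get-ServiceAccountInventory and the sample data are constructed.
function Get-ServiceAccountInventory {
    param(
        [Parameter(Mandatory)] [object[]] $Service,
        # Built-in or machine-local identities that are not domain service accounts.
        [string] $ExcludePattern = '^(LocalSystem|NT AUTHORITY\\.+|NT SERVICE\\.+|\.\\.+)$'
    )
    $Service |
        Where-Object { $_.StartName -and $_.StartName -notmatch $ExcludePattern } |
        Group-Object -Property StartName |
        ForEach-Object {
            # Reduce DOMAIN\user or user@domain to the bare logon name.
            $logonName = ($_.Name -split '\\')[-1] -replace '@.*$', ''
            [pscustomobject]@{
                Account        = $_.Name
                Servers        = ($_.Group.PSComputerName | Sort-Object -Unique) -join ', '
                Services       = ($_.Group.Name | Sort-Object -Unique) -join ', '
                NameLength     = $logonName.Length
                Over20Chars    = $logonName.Length -gt 20   # tool truncates these names
            }
        }
}

# Constructed sample in the shape returned by Win32_Service. For live data:
#   $live = Get-CimInstance -ClassName Win32_Service -ComputerName SRV01, SRV02 |
#           Select-Object PSComputerName, Name, StartName
$sample = @(
    [pscustomobject]@{ PSComputerName = 'SRV01'; Name = 'Spooler';      StartName = 'LocalSystem' }
    [pscustomobject]@{ PSComputerName = 'SRV01'; Name = 'MSSQLSERVER';  StartName = 'RESDOM\svc-sql' }
    [pscustomobject]@{ PSComputerName = 'SRV02'; Name = 'SQLAgent';     StartName = 'RESDOM\svc-sql' }
    [pscustomobject]@{ PSComputerName = 'SRV02'; Name = 'ReportServer'; StartName = 'RESDOM\svc-reporting-services-east' }
    [pscustomobject]@{ PSComputerName = 'SRV02'; Name = 'W32Time';      StartName = 'NT AUTHORITY\LocalService' }
    [pscustomobject]@{ PSComputerName = 'SRV02'; Name = 'BackupAgent';  StartName = '.\backup' }
)

# Two rows result: RESDOM\svc-sql (SRV01, SRV02) and the 27-character
# svc-reporting-services-east, flagged because the tool would truncate it.
Get-ServiceAccountInventory -Service $sample | Format-Table -AutoSize
```

The servers listed per account are the ones to select in the Service Account Migration Wizard, and each flagged account's services should be checked after migration for references to the original, untruncated name.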