This topic lists the domain and security configurations necessary before you can use Active Directory Migration Tool to migrate users, groups, and computers between a Windows NT domain and a Windows 2000 domain or between two Windows 2000 domains in different forests.
Source and target domain
Verify that your source and target domains are configured as described in the following list:
- The target domain is running Windows 2000 and is operating in native mode. This is required because the SID History attribute is only available in domains operating in native mode.
- The source domain is running either Windows NT 4.0 or Windows 2000. If running Windows NT 4.0, the primary domain controller must have Service Pack 4 or later installed.
- If the source domain is a Windows 2000 domain, it may operate in either mixed or native mode.
- The source domain must be in a different forest than the target domain or it must be a Windows NT 4.0 domain.
- A new local group, SourceDomainName$$$, must be created on the source domain. For example, if your source domain is DomainA, you create the local group DomainA$$$. There must be no members in this group. If this group is not present, Active Directory Migration Tool creates this group when needed. If a global group or other kind of group already exists with this name, the tool cannot create the new local group.
- Any mapped network drives and similar connections between the source domain controller and the target domain controller on which Active Directory Migration Tool is running must be disconnected before running the tool. If they are not disconnected, the migration operation might fail with a "credentials conflict" error.
- The primary domain controller (PDC), or PDC emulator, in the source domain must have the registry value TcpipClientSupport:REG_DWORD:0X1 set under the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa. If this value is not present, Active Directory Migration Tool creates it when needed. For details, see To create the TcpipClientSupport registry entry.
Security Requirements
You must meet the following security configuration requirements before running Active Directory Migration Tool.
The user account you log on with when you run Active Directory Migration Tool must have the following permissions:
- Member of the Administrators group in the source domain
- Administrator rights on each computer you migrate
- Administrator rights on each computer on which you translate security
- Domain Admin rights in the target domain if accounts are migrated with SID Histories.
Gaining administrative access to the objects you intend to migrate can be accomplished in one of two ways:
- Create a temporary two-way trust between the target domain and the source domain. By creating a two-way trust, you can run the tool while logged on as the administrator of the source domain, an account that already has administrative rights to the objects you migrate from the source domain.
- Add an account to the local administrators group of every workstation and member server you intend to migrate; use that account to log on while you run the tool. You can automate this process by scripting and by using Active Directory Service Interfaces (ADSI).
- Auditing for account management (success and failure events) must be enabled in the source and target domains. In Windows NT, account management is referred to as user and group management. For details, see To enable auditing in a Windows NT domain and To enable auditing in a Windows 2000 domain.
- Administrative shares must exist on the computer where Active Directory Migration Tool is running and any computer to which an agent must be dispatched.
- The source domain must trust the target domain to provide the security context necessary for Active Directory Migration Tool.
- Trusts from existing resource domains to the target domain support resource access for migrated users.
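The following pre-flight script is an added example, not part of this documentation or of Active Directory Migration Tool; it checks the source-domain items above (the empty SourceDomainName$$$ local group, the TcpipClientSupport value on the source PDC, lingering mapped connections to that PDC) and the administrative shares on the machine running the tool. The domain name DomainA and PDC name PDC-A are constructed placeholders, and the script assumes it is run with source-domain administrative rights.

```powershell
# Added pre-flight check for ADMT source-domain prerequisites (example code, not ADMT's own).
# Assumptions: $SourceDomain is the NetBIOS name of the source domain, $SourcePdc is the
# source PDC / PDC emulator; both defaults below are constructed placeholders.
param(
    [string]$SourceDomain = 'DomainA',
    [string]$SourcePdc    = 'PDC-A'
)
$problems = @()

# 1. SourceDomainName$$$ must exist as a LOCAL group (not global) on the source domain and be empty.
$groupName = $SourceDomain + '$$$'
$groupPath = "WinNT://$SourceDomain/$groupName,group"
if ([ADSI]::Exists($groupPath)) {
    $grp = [ADSI]$groupPath
    # WinNT provider groupType: 2 = global group, 4 = local group
    if ($grp.groupType.Value -ne 4) {
        $problems += "$groupName exists but is not a local group (groupType $($grp.groupType.Value)); ADMT cannot create it"
    }
    $members = @($grp.Invoke('Members'))
    if ($members.Count -gt 0) { $problems += "$groupName has $($members.Count) member(s); it must be empty" }
} else {
    Write-Host "$groupName not found in $SourceDomain; ADMT will create it when needed."
}

# 2. TcpipClientSupport must be REG_DWORD 1 under HKLM\System\CurrentControlSet\Control\Lsa on the source PDC.
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $SourcePdc)
    $lsa  = $hklm.OpenSubKey('System\CurrentControlSet\Control\Lsa')
    $val  = $lsa.GetValue('TcpipClientSupport')
    if ($val -ne 1) { $problems += "TcpipClientSupport on $SourcePdc is '$val' (expected 1); ADMT will set it when needed" }
} catch {
    $problems += "Could not read the Lsa key on $SourcePdc via Remote Registry: $($_.Exception.Message)"
}

# 3. Administrative shares must exist on the computer running ADMT so agents can be dispatched.
foreach ($share in 'ADMIN$', 'C$') {
    if (-not (Get-CimInstance Win32_Share -Filter "Name='$share'")) {
        $problems += "Administrative share $share is missing on $env:COMPUTERNAME"
    }
}

# 4. Mapped drives / connections to the source PDC must be disconnected to avoid a credentials conflict.
$mapped = Get-CimInstance Win32_NetworkConnection | Where-Object { $_.RemoteName -like "\\$SourcePdc\*" }
if ($mapped) { $problems += "Connections to $SourcePdc still mapped: $(($mapped.RemoteName) -join ', ')" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'ADMT pre-flight checks passed.'
```

Run it from the target domain controller where Active Directory Migration Tool will be started; a non-zero exit code means at least one prerequisite above is not met.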