To perform an interforest account domain migration
- Create the Active Directory target domain.
More information
- For instructions on how to set up an Active Directory domain or forest, see your Windows server operating system's Help.
- The target domain must be operating in .
- Establish needed trusts between the domains.
More information
- Although the Trust Migration Wizard can be used to create trusts between the resource domains and the target domain, you need to use Active Directory Domains and Trusts to manually create trusts between the source and target domain. Migrate the trusts before you migrate user accounts, service accounts, or local groups.
- For details about creating trusts between domains, see the Help and Support Center for the Windows server operating system you are using.
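The Notes below require that the target domain trust every domain the source domain trusts and be trusted by every domain that trusts the source. The following PowerShell function, added here as an illustration and not part of the ADMT documentation, compares the two trust lists and reports what is missing on the target side. The domain names and trust objects are constructed sample data; in a real run you would feed it `Get-ADTrust` output, as the usage note explains.

```powershell
# Added example (not from the ADMT documentation): report trusts that exist on
# the source domain but are absent on the target domain. Direction is taken
# from the perspective of the domain that reported the trust, matching what
# Get-ADTrust returns ("Inbound", "Outbound" or "Bidirectional").
function Compare-MigrationTrusts {
    param(
        [Parameter(Mandatory)] [string]   $SourceDomain,
        [Parameter(Mandatory)] [string]   $TargetDomain,
        [Parameter(Mandatory)] [object[]] $SourceTrusts,   # trusts as seen from the source domain
        [Parameter(Mandatory)] [object[]] $TargetTrusts    # trusts as seen from the target domain
    )

    # The trust between source and target themselves is expected; it is not "missing".
    $relevantSource = $SourceTrusts | Where-Object { $_.Name -ne $TargetDomain }
    $relevantTarget = $TargetTrusts | Where-Object { $_.Name -ne $SourceDomain }

    foreach ($trust in $relevantSource) {
        # A bidirectional trust on the source must be covered in both directions on the target.
        $needed = if ($trust.Direction -eq 'Bidirectional') { @('Outbound', 'Inbound') } else { @([string]$trust.Direction) }
        foreach ($direction in $needed) {
            $present = $relevantTarget | Where-Object {
                $_.Name -eq $trust.Name -and ($_.Direction -eq $direction -or $_.Direction -eq 'Bidirectional')
            }
            if (-not $present) {
                [pscustomobject]@{
                    Domain    = $trust.Name
                    Direction = $direction
                    Status    = "missing in $TargetDomain"
                }
            }
        }
    }
}

# Constructed sample data (hypothetical domain names, not from the documentation).
$sourceTrusts = @(
    [pscustomobject]@{ Name = 'res1.contoso.test';     Direction = 'Bidirectional' }
    [pscustomobject]@{ Name = 'partner.fabrikam.test'; Direction = 'Outbound' }
    [pscustomobject]@{ Name = 'target.example.test';   Direction = 'Bidirectional' }
)
$targetTrusts = @(
    [pscustomobject]@{ Name = 'res1.contoso.test';   Direction = 'Outbound' }
    [pscustomobject]@{ Name = 'source.contoso.test'; Direction = 'Bidirectional' }
)

# Expected findings: res1.contoso.test is missing Inbound, partner.fabrikam.test is missing Outbound.
Compare-MigrationTrusts -SourceDomain 'source.contoso.test' -TargetDomain 'target.example.test' `
    -SourceTrusts $sourceTrusts -TargetTrusts $targetTrusts | Format-Table -AutoSize
```

Against live domains, obtain the two lists with `Get-ADTrust -Filter * -Server <source DC>` and `Get-ADTrust -Filter * -Server <target DC>` from the ActiveDirectory module; the objects it returns carry the `Name` and `Direction` properties the function reads. Any row the function prints is a trust you still have to create with Active Directory Domains and Trusts (or the Trust Migration Wizard for resource domains) before migrating accounts.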
- Migrate global groups by using the Group Migration Wizard.
More information
- If you have mapped a group to a different group in the target domain, and then you migrate that group from the source domain to the target domain, the mapping information is replaced. The group is then mapped to the migrated group in the target domain.
- If you are migrating a distribution group (these only exist in Active Directory domains) from the source domain to the target domain and the group exists in the target domain as a security group, then the target group remains a security group even if the Replace option is selected.
- If there is a large number of users in the domain, enumerating them can take a significant amount of time and consume network bandwidth. To migrate many thousands of users, migrate global groups instead and choose to migrate their members with them. You can also migrate organizational units or whole domains to avoid enumerating individual users.
- Identify and migrate user accounts by using the User Migration Wizard.
More information
- You can migrate user accounts incrementally. Begin with a small number of users as a pilot project to verify whether the new domain environment and all resource access works correctly. Then, migrate the remaining users in one or more groups.
- If password complexity is enforced in the target domain and ADMT migrates passwords, the complexity rules cannot be enforced on the migrated passwords. Therefore, ADMT always configures the migrated user account so that the user must change the password at first logon.
- When the tool migrates user accounts, users are prompted to change their passwords the first time they log on to the network. The tool overrides the Password never expires option, unless the account has been marked as a service account by using the Service Account Migration Wizard.
- If the User cannot change password check box is selected for a user account, the migrated account is locked until an administrator resets the password, because the user cannot change it.
- Active Directory Migration Tool cannot determine if a particular user account is used by one or more services. If any user accounts in the source domain are used to allow services to log on, then you must run the Service Account Migration Wizard and select any servers that are running service accounts. Then, Active Directory Migration Tool can build a list of the service accounts to be migrated before you run the User Migration Wizard. If the Password never expires property is set for a user account, the User Migration Wizard clears the Password never expires check box, unless you use the Service Account Migration Wizard first.
- If there is a large number of user accounts in the domain, building the list of accounts in the User Migration Wizard can take a significant amount of time and generate significant network traffic.
- Active Directory Migration Tool only migrates user rights in additive mode. This means that the user rights of any existing users and groups in the target domain will not be removed during a migration operation.
- The user principal name suffix attribute of migrated user accounts is left empty by default, but an implicit user principal name suffix of the current domain exists by default for each domain. For example, if the target domain is microsoft.com, then the implicit user principal name for users migrated to that domain is UserName@microsoft.com.
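Several of the points above describe account properties that change what the User Migration Wizard does: names longer than 20 characters are truncated (see the Notes below), Password never expires is cleared unless the account was handled by the Service Account Migration Wizard, User cannot change password leaves the migrated account locked, and an empty user principal name receives the target domain's implicit suffix. The following PowerShell function, added here as an illustration and not part of the ADMT documentation, flags those properties on source accounts before you run the wizard. The sample users are constructed; the property names match what `Get-ADUser` returns.

```powershell
# Added example (not from the ADMT documentation): pre-migration review of
# source user accounts for the conditions the User Migration Wizard reacts to.
function Test-AdmtUserReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $User,
        [int] $MaxNameLength = 20   # ADMT truncates account names longer than this
    )
    process {
        $findings = New-Object System.Collections.Generic.List[string]

        if ($User.SamAccountName.Length -gt $MaxNameLength) {
            $findings.Add("name longer than $MaxNameLength characters; ADMT will truncate it")
        }
        if ($User.PasswordNeverExpires) {
            $findings.Add("'Password never expires' is set; if this is a service account, run the Service Account Migration Wizard first or the flag is cleared")
        }
        if ($User.CannotChangePassword) {
            $findings.Add("'User cannot change password' is set; the migrated account stays locked until an administrator resets the password")
        }
        if ([string]::IsNullOrEmpty($User.UserPrincipalName)) {
            $findings.Add("no explicit UPN; the target domain's implicit suffix will apply")
        }

        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            NeedsReview    = ($findings.Count -gt 0)
            Findings       = ($findings -join '; ')
        }
    }
}

# Constructed sample accounts (hypothetical names and domain).
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'jdoe'; PasswordNeverExpires = $false; CannotChangePassword = $false; UserPrincipalName = 'jdoe@source.contoso.test' }
    [pscustomobject]@{ SamAccountName = 'svc-backup-agent-prod-01'; PasswordNeverExpires = $true; CannotChangePassword = $true; UserPrincipalName = $null }
)

# Expected: jdoe needs no review; the 24-character service account is flagged on all four points.
$sampleUsers | Test-AdmtUserReadiness | Format-Table -AutoSize -Wrap
```

Against the source domain, pipe real accounts in with `Get-ADUser -Filter * -SearchBase '<OU distinguished name>' -Server <source DC> -Properties PasswordNeverExpires, CannotChangePassword, UserPrincipalName | Test-AdmtUserReadiness | Where-Object NeedsReview`; the two flag properties are extended attributes and must be requested explicitly. Accounts flagged for Password never expires are the candidates to hand to the Service Account Migration Wizard before the user migration.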
- Do one of the following:
More information
- If you plan to migrate resource domains as part of the same migration process, then you should delay decommissioning the source account domain until the resource domain migration is complete. This ensures that the source account domain controller is available for service account migration, migration of shared local groups, and local workstation profile migration that might depend on a domain controller from the source account domain.
- After all of the user accounts in an account domain have been migrated, you can migrate its domain controllers into the target domain just as you would in a resource domain migration.
Important
- When performing an interforest migration, first migrate , and then migrate resource domains.
- For best results, run the wizards in the order listed.
Notes
- If SID History is migrated, then the user running ADMT needs to be a member of the Domain Admins group in the target domain.
- The target domain must trust all domains that are trusted by the source domain, and must be trusted by all domains that trust the source domain. You can use the Trust Migration Wizard to compare and create the source and target domain trusts.
- When migrating a user, group, or computer account that exists in both the source and target domains, if the account in the target domain already has a value for a particular property and the account in the source domain does not have a value for that property, then the value of the property in the target domain is preserved. It is not overwritten by the null value of the property in the source domain.
- You should migrate the security identifiers (SIDs) to the target domain when migrating users and groups. This updates the SID History of the accounts. If you migrate accounts and do not update SID History for those accounts, the new accounts do not have the access the original accounts had until you translate security and the Exchange directory.
- During the migration process, this tool truncates user account names that are more than 20 characters long.
- Password complexity functions might limit the passwords that the tool can assign to a user account. The tool can generate complex passwords that meet the minimum password length requirement and contain at least three lowercase letters, three uppercase letters, three numerical digits, and three symbols. If the generated password does not comply with the password complexity rules in the target domain, then the tool disables the migrated user account.
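The last note describes a generated password that meets the minimum length and contains at least three characters from each of four classes, and states that the account is disabled when the result still fails the target domain's complexity rules. The following PowerShell example, added here as an illustration and not ADMT's own code, generates a password under that rule with a cryptographic random source and then checks it against a simplified model of the Windows complexity policy (minimum length, at least three of the four ASCII character classes, and the account name must not appear in the password; the real policy has further conditions). The account names, lengths and alphabet are assumptions.

```powershell
# Added example (not from the ADMT documentation): generate a password with at
# least $PerClass characters from each class, then check it against a target
# policy the way the documentation says the tool does before assigning it.
$script:Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-SecureRandomIndex {
    # Uniform index in 0..($Max-1) from the CSPRNG; rejection sampling avoids modulo bias.
    param([Parameter(Mandatory)] [int] $Max)
    $buffer = New-Object byte[] 4
    $limit  = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    do {
        $script:Rng.GetBytes($buffer)
        $value = [BitConverter]::ToUInt32($buffer, 0)
    } while ($value -ge $limit)
    return [int]($value % $Max)
}

function New-MigrationPassword {
    param([int] $MinimumLength = 14, [int] $PerClass = 3)
    $lower = 'abcdefghijklmnopqrstuvwxyz'; $upper = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    $digits = '0123456789';                $symbols = '!#$%&*+-=?@^_'   # assumed symbol set
    $classes = @($lower, $upper, $digits, $symbols)
    $all     = $lower + $upper + $digits + $symbols
    $length  = [Math]::Max($MinimumLength, $PerClass * $classes.Count)

    $chars = New-Object System.Collections.Generic.List[char]
    foreach ($class in $classes) {                 # guarantee the per-class minimum first
        for ($i = 0; $i -lt $PerClass; $i++) { $chars.Add($class[(Get-SecureRandomIndex -Max $class.Length)]) }
    }
    while ($chars.Count -lt $length) {             # fill the rest from all classes
        $chars.Add($all[(Get-SecureRandomIndex -Max $all.Length)])
    }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {  # Fisher-Yates shuffle so class order is not predictable
        $j = Get-SecureRandomIndex -Max ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

function Test-PasswordMeetsPolicy {
    # Simplified model of the Windows complexity policy (not the complete rule set).
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $MinimumLength = 14,
        [int] $RequiredClasses = 3
    )
    $chars = $Password.ToCharArray()
    $present = @(
        @($chars | Where-Object { [char]::IsLower($_) }).Count -gt 0
        @($chars | Where-Object { [char]::IsUpper($_) }).Count -gt 0
        @($chars | Where-Object { [char]::IsDigit($_) }).Count -gt 0
        @($chars | Where-Object { -not [char]::IsLetterOrDigit($_) }).Count -gt 0
    )
    $reasons = @()
    if ($Password.Length -lt $MinimumLength) { $reasons += "shorter than $MinimumLength characters" }
    if (@($present | Where-Object { $_ }).Count -lt $RequiredClasses) { $reasons += "fewer than $RequiredClasses character classes" }
    if ($Password.ToLowerInvariant().Contains($SamAccountName.ToLowerInvariant())) { $reasons += 'contains the account name' }
    [pscustomobject]@{ Compliant = ($reasons.Count -eq 0); Reasons = ($reasons -join '; ') }
}

function Get-MigrationPasswordReport {
    # Mirrors the documented outcome: a non-compliant generated password means the account is disabled.
    param([Parameter(Mandatory)] [string] $SamAccountName, [int] $GeneratedLength = 14, [int] $PolicyMinimumLength = 14)
    $password = New-MigrationPassword -MinimumLength $GeneratedLength
    $check    = Test-PasswordMeetsPolicy -Password $password -SamAccountName $SamAccountName -MinimumLength $PolicyMinimumLength
    [pscustomobject]@{
        SamAccountName = $SamAccountName
        Compliant      = $check.Compliant
        Outcome        = if ($check.Compliant) { 'password can be assigned' } else { "account would be disabled: $($check.Reasons)" }
    }
}

# Constructed calls: the first satisfies the policy; the second shows the disable path when the
# target policy demands a longer password than the generator was asked for.
Get-MigrationPasswordReport -SamAccountName 'jdoe'
Get-MigrationPasswordReport -SamAccountName 'jdoe' -GeneratedLength 14 -PolicyMinimumLength 20
```

The practical use of the check is to compare the target domain's minimum password length (from its Default Domain Policy or fine-grained password policy) with the length the generator is configured for before the migration run, so that migrated accounts are not silently disabled and left for an administrator to discover afterwards.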