Microsoft Active Directory Migration Tool
Release Notes
This document provides late-breaking or other information that supplements the Microsoft® Active Directory™ Migration Tool online Help documentation.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, people, and events depicted herein are fictitious and no association with any real company, organization, product, person, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries/regions.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents

How to View This Document
Installation
    ADMT Installation
    Password Export Server Installation
New Features in ADMT Version 2.0
Known Issues
    ADMT
    User Migration
    Group Migration
    Service Account Migration
    Trust Migration
    Computer Migration
    User Profile Migration
    Password Migration
    Report Creation
    Retry Wizard
    Online Help
    Active Directory Migration Tool Remote Agent Software
    Active Directory Migration Tool Migration Database
    Intraforest Migration
    Command line Tool
    Scripting Component
How to View This Document

To review the latest release notes, the Domain Migration Cookbook, and other updated information for Active Directory Migration Tool, see the Domain Migration Web site at:
http://www.microsoft.com/windows2000/downloads/tools/admt/default.asp
ADMT Installation

This section describes known issues related to the installation of this version of Active Directory Migration Tool.
ADMT Version 1.0 will Install Over Version 2.0

ADMT Version 1.0 will install itself over Version 2.0 without warning the user.
ADMT Version 2.0 Installation will preserve the ADMT Version 1.0 Database

When upgrading, ADMT v.2 upgrades the internal database to a new version of the Microsoft Access database. The installation copies the old database to a file named protar3x.mdb. Should the upgrade fail, ADMT v.1 can be reinstalled. To use the preserved v.1 database again, rename protar3x.mdb to protar.mdb.
Installing Active Directory Migration Tool in a Terminal Server Session

The Active Directory Migration Tool installation program may not install successfully in a terminal server session; internal error 2755 occurs. If you experience this behavior, cancel the installation, copy the ADMT installation files to the terminal server, and restart the installation.
Installation of ADMT on 64-Bit Computers not supported

This version of ADMT is not supported on 64-bit computers. This issue will be addressed in a later version of ADMT.
Rights needed to run ADMT

Local administrator rights are required on the local server to run ADMT. If ADMT runs on a domain controller, Domain Admins or Administrators rights are required. If ADMT runs on a member server, local administrator rights are required.
Password Export Server Installation

This section describes the requirements for installing and using a Password Export Server (PES) to perform password migration with ADMT. You can find more detailed information in the Domain Migration Cookbook referenced under How to View This Document.
1. We recommend that the source domain's Password Export Server be a BDC dedicated for this purpose.
2. 128-bit encryption must be installed on any PES.
3. 128-bit encryption must be installed on the machine running ADMT.
4. The Password Export Server installation will not complete without an encryption key created on the ADMT machine. The key must be available on a local drive. This can be a floppy drive or a folder on the local hard drive; network mapped drives or shares are not allowed. It is recommended that you transport the key via a floppy and either store the floppy in a secure location or format it after the installation. If the key was copied to a folder on the local hard drive instead, delete it once the installation has completed.
   a. On the ADMT machine, run ADMT.exe from the command line, specifying “key” as the operation to perform. The syntax for this command is “ADMT.exe key %Source_Domain_NetBIOSName% %folder% %Optional_Password%” (e.g. “c:\admt.exe key srcdomain a: pswrd”). Type “ADMT.exe key” at the command line for more usage information.
   b. On the Password Export Server, make sure that the key is available on a local drive, either by inserting the floppy disk or by copying the key to a local hard drive. You will be prompted on the Password Export Server for the location of the key during the installation. You will have to provide a matching password if one was given when creating the encryption key on the ADMT machine.
5. The AllowPasswordExport registry value (located in HKLM\SYSTEM\CurrentControlSet\Control\Lsa on the Password Export Server) must be set to “1” to allow ADMT to use that Password Export Server for password migration. You can disable a Password Export Server from supporting password migration by setting that same value to “0”.
6. “Everyone” must be added to the “Pre-Windows 2000 Compatible Access” group on the target domain in order for password migration to succeed. If this is not done, ADMT will log an “Access Denied” error. The command line syntax for this is “NET LOCALGROUP "Pre-Windows 2000 Compatible Access" Everyone /ADD”. (The Active Directory Users and Computers snap-in will not allow you to add “Everyone” to this group.)
7. Verify permissions on the server object. The PES requires that the “Pre-Windows 2000 Compatible Access” group has “Read All Properties” rights on the following object:
   CN=Server,CN=System,DC=<domain_name>
8. Verify that anonymous access is allowed to domain controllers in the target domain. Open the group policy editor for the domain and navigate to the following setting:
   Default Domain Controllers Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Additional restrictions for anonymous connections
   Verify that either 'Rely on default permissions' or 'not defined' is selected. If 'No access without explicit anonymous permissions' is selected, password migration to the target domain will fail with “Access Denied”.
9. If you are running ADMT on a Windows .NET server, you also have to make sure that the “Let Everyone permissions apply to anonymous users” right has been enabled on that machine, or that the Anonymous Logon user has been added to the Pre-Windows 2000 Compatible Access group.

The settings in items 5, 6 and 9 widen access to the source and target domains for the duration of the migration. Set AllowPasswordExport back to “0” and remove “Everyone” (and Anonymous Logon, if you added it) from the “Pre-Windows 2000 Compatible Access” group once password migration is complete.
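The registry, group-membership and anonymous-access requirements listed above can be checked before the first password migration is attempted. The following PowerShell script is an added example, not part of the release notes or of ADMT. It assumes that the Remote Registry service answers on the PES, that the two anonymous-access policies on the target domain controller are backed by the LSA registry values RestrictAnonymous (2 = “No access without explicit anonymous permissions”) and EveryoneIncludesAnonymous (1 = “Let Everyone permissions apply to anonymous users”), and that it runs on a member of the target domain as an account that can read the Builtin container. The “Read All Properties” right on CN=Server is not checked.

```powershell
param(
    [Parameter(Mandatory=$true)][string]$PesName,     # source-domain BDC running the PES
    [string]$TargetDc = $env:COMPUTERNAME            # target-domain DC whose LSA values to read
)

function Get-LsaValue([string]$Computer, [string]$Name) {
    # Reads HKLM\SYSTEM\CurrentControlSet\Control\Lsa\<Name> on $Computer via the
    # Remote Registry service (assumption: it is running). $null means the value is
    # absent, which the policy editor shows as "not defined".
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $Computer)
    try {
        $key = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        if ($null -eq $key) { return $null }
        return $key.GetValue($Name)
    } finally {
        $base.Close()
    }
}

function Test-Pre2000Member([string]$Sid) {
    # Everyone (S-1-1-0) and ANONYMOUS LOGON (S-1-5-7) are stored in the group as
    # foreignSecurityPrincipal objects whose CN is the SID string.
    $nc  = ([ADSI]'LDAP://RootDSE').Properties['defaultNamingContext'].Value
    $grp = [ADSI]"LDAP://CN=Pre-Windows 2000 Compatible Access,CN=Builtin,$nc"
    foreach ($dn in $grp.Properties['member']) {
        if ($dn -like "CN=$Sid,CN=ForeignSecurityPrincipals,*") { return $true }
    }
    return $false
}

$findings = @()

# The PES must be switched on explicitly (AllowPasswordExport = 1).
if ((Get-LsaValue $PesName 'AllowPasswordExport') -ne 1) {
    $findings += "$PesName : AllowPasswordExport is not 1; ADMT cannot use this PES."
}

# Everyone must be a member of Pre-Windows 2000 Compatible Access in the target domain.
if (-not (Test-Pre2000Member 'S-1-1-0')) {
    $findings += 'Target domain: Everyone is not in "Pre-Windows 2000 Compatible Access" (NET LOCALGROUP "Pre-Windows 2000 Compatible Access" Everyone /ADD).'
}

# RestrictAnonymous = 2 is "No access without explicit anonymous permissions".
if ((Get-LsaValue $TargetDc 'RestrictAnonymous') -eq 2) {
    $findings += "$TargetDc : RestrictAnonymous=2; password migration will fail with Access Denied."
}

# Windows .NET only: Everyone no longer covers anonymous users unless the policy is
# enabled or ANONYMOUS LOGON is in the group. Reported as a warning because it does
# not apply to a Windows 2000 target.
if ((Get-LsaValue $TargetDc 'EveryoneIncludesAnonymous') -ne 1 -and -not (Test-Pre2000Member 'S-1-5-7')) {
    Write-Warning 'If the target is Windows .NET: neither EveryoneIncludesAnonymous=1 nor ANONYMOUS LOGON in Pre-Windows 2000 Compatible Access.'
}

if ($findings.Count -eq 0) { 'OK: password migration prerequisites are in place.' }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

Run it as `.\Check-PesPrereqs.ps1 -PesName SRCBDC01` from a target-domain machine; each FAIL line maps to one of the numbered requirements above, and the same script run after the migration should report the first two as failures once the settings have been reverted.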
New Features in ADMT Version 2.0
Scripting and Command line interface

Most ADMT operations can now be performed via a scriptable interface or the new command line tool (ADMT.exe). TemplateScript.vbs is a template script that is installed with ADMT and explains most of the interface. For usage help with the command line tool, type “ADMT.exe”. The Undo Wizard is one of the more significant wizards not available through these new interfaces. However, if an operation that can be “undone” when performed through the wizards is performed through scripting or the command line, it can still be “undone” through the Undo Wizard.
Migration Log Files

A single log file was used in ADMT v.1 to log migration results and issues. In ADMT v.2, a new log file is created for each new migration operation. The most current log file is migration.log. When a new migration is started, the old migration.log file is renamed to migrationxxxx.log, where xxxx is the next available sequence number; the second most current log file is therefore the migrationxxxx.log file with the highest number. ADMT v.2 saves only a specific number of log files, by default 20. The number can be changed through the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADMT\LogHistory (default: 20)
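Because only LogHistory files are kept, a long migration project silently loses its earliest records, which are the evidence of who was migrated when and with which options. The following PowerShell script is an added example, not part of the release notes or of ADMT: it copies the rotated log files to an archive folder before the limit discards them. The log directory is a parameter because the notes do not state it; the registry path and the migration.log / migrationxxxx.log naming scheme are the ones described above.

```powershell
param(
    [Parameter(Mandatory=$true)][string]$LogDir,      # folder holding migration.log (assumption: passed in)
    [Parameter(Mandatory=$true)][string]$ArchiveDir
)

function Get-LogHistory {
    # Retention count ADMT applies; $null when the value has not been set.
    $item = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ADMT' -Name 'LogHistory' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.LogHistory
}

function Get-MigrationLogs([string]$Dir) {
    # Oldest first: migrationNNNN.log by sequence number, then the current migration.log.
    $list = @(Get-ChildItem -Path $Dir -Filter 'migration*.log' |
        Where-Object { $_.Name -match '^migration(\d+)\.log$' } |
        Sort-Object { [int]($_.Name -replace '^migration(\d+)\.log$', '$1') })
    $current = Join-Path $Dir 'migration.log'
    if (Test-Path $current) { $list += Get-Item $current }
    return $list
}

$keep = Get-LogHistory
if ($null -eq $keep) { $keep = 20 }   # documented default
if (-not (Test-Path $ArchiveDir)) { New-Item -ItemType Directory -Path $ArchiveDir | Out-Null }

$logs = Get-MigrationLogs $LogDir
"LogHistory = $keep; $($logs.Count) log file(s) in $LogDir"
foreach ($log in $logs) {
    # Prefix with the file's own timestamp so re-runs never overwrite an earlier copy.
    $name = '{0}-{1}' -f $log.LastWriteTime.ToString('yyyyMMdd-HHmmss'), $log.Name
    $dest = Join-Path $ArchiveDir $name
    if (-not (Test-Path $dest)) { Copy-Item -Path $log.FullName -Destination $dest }
}
```

Schedule it to run after each migration batch, or at least before the number of migrationxxxx.log files approaches the LogHistory value, and point ArchiveDir at a location the ADMT operator account cannot delete from.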
Credentials needed for migration operations

ADMT v.1 has a hard-coded check that verifies that the account running ADMT is an administrator in both the source and the target domain. ADMT v.2 no longer performs security checks itself, but leaves this up to the operating system.

Note 1: When users are migrated and SIDHistory migration is selected, the underlying API enforces that the user running ADMT is an administrator in the source domain and a domain admin in the target domain. Since this check is enforced by the operating system, domain admin rights for SIDHistory migrations are still needed in ADMT v.2.

Note 2: In Windows .NET, SIDHistory migration can be delegated. The user who migrates accounts with SIDHistory needs appropriate rights in the target Organizational Unit (Create Users), plus the delegated extended right MigrateSIDHistory on the domain object (DC=<domain_name>). When ADMT v.2 runs against a Windows .NET domain controller, domain admin rights for SIDHistory migrations are no longer required.

Note 3: When user passwords are migrated, the user running ADMT must be an administrator in the source domain.

Note 4: For agent-based operations like security translations or computer migrations, local administrator rights are required on the target computer.
SID Mapping Files for Security Translation

ADMT can now perform security translation based on a comma-separated file instead of only on previously migrated objects. Each line of the file has the form “%Source Object%,%Target Object%”. Both objects can take one of two forms: 1) Domain\Username (the domain must be accessible), or 2) the string representation of a SID with decimal sub-authorities (e.g. S-1-5-21-1222312332-327112949-1237804090-1056). The Account Reference report has been modified to include object SIDs in this form and can be used to help build the mapping file. The Windows 2000 version of LDP.exe does not display the full SID in decimal form; this has been fixed in the Windows .NET version of LDP.exe.
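A mapping file drives ACL rewrites, so a malformed or mistyped line is worth catching before the translation runs rather than afterwards in an untranslated ACE. The following PowerShell validator is an added example, not part of the release notes or of ADMT. It checks each line for the “source,target” form, accepts either notation, resolves Domain\Username entries to SIDs through the local security authority (so, as the notes require, the domain must be reachable), and can write a resolved, SID-only copy of the file that no longer depends on the source domain. The file layout (one mapping per line, blank lines ignored) and the command-line parameters are my assumptions.

```powershell
param(
    [Parameter(Mandatory=$true)][string]$Path,   # the mapping file to validate
    [string]$ResolvedPath                         # optional: write a SID-only copy here
)

$SidPattern     = '^S-1-\d+(-\d+)+$'            # string form, decimal sub-authorities
$AccountPattern = '^[^\\,]+\\[^\\,]+$'           # DOMAIN\Name, no second backslash or comma

function Resolve-MappingEntry([string]$Entry) {
    # Returns the SID string for a well-formed entry, or $null after a warning.
    $e = $Entry.Trim()
    if ($e -match $SidPattern) { return $e }
    if ($e -match $AccountPattern) {
        try {
            $acct = New-Object System.Security.Principal.NTAccount($e)
            return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            Write-Warning "cannot resolve '$e' (domain unreachable or no such account): $($_.Exception.Message)"
            return $null
        }
    }
    Write-Warning "malformed entry '$e' (expected DOMAIN\Name or S-1-...)"
    return $null
}

$lineNo = 0; $rejected = 0; $resolved = @()
foreach ($line in Get-Content -Path $Path) {
    $lineNo++
    if ($line.Trim() -eq '') { continue }
    $parts = $line.Split(',')
    if ($parts.Count -ne 2) {
        Write-Warning "line $lineNo : expected exactly one comma"; $rejected++; continue
    }
    $src = Resolve-MappingEntry $parts[0]
    $tgt = Resolve-MappingEntry $parts[1]
    if ($null -eq $src -or $null -eq $tgt) { $rejected++; continue }
    if ($src -eq $tgt) {
        Write-Warning "line $lineNo : source and target resolve to the same SID ($src)"; $rejected++; continue
    }
    $resolved += "$src,$tgt"
}

"$($resolved.Count) mapping(s) valid, $rejected rejected"
if ($ResolvedPath -and $rejected -eq 0) {
    # SID-only copy: still usable after the source domain has been decommissioned.
    $resolved | Set-Content -Path $ResolvedPath
}
```

The resolved copy is only written when every line validated, so a partially translated file cannot be fed to ADMT by mistake; keep the original alongside it, since the SID-only form is no longer readable by name.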
Windows 2000 Attribute Exclusion

For inter-forest migrations, a list of attributes can be defined that will be excluded in a user, group, or computer migration. There are three lists of attributes:
• Attributes always excluded by the system
• Attributes in the system exclusion list
• Attributes that can be excluded by the administrator

Attributes always excluded by the system

These attributes will always be excluded by ADMT. This is done to protect system-owned attributes and cannot be configured. The attributes are:
• Object GUID
• Object SID (but can be written to the SIDHistory)
• pwdLastSet
• userPassword (can be migrated by ADMT)
• isCriticalSystemObject
• LegacyExchangeDN
System Attribute Exclusion List

ADMT stores a system attribute exclusion list in its database. Attributes in this list will be excluded from migration operations even if they are not specified in the attribute exclusion list. The list can be changed by the administrator through any scripting language using the ADMT scripting interface. This is done to protect attributes that are important for server-based applications, like Exchange, to work. By default, the following attributes are members of the system attribute exclusion list:
• proxyAddresses

The following is an example of a script that can be used to reset the System Attribute Exclusion list to contain the attributes “mail”, “proxyAddresses” and “description”:

    ' Replaces (does not append to) the stored system exclusion list.
    ' Attribute names are comma-separated with no spaces.
    Set objMigration = CreateObject("ADMT.Migration")
    objMigration.SystemPropertiesToExclude = "description,mail,proxyAddresses"
Attribute Exclusion List

This is a list of attributes that the administrator defines for every single migration. The UI can be used to display and select the attributes. The UI keeps state information; in other words, if an attribute is added to the exclusion list, the UI will add it to the list at the next migration by default. Scripting and the command line keep no state information: the attributes must be defined for every single migration operation, either by attribute name or through an option file. However, if an attribute exclusion list is used through the command line or scripting interface, the state information used by the UI is updated with the contents of that list.
Skip Membership Restoration

A “Fix Membership” option has been added to the User and Group Migration Wizards so that performance can be vastly improved when group membership reconstruction is not needed.
Decommission Source Domains

During security translation, ADMT v.1 had to communicate with the source domain of the account that is referenced on an ACL. If the source domain was decommissioned, the security translation failed. In ADMT v.2, all necessary information is stored in the database. Therefore, the source domains can be decommissioned, and security translations will still work.

If ADMT v.2 is installed as an update of ADMT v.1, ADMT v.2 has to update the database to a new format. ADMT v.2 also has to add information to the database to make this feature work. If an ADMT v.1 database is upgraded, ADMT v.2 performs the following operations:
• Prompt the user that ADMT v.2 will attempt to contact all source domains from which objects had been migrated using ADMT v.1. The administrator can then configure which domains should be excluded.
• Contact the domains and retrieve the necessary information.

This process only happens when ADMT v.2 is run for the first time. Should a source domain controller not be online at the time when ADMT v.2 is run for the first time, the information can be added later. This is done by migrating an object from the source domain to any target domain once a domain controller is online again; a test migration is sufficient. If one migration or test run succeeds, the database is updated, and domain controllers from the source domain will no longer be needed for subsequent operations.
Known Issues

ADMT

If Install Path is empty, Installation Wizard shuts down

If the user changes the default installation path to an empty path and then clicks Browse, the installation wizard presents a dialog box with “Error 2343” and then shuts down. This issue will be addressed in a later version of ADMT.
List of Characters not allowed as a prefix/suffix

The following table lists the characters not allowed in a prefix or suffix. The SAM column indicates characters that are invalid in a SAM account name. The DN column indicates characters that need escaping in a distinguished name and/or a canonical name and/or an ADsPath.

[Table not recoverable from this copy; the characters listed in the rows that survive are: + , / : \ ] |]
User Migration

Clicking Stop on the Migration Progress Page of the User Migration Wizard Does Not Pause the Operation

When you click Stop on the Migration Progress page of the User Migration Wizard, it does not pause the user migration operation even though the verification message is displayed. This will be addressed in a future release.
Re-migrating Previously Migrated Users Updates the Group Membership of the Target User Account

When you use the User Migration Wizard with the Replace conflicting accounts option to migrate a user who has been previously migrated, any new groups that the source account has subsequently been added to are appended to the original group membership of the target user.

Example: Bob is a user in the domain HB-ACCT-WC. He is a member of the group HB-ACCT-WC\Writers and is migrated along with the Writers and Editors groups to the target domain hay-buv.tld (NetBIOS name HAY-BUV). After the first migration, the following occurs:
1) HB-ACCT-WC\Bob is added to HB-ACCT-WC\Editors.
2) HAY-BUV\Bob is added to HAY-BUV\TechEditors.
Upon remigration, HAY-BUV\Bob will be a member of HAY-BUV\Writers, HAY-BUV\Editors, and HAY-BUV\TechEditors.

This behavior is by design. If this behavior is not desired and you want to completely reset the target account to be a member of only the source user's groups, you must delete the target domain user and migrate the source user again.
Undo Wizard Does Not Reset Properties on Target Users and Groups After a Migration in Replace Mode

When the properties of a migrated user or group are changed in the target domain and that same user or group is re-migrated with the Replace conflicting accounts option, the Undo Wizard will not undo the change to the properties of the target user or group. This is by design, because ADMT does not store attribute values that are overwritten during a migration in replace mode.
User Names Using Double Byte Character Sets Cannot Be Migrated with Password Same as User Name

User names consisting of characters from Double Byte Character Sets (DBCS) should not be migrated using the Same as the user name password setting option, because Windows 2000 does not accept DBCS passwords. When migrating users with names containing DBCS characters, use the complex password or copy password option.
Security Permissions on a User Migrated From a Windows 2000 Domain Are Reset to the Default Values During Migration

When migrating a user from one Windows 2000 domain to another, the User Migration Wizard creates a new security descriptor on the user object using settings from the target domain (the Default Security Descriptor defined for users in the schema of the target forest and the inheritable Access Control Entries on the target Organizational Unit). The Security tab is only visible for users if the View\Advanced Features option has been selected. This is by design, because security settings on the migrated user account should be dictated by the target domain, not the source domain.
UPNs in Excess of 255 Characters in Length can cause ADMT to stop

During an inter-forest migration of user objects with a UPN attribute in excess of 255 characters in length, the migration progress dialog can hang and state that "the agent is no longer running." The migration log file stops being written when the first UPN longer than 255 characters is read. UPNs longer than 255 characters are not supported in this version of ADMT.
User Account Control is not migrated if Password is not migrated

If “copy password” is not selected during user migration, the user account control is not migrated correctly. This issue will be addressed in a later version of ADMT.
Failure to set specific Attributes during User Migration is not flagged as an Error

When the user who migrates user accounts does not have the rights to set specific attributes on user objects, such as disabling accounts or setting source account expiration, the update of those attributes fails. The failure is logged to the migration log file but is not flagged as an error. Therefore, the UI does not display it as an error, and the failures are harder to find in the migration log. This issue will be addressed in a later version of ADMT.
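Both of the issues above can leave a migrated account in a different state than the source (for example enabled in the target while disabled in the source) without the wizard reporting it, so the account flags are worth verifying after each user migration. The following PowerShell script is an added example, not part of the release notes or of ADMT. It compares the UserFlags bits that change an account's exposure between the source and target accounts, reading them through the WinNT provider so that it also works against a Windows NT 4.0 source domain. It assumes that the same account name exists in both domains, that the caller can read both, and that the NetBIOS domain names are passed in.

```powershell
param(
    [Parameter(Mandatory=$true)][string]$SourceDomain,     # NetBIOS name, e.g. HB-ACCT-WC
    [Parameter(Mandatory=$true)][string]$TargetDomain,     # NetBIOS name, e.g. HAY-BUV
    [Parameter(Mandatory=$true)][string[]]$SamAccountName
)

# ADS_UF_* bits of UserFlags / userAccountControl that change an account's exposure.
$Flags = @{
    ACCOUNTDISABLE     = 0x0002
    PASSWD_NOTREQD     = 0x0020
    DONT_EXPIRE_PASSWD = 0x10000
}

function Get-UserFlags([string]$Domain, [string]$Sam) {
    # WinNT provider: same bits on NT 4.0 and Active Directory. $null = not found or unreadable.
    try {
        $user = [ADSI]"WinNT://$Domain/$Sam,user"
        $value = $user.Properties['UserFlags'].Value
        if ($null -eq $value) { return $null }
        return [int]$value
    } catch {
        return $null
    }
}

function Compare-UserFlags([int]$Source, [int]$Target) {
    # Names of the flags whose state differs between the two accounts.
    foreach ($name in $Flags.Keys) {
        $bit = $Flags[$name]
        if ((($Source -band $bit) -ne 0) -ne (($Target -band $bit) -ne 0)) { $name }
    }
}

foreach ($sam in $SamAccountName) {
    $src = Get-UserFlags $SourceDomain $sam
    $tgt = Get-UserFlags $TargetDomain $sam
    if ($null -eq $src -or $null -eq $tgt) {
        "MISSING  $sam (source=$src, target=$tgt)"
        continue
    }
    $diff = @(Compare-UserFlags $src $tgt)
    if ($diff.Count -gt 0) {
        'MISMATCH {0}: {1} (source=0x{2:X}, target=0x{3:X})' -f $sam, ($diff -join ', '), $src, $tgt
    } else {
        "OK       $sam"
    }
}
```

Feed it the list of accounts from the migration batch (for example `-SamAccountName (Get-Content users.txt)`); a MISMATCH on ACCOUNTDISABLE for an account that was disabled in the source is exactly the silent failure the two issues above describe, and the target account should be disabled by hand before the cut-over.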
All Attributes are copied if Attribute Exclusion List has an Error

If ADMT experiences an error while processing the Attribute Exclusion List, all attributes on user and group objects are migrated. This issue will be addressed in a later version of ADMT.
No Error Message when non-privileged Account is used for SID History Migration

If the user enters credentials for an invalid account in the Credentials dialog box for SID History migration, no error message is displayed by the UI, but SID History migration fails. Invalid accounts include both accounts that are disabled and accounts for which the "User must change password" option is selected. The “Migrate SID History” option will be disabled until credentials for a valid account are entered. This issue will be addressed in a later version of ADMT.
Wrong Error Message created during User Group Fix-up after User Account was deleted

If a user is migrated between domains, the account in the target domain is then deleted, and a group that had the user account in the source domain as a member is migrated between the same domains, ADMT logs the following incorrect error message:
<account> has not been migrated to the target domain
This issue will be addressed in a later version of ADMT.