Contrary to popular belief, it’s possible to migrate Active Directory User Accounts and their passwords. Trust me.
The good news is that I’ll lead you step by step until you successfully migrate your accounts and passwords, but before we get started, there are a couple pre-requisites that may need to be addressed.
This blog also assumes you have two Active Directory Domains that currently communicate with one another.
Before You Begin:
First, you will need to assign Conditional Forwarders for each domain. On Domain 1, you will need to assign Conditional Forwarders for Domain 2. On Domain 2, you will need to assign Conditional Forwarders for Domain 1. For more detail on this, please reference this Microsoft Technet.
Second, now that you have the Conditional Forwarders in place, you must setup a Two-Way Active Directory Trust in order to authenticate between the two domains. For more detail on this, please reference this Microsoft Technet.
Ok, now that the two domains can communicate, Conditional Forwarders are in place and a Two-Way Active Directory Trust is created and validated, we can begin the user and password migration.
Getting Started with Migrating User Accounts & Passwords
The first thing you need to do is download the Active Directory Migration Tool (ADMT) and the Password Export Server Service installer.
Please note: You must have a Microsoft Connect account to download the above files.
- On the server on which you downloaded the above files, run the en-US admtsetup32.exe.
- This will open the Active Directory Migration Tool Installation Wizard, as shown below. Please note that the setup must create a SQL database. A SQL instance is needed to continue. Click Next.
- On the License Agreement window, select I Agree. Click Next.
- On the Customer Experience Improvement Program window, select an option. Click Next.
- On the Database Selection window, enter the name of your SQL instance. Click Next.
- This will create the SQL database and complete the installation. Click Finish.
At this time, you will be able to use ADMT to migrate user accounts, but not yet passwords. In order to properly migrate passwords, you need to install the Password Export Server service.
- The first step is to create an Encryption File to be used during the password migration process. To do this:
- Run the following command from either the Command Prompt or PowerShell:
admt key /option:create /sourcedomain:DOMAIN.local /keyfile:C:\ADMTKey /keypassword:Password123!
This will create the encryption key at the location you choose. Be sure to replace DOMAIN.local and Password123! with your own source domain name and key password.
- On the server on which you downloaded the files, run the en-US pwdmig.msi.
- This will open the ADMT Password Migration DLL Setup. Click Next.
- On the End-User License Agreement window, accept the terms, click Next.
- On the Encryption File window, browse to the location of your encryption key that was created in step 1. Click Next.
- This will prompt you for a password. This must match the password in the encryption file. Click OK.
- Click Next to begin the installation.
- At the below window, you can choose whether to run the service with the Local System Account or a specific account. This portion is up to you, but for this example, we are using the Local System Account. Click OK.
- Click Finish to complete the installation.
Now it’s time to actually migrate user accounts AND their passwords. During this process, the Windows Service we just installed needs to be started. It is recommended that this service only be started while performing password migrations. To start the service:
- Open up Start > Run. Type services.msc. Click OK.
- Locate the Password Export Server Service. Right-click the service and select Start.
Let’s migrate some user accounts and passwords, shall we?
- Open the Active Directory Migration Tool. Browse to Start > Active Directory Migration Tool (this method may differ depending on what OS you are running).
- Right-click the top level container titled Active Directory Migration Tool. Select User Account Migration Wizard.
- From the Welcome to the User Account Migration Wizard welcome screen, click Next.
- From the Domain Selection screen, type in your Source Domain first. Then, select one of the Domain Controllers in the drop-down list. Repeat this for the Target Domain. Click Next.
- On the User Selection Option screen, choose Select users from domain. Click Next.
- Alternatively, you can use an include file for more granular options. Please refer to the ADMT Migration Guide for details.
- From the User Selection screen, choose Add… to add which user accounts need to be migrated. This will open the standard Select Users window we are all used to. In this example, we are using four test accounts, all in the same OU.
- Add all the users that need to be migrated. Click Next.
- From the Organizational Unit Selection screen, enter the fully qualified name of the target OU. Click Next.
- From the Password Options screen, you can choose the options that fit your needs. In this example, we will choose Migrate Passwords. Please also make sure that the correct source DC is listed. Click Next.
- From the Account Transition Options screen, similar to step 9, you can choose the options that fit your needs. For this example, we will only choose Target same as source. Click Next.
- From the User Options screen, just like steps 9 and 10, choose what fits your needs. Because this is simply a test, we will only choose to Fix users’ group memberships. Click Next.
- From the Object Property Exclusion screen, we are choosing NOT to exclude any properties. Click Next.
- On the Conflict Management screen, choose what options you require. Click Next.
- Click Finish. This will start the migration process.
You’re now greeted with a Migration Progress window showing the number of users copied and any errors. Once complete, you can then view the log to examine why an account failed.
And that’s it. For our testing, we logged into the target domain with the password known from the source domain. All four accounts were successful.
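The command-line pieces of the procedure above (the Before You Begin checks, the admt key step, running the PES service only for the migration window, and checking the migrated accounts afterwards) as one added PowerShell example; this is not from the original post. It assumes the ActiveDirectory and DnsClient modules are installed, admt.exe is on the PATH, and the PES display name is "Password Export Server Service"; the domain and user names are constructed.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory and DnsClient
# modules, admt.exe on PATH, and a PES display name of "Password Export Server Service".
Import-Module ActiveDirectory

function Test-MigrationPrereqs([string]$SourceDomain) {
    # Conditional forwarder: the source domain's DC SRV records must resolve from here.
    $srv = Resolve-DnsName "_ldap._tcp.dc._msdcs.$SourceDomain" -Type SRV -ErrorAction Stop
    # Trust: must exist and be two-way before ADMT can authenticate to both domains.
    $trust = Get-ADTrust -Filter "Name -eq '$SourceDomain'"
    if (-not $trust -or $trust.Direction -ne 'BiDirectional') {
        throw "No validated two-way trust with $SourceDomain"
    }
    "Source DCs: $($srv.NameTarget -join ', '); trust: $($trust.Direction)"
}

function New-AdmtKey([string]$SourceDomain, [string]$KeyFile) {
    # Prompt for the key password so it is not typed as a literal that ends up in the
    # console history; admt itself still receives it as a plain-text argument.
    $secure = Read-Host -Prompt 'Encryption key password' -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    & admt key /option:create "/sourcedomain:$SourceDomain" "/keyfile:$KeyFile" "/keypassword:$plain"
    $plain = $null
    if ($LASTEXITCODE -ne 0) { throw "admt key failed with exit code $LASTEXITCODE" }
}

function Invoke-WithPesRunning([scriptblock]$Migration) {
    # Start PES only for the migration window, as recommended above, then stop it again.
    $pes = Get-Service -DisplayName 'Password Export Server Service'
    Start-Service -InputObject $pes
    try { & $Migration } finally { Stop-Service -InputObject $pes }
}

function Test-MigratedUsers([string]$TargetDomain, [string[]]$Users) {
    # A migrated account should exist in the target, be enabled, and carry a password
    # (PasswordLastSet populated); the post's own check was an interactive logon.
    foreach ($u in $Users) {
        $a = Get-ADUser -Server $TargetDomain -Filter "SamAccountName -eq '$u'" `
                        -Properties PasswordLastSet
        [pscustomobject]@{ User = $u; Found = [bool]$a; Enabled = $a.Enabled
                           HasPassword = [bool]$a.PasswordLastSet }
    }
}
# Usage (constructed names): key step on the ADMT server, PES window on the source DC.
Test-MigrationPrereqs -SourceDomain 'source.local'
New-AdmtKey -SourceDomain 'source.local' -KeyFile 'C:\ADMTKey'
Invoke-WithPesRunning { Read-Host 'Finish the User Account Migration Wizard, then press Enter' | Out-Null }
Test-MigratedUsers -TargetDomain 'target.local' -Users 'testuser1','testuser2' | Format-Table
```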
Thanks for reading and feel free to comment with any questions.