1
00:00:00,940 --> 00:00:01,980
In this demonstration,

2
00:00:01,980 --> 00:00:05,050
I'll show you how to use the Active Directory Migration Tool,

3
00:00:05,050 --> 00:00:06,730
or ADMT for short.

4
00:00:06,730 --> 00:00:09,260
We're looking at, as you can see in the upper right,

5
00:00:09,260 --> 00:00:11,460
I've got some BGInfo output here.

6
00:00:11,460 --> 00:00:14,320
I'm on a domain controller in another forest.

7
00:00:14,320 --> 00:00:20,060
In fact, let me bring up my Admin Console here; it's srv1.company.com.

8
00:00:20,060 --> 00:00:24,840
And let's pretend that this is our acquisition, all right.

9
00:00:24,840 --> 00:00:28,030
And we're going to export users, groups,

10
00:00:28,030 --> 00:00:28,590
computers,

11
00:00:28,590 --> 00:00:33,010
out of this forest and domain into the one that we've been

12
00:00:33,010 --> 00:00:38,940
using for this entire learning track, the timw.info forest and domain.

13
00:00:38,940 --> 00:00:41,130
So what I want to draw your attention to here is in

14
00:00:41,130 --> 00:00:43,220
Active Directory Users and Computers.

15
00:00:43,220 --> 00:00:47,360
I've got one organizational unit called Office Staff that has a

16
00:00:47,360 --> 00:00:50,440
couple global groups and some user accounts.

17
00:00:50,440 --> 00:00:51,950
I also have another OU,

18
00:00:51,950 --> 00:00:56,890
and I have one domain‑joined Windows 10 workstation called CLIENT1.

19
00:00:56,890 --> 00:00:58,920
So it's just a simple lab environment.

20
00:00:58,920 --> 00:01:02,690
In order to facilitate things, let me bring up my

21
00:01:02,690 --> 00:01:06,740
network properties here, ncpa.cpl.

22
00:01:06,740 --> 00:01:09,700
I've made sure that I can do DNS resolution,

23
00:01:09,700 --> 00:01:13,160
so if I look at the Advanced properties of this

24
00:01:13,160 --> 00:01:17,930
machine's network interface card, this machine is at 241,

25
00:01:17,930 --> 00:01:23,350
but I've also included the timw.info DNS server.

26
00:01:23,350 --> 00:01:25,660
I know that I could do forwarding and DNS,

27
00:01:25,660 --> 00:01:29,330
but I'm actually distributing the IP address of the

28
00:01:29,330 --> 00:01:32,630
destination domain's DNS server.

29
00:01:32,630 --> 00:01:33,940
All right, also, again,

30
00:01:33,940 --> 00:01:39,280
to facilitate this movement in the Active Directory Domains and Trusts console,

31
00:01:39,280 --> 00:01:42,440
if I look at the Properties here and go to Trusts,

32
00:01:42,440 --> 00:01:47,290
I've set up bidirectional transitive forest trusts

33
00:01:47,290 --> 00:01:51,340
between company.com and timw.info.

34
00:01:51,340 --> 00:01:56,040
All of this is to facilitate that transfer.

35
00:01:56,040 --> 00:02:01,750
Lastly, I installed the ADMT, the latest version, which I believe is 3.2.

36
00:02:01,750 --> 00:02:03,350
In order to install this,

37
00:02:03,350 --> 00:02:06,730
you have to have an old version of SQL Server installed.

38
00:02:06,730 --> 00:02:12,540
If you look down in my Start menu, I installed the SQL Server 2008 R2,

39
00:02:12,540 --> 00:02:14,510
the Express, or free edition.

40
00:02:14,510 --> 00:02:17,980
It's running as a named instance called SQL Express.

41
00:02:17,980 --> 00:02:21,240
I had no problem installing the tools as long as I

42
00:02:21,240 --> 00:02:24,040
had that old SQL Server running.

43
00:02:24,040 --> 00:02:25,740
All right, anything else?

44
00:02:25,740 --> 00:02:26,910
Yeah, one more thing actually.

45
00:02:26,910 --> 00:02:29,620
Let me go to the Downloads folder.

46
00:02:29,620 --> 00:02:32,320
If you're looking at password export,

47
00:02:32,320 --> 00:02:35,230
you'll want to install the Password Export Server,

48
00:02:35,230 --> 00:02:37,540
and that's what this little msi is.

49
00:02:37,540 --> 00:02:43,120
If you just do a search on Google for ADMT Password Export, you'll get this.

50
00:02:43,120 --> 00:02:48,340
And what you do is you'll run an ADMT command‑line command to

51
00:02:48,340 --> 00:02:53,500
generate a key that the ADMT tools will use to encrypt the user

52
00:02:53,500 --> 00:02:57,240
passwords as they go over that trust channel.

53
00:02:57,240 --> 00:03:01,620
So that's what I got going on. Now, as far as actually performing the migration,

54
00:03:01,620 --> 00:03:02,610
let's take a look.

55
00:03:02,610 --> 00:03:05,670
It's not very intuitive at all because as you can see,

56
00:03:05,670 --> 00:03:10,370
it's pretty much an empty MMC console that has just an empty

57
00:03:10,370 --> 00:03:13,360
Reports node with some descriptive text,

58
00:03:13,360 --> 00:03:16,650
but it's nonintuitive as far as how to use the tool.

59
00:03:16,650 --> 00:03:18,160
You actually right‑click,

60
00:03:18,160 --> 00:03:22,520
and you can invoke any of these wizards from the top part.

61
00:03:22,520 --> 00:03:25,840
So let's start by grabbing some user accounts here.

62
00:03:25,840 --> 00:03:28,440
So let's do User Account Migration Wizard.

63
00:03:28,440 --> 00:03:33,140
All of these are using the traditional Win32 wizard interface.

64
00:03:33,140 --> 00:03:36,050
Our first step here is to use either typing or these

65
00:03:36,050 --> 00:03:39,530
drop‑down controls to specify the source and destination

66
00:03:39,530 --> 00:03:41,840
domains and domain controllers.

67
00:03:41,840 --> 00:03:45,190
So I'm going from company.com to timw.info.

68
00:03:45,190 --> 00:03:50,970
And you can either choose a specific DC or you can choose any domain controller.

69
00:03:50,970 --> 00:03:53,240
I'm being very intentional here in my work.

70
00:03:53,240 --> 00:03:55,240
Let's click Next.

71
00:03:55,240 --> 00:03:57,050
How are the users to be selected?

72
00:03:57,050 --> 00:03:58,850
I'm not going to do an include file.

73
00:03:58,850 --> 00:04:01,140
I'm going to do a direct selection.

74
00:04:01,140 --> 00:04:02,730
So let's click Add here.

75
00:04:02,730 --> 00:04:04,110
And now we can enumerate.

76
00:04:04,110 --> 00:04:08,910
I forgot what their names are, so let me just bring up my office staff again.

77
00:04:08,910 --> 00:04:12,510
I've got, let's say, Camila and Felipe will be our first ones.

78
00:04:12,510 --> 00:04:16,900
So I'll bring in Felipe, and now I'll bring in Camila.

79
00:04:16,900 --> 00:04:18,300
Click Next.

80
00:04:18,300 --> 00:04:21,430
What is the distinguished name of the target OU?

81
00:04:21,430 --> 00:04:23,220
If we click Browse,

82
00:04:23,220 --> 00:04:27,480
this fortunately has a graphical overlay to where you don't

83
00:04:27,480 --> 00:04:30,810
have to type out distinguished name syntax.

84
00:04:30,810 --> 00:04:34,360
I'm going to put these new users in the Staff OU in the

85
00:04:34,360 --> 00:04:38,840
timw.info destination forest and domain.

86
00:04:38,840 --> 00:04:40,510
Click OK and Next.

87
00:04:40,510 --> 00:04:43,500
What type of passwords do you want to use, you see?

88
00:04:43,500 --> 00:04:46,890
So if we're not using the Password Export Server,

89
00:04:46,890 --> 00:04:51,930
we have to really just either do not update or generate complex passwords.

90
00:04:51,930 --> 00:04:56,620
And if we generate passwords, those will be captured in a separate file.

91
00:04:56,620 --> 00:05:00,200
Well, I have the Password Export Server installed,

92
00:05:00,200 --> 00:05:03,810
so I'm just going to specify that my Password migration

93
00:05:03,810 --> 00:05:08,170
source is in fact srv1.company.com.

94
00:05:08,170 --> 00:05:10,140
We'll click Next.

95
00:05:10,140 --> 00:05:11,440
Now you'll want to make sure,

96
00:05:11,440 --> 00:05:14,420
as I'm showing you here in the service control manager,

97
00:05:14,420 --> 00:05:17,910
that you have the Password Export Server service running.

98
00:05:17,910 --> 00:05:23,670
Mine was set to Manual Startup stopped, so I made sure to start the service here.

99
00:05:23,670 --> 00:05:27,940
And so now we can, again, click Next to continue.

100
00:05:27,940 --> 00:05:30,120
How do we want to handle migrating accounts?

101
00:05:30,120 --> 00:05:31,040
By default,

102
00:05:31,040 --> 00:05:33,340
it's just going to assume that if the account is

103
00:05:33,340 --> 00:05:39,940
not disabled on the source side, it will be not disabled on the destination side.

104
00:05:39,940 --> 00:05:41,910
So I'm just going to leave all that at the default.

105
00:05:41,910 --> 00:05:42,710
Now look here.

106
00:05:42,710 --> 00:05:45,270
Migrate user SIDs to the target domain.

107
00:05:45,270 --> 00:05:47,640
This would override SID filtering.

108
00:05:47,640 --> 00:05:51,310
I'm going to select that just because we can investigate it later.

109
00:05:51,310 --> 00:05:52,800
I'm going to click Next.

110
00:05:52,800 --> 00:05:56,140
It says here that Auditing is currently not enabled on the source.

111
00:05:56,140 --> 00:05:58,240
Would you like to enable it?

112
00:05:58,240 --> 00:06:00,740
If not, SID migration will be disabled.

113
00:06:00,740 --> 00:06:03,460
Yeah, come to think of it, let me go back and make sure.

114
00:06:03,460 --> 00:06:04,780
No, I'm not going to mess with that.

115
00:06:04,780 --> 00:06:06,760
I'll leave SID quarantining on,

116
00:06:06,760 --> 00:06:10,840
which will give these users a brand‑new SID in the target forest.

117
00:06:10,840 --> 00:06:12,240
That's fine.

118
00:06:12,240 --> 00:06:13,220
But we'll go Next.

119
00:06:13,220 --> 00:06:14,790
What else do we want to do?

120
00:06:14,790 --> 00:06:16,690
Do we want to update user rights?

121
00:06:16,690 --> 00:06:19,420
Do we want to migrate associated user groups?

122
00:06:19,420 --> 00:06:23,110
And if it's been previously migrated, the group update it?

123
00:06:23,110 --> 00:06:25,310
Do I want to translate roaming profiles?

124
00:06:25,310 --> 00:06:26,550
That could be a heavy lift.

125
00:06:26,550 --> 00:06:30,240
I'm going to just select Migrate associated user groups.

126
00:06:30,240 --> 00:06:33,340
If you have an extended schema in the source,

127
00:06:33,340 --> 00:06:36,000
you can exclude properties from migration.

128
00:06:36,000 --> 00:06:37,200
I'm not going to do that.

129
00:06:37,200 --> 00:06:39,970
I'll leave everything stock and default here.

130
00:06:39,970 --> 00:06:41,460
What if there's a conflict?

131
00:06:41,460 --> 00:06:43,850
The default is to not migrate.

132
00:06:43,850 --> 00:06:48,000
And that's really it. Click Finish.