1
00:00:01,140 --> 00:00:04,170
All right, so it looks like two users were examined.

2
00:00:04,170 --> 00:00:06,090
One group was examined.

3
00:00:06,090 --> 00:00:10,320
It looks like there were two user‑related errors, one group‑related error.

4
00:00:10,320 --> 00:00:11,210
Well, that's not good.

5
00:00:11,210 --> 00:00:12,450
What does the log say here?

6
00:00:12,450 --> 00:00:14,540
Let's take a look.

7
00:00:14,540 --> 00:00:18,640
Okay, well if we see down at the bottom here, Access is denied.

8
00:00:18,640 --> 00:00:23,300
I just realized something I forgot to do, and that is to make sure

9
00:00:23,300 --> 00:00:26,890
that administrators in the source domain have privilege as

10
00:00:26,890 --> 00:00:29,330
administrators in the destination domain,

11
00:00:29,330 --> 00:00:33,740
whoops. Rookie little mistake there.

12
00:00:33,740 --> 00:00:36,830
So through the magic of video editing, now you see that two

13
00:00:36,830 --> 00:00:40,780
users were copied successfully with no errors, and we can

14
00:00:40,780 --> 00:00:43,520
verify that here in the log file.

15
00:00:43,520 --> 00:00:46,710
What did I do specifically in case you were curious?

16
00:00:46,710 --> 00:00:49,800
I just wanted to make sure, and I did this on both

17
00:00:49,800 --> 00:00:53,000
domains, company.com and timw.info.

18
00:00:53,000 --> 00:00:58,290
I've gone into the Administrators group, Members, and I added in

19
00:00:58,290 --> 00:01:02,010
the domain admins for the other forest domain.

20
00:01:02,010 --> 00:01:05,530
And we can just do that by going to Add, Locations.

21
00:01:05,530 --> 00:01:07,590
And because I have that forest trust,

22
00:01:07,590 --> 00:01:11,900
I'm able to reach across the trust, and I'm able to enumerate those groups.

23
00:01:11,900 --> 00:01:14,550
So that made all the difference in the world.

24
00:01:14,550 --> 00:01:20,430
Let's do a couple more migrations before we go over to timw.info and verify.

25
00:01:20,430 --> 00:01:22,990
So we've looked basically at users and groups.

26
00:01:22,990 --> 00:01:26,040
Now let's take a look at computer migration.

27
00:01:26,040 --> 00:01:29,900
So we'll go here. Again, we verify it kept our previous choices,

28
00:01:29,900 --> 00:01:32,800
which is convenient for domain selections.

29
00:01:32,800 --> 00:01:36,290
They're analogous to the user wizard, as you can see. Here,

30
00:01:36,290 --> 00:01:37,850
we're browsing for computers.

31
00:01:37,850 --> 00:01:41,150
It's called CLIENT1. I'll bring that in here.

32
00:01:41,150 --> 00:01:42,280
Let's click Next.

33
00:01:42,280 --> 00:01:44,750
Which Target OU do we want here?

34
00:01:44,750 --> 00:01:46,660
Well, do we want to do Staff?

35
00:01:46,660 --> 00:01:50,140
And I'm going to actually put it in the Computers container.

36
00:01:50,140 --> 00:01:51,740
So let's click Next.

37
00:01:51,740 --> 00:01:54,110
Please specify what you want to translate.

38
00:01:54,110 --> 00:01:59,810
Okay, well you want the Local groups on that machine, Files and folders.

39
00:01:59,810 --> 00:02:01,660
What is it that you want to translate? And what the

40
00:02:01,660 --> 00:02:05,140
translation here is it says up at the top is the process

41
00:02:05,140 --> 00:02:07,300
of reapplying access control lists.

42
00:02:07,300 --> 00:02:12,550
I'll actually deselect that. We'll handle redoing the ACLs when we get

43
00:02:12,550 --> 00:02:15,660
to the other side when we get to the target domain.

44
00:02:15,660 --> 00:02:17,740
So let me click Next here.

45
00:02:17,740 --> 00:02:20,050
Minutes before computers are restarting.

46
00:02:20,050 --> 00:02:22,480
Yeah, of course, when you join a new domain,

47
00:02:22,480 --> 00:02:25,960
you have to restart the machine. Here, we have our property

48
00:02:25,960 --> 00:02:32,140
exclusion, Next, conflict, Finish, and we're off and running.

49
00:02:32,140 --> 00:02:34,000
I'll click the View Log again.

50
00:02:34,000 --> 00:02:34,980
Okay,

51
00:02:34,980 --> 00:02:38,770
this one bombed out it looks like because there's already a

52
00:02:38,770 --> 00:02:42,620
computer in that target domain with the same name.

53
00:02:42,620 --> 00:02:49,100
So what I'm going to need to do is rename or remove the conflicting name

54
00:02:49,100 --> 00:02:55,620
in the timw domain and then retry the process again here. And through the

55
00:02:55,620 --> 00:03:00,260
magic, blah, blah, blah, I've made that change in the target, and it

56
00:03:00,260 --> 00:03:02,080
looks like the operation completed.

57
00:03:02,080 --> 00:03:05,440
So you see the rinse and repeat aspect here.

58
00:03:05,440 --> 00:03:09,910
Now there is a command‑line interface for ADMT, so it's

59
00:03:09,910 --> 00:03:12,290
possible to script this stuff out.

60
00:03:12,290 --> 00:03:12,870
For instance,

61
00:03:12,870 --> 00:03:21,640
if I open up an elevated PowerShell console here, and if I do an admt /?,

62
00:03:21,640 --> 00:03:24,640
it gives you some gradual disclosure here,

63
00:03:24,640 --> 00:03:26,840
USER, GROUP, COMPUTER, and so on.

64
00:03:26,840 --> 00:03:31,220
So it's not like you have to click through the wizard interface multiple times.

65
00:03:31,220 --> 00:03:35,110
It's possible to do some larger scale operations with it.

66
00:03:35,110 --> 00:03:37,120
So let's see, what else do we have here?

67
00:03:37,120 --> 00:03:42,640
Security translation, service accounts, managed service accounts.

68
00:03:42,640 --> 00:03:45,940
As far as the Group Policy migration goes, that's just going to

69
00:03:45,940 --> 00:03:48,800
be a question of doing export and imports,

70
00:03:48,800 --> 00:03:55,810
which you can do from the Group Policy Management Console MMC, or you

71
00:03:55,810 --> 00:04:01,100
could do export GPO import GPO commands using PowerShell. So we don't

72
00:04:01,100 --> 00:04:04,730
do Group Policy migration with the ADMT,

73
00:04:04,730 --> 00:04:08,600
but it's mentioned on the AZ‑801 objective, so I wanted

74
00:04:08,600 --> 00:04:10,940
to make sure to cover it in passing.

75
00:04:10,940 --> 00:04:15,190
Let's now cut over to my timw.info environment.

76
00:04:15,190 --> 00:04:18,440
Let me open up dsa.msc.

77
00:04:18,440 --> 00:04:23,140
That's the Active Directory Users and Computers MMC console.

78
00:04:23,140 --> 00:04:26,320
And we can already see that the migration has taken form

79
00:04:26,320 --> 00:04:29,300
here because we have Felipe, Camila,

80
00:04:29,300 --> 00:04:31,690
we have company staff that came from the other

81
00:04:31,690 --> 00:04:41,000
domain. And if we go to Computers, we have CLIENT1. So there you have it, ADMT in a nutshell.