RE: migrating users and other from win2k to win2003

From: Carsyn Gu [MSFT] (kshengu_at_online.microsoft.com)
Date: 11/10/04


Date: Wed, 10 Nov 2004 09:13:20 GMT

Hi Arijit,

Thanks for your posting.

You may migrate the users, NTFS permissions, IIS and DNS to the new Windows
Server 2003 system by using the Active Directory Migration Tool.

WARNING: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using
Registry Editor incorrectly. Use Registry Editor at your own risk.

You can use ADMT to migrate users, groups, and computers from one domain to
another, and analyze the migration effect before and after the actual
migration process.

NOTE: This article assumes that the source domain is a Windows 2000-based
domain, and that the target domain is a Windows Server 2003-based domain in
Windows 2000 Native mode or later.

How to Set Up ADMT for a Windows 2000 to Windows Server 2003 Migration

You can install the Active Directory Migration Tool version 2 (ADMTv2) on
any computer that is running Windows 2000 or later, including:
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows XP Professional
- Microsoft Windows Server 2003

The computer on which you install ADMTv2 must be a member of either the
source or the target domain.

Intraforest Migration

Intraforest migration does not require any special domain configuration.
The account you use to run ADMT must have enough permissions to perform the
actions that are requested by ADMT. For example, the account must have the
right to delete accounts in the source domain, and to create accounts in
the target domain.

Intraforest migration is a move operation instead of a copy operation.
These migrations are said to be destructive because after the move, the
migrated objects no longer exist in the source domain. Because the object
is moved instead of copied, some actions that are optional in interforest
migrations occur automatically. Specifically, the sIDHistory and password
are automatically migrated during all intraforest migrations.

Interforest Migration

ADMT requires the following permissions to run properly:
- Administrator rights in the source domain.
- Administrator rights on each computer that you migrate.
- Administrator rights on each computer on which you translate security.

Before you migrate a Windows 2000-based domain to a Windows Server
2003-based domain, you must make some domain and security configurations.
Computer migration and security translation do not require any special
domain configuration. However, each computer you want to migrate must have
the administrative shares, C$ and ADMIN$.

The account you use to run ADMT must have enough permissions to complete
the required tasks. The account must have permission to create computer
accounts in the target domain and organizational unit, and must be a member
of the local Administrators group on each computer to be migrated.

User and Group Migration

You must configure the source domain to trust the target domain.
Optionally, the target may be configured to trust the source domain. While
this may ease configuration, it is not required to finish the ADMT
migration.

Requirements for Optional Migration Tasks

You can complete the following tasks automatically by running the User
Migration Wizard in Test mode and selecting the migrate sIDHistory option.
The user account you use to run ADMT must be an Administrator in both the
source and the target domains for the automatic configuration to succeed.
- Create a new local group in the source domain that is named
  %sourcedomain%$$$. There must be no members in this group.
- Turn on auditing for the success and failure of Audit account management
  on both domains in the Default Domain Controllers policy.
- Configure the source domain to allow RPC access to the SAM by configuring
  the following registry entry on the PDC Emulator in the source domain
  with a DWORD value of 1:

  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\TcpipClientSupport

  You must restart the PDC Emulator after you make this change.

NOTE: For Windows 2000 domains, the account you use to run ADMTv2 must
have domain administrator permissions in both the source and target
domains. For Windows Server 2003 target domains, the 'Migrate sIDHistory'
may be delegated. For more information, see Windows Server 2003 Help &
Support.

You can turn on interforest password migration by installing a DLL that
runs in the context of LSA. By running in this protected context, passwords
are shielded from being viewed in cleartext, even by the operating system.
The installation of the DLL is protected by a secret key that is created by
ADMTv2, and must be installed by an administrator.

To install the password migration DLL:

1. Log on as an administrator or equivalent to the computer on which
   ADMTv2 is installed.
2. At a command prompt, run the ADMT KEY sourcedomain path [* | password]
   command to create the password export key file (.pes). In this example,
   sourcedomain is the NetBIOS name of the source domain and path is the
   file path where the key will be created. The path must be local, but can
   point to removable media such as a floppy disk drive, ZIP drive, or
   writable CD media. If you type the optional password at the end of the
   command, ADMT protects the .pes file with the password. If you type the
   asterisk (*), ADMT prompts for a password, and the system will not echo
   it as it is typed.
3. Move the .pes file you created in step 2 to the designated Password
   Export Server in the source domain. This can be any domain controller,
   but make sure it has a fast, reliable link to the computer that is
   running ADMT.
4. Install the Password Migration DLL on the Password Export Server by
   running the Pwmig.exe tool. Pwmig.exe is located in the I386\ADMT folder
   on the Windows Server 2003 installation media, or the folder to which
   you downloaded ADMTv2 from the Internet.
5. When you are prompted to do so, specify the path to the .pes file that
   you created in step 2. This must be a local file path.
6. After the installation completes, you must restart the server.
7. If you are ready to migrate passwords, modify the following registry key
   to have a DWORD value of 1. For maximum security, do not complete this
   step until you are ready to migrate.

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AllowPasswordExport

To download ADMT, visit the following Microsoft Web site:
http://www.microsoft.com/windows2000/downloads/tools/admt/default.asp

For more information about how to use ADMT to perform a migration, see ADMT
Help. Start the Active Directory Migration Tool, click Help Topics on the
Help menu, click the Contents tab, and then click Active Directory
Migration Tool.

For more information about ADMT, visit the following Microsoft Web site:
http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/admt.asp

Hope the information provided helps. Please feel free to let me know if you
have anything unclear about the issue.

Sincerely,
Carsyn Gu
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "Arijit Upadhyay" <arijit@ganashakti.co.in>
| Subject: migrating users and other from win2k to win2003
| Date: Wed, 10 Nov 2004 10:58:43 +0530
| Message-ID: <eEtSkYuxEHA.2788@TK2MSFTNGP15.phx.gbl>
| Newsgroups: microsoft.public.windows.server.migration
|
| I have a dedicated webserver with my ISP which is windows 2000 standard
| server, standalone, no active directory in a workgroup mode. It has a
| number of windows-users mainly for using MS-FTP.
|
| I have taken a new server windows 2003 standard server. Could you please
| advise how to -
|
| 1) Migrate the users
| 2) Migrate NTFS permissions
| 3) Migrate IIS websites
| 4) Migrate DNS server
|
| Regards
| Arijit
|
|
|
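
Added example, not part of the original post and not code shipped with ADMT: a PowerShell audit of the two LSA registry values the reply names, meant to be run locally on the source domain's PDC Emulator or Password Export Server. The function name Get-AdmtLsaExposure, the -Reset switch and the idea of writing the values back to 0 once migration is finished are assumptions made for illustration.

```powershell
# Added example: report (and optionally clear) the LSA values that ADMT
# migration turns on. Function name and -Reset behaviour are hypothetical.
function Get-AdmtLsaExposure {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumed post-migration cleanup: write any value found at 1 back to 0.
        [switch]$Reset
    )

    $lsaKey  = 'HKLM:\System\CurrentControlSet\Control\Lsa'
    $watched = [ordered]@{
        TcpipClientSupport  = 'RPC access to the SAM (sIDHistory migration)'
        AllowPasswordExport = 'Password export through the password migration DLL'
    }

    foreach ($name in $watched.Keys) {
        # A missing value is not an error: it means the setting was never enabled.
        $item  = Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.$name } else { $null }
        $state = if ($null -eq $value) { 'NotSet' }
                 elseif ($value -eq 1) { 'Enabled' }
                 else                  { 'Disabled' }

        if ($Reset -and $state -eq 'Enabled' -and
            $PSCmdlet.ShouldProcess("$lsaKey\$name", 'Set DWORD to 0')) {
            Set-ItemProperty -Path $lsaKey -Name $name -Value 0 -Type DWord
            $state = 'ResetToZero'
        }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Value    = $name
            Data     = $value
            State    = $state
            Purpose  = $watched[$name]
        }
    }
}

# Report only; add -Reset -WhatIf to preview the cleanup before applying it.
Get-AdmtLsaExposure | Format-Table -AutoSize
```

The reply states that the PDC Emulator must be restarted after TcpipClientSupport is changed, so a reset of that value should be followed by a restart as well.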


