active directory: password migration with ADMT

ADMT is installed in the destination/target domain. the password export server (PES) dll is installed on a DC in the source domain.

DNS – create a conditional forwarder or stub zone for the other domain’s zone
trust settings:
forest trust, two-way, both domains, forest-wide authentication

also the current release of ADMT will definitely not install on anything newer than sql express 2008 (trust me i tried).

path to ADMT install: c:\windows\admt
creation of encryption key in target domain: admt key /option:create /sourcedomain:mysource.local /keyfile:c:\fmp\filemigpass.pes /keypassword:Password1
(create the c:\fmp folder first, before running the key command)

it’s recommended to create an ADMT user for migration purposes. the user will need to have admin rights in both domains.

the password export server service on the source DC must be run with an account that has admin privileges in the target/destination domain. also the PES service needs to be started manually.
make sure to run the PES installer as admin (https://support.microsoft.com/en-us/kb/2004090)
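a quick pre-flight check for the prerequisites above (DNS zone, trust settings, key file, PES service), as an added example that is not from the original post or from ADMT itself. it runs in Windows PowerShell on the ADMT box in the target domain with the ActiveDirectory and DnsServer modules. the source domain name and key file path are the ones used above; the source DC name SRCDC01.mysource.local is an assumed placeholder.

```powershell
# Added pre-flight check for the ADMT/PES setup described in the post (not the post's own code).
# Run on the ADMT machine in the target domain as the ADMT migration user.
# Assumed placeholder: the source DC that runs PES is SRCDC01.mysource.local.
Import-Module ActiveDirectory
Import-Module DnsServer

$SourceDomain = 'mysource.local'            # from the post
$SourceDc     = 'SRCDC01.mysource.local'    # assumed name, replace with the real PES DC
$KeyFile      = 'C:\fmp\filemigpass.pes'    # key file path used in the post
$problems     = @()

# 1. name resolution: a conditional forwarder or stub zone for the source domain
$zone = Get-DnsServerZone -Name $SourceDomain -ErrorAction SilentlyContinue
if (-not $zone -or $zone.ZoneType -notin 'Forwarder', 'Stub') {
    $problems += "no conditional forwarder/stub zone for $SourceDomain on this DNS server"
}

# 2. trust: forest trust, two-way, forest-wide authentication (selective auth off)
$trust = Get-ADTrust -Filter "Name -eq '$SourceDomain'" -ErrorAction SilentlyContinue
if (-not $trust) {
    $problems += "no trust object for $SourceDomain in the target domain"
} else {
    if (-not $trust.ForestTransitive)         { $problems += 'trust is not a forest trust' }
    if ($trust.Direction -ne 'BiDirectional') { $problems += "trust direction is $($trust.Direction), expected BiDirectional" }
    if ($trust.SelectiveAuthentication)       { $problems += 'selective authentication is on; the post uses forest-wide authentication' }
}

# 3. the encryption key file must exist (the post says to create c:\fmp before 'admt key')
if (-not (Test-Path $KeyFile)) {
    $problems += "key file $KeyFile not found; run 'admt key /option:create' first"
}

# 4. the PES service on the source DC is not started automatically, so check it is running
$pes = Get-Service -ComputerName $SourceDc -DisplayName 'Password Export Server*' -ErrorAction SilentlyContinue
if (-not $pes) {
    $problems += "PES service not found on $SourceDc"
} elseif ($pes.Status -ne 'Running') {
    $problems += "PES service on $SourceDc is $($pes.Status); start it before migrating passwords"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'ADMT prerequisites look good' }
```

if any warning prints, fix that item before running a migration; ADMT itself gives much less helpful errors when the trust or the PES service is wrong.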

accounts to migrate can be individually selected, selected by OU, or loaded from a CSV
maintaining SID history is optional for interforest migrations

test runs:
#1 – 225 accounts migrated in 10 minutes; at that rate approx. 1350 could be done in an hour
#2 – 100 or so accounts in 5 minutes. speed of migration seems to be consistent despite excluding several attributes. passwords migrated. this is the 2nd time i’ve noticed “user must change password at next logon” being enabled despite not being enabled on the source user
#3 – tested out password updating via the migrate & merge option. it worked
#4 – tested a mass migration with merging only password changes. speed of migration remained similar to test run #1. also want to make note that UPN suffixes of migrated users seem to always be changed to a suffix of the target domain.

there appears to be a better way to migrate only password changes using the password migration wizard. my initial testing reveals that this is a much faster process than the method i was mentioning above.
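a post-migration audit for the two side effects noted in the test runs (“user must change password at next logon” getting set, and UPN suffixes being rewritten to the target domain), plus a SID history check for runs where it was selected. this is an added example, not code from the original post or from ADMT. the source domain is the one used above; the target domain target.local and the OU OU=Migrated,DC=target,DC=local are assumed placeholders.

```powershell
# Added post-migration audit (not the post's own code). Run as the ADMT migration user,
# which has admin rights in both domains, so cross-forest lookups over the trust work.
# Assumed placeholders: target domain target.local, migrated users in OU=Migrated,DC=target,DC=local.
Import-Module ActiveDirectory

$SourceDomain = 'mysource.local'                   # from the post
$TargetDomain = 'target.local'                     # assumed
$TargetOu     = 'OU=Migrated,DC=target,DC=local'   # assumed
$props        = 'pwdLastSet', 'userPrincipalName', 'sIDHistory', 'SID'

$report = foreach ($t in Get-ADUser -Server $TargetDomain -SearchBase $TargetOu -Filter * -Properties $props) {
    # find the matching source account by sAMAccountName across the trust
    $s = Get-ADUser -Server $SourceDomain -Filter "SamAccountName -eq '$($t.SamAccountName)'" `
                    -Properties $props -ErrorAction SilentlyContinue

    # pwdLastSet = 0 is how AD stores "user must change password at next logon"
    $targetSuffix = ($t.userPrincipalName -split '@')[-1]
    $sourceSuffix = if ($s) { ($s.userPrincipalName -split '@')[-1] } else { $null }
    $sidHistory   = @($t.sIDHistory | ForEach-Object { $_.Value })

    [pscustomobject]@{
        User               = $t.SamAccountName
        SourceFound        = [bool]$s
        MustChangeOnTarget = ($t.pwdLastSet -eq 0)
        MustChangeOnSource = [bool]($s -and $s.pwdLastSet -eq 0)
        UpnSuffixChanged   = [bool]($s -and $targetSuffix -ne $sourceSuffix)
        SidHistoryOk       = [bool]($s -and $sidHistory -contains $s.SID.Value)
    }
}

# accounts where the flag was set by the migration although the source user did not have it
$report | Where-Object { $_.MustChangeOnTarget -and -not $_.MustChangeOnSource } | Format-Table -AutoSize

# full report for the change record
$report | Export-Csv -Path 'C:\fmp\migration-audit.csv' -NoTypeInformation
```

run it right after each batch; the MustChangeOnTarget list is what to hand over if the extra password-change prompt is not wanted, and SidHistoryOk false with SourceFound true means SID history was not carried over for that account.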

most important source:
http://social.technet.microsoft.com/wiki/contents/articles/16208.interforest-migration-with-admt-3-2-part-2.aspx

other sources:
http://blogs.interfacett.com/how-to-configure-forest-level-trust-in-windows-server
https://anderseideblog.wordpress.com/2014/02/12/lab-migrate-office-365-synced-users-from-one-on-prem-forest-to-another-forest/ (great info here regarding forest change and dirsync)
https://technet.microsoft.com/en-us/library/cc974335(v=ws.10).aspx
http://blog.thesysadmins.co.uk/admt-series-1-preparing-active-directory.html

This entry was written by resinblade, posted on Monday February 23 2015 at 07:02 pm, filed under IT.