Windows 2000 Active Directory Migration Tool

Imelda used Ask the Experts™
Do you guys ever using
Windows 2000 Active Directory Migration Tool
when executing migration project from Windows NT to Windows 2000 domain ?
Recently I got the migration project for company that currently still in
Windows NT domain. I read that this migration tool can migrate
users/computer accounts to new domain (W2K domain) standing paralel with the
old domain (NT domain).

What I want to know is what happen to resources that I had been already
assigned permission on in old domain with the new accounts on new domain ?
How the user can still access files on the old domain ?
What about the computer accounts on old domain ? should I rejoin the
computer into new domain or I just merely shutdown the old domain ?

Thank you for the help.

Best Regards,


Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Hello Halomoan,
-I havent used that tool and would recommend performing this 2000 domain upgrade in a more seemless way.
-Why not retain the same accounts, sids, resources, netbios domain name & make it all invisable to the users.. No running around to all the Pc's to change tcp-ip settings and domain name. No "fire fighting" to deal with if migrated data, shares, perms, are not performed perfectly..

-Start with a new, good, perminant server that will become the first DC in 2000.
1. Load Nt4 and join it as a BDC to the NT4 domain.
2. Make sure all DC's in NT4 have directory replication service running on automatic & sync the domain. Copy any login scripts etc to the New bdc. Do not install or migrate any other network resources to the new server. Switch its role to Pdc.
3. Upgrade the new PDC to 2000. You now have a 2000 domain in mixed mode..
-When you complete upgrading the other servers you can change to native mode. At that point no other Nt4 Dc's can exist in the domain..
To answer your question, Active Directory accounts have an attribute called SIDHistory. When you use the ADMT to migrate accounts from an NT 4 domain, the SIDHistory attribute is polulated with the SID from the NT 4 domain. When the migrated user attempts to access resources on the old NT 4 domain, the SID from SIDHistory is passed and the NT 4 DC thinks that the old account is being used and access is granted. The ADMT can also be used to migrate computer accounts from NT 4 to AD. The ADMT automates this process. Basically, you tell the ADMT what computers you want to migrate, it installs an agent on those computers which joins those computers to AD and reassigns local permissions, then reboots the PC. The users' profiles are even transferred so that when they log on with their new AD account, they get the same profile thay had with their NT 4 account.

There are many reasons why you might want to install AD from scratch and do a migration instead of an in-place upgrade of your current NT 4 domain. Her are the reasons Microsoft gives:

1) Consolidate multiple Windows NT 4.0 account domains into a single Windows 2000 domain.

2) Reflect desired Windows 2000 domain structure rather than inheriting the existing Windows NT 4.0 structure.

3) Create minimal impact and risk to existing Windows NT 4.0 production environment.

4) Allow fallback to Windows NT 4.0 account domains without consequence.

5) Migrate a subset of users to a Windows 2000 forest as a "pilot."

6) Move users in small sets, for example, 100 users at a time.

7) Transition a Windows 2000 forest to production.


I'm more agree with jjmck.

But jjmck, had you ever tried the tool ? As I known that ADMT is used to migrate all accounts from one domain to another. Then my question is how about the client that is still on old domain. Should I have to move them also to new domain or not. Can they select the new domain to logon and then access the resources on old domain ?

From you, I known that they can still access the resources using SIDHistory, but how about the logon ?

Thank you
Yes, I used this tool to do a global migration for my company to go from NT 4 to AD. I consolidated 5 NT 4 domains into a single AD forest. You need to setup a two-way trust between AD and your NT domains, so yes, you can log onto a PC which is still a member of the NT domain with an AD account. When you are ready to move the computer accounts to the AD domain the ADMT can do this for you also. There is no need to physically touch your PCs, the ADMT does it all remotely.


I've added your previous answer as the solution.

thank you.


Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial