orphanc
Active Directory 2000 mixed mode Forest to 2003 pure Forest migration

Hi, I am planning a migration between two active directory forests.

Current domain is set up in 2000 mixed mode but has two DCs, both 2003, so the functional level could be upgraded.

New domain: 2 DCs have been built on 2003, domain/forest functional level = 2003.

The reason for this migration is a root domain name change, as the name was based on geographical location, which is no longer valid, and also to implement Exchange 2007. Currently on Exchange 2003 on the old domain.

I know I could have renamed this domain and it may or may not have been successful, but I decided this was the best way for a swift transition, migrating users slowly with the least disruption.

My questions are:

1) Should I upgrade the functional level of the old domain to 2003 to set up a forest trust between both, or is a domain-level trust between these domains sufficient for ADMT?

2) ADMT 2.0 or ADMT 3.0? Any differences, recommendations? I haven't needed to use this tool yet.

3) I want to maintain SID history, passwords, group membership, and local profiles (users do not have roaming profiles here, just local). I believe some of these settings are optional interforest, but will they work, or is there anything I must do in addition to having admin permissions in source/target for the ADMT account and making sure admin$ and c$ exist on the computers migrating? I read something about installing a DLL for password migration??? and setting up RPC access to the SAM on the source domain?? Any first-hand experience/advice???

4) Exchange 2003 to Exchange 2007 transition, old forest to new forest. How does this work in relation to the ADMT migration?? This is my main concern, as I want users to continue to work while the new forest is being built and for users to be gradually migrated over. As you can only have one Exchange server per forest, this won't work, will it? I think this is best left until last. Any advice?

5) Re local profiles, removal of the old/joining of the new domain: is this something that can be scripted on users' PCs/laptops? I want this to be as smooth as possible.

Thanks in advance for the help!

Daryl Ponting

*typo: "all SID history" = allow SID history (disable SID history filtering)
orphanc
Great! That all sounds useful stuff.

I read somewhere that ADMT v3 can merge similar accounts and ADMT v2 doesn't, which is why I wasn't sure which one to use. Also, ADMT v2 can be installed on a workstation (it doesn't need to be a server), so that also made me wonder.

Will the SID history command work from 2000 mixed mode to Windows 2003 functional mode? The reason I ask is I thought SID history is a Windows 2000 native mode and 2003 feature, and not supported in mixed mode, which is why I wasn't sure whether to upgrade the functional level or not. If this is fine, should this be run before user accounts are migrated?

The local profile migration sounds good :) Will I still have to manually remove users from the old domain and add them to the new or can this be scripted to be done in bulk?

Thanks for the great advice.

Daryl Ponting

Not sure about the functional level required for SID history. I believe the 2003 domain needs to be in one of the native modes (2000 native or 2003). It doesn't matter about the source domain; it's the accounts in the 2003 domain that will have the SID history.

You need to run the netdom command after you've created the trust relationship but before you migrate any accounts.

ADMT can be used to migrate users, groups, workstations, pretty much everything.

You'll migrate the user groups first (I selected batches of about 100 at a time). Then you migrate the user accounts (again, up to 100 at a time). One of the options in the wizard is to fix the group membership. This means that whatever groups the users were in in the old domain, they'll be in the same groups in the new domain. This is why you migrate the groups first.

One thing that ADMT won't migrate is the "builtin" groups, Domain Admins etc. So you'll need to repopulate these groups manually after you've migrated the users.
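The netdom step Daryl describes (run after the trust exists and before any account is migrated), as an added example that is not part of the thread. It is run on a DC in the source (old) domain, because it is the trust the old domain holds towards the new domain that has to accept the SID history ADMT writes on migrated accounts. Domain names, the trust type and the credential prompt are placeholders; an external (domain-level) trust is controlled with /quarantine, a forest trust with /enablesidhistory.

```powershell
# Added example, not from the thread. Allow (and later restore) SID filtering on the
# trust that the SOURCE (old) domain holds towards the TARGET (new) domain, so that
# old-domain resources honour the SID history of accounts migrated by ADMT.
# Domain names and trust type below are placeholders.
$SourceDomain = 'oldcity.example'   # trusting side: old forest, where the resources still live
$TargetDomain = 'newcorp.example'   # trusted side: new forest, where migrated accounts live
$TrustType    = 'External'          # 'External' for a domain-level trust, 'Forest' for a forest trust

# Credentials of an admin in the target (trusted) domain; netdom takes them via /userD and /passwordD.
$Cred = Get-Credential -Message "Admin account in $TargetDomain"
$User = $Cred.UserName
$Pass = $Cred.GetNetworkCredential().Password

function Set-SidHistoryOnTrust {
    param([Parameter(Mandatory=$true)][bool]$Allow)
    if ($TrustType -eq 'Forest') {
        # Forest trusts use /enablesidhistory; Yes lets SID history pass across the trust.
        $flag = if ($Allow) { '/enablesidhistory:Yes' } else { '/enablesidhistory:No' }
    } else {
        # External trusts use /quarantine; No switches SID filter quarantining off, i.e. allows SID history.
        $flag = if ($Allow) { '/quarantine:No' } else { '/quarantine:Yes' }
    }
    & netdom trust $SourceDomain "/domain:$TargetDomain" $flag "/userD:$User" "/passwordD:$Pass"
    if ($LASTEXITCODE -ne 0) { throw "netdom trust failed with exit code $LASTEXITCODE" }
}

function Get-SidHistoryOnTrust {
    # Given without Yes/No, the switch makes netdom report the current setting instead of changing it.
    $flag = if ($TrustType -eq 'Forest') { '/enablesidhistory' } else { '/quarantine' }
    & netdom trust $SourceDomain "/domain:$TargetDomain" $flag "/userD:$User" "/passwordD:$Pass"
}

# Before the first ADMT account migration: allow SID history, then confirm the setting took.
Set-SidHistoryOnTrust -Allow $true
Get-SidHistoryOnTrust

# Once the last accounts and resources are migrated and SID history is no longer needed,
# put filtering back: while it is off, the old domain accepts any SID the new forest
# asserts in a token, which is the reason filtering is on by default.
# Set-SidHistoryOnTrust -Allow $false
```

Keep the final re-enable step on the migration checklist; the window in which filtering is off is the migration itself, not the life of the trust.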

orphanc

Great, that helps loads. Just one more question: do you need to install ADMT v3 on a DC in the source and target domain, or on a member 2003 server in either the source/target domain??

Different guides say different things. Some say DC on target, some say member on source...

What's the real answer?

Daryl Ponting

You only install ADMT in the target domain (on a domain controller). The password export service needs to be installed on a domain controller (probably the PDC emulator) in the source domain.

The ADMT migration guide will tell you for sure.  There's a link at the bottom of this page:
orphanc

Star!! Thank you. Great advice.
orphanc
Thanks for your time and the excellent response :)
MasterCheef

Hi, I'm trying to do the exact same thing after reading the information. I have a question:

How do the users' computers go onto the new domain? What I mean is, when you log on to the computer the "log on to" box says the name of the domain; what happens to that? Do I need to rejoin each and every computer to the domain manually?
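The scripted bulk rejoin asked about in question 5 and again by MasterCheef, as an added example that is not from the thread: a PowerShell wrapper around "netdom move", which takes a workstation out of the old domain and into the new one in one step and disables the old computer account. Domain names, the OU, the list file and the credential prompts are placeholders; netdom comes from the Support Tools and must be on the machine the script runs from.

```powershell
# Added example, not from the thread. Move a list of workstations from the old domain
# into the new one in bulk with "netdom move". All names and paths are placeholders.
$OldDomain   = 'oldcity.example'
$NewDomain   = 'newcorp.example'
$TargetOU    = 'OU=Migrated Workstations,DC=newcorp,DC=example'
$ListFile    = '.\computers.txt'   # one hostname per line
$LogFile     = '.\domain-move.log'
$RebootDelay = 30                  # seconds before the workstation restarts

$NewCred = Get-Credential -Message "Account allowed to join computers to $NewDomain"
$OldCred = Get-Credential -Message "Account in $OldDomain with local admin rights on the workstations"
function Get-CredText($c) { @{ User = $c.UserName; Pass = $c.GetNetworkCredential().Password } }
$n = Get-CredText $NewCred
$o = Get-CredText $OldCred

function Move-Workstation {
    param([Parameter(Mandatory=$true)][string]$Computer)
    # Skip machines that are offline so one stale entry doesn't stall the batch.
    if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
        return "$Computer`tSKIPPED (offline)"
    }
    # /userD,/passwordD: new domain (creates the computer account in $TargetOU)
    # /userF,/passwordF: former domain (disables the old computer account)
    # /userO,/passwordO: account used to connect to the workstation itself
    $out = & netdom move $Computer "/domain:$NewDomain" "/OU:$TargetOU" `
        "/userD:$($n.User)" "/passwordD:$($n.Pass)" `
        "/userF:$($o.User)" "/passwordF:$($o.Pass)" `
        "/userO:$($o.User)" "/passwordO:$($o.Pass)" `
        "/reboot:$RebootDelay" 2>&1
    if ($LASTEXITCODE -eq 0) { return "$Computer`tMOVED" }
    return "$Computer`tFAILED (exit $LASTEXITCODE): " + (($out | Out-String).Trim() -replace "`r?`n", ' ')
}

Get-Content $ListFile | Where-Object { $_.Trim() } | ForEach-Object {
    $line = Move-Workstation -Computer $_.Trim()
    Write-Host $line
    # Timestamped log so failed machines can be re-run from the log rather than the full list.
    Add-Content -Path $LogFile -Value ("{0}`t{1}" -f (Get-Date -Format s), $line)
}
```

Run it in batches that match the ADMT user batches above, so each user's machine moves in the same window as the account. This only covers the join itself; the local profile migration the thread discusses is done by ADMT's computer migration, so where profiles need to be translated that wizard does this step as part of its own run.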