Service account Migration from Source domain to Target Domain

Posted on 2011-04-21
Last Modified: 2012-05-11
Hi! Please help me on this.

Enclosed attachment is the forest topology of my company. We are now trying to migrate "service account" from the source domain to target domain.

AD infrastructure Design
Our company is a food product manufacturing company with offices across the globe. Each domain has 10000 user objects and 500 servers.

I'm now stuck with how to plan this activity and what are the points of concern during migration of service accounts.
1) Where do I install the ADMT tool: on the source DC or the target DC?
2) Using the service account migration wizard, will the account keep the same GUID / SID or will it change?
3) If the GUID/SID changes, will the account permissions and group membership remain intact after migration? Are any changes to be done before or after migration? Any task to be carried out after migration? Kindly suggest.
4) After moving the service accounts, will their passwords expire?
5) After moving the computer objects, do I have to restart all the servers/computers, and can login happen in the target domain?
6) Is any DNS planning / preparation required before/after migration?
7) What tests need to be carried out to check whether the migration is successful?
8) Lastly, planning the source domain demise.

Thanks a lot!
Question by:narsimanshivaiyer

    Accepted Solution

    1) I'll suggest you install it on the DC of the target domain. The account with which you run ADMT should have FULL rights on both domains; this is important for a successful migration.
    2) After migration, accounts are assigned a new SID, and the old SID is added to the attribute sIDHistory, so the account still has access to whatever objects it had rights on while in the old domain.
    3) Account permissions and group membership (if the groups are also migrated) remain the same. If the groups are not migrated, the account loses its membership after the migration is complete and the trust between the domains is broken.
    4) You can migrate the password, but for security reasons the option "User is required to change password at next logon" gets checked, and thus when users log in to the new domain with their old password they get the prompt to change it. In the case of service accounts you can just uncheck the option.
    5) After computer account migration the computer is restarted automatically, as its domain changes. Users can log in to the old or new domain as long as the trust between the source and target domain exists.
    6) Before migration, even before you create the trust, you have to create secondary zones of the other domain and allow zone transfer in DNS; this is to make sure that name resolution works throughout both the source and target domain.
    7) The ADMT tool generates logs and also displays the status of the migration, so in case any failure occurs you will see it on the screen.
    8) Make sure you have migrated every object you require. I'll suggest keeping the source domain for a few weeks; you can break the trust in the meantime. So, in case you find that you have missed migrating some objects, you can do it later by following the ADMT steps.

    You can also refer to the ADMT documentation:
    Active Directory Migration Tool (ADMT) Guide: Migrating and Restructuring Active Directory Domains
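A post-migration check for points 2, 3 and 4 above, written as an added example (not code from the thread or from ADMT): it assumes the RSAT ActiveDirectory module, placeholder domain names and placeholder service account names, and verifies that each migrated account carries its old SID in sIDHistory, kept its group memberships, and is not flagged to change its password at next logon.

```powershell
# Added example: verify ADMT service account migration results.
# Placeholders below must be replaced with your own domains and accounts.
Import-Module ActiveDirectory

$sourceDomain    = 'source.example.com'          # placeholder
$targetDomain    = 'target.example.com'          # placeholder
$serviceAccounts = @('svc_backup', 'svc_sql')    # placeholder sAMAccountNames

foreach ($name in $serviceAccounts) {
    $src = Get-ADUser -Identity $name -Server $sourceDomain -Properties MemberOf
    $tgt = Get-ADUser -Identity $name -Server $targetDomain `
               -Properties SIDHistory, pwdLastSet, MemberOf

    # Point 2: the target account gets a new SID; the old SID must be in sIDHistory
    $historyOk = $tgt.SIDHistory -contains $src.SID

    # Point 4: pwdLastSet = 0 means "must change password at next logon",
    # which a non-interactive service account can never satisfy
    $mustChange = ($tgt.pwdLastSet -eq 0)

    # Point 3: compare membership by group name; groups missing here were
    # not migrated before the account (or not migrated at all)
    $srcGroups = @($src.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_ -Server $sourceDomain).Name })
    $tgtGroups = @($tgt.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_ -Server $targetDomain).Name })
    $missing   = @($srcGroups | Where-Object { $tgtGroups -notcontains $_ })

    [pscustomobject]@{
        Account            = $name
        SIDHistoryOk       = $historyOk
        MustChangePassword = $mustChange
        MissingGroups      = ($missing -join ', ')
    }

    if ($mustChange) {
        # Clear the flag so the service keeps logging on with its migrated password
        Set-ADUser -Identity $name -Server $targetDomain -ChangePasswordAtLogon $false
    }
}
```

Run it with an account that can read both domains; a row with SIDHistoryOk false or a non-empty MissingGroups is an account to re-migrate before the source domain is demised.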

    Expert Comment

    Also, while migrating the computer accounts, make sure the account that you run ADMT with is added to the local Administrators group of all computers in the source domain.

    Assisted Solution

    Hi Ashutoshsapre,

    The child domain belongs to the same tree, so by default the trust relationship would be there, right? Then why are we concerned about trust here? Please give me a better understanding.

    Shiva Iyer

    Expert Comment

    That is just to generalize, so in case of an inter-forest migration the step to make sure DNS works is crucial; in case of inter forest migration the trust and DNS configuration already exist, so you can skip that step. :)

    Author Closing Comment

    Was very informative.
