Migrate Workstations and Member Servers
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)
Migrate workstations and member servers from the source domain to the target domain. When you migrate computers, the changes do not take effect until the computer is restarted. Restart the computers that you are migrating as soon as possible to complete the migration process.
Note
Restart member workstations and servers immediately after you join them to the target domain by selecting a low number for the RestartDelay parameter. Resources that are not restarted after migration are in an indeterminate state.
Firewalls, such as Windows Firewall in Windows XP Service Pack 2 (SP 2), can prevent the Active Directory Migration Tool (ADMT) computer account migration from completing. Thoroughly test your computer migration in a lab environment to uncover any potential issues before you perform the migration in the production environment. For more information about configuring Windows Firewall, see Some programs seem to stop working after you install Windows XP Service Pack 2 (https://go.microsoft.com/fwlink/?LinkId=76705) and Service overview and network port requirements for the Windows Server system (https://go.microsoft.com/fwlink/?LinkId=58432).
Computer accounts are treated differently than user and group accounts during a migration between domains in an Active Directory forest. Where user and group accounts in the source domain are deleted during an intraforest migration, computer accounts are left enabled in the source domain, and a new computer account is created in the target domain.
This makes it possible for you to roll back the computer migration, if necessary. After the migration is complete and your testing verifies that the computer is functioning as expected, you can safely delete the computer account in the source domain.
If a workstation has managed service accounts installed and those accounts have been previously migrated, ADMT provides an option to reinstall the migrated managed service account on the migrated computer and update Service Control Manager. So that ADMT can perform this operation, the account performing the computer migration needs permissions to modify the security descriptor of the migrated managed service account.
You can migrate workstations and member servers by using the ADMT snap-in, the ADMT command-line option, or a script.
To migrate workstations and member servers by using the ADMT snap-in
On the computer in the target domain where ADMT is installed, log on by using a user account that is a member of the ADMT resource migration group.
Use the Computer Account Migration Wizard by performing the steps in the following table.
Wizard page | Action
Domain Selection
Under Source, in the Domain drop-down list, type or select the NetBIOS or Domain Name System (DNS) name of the source domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller.
When you perform an intraforest migration, the domain controller that holds the relative ID (RID) operations master (also known as flexible single master operations or FSMO) role is always used as the source domain controller, regardless of your selection.
Under Target, in the Domain drop-down list, type or select the NetBIOS or DNS name of the target domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller, and then click Next.
Computer Selection
Click Select computers from domain, and then click Next. On the Computer Selection page, click Add to select the computers in the source domain that you want to migrate, click OK, and then click Next.
Or
Click Read objects from an include file, and then click Next. Type the location of the include file, and then click Next.
Managed Service Account Information (appears if the computer has a managed service account installed)
Select any managed service accounts that do not have to be installed on the migrated computer in the target domain, and then click Skip/Include to mark the accounts as Skip.
Organizational Unit Selection
Click Browse.
In the Browse for Container dialog box, click the organizational unit (OU) in the target domain to which the computers are migrating, and then click OK.
Translate Objects
Select the Local groups check box.
Select the User rights check box.
Security Translation Options
Click Replace.
When you perform an intraforest migration, ADMT migrates the security identifier (SID) history and deletes the source object. Therefore, when you perform an intraforest migration, ADMT allows security translation only in replace mode.
Computer Options
In the Minutes before computer restart after wizard completion box, accept the default value of 5 minutes or type a different value.
Object Property Exclusion
To exclude certain object properties from the migration, select the Exclude specific object properties from migration check box, select the object properties that you want to exclude and move them to Excluded Properties, and then click Next.
Conflict Management
Click Do not migrate source object if a conflict is detected in the target domain.
ADMT Agent Dialog
Select Run pre-check and agent operation, and then click Start.
Review the results that are displayed on the screen for any errors. After the wizard completes, click View log to see the list of computers, completion status, and the path to the log file for each computer. If an error is reported for a computer, you will have to refer to the log file on that computer to review any problems with local groups. The log file for each computer is named MigrationTaskID.log, and it is stored in the Windows\ADMT\Logs\Agents folder.
To migrate workstations and member servers by using the ADMT command-line option
On the computer in the target domain where ADMT is installed, log on by using a user account that is a member of the ADMT resource migration group.
At the command line, type the ADMT Computer command with the appropriate parameters, and then press ENTER.
ADMT COMPUTER /N "<computer_name1>" "<computer_name2>" /IF:YES /SD:"<source_domain>" /TD:"<target_domain>" /TO:"<target_OU>" [/M: "managed service account name 1" "managed service account name 2"] [/UALLMSA:Yes] /RDL:1
As an alternative, you can include parameters in an option file that is specified at the command line, as follows:
ADMT COMPUTER /N "<computer_name1>" "<computer_name2>" /O:"<option_file>.txt"
The following table lists the parameters that are required for workstation and member server migration, the command-line parameters, and option file equivalents.
Parameters | Command-line syntax | Option file syntax
Intraforest | /IF:YES | IntraForest=YES
<Source domain> | /SD:"source_domain" | SourceDomain="source_domain"
<Target domain> | /TD:"target_domain" | TargetDomain="target_domain"
Update specified managed service accounts (Note: The /M parameter takes precedence over the /UALLMSA parameter.) | /M: "managed service account name" | UpdateMSAName="managed service account name"
Update all managed service accounts | /UALLMSA: YES | UpdateAllManagedServiceAccounts=Yes
Update specific managed service accounts (Note: The /M parameter takes precedence over the /UALLMSA parameter.) | /M "name 1" "name 2"… | UPDATEMSANAME="name 1" "name 2"…
<Target OU> location | /TO:"target_OU" | TargetOU="target_OU"
Restart delay (minutes) | /RDL:5 | RestartDelay=5
Conflict management | /CO:IGNORE (default) | ConflictOptions=IGNORE
Security translation options | /TOT:ADD | TranslationOption=YES
Translate user rights | /TUR:YES | TranslateUserRights=YES
Translate local groups | /TLG:YES | TranslateLocalGroups=YES
Review the results that appear on the screen for any errors. The migration log lists computers, completion status, and the path to the log file for each computer. If an error is reported for a computer, you will have to refer to the log file for that computer to review any problems with local groups. The log file for each computer is named MigrationTaskID.log, and it is stored in the Windows\ADMT\Logs\Agents folder.
Open Active Directory Users and Computers, and then locate the target domain OU. Verify that the workstations and member servers exist in the target domain OU.
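The verification in the last step, together with the earlier point that source computer accounts stay enabled after an intraforest migration, can be checked in one pass. The following PowerShell is an added example, not part of the original ADMT documentation; the function name Compare-MigratedComputer, the status labels, and all computer, OU and domain names are hypothetical.

```powershell
# Added example. Sample records below are constructed; with the ActiveDirectory module,
# live records come from: Get-ADComputer -Filter * -Server <domain>
function Compare-MigratedComputer {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $TargetOU,       # distinguished name of the target OU
        [object[]] $SourceAccount = @(),                   # computer accounts read from the source domain
        [object[]] $TargetAccount = @()                    # computer accounts read from the target domain
    )
    foreach ($name in $ComputerName) {
        $src = $SourceAccount | Where-Object { $_.Name -eq $name } | Select-Object -First 1
        $tgt = $TargetAccount | Where-Object { $_.Name -eq $name } | Select-Object -First 1

        # Placed correctly only if the target DN ends with the intended OU (directly or in a child OU).
        $inTargetOU = [bool]($tgt -and $tgt.DistinguishedName.EndsWith(",$TargetOU", [System.StringComparison]::OrdinalIgnoreCase))

        $status = if (-not $tgt)                  { 'NotInTargetDomain' }
                  elseif (-not $inTargetOU)       { 'OutsideTargetOU' }
                  elseif ($src -and $src.Enabled) { 'Migrated-SourceAccountStillEnabled' }
                  elseif ($src)                   { 'Migrated-SourceAccountDisabled' }
                  else                            { 'Migrated-SourceAccountRemoved' }

        [pscustomobject]@{
            Computer = $name
            Status   = $status
            TargetDN = if ($tgt) { $tgt.DistinguishedName } else { $null }
        }
    }
}

# Constructed sample data (hypothetical names and domains).
$targetOU = 'OU=Workstations,DC=target,DC=example'
$source = @(
    [pscustomobject]@{ Name = 'WKS01'; Enabled = $true; DistinguishedName = 'CN=WKS01,CN=Computers,DC=source,DC=example' }
    [pscustomobject]@{ Name = 'WKS02'; Enabled = $true; DistinguishedName = 'CN=WKS02,CN=Computers,DC=source,DC=example' }
    [pscustomobject]@{ Name = 'SRV01'; Enabled = $true; DistinguishedName = 'CN=SRV01,CN=Computers,DC=source,DC=example' }
)
$target = @(
    [pscustomobject]@{ Name = 'WKS01'; Enabled = $true; DistinguishedName = "CN=WKS01,$targetOU" }
    [pscustomobject]@{ Name = 'SRV01'; Enabled = $true; DistinguishedName = 'CN=SRV01,CN=Computers,DC=target,DC=example' }
)

Compare-MigratedComputer -ComputerName 'WKS01', 'WKS02', 'SRV01' -TargetOU $targetOU `
    -SourceAccount $source -TargetAccount $target | Format-Table -AutoSize
```

Computers reported as Migrated-SourceAccountStillEnabled are in the rollback-capable state described earlier; their source accounts are the ones to delete once testing confirms the computer is functioning as expected.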
To migrate workstations and member servers by using a script
Use the following listing to prepare a script that incorporates ADMT commands and options for migrating workstations and member servers within a forest. Copy the script to Notepad, and save the file with a .wsf file name extension in the same folder as the AdmtConstants.vbs file.
<Job id="MigratingWorkstationsMemberServersWithinForest">
<Script language="VBScript" src="AdmtConstants.vbs" />
<Script language="VBScript">
   Option Explicit

   Dim objMigration
   Dim objComputerMigration

   '
   'Create instance of ADMT migration objects.
   '
   Set objMigration = CreateObject("ADMT.Migration")
   Set objComputerMigration = objMigration.CreateComputerMigration

   '
   'Specify general migration options.
   '
   objMigration.IntraForest = True
   objMigration.SourceDomain = "source domain"
   objMigration.SourceOu = "Computers"
   objMigration.TargetDomain = "target domain"
   objMigration.TargetOu = "Computers"

   '
   'Specify computer migration specific options.
   '
   objComputerMigration.TranslationOption = admtTranslateAdd
   objComputerMigration.TranslateLocalGroups = True
   objComputerMigration.TranslateUserRights = True
   objComputerMigration.UpdateAllManagedServiceAccounts = True
   objComputerMigration.RestartDelay = 1

   '
   'Migrate computer objects on specified computer objects.
   '
   objComputerMigration.Migrate admtData, _
      Array("computer name1", "computer name2")

   Set objComputerMigration = Nothing
   Set objMigration = Nothing
</Script>
</Job>