You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
73 lines
5.7 KiB
73 lines
5.7 KiB
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN"
|
|
"http://www.w3.org/TR/REC-html40/strict.dtd">
|
|
<HTML DIR="LTR">
|
|
<HEAD>
|
|
<TITLE>Before performing an interforest migration</TITLE>
|
|
|
|
<LINK REL="stylesheet" MEDIA="screen" TYPE="text/css" HREF="coUA.css">
|
|
<LINK REL="stylesheet" MEDIA="print" TYPE="text/css" HREF="coUAprint.css">
|
|
|
|
<SCRIPT LANGUAGE="JScript" SRC="shared.js"></SCRIPT>
|
|
|
|
<META HTTP-EQUIV="Content-Type" CONTENT="text-html;charset=Windows-1252">
|
|
<META HTTP-EQUIV="PICS-Label" CONTENT='(PICS-1.1 "<http://www.rsac.org/ratingsv01.html>" l comment "RSACi North America Server" by "[email protected] <mailto:[email protected]>" r (n 0 s 0 v 0 l 0))'>
|
|
|
|
<META NAME="MS.LOCALE" CONTENT="EN-US">
|
|
<META NAME="MS-IT-LOC" Content="Active Directory Migration Tool">
|
|
<META NAME="MS-HAID" CONTENT="a_ADMTBeforeInterMig">
|
|
</HEAD>
|
|
<BODY>
|
|
|
|
|
|
|
|
<H1>Before performing an interforest migration</H1>
|
|
|
|
<P>This topic lists the domain and security configurations necessary before you can use Active Directory Migration Tool to migrate users, groups, and computers between a Windows NT domain and a Windows 2000 domain or two Windows 2000 domains in different <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=Forest">forests</A>.</P>
|
|
|
|
<H2>Source and target domain</H2>
|
|
<P>Verify that your source and target domains are configured as described in the following list:</P>
|
|
<UL>
|
|
|
|
<LI>The <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=TargetDomain">target domain</A> is running Windows 2000 and is operating in <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=NativeMode"> native mode</A>. This is required because the SID History attribute is only available in domains operating in native mode.</LI>
|
|
|
|
<LI>The <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=SourceDomain">source domain</A> is running either Windows NT 4.0 or Windows 2000. If running Windows NT 4.0, the primary domain controller must have Service Pack 4 or later installed.</LI>
|
|
|
|
<LI>If the source domain is a Windows 2000 domain, it may operate in either mixed or native mode.</LI>
|
|
|
|
<LI>The source domain must be in a different forest than the target domain or it must be a Windows NT 4.0 domain.</LI>
|
|
|
|
<LI>A new local group, <I>SourceDomainName</I><B>$$$</B> must be created on the source domain. For example, if your source domain was named DomainA, you should create the local group DomainA$$$. There must be no members in this group. If this group is not present, Active Directory Migration Tool will create this group when needed. If a global group or other kind of group already exists with this name, the tool will not be able to create the new local group.</LI>
|
|
|
|
<LI>Any mapped network drives and similar connections between the source domain controller and the target domain controller on which Active Directory Migration Tool is running must be disconnected before running the tool. Failure to do so may result in the failure of a migration operation due to a "credentials conflict" error.</LI>
|
|
|
|
<LI>The primary domain controller (PDC), or PDC emulator, in the source domain must have the following registry value <B>TcpipClientSupport:REG_DWORD:0X1</B> set for the <NOBR><B>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa</B></NOBR> registry entry. If this entry is not present, Active Directory Migration Tool will create this entry when needed. For details, see <A HREF="admttaskcreateregentry.htm">To create the TcpipClientSupport registry entry</A>.</LI>
|
|
</UL>
|
|
|
|
<H2>Security Requirements</H2>
|
|
<P>You must meet the following security configuration requirements before running Active Directory Migration Tool.</P>
|
|
<UL>
|
|
<LI><P>The user account you log on with when you run Active Directory Migration Tool must have the following permissions:</P>
|
|
<UL>
|
|
<LI>Domain Admin rights in the target domain</LI>
|
|
<LI>Member of the Administrators group in the source domain</LI>
|
|
<LI>Administrator rights on each computer you migrate</LI>
|
|
<LI>Administrator rights on each computer on which you translate security</LI>
|
|
</UL>
|
|
<P>Gaining administrative access to the objects you intend to migrate can be accomplished in one of two ways:</P>
|
|
<OL>
|
|
<LI>Create a temporary two-way trust between the target domain and the source domain. Creating a two-way trust allows you to run the tool while logged on as the administrator of the source domain, an account that already has administrative rights to the objects you will migrate from the source domain.</LI>
|
|
|
|
<LI>Add an account to the local administrators group of every workstation and member server you intend to migrate and use that account to log on while you run the tool. This process can be automated through scripting and the use of Active Directory Service Interfaces (ADSI).</LI>
|
|
</OL></LI>
|
|
|
|
<LI>Auditing for account management (success and failure events) must be enabled in the source and target domains. In Windows NT, account management is referred to as user and group management. For details, see <A HREF="admtsetntauditing.htm">To enable auditing in a Windows NT domain</A> and <A HREF="admtsetw2kauditing.htm">To enable auditing in a Windows 2000 domain</A>.</LI>
|
|
|
|
<LI>Administrative shares must exist on the computer where Active Directory Migration Tool is running and any computer to which an agent must be dispatched.</LI>
|
|
|
|
<LI>The source domain must trust the target domain to provide the security context necessary for Active Directory Migration Tool.</LI>
|
|
|
|
<LI>Trusts from existing <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=ResourceDomain">resource domains</A> to the target <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=AccountDomain">account domain</A> to support resource access for migrated users.</LI>
|
|
</UL>
|
|
|
|
</BODY>
|
|
</HTML>
|