
ADMT and PWDMIG – Migrate user accounts from NT4 or W2K to W2K3
This procedure explains how to migrate user accounts from any Windows version to Windows 2003. It is written for a migration from MS Windows NT 4 Server SP6a: user accounts and groups will be migrated to the Active Directory of MS Windows 2003.
The first step is to install the ADMT utility (Active Directory Migration Tool) on Windows 2003; it can be downloaded from HERE. We run the installer and click Next.
We accept the license > Next.
Select the path; the default is fine. Next,
Next,
We wait for the utility to install…
OK, finished.
From Windows 2003 itself we have to generate a certificate that allows us to extract the passwords of the NT users. To do this, we open an MSDOS window and type: “admt key DOMAINORIGIN C:\path”, where DOMAINORIGIN is the domain that runs on NT and the path is the folder where the certificate will be saved. Important: the folder must already exist for the command to work. We save the certificate, for example, on a diskette, since it will then have to be taken to Windows NT4.
Good, now we go to Windows NT4 (the PDC) and install the password migration tool, called PWDMIG (downloadable HERE). We install it, Next…
We must indicate the certificate that we previously generated on MS Windows 2003, then Next,
Next,
It finished correctly; NT4 MUST be restarted.
Yes.
Once NT4 has restarted, we modify the following key in the NT4 registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
If the AllowPasswordExport value does not exist, we create it; if it exists, we modify it. Either way, we set it to 1.
A restart is required. Once the entire user export process is finished, this setting should be returned to how it was.
We go to the Windows 2003 server and open “Active Directory Users and Computers”. In the “Builtin” folder we look for a group called “Pre-Windows 2000 Compatible Access”; once found, right-click > Properties. We go to the “Members” tab and add the “Everyone” group. Once the entire user export process is finished, this should be returned to how it was.
We now open the “Domain Controller Security Policy” console (in the MS Windows 2003 Administrative Tools). We go to “Security Settings” > “Local Policies” > “Security Options” > “Network access: Let Everyone permissions apply to anonymous users”, double-click it and enable it. Once the entire user export process is finished, this should be returned to how it was.
To apply the changes above, in an MSDOS window on Windows 2003 we type: gpupdate /force, so that the policies are applied immediately.
Next, we close the MSDOS window, go to Start > Run and type “mmc” > OK (on Windows 2003).
“File” > “Add/Remove Snap-in…”
“Add…” button
Select “Active Directory Migration Tool” and “Add” & “Close”.
On “Active Directory Migration Tool” > right-click > “User Account Migration Wizard”.
Next,
Migrate Now… although you can always run tests first if you want.
If the two domains are networked and can see each other, we select them from the lists or type them in. It is important that they are on the same LAN and in the same IP range; otherwise we will get nowhere. Next.
On this screen we must select the user accounts that we want to migrate; to do so, click the “Add…” button.
“Advanced…”
We click “Search Now” and all the users of the PDC running Windows NT4 are listed; we select all the ones we want to bring to the Windows 2003-based domain.
Next,
It asks which organizational unit to put them in. We could do it quickly and have them saved in Users, but it is cleaner to create an OU in Active Directory and put them there. Browse…
Mine is called “Sample OU for NT users”, OK.
OK, Next,
This step is important. It asks what passwords to set for the users when it creates them in the Windows 2003 AD. I am interested in migrating the same passwords that they have in NT4 (for this it is essential to have done the PWDMIG steps above); if we choose “Complex passwords”, it will create random ones and save them in a text file. The middle option is self-explanatory. We select the option to migrate them.
What to do with the original accounts? Disable them? And the target ones? That is up to each person; the important thing is to tell it to migrate each user's SID.
Yes
Yes
Yes
Yes
Yes, NT4 has to be restarted, mandatory
This screen would appear on Windows NT4, with the mandatory restart.
We wait until NT4 restarts; this screen is from Windows 2003. Once NT has restarted, we click “OK”.
OK, enter a username and password with NT domain administrator privileges, and Next,
We select the options that we are interested in migrating from users…
In the event of a conflict… what then? Well, have it rename them with NT_whatever. Next,
Finish, to start migrating users from the domain to Active Directory,
We wait a while for the users to be copied… and once finished, “Close”.
We check in the Windows 2003 Active Directory and, indeed, the user accounts and the groups related to them are there.
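
The procedure asks three times for a temporary change to be put back once the export is finished: AllowPasswordExport on NT4, the “Everyone” membership of “Pre-Windows 2000 Compatible Access”, and the anonymous-access security option. The batch script below is an added example, not part of the original procedure, that checks all three from an MSDOS window on the Windows 2003 server. It assumes NT4PDC as a placeholder for the source PDC's name, remote registry access to that PDC, and English group names.

```batch
@echo off
rem Added example (not from the original page): confirms the three temporary
rem relaxations from this procedure were reverted. Run on the Windows 2003 DC.
rem ASSUMPTIONS: NT4PDC is a placeholder for the source PDC name; group and
rem account names are the English ones (localized systems use other names).
setlocal
set SRC=NT4PDC
set LSA=HKLM\SYSTEM\CurrentControlSet\Control\Lsa
set RC=0

rem 1) NT4 PDC: AllowPasswordExport must be 0 or absent again.
rem    Read the key first so an unreachable PDC is not mistaken for "clean".
reg query "\\%SRC%\%LSA%" >nul 2>&1
if errorlevel 1 (
    echo [UNKNOWN] Cannot read the Lsa key on %SRC%
    set RC=2
) else (
    reg query "\\%SRC%\%LSA%" /v AllowPasswordExport 2>nul | find "0x1" >nul
    if not errorlevel 1 (
        echo [OPEN] AllowPasswordExport is still 1 on %SRC%
        set RC=1
    )
)

rem 2) DC: "Let Everyone permissions apply to anonymous users" is stored as
rem    EveryoneIncludesAnonymous; it reads 0 once the policy is disabled
rem    and gpupdate /force has been run.
reg query "%LSA%" /v EveryoneIncludesAnonymous 2>nul | find "0x1" >nul
if not errorlevel 1 (
    echo [OPEN] Everyone permissions still apply to anonymous users
    set RC=1
)

rem 3) DC: Everyone should no longer be a member of the Builtin group.
net localgroup "Pre-Windows 2000 Compatible Access" 2>nul | find /i "Everyone" >nul
if not errorlevel 1 (
    echo [OPEN] Everyone is still in Pre-Windows 2000 Compatible Access
    set RC=1
)

if "%RC%"=="0" echo All three temporary settings are reverted.
exit /b %RC%
```

A setting that was already in this state before the migration is also reported as open, so compare the output against what was noted before starting.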