
The Lazy Admin

Setup an ADMT Password Migration Server

A while back we did a short series on ADMT. Today, TLA reader Dan Dill goes further into ADMT with this article on setting up a password migration server for ADMT.

The password migration server is a component that helps you migrate passwords when performing Active Directory migrations. Once your new domain and ADMT are set up, the procedure is as follows. Note: the ADMT and domain migration prerequisites (such as the trust between the source and target domains) are assumed to be in place already.

To begin, run the following command on your destination DC to create the password export key file. In this example the source domain's NetBIOS name is domain1 and the key file is written to c:\:

admt key /opt:create /sd:domain1 /kf:c:\key

Additionally you can add the /pwd:password switch to protect the file with a password, which will then have to be entered later to access the key; /pwd:* prompts for the password at the command line. This creates the .pes file that you'll need. Next, move that file to your password export server in the source domain.

Next, create a new domain local group named sourcedomain$$$. Do not add any members to this group. In this example it will be called DOMAIN1$$$.

Next, enable auditing of successes and failures for account management in your Default Domain Controllers Policy.


On the source DC, open the registry and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Create a new DWORD value called TcpipClientSupport and set it to 1. This won't take effect until we reboot later. For security reasons you should delete this value (and reboot again for the change to take effect) as soon as you're done migrating passwords.

Next, install the ADMT password migration DLL on the server from the I386\ADMT\Pwdmig folder on the Windows Server 2003 CD-ROM, or from C:\Windows\ADMT\PES if you already have ADMT installed in the default location.

Point the installer at the password export key file we created earlier. If you specified a password when creating the password export key, you'll be prompted for it here. Once the DLL is installed the server will need to be rebooted. Once your source DC has been rebooted you'll be ready to migrate passwords. You can either migrate the passwords when you migrate the users, or migrate the users first and then migrate their passwords afterward. If you choose to migrate the passwords at the same time as your users, make sure you choose the appropriate option in the wizard and point it at your password migration server.
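As an added example (not part of Dan's article), here is a PowerShell version of the source-DC preparation steps above, together with a check function and the post-migration cleanup of TcpipClientSupport. It assumes a DC running Windows Server 2008 R2 or later with the ActiveDirectory module; the group name, registry path and value are the ones from the article, and the auditing step is still done in Group Policy as described.

```powershell
# Added example, not from the original article. Prepares, verifies and later
# cleans up the Password Export Server prerequisites on the source DC.
# Assumption: Windows Server 2008 R2+ with the ActiveDirectory module; the
# article targets Windows Server 2003, where these steps are done by hand.
$SourceNetbios = 'DOMAIN1'                                  # source domain NetBIOS name from the article
$LsaKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$GroupName     = $SourceNetbios + '$$$'                     # DOMAIN1$$$ : must stay empty

function Enable-PesPrerequisites {
    Import-Module ActiveDirectory
    # Create the empty domain-local group ADMT expects in the source domain
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$GroupName)")) {
        New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
            -Description 'ADMT password migration group - leave empty'
    }
    # TcpipClientSupport=1 is required by the PES service; takes effect after a reboot
    New-ItemProperty -Path $LsaKey -Name TcpipClientSupport -PropertyType DWord `
        -Value 1 -Force | Out-Null
    Write-Host 'Prerequisites set. Install the PES DLL, then reboot the DC.'
}

function Test-PesPrerequisites {
    # Returns the three things the article tells you to check when migration fails
    Import-Module ActiveDirectory
    $group = Get-ADGroup -LDAPFilter "(sAMAccountName=$GroupName)" -Properties Members
    $tcp   = (Get-ItemProperty -Path $LsaKey -Name TcpipClientSupport `
                -ErrorAction SilentlyContinue).TcpipClientSupport
    [pscustomobject]@{
        GroupExists        = [bool]$group
        GroupIsEmpty       = ($group -and $group.Members.Count -eq 0)
        TcpipClientSupport = $tcp          # expect 1 during migration, absent afterwards
    }
}

function Disable-PesPrerequisites {
    # Run once the last password has been migrated; reboot again to apply
    Remove-ItemProperty -Path $LsaKey -Name TcpipClientSupport -ErrorAction SilentlyContinue
    Write-Host 'TcpipClientSupport removed; reboot the DC so the change takes effect.'
}
```

Run Enable-PesPrerequisites before installing the PES DLL, Test-PesPrerequisites when the wizard reports errors, and Disable-PesPrerequisites when the migration is finished.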

If you've already migrated your users, you can run the password migration wizard afterward.

Click next on the welcome screen and select your source and target domains.


Choose "Select users from domain", add the users whose passwords you wish to migrate, and then click Next. Verify that your password migration server is listed in the box and click Next through the rest of the wizard. Once the action is complete, review the logs for errors or information. If the wizard reports an error at this point, something isn't set up correctly for migration. Check that the two-way trust between your domains is in place, that the sourcedomain$$$ group exists, that the account you're using has administrator permissions in both the source and target domains, and that both domain controllers can resolve each other's names.

Published Monday, August 14, 2006 6:30 AM by rodney.buike
