Migrating a domain with ADMT
I happen to be writing an AD domain consolidation proposal and am short of a few environment screenshots, so I set up an ADMT migration test. Later I will also write up a migration with Quest Migration Manager and compare the two.
I. Virtual environment
Target domain
Domain name: Msft.Local (Windows Server 2003)
IP address: 192.168.0.1
Source domain
Domain name: (Windows Server 2003)
IP address: 192.168.0.100
Client PC
Name: Client
IP address: 192.168.0.200
Create test accounts and groups, and share some resources so that access can be checked after the migration.
II. Migration workflow
ADMT 3.0 supports three migration scenarios:
1. Windows NT 4.0 domain restructure to an Active Directory forest
2. Interforest Active Directory domain restructure
3. Intraforest Active Directory domain restructure
Interforest and intraforest restructures differ in several ways. The main one is that in an interforest migration objects are cloned (the source object stays in place), whereas in an intraforest migration objects are moved.
Migration considerations, interforest restructure versus intraforest restructure:

Object preservation
  Interforest: Objects are cloned rather than migrated. The original object remains in the source location to maintain user access to resources.
  Intraforest: Objects are migrated and no longer exist in the source location.

SID history maintenance
  Interforest: Maintaining SID history is optional.
  Intraforest: SID history is required.

Password retention
  Interforest: Password retention is optional.
  Intraforest: Passwords are always retained.

Local profile migration
  Interforest: You must use tools such as ADMT to migrate local profiles.
  Intraforest: For workstations that run Windows 2000 and later, local profiles are migrated automatically because the user's GUID is preserved. You must still use tools such as ADMT to migrate local profiles for workstations that run Windows NT 4.0 and earlier.

Closed sets
  Interforest: You do not need to migrate accounts in closed sets.
  Intraforest: You must migrate accounts in closed sets.
Flowchart of the whole migration process (figure not reproduced in this text).
III. Pre-migration preparation
The target domain must be at the Windows 2000 native or Windows Server 2003 domain functional level (mixed mode does not support SID history).
Establish a trust relationship between the source and target domains.
Disable SID filtering. It is enabled by default on Windows 2000 SP4 and later and on Windows Server 2003, and it strips SIDs that do not belong to the trusted domain, including the SIDHistory attribute, from tokens crossing the trust. Because we migrate SID history so that users keep access to their existing resources, the filter must be turned off for the duration of the migration and turned back on afterwards, since it is what protects the trusting domain against SID history injection.
SID filtering is turned off with the netdom command at the command line.
Add the target domain's Domain Admins group to the source domain's Administrators group.
The following three steps can also be done automatically by ADMT the first time it runs:
1. In the source domain, create the domain local group source_name$$$ (source_name is the NetBIOS name of the source domain). The group must stay empty.
2. On the PDC emulator of the source domain, enable TCP/IP client support for LSA and reboot the server afterwards:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
TcpipClientSupport DWORD 1
3. Enable auditing in both the target and the source domain:
Group Policy - Default Domain Controllers Policy - Computer Configuration - Windows Settings - Security Settings - Local Policies - Audit Policy
Audit account management: Success, Failure
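The preparation steps above, collected into one script as an added example (my own code, not from the original post). The target domain name Msft.Local comes from the lab description; the source domain's DNS and NetBIOS names (source.local / SOURCE), the admin account, and the presence of PowerShell on the domain controllers are assumptions. Every command is an external tool (netdom, net, secedit) and can equally be typed at a cmd prompt. It goes slightly beyond the text by showing the forest-trust variant of the netdom switch and a check of the audit setting.

```powershell
# Added example (not from the original post): pre-migration checks and
# settings for an interforest ADMT 3.0 migration.
$TargetDomain  = 'Msft.Local'    # from the lab above
$TargetNetbios = 'MSFT'          # assumed NetBIOS name of the target domain
$SourceDomain  = 'source.local'  # assumed; the post does not name the source domain
$SourceNetbios = 'SOURCE'        # assumed NetBIOS name of the source domain
$TargetAdmin   = "$TargetNetbios\Administrator"  # assumed target-domain admin

# --- Run on a DC of the SOURCE (resource) domain -------------------------

# 1. Verify the trust: the source domain must trust the target domain so that
#    users who now live in the target can still reach source resources.
netdom trust $SourceDomain "/domain:$TargetDomain" /verify

# 2. Disable SID filtering on that trust. For an external trust the switch is
#    /quarantine:No; for a forest trust use /enablesidhistory:Yes instead.
#    Without this the source domain drops the SIDHistory SIDs and migrated
#    users lose access to their old resources. Set /quarantine:Yes again once
#    the migration is finished.
netdom trust $SourceDomain "/domain:$TargetDomain" /quarantine:No "/userD:$TargetAdmin" /passwordD:*

# 3. Put the target domain's Domain Admins into the source Administrators group.
net localgroup Administrators "$TargetNetbios\Domain Admins" /add

# 4. Create the empty domain local group SOURCE$$$ that ADMT uses when it
#    migrates SID history. It must have no members. Single quotes keep
#    PowerShell from treating '$$$' as a variable.
$SidHistGroup = $SourceNetbios + '$$$'
net localgroup $SidHistGroup /add /domain /comment:"ADMT SID history migration"

# 5. On the PDC emulator only: enable TCP/IP client support for LSA, then
#    reboot; the value is only read at LSA start-up.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
New-ItemProperty -Path $Lsa -Name 'TcpipClientSupport' -PropertyType DWord -Value 1 -Force | Out-Null
Get-ItemProperty -Path $Lsa -Name 'TcpipClientSupport'
# Restart-Computer   # required for the LSA change to take effect

# --- Run on a DC of BOTH domains -----------------------------------------

# 6. Check that "Audit account management" is set to Success and Failure.
#    secedit exports the effective local security policy (including the
#    Default Domain Controllers Policy); AuditAccountManage = 3 means
#    success (1) + failure (2).
$Inf = Join-Path $env:TEMP 'audit.inf'
secedit /export /cfg $Inf /areas SECURITYPOLICY | Out-Null
Select-String -Path $Inf -Pattern '^AuditAccountManage'
```

Run steps 1 to 4 once with an account that is an administrator in the source domain; step 5 only on the PDC emulator, because ADMT's SID history migration talks to that role holder; step 6 on a DC in each domain, since ADMT refuses to migrate SID history if account management auditing is off in either domain.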
IV. Installing ADMT
Install ADMT 3.0 on the target domain controller (ADMT 3.1 is the version that supports Windows Server 2008).
ADMT 3.0 needs a database. Whether you intend to use SQL Server or WMSDE, the installer installs WMSDE locally by default.
V. Enabling password migration
Interforest migrations move passwords with the Password Export Server (PES) service. PES can be installed on any DC in the source domain; it requires 128-bit encryption, which Windows Server 2003 and Windows 2000 SP3 and later support by default.
Installing PES first requires an encryption key, which is created on the target-domain machine where ADMT is installed:
admt key /option:create /sourcedomain:<> /keyfile:<> /keypassword:<>
To run PES on a source-domain DC you need the PES installer that ships with ADMT:
run %SystemRoot%\ADMT\PES\pwdmig.msi (copied from the ADMT installation)
Import the encryption key created on the target domain in the previous step.
Enter the service account. Use an account that authenticates in the target domain. If you use the Local System account instead, make sure that in the target domain the Pre-Windows 2000 Compatible Access group contains the Everyone and Anonymous Logon groups; that membership grants anonymous read access to the target directory, so prefer a dedicated target-domain account and remove the membership as soon as it is no longer needed.
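The PES setup described above, as an added example (my own code, not from the original post). The source domain name source.local, the source DC name SRCDC01, the key file path and the directory names are assumptions; the command syntax is ADMT 3.0's. It also shows the AllowPasswordExport registry value, which the post does not mention: PES installs with password export switched off, and the migration fails until it is set to 1.

```powershell
# Added example (not from the original post): create the PES key on the
# target ADMT server, install PES on a source DC, and enable the export.
$SourceDomain = 'source.local'        # assumed; the post does not name the source domain
$SourceDc     = 'SRCDC01'             # assumed PES host, any DC in the source domain
$KeyFile      = 'C:\admt\source.pes'  # assumed key file path on the ADMT server

# --- On the target-domain machine where ADMT 3.0 is installed ------------

# 1. Create the key. '*' makes admt prompt for the key password so it does
#    not end up in the shell history.
New-Item -ItemType Directory -Path (Split-Path $KeyFile) -Force | Out-Null
admt key /option:create "/sourcedomain:$SourceDomain" "/keyfile:$KeyFile" /keypassword:*

# 2. Copy the key and the PES installer to the source DC. The installer
#    ships with ADMT under %SystemRoot%\ADMT\PES.
$Pes = Join-Path $env:SystemRoot 'ADMT\PES\pwdmig.msi'
New-Item -ItemType Directory -Path "\\$SourceDc\C$\admt" -Force | Out-Null
Copy-Item $KeyFile, $Pes -Destination "\\$SourceDc\C$\admt\"

# --- On the source DC ------------------------------------------------------

# 3. Install PES; reboot when the installer asks. It prompts for the key
#    file, the key password and the service account. Give it an account
#    from the target domain rather than Local System, so the target does
#    not have to add Everyone and Anonymous Logon to Pre-Windows 2000
#    Compatible Access.
msiexec /i C:\admt\pwdmig.msi

# 4. PES installs with password export disabled. Enable it only for the
#    duration of the migration: while it is 1, this DC will hand password
#    hashes to any ADMT server that holds the key.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
New-ItemProperty -Path $Lsa -Name 'AllowPasswordExport' -PropertyType DWord -Value 1 -Force | Out-Null

# 5. Start the service and confirm it is running. Looking it up by display
#    name avoids depending on the short service name.
$Svc = Get-Service -DisplayName 'Password Export Server*'
Start-Service -InputObject $Svc
Get-Service -InputObject $Svc

# 6. After the migration: stop PES and close the export again.
# Stop-Service -InputObject $Svc
# Set-ItemProperty -Path $Lsa -Name 'AllowPasswordExport' -Value 0
```

Delete the key file from both machines once PES is installed; whoever holds the key and its password can stand up a PES of their own against the source domain.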