You’re probably already aware of what ADMT is and what it can be used for, and I’d suggest (as always) to read the documentation provided by Microsoft.
The user guide for ADMT can be found here: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=19188
As part of deploying the Active Directory® directory service or Active Directory Domain Services (AD DS), you might choose to restructure your environment . Restructuring involves the migration of resources between Active Directory domains in either the same forest or in different forests. You can use the Active Directory Migration Tool (ADMT) to perform this task.
In this article we assume that we have one target domain server 2008 and one source domain server 2003. The goal is to migrate from 2003 to 2008 domain.
Migration Preparation using ADMT
1. Administrative access is required on source domain, or we can create user on source domain for migration purpose only giving Domain Admin and Enterprise Admin rights to that user.
2. Communication between source and target domain should be established fully. We can achieve this by DNS and Domain Trust.
We can Setup Forwards (DNS) on both domains. For this we can Open the DNS MMC console, expand the server tree and select Conditional Forwarders. Right click and select new conditional Forwarder. Enter the other DNS domain name and enter the IP address of on the DNS servers. After successful forwards setup you must be able to ping both domains.
To setup Domain Trust, Open the Active Directory Domains and Trusts on target domain, right click on the domain and click properties. Enter the DNS domain name, choose what sort of trust you require (External or Forest trust), Select Two way communication and Domain wide authentication level.
3. Now that we have forwards in place in both domains, Client for either domain should be able to resolve FQDNs. However we need to create a dedicated Global Group in the OU on the Target domain, which would contain the members of those who would be involved in the migration process of Users/Groups/Workstations/Servers (e.g. Site_Admins).
4. Create separate user for migration and assign administrative rights on both source and target domains. It is recommended that you make the user account in the target domain and make it a member of the domain administrators group.
Installing SQL and ADMT Tool
We should install ADMT and SQL on to target domain forest. SQL server is important as ADMT requires a preconfigured instance of SQL server to store data.
Download SQL Server and ADMT using following links
http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=25052
http://www.microsoft.com/en-us/download/details.aspx?id=8377
1. Install new stand alone SQL installation, Select Database Engine Service, Setup account for SQL service, we may can use same account which we have created for ADMT, assign admin rights to user account and particularly local admin rights in source domain.
2. Run ADMT setup on target domain and choose same instance which we created earlier for SQL service. Add Domain Admin in to administrative group on both target and source domains.
3. Make sure that on both Domains “Default Domain Controller Policy” -> Computer Configuration -> Windows Setting -> Security Settings -> Local Policies -> Audit Policy -> “Audit Account Management” is set to Audit both Success & Failure.
Installing Password Export Server
We can use password export server to export passwords from source domain to target domain user accounts. Download the following tool. http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=10370
Before installing this tool on source domain we need to create an encryption key from target domain which is running ADMT. We can use following command to do that.
admt key /option:create /sourcedomain:source.local /keyfile:"c:PES KeyPES.pes" /keypassword:*
Now we can install PES tool on source domain when prompted choose the encryption key which we just created on target domain. Run the PES service as an authenticated user in the target domain. we may need to run PES service manually.
ADMT in action
We can use ADMT to migrate objects in Active Directory forests. This tool includes wizards that automate migration tasks, such as migrating users, groups, service accounts, computers, and trusts and performing security translation.
We can perform ADMT tasks by using the ADMT console, a command line, or a script. When We run ADMT at the command line, it is often more efficient to use an option file to specify command-line options. When We run ADMT at the command line, We do not have to include an option in Wer command if We want to accept the default value. Examples of command-line syntax are provided for each task that We must perform to restructure the domains within the forest.
ADMT COMPUTER /N "computer_name1" "computer_name2" /O:"option_file.txt"
When We migrate a large number of users, groups, or computers, it is more efficient to use an include file. An include file is a text file in which We list the user, group, and computer objects that We want to migrate, with each object on a separate line. We must use an include file if We want to rename objects during the migration.
ADMT COMPUTER /F “includefile_nam” /IF:YES /SD:
"
source_domain” /TD:”target_domain” /TO:”target_OU”.