Once the trust is in place:
Open the Administrators group in the source forest and add the Administrator of the target forest so that it has the proper permissions.
Open the Administrators group in the target forest and add the Administrator of the source forest so that it has the proper permissions.
Otherwise you will end up with Access denied errors while moving users back and forth.
Once the permissions part is done:
We have to configure a Password Export Server (PES) in the source domain to allow exporting the passwords to the target domain.
If your source domain DC is running a 64-bit version:
Password Export Server version 3.1 (x64)
If your source domain DC is running a 32-bit version:
Password Export Server version 3.1 (x86)
Before you choose Next, we need to create a password encryption file from the target domain.
Enabling Migration of Passwords
Open a Command Prompt where ADMT is installed on the target domain and run the command below to create a .pes file:
admt key /option:create /sourcedomain:<SourceDomain> /keyfile:<KeyFilePath>
Once the file is created on the target domain, bring the file to the source domain and browse for the file.
Reboot the server to complete the installation.
Start the “Password Export Server Service”.
Now open ADMT and choose the User Account Migration Wizard.
Choose the source domain and the target domain.
Now select users from the domain.
If you want to choose a custom set of users from a CSV file, see the link below:
How to Prepare a Include File For ADMT 3.2
Choose the target OU.
Choose Migrate Passwords.
Choose Target Same as Source.
Choose Migrate User SIDs to Target Domain.
Type the user name and password of the source domain.
The users have now been migrated across forests (cross-forest) successfully, with their SIDs and passwords.
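A post-migration check for the "Migrate User SIDs to Target Domain" step, added here as an example and not part of the original post: it reports every account in the target OU whose sIDHistory does not contain the SID of the source account with the same name. It assumes the RSAT ActiveDirectory module, identical sAMAccountName values in both domains, and placeholder domain and OU names; the function name is hypothetical.

```powershell
# Added example (not from the original post). Assumptions: RSAT ActiveDirectory
# module is installed, accounts keep the same sAMAccountName in both domains,
# and the domain/OU names at the bottom are placeholders.
Import-Module ActiveDirectory

function Test-MigratedSidHistory {
    param(
        [Parameter(Mandatory)][string]$SourceServer,  # source domain or DC name
        [Parameter(Mandatory)][string]$TargetServer,  # target domain or DC name
        [Parameter(Mandatory)][string]$TargetOU       # OU chosen in the wizard
    )
    $targets = Get-ADUser -Filter * -SearchBase $TargetOU -Server $TargetServer `
        -Properties sIDHistory
    foreach ($t in $targets) {
        # Escape single quotes so the name is safe inside the -Filter string.
        $sam = $t.SamAccountName -replace "'", "''"
        $src = Get-ADUser -Filter "sAMAccountName -eq '$sam'" -Server $SourceServer
        # sIDHistory is multi-valued; flatten it to SID strings for comparison.
        $history = @($t.sIDHistory | Where-Object { $_ } | ForEach-Object { $_.Value })

        if (-not $src) {
            $status = 'NoSourceAccount'   # created directly in the target
        } elseif ($history.Count -eq 0) {
            $status = 'NoSidHistory'      # migrated without the SID option
        } elseif ($history -contains $src.SID.Value) {
            $status = 'Match'
        } else {
            $status = 'Mismatch'          # history points at some other SID
        }
        [pscustomobject]@{
            SamAccountName = $t.SamAccountName
            SourceSid      = if ($src) { $src.SID.Value } else { $null }
            SidHistory     = $history -join ';'
            Status         = $status
        }
    }
}

# Placeholder names; replace with your own domains and target OU.
Test-MigratedSidHistory -SourceServer 'source.example' `
    -TargetServer 'target.example' `
    -TargetOU 'OU=Migrated,DC=target,DC=example' |
    Where-Object Status -ne 'Match' |
    Format-Table -AutoSize
```

An empty result means every account in the OU carries its source SID in sIDHistory.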
This helps me a lot... Thanks a lot
Thank you for your comments
I get an error: the local group “Source”$$$ does not exist on “Source Domain”; this group is required to migrate SIDs. Would you like to create it?
Do you get this error while you migrate the domain users group?
Or when do you get this error?
Are you able to migrate users?
I allowed it to create the group and it moved the SID history. I was concerned because it said error, but all is well. Thank you for the fast response.
If your source SID and the SID history in the target domain match,
everything is going to be fine!
You can neglect that error.
When I try to migrate a user’s password in ADMT, I receive the following error:
Unable to establish a session with the password export server. The RPC server is unavailable.
My source AD (where the PES is configured) is running with the firewall disabled… any ideas?
Thank you a lot
First, thanks for a great manual, it helped a lot.
I followed the procedure with no special issues.
But when I try to log on after the user has been migrated, the password is not correct and I have to reset it in order to log on. Isn’t the PES supposed to take care of it?
It should take care of it. Can you check whether “change password at next logon” is checked or not? Uncheck it and try logging in with the same password.
I had an issue with my PES server.
I want to ask a bit more complicated question.
I’m in the middle of a cross-forest migration where my new domain and old domain share the same SMTP namespace.
When I reply to an old mail of a user that I already migrated, I get an error message that I’m not authorized to send messages to this user:
You do not have permission to send to this recipient. For assistance, contact your system administrator.
After playing with settings I added source.local as an accepted address in my target domain. That solved the relay issue, but messages just sit in the queue of the Exchange 2010. The X.500 is in place as a proxy address, but the Exchange 2010 doesn’t seem to know what to do with these messages. Can you tell me what I am doing wrong?
Figured this one out.
When sharing a namespace, things don’t go as smoothly…
Helped me migrate the first forest.
Just a question.
I have a third forest I need to migrate into my target forest.
Do I need to create a new encryption key on the target dc?
Figured out you do need to create a new .pes key,
as sourcedomain: is defined in the key as an option.
Thanks again for an excellent article
I am having trouble getting the group permissions to work. We have users in the remote desktop group. Those are not transferring. The users are only coming in with “domain users” as the group.
I can’t download the Password Export Server (PES) tool; the link from the topic is dead.
Link seems valid. Verified.