Wednesday , August 21 2019

How to Migrate Users Across Forests (Cross-Forest) Using ADMT 3.2 with SID and Passwords

Once the trust is in place:

Open the Administrators group in the source forest and add the Administrator of the target forest so that it acquires the proper permissions.

Then do the reverse:

Open the Administrators group in the target forest and add the Administrator of the source forest so that it acquires the proper permissions.

Otherwise you will end up with Access denied errors while moving users back and forth.

Once the permissions are done, we have to configure a Password Export Server in the source domain to allow the passwords to be exported to the target domain.

If your source domain DC is running a 64-bit version:

Password Export Server version 3.1 (x64)

If your source domain DC is running a 32-bit version:

Password Export Server version 3.1 (x86)

Choose Next

Before you choose Next, we need to create a password encryption file from the target domain.

Reference –

Enabling Migration of Passwords

http://technet.microsoft.com/en-us/library/cc974435(v=ws.10).aspx

Open a Command Prompt on the machine in the target domain where ADMT is installed, and run the command below to create a .pes file:

admt key /option:create /sourcedomain:<SourceDomain> /keyfile:<KeyFilePath>

Once the file is created on the target domain, bring the file to the source domain and browse for the file.

Click Finish

Reboot the server to complete the installation

Start the “Password Export Server Service”

Now open ADMT and choose the User Account Migration Wizard

Choose the source domain and target domain

Now select users from the domain.

If you want to choose a custom set of users from a CSV file, see the link below:

How to Prepare an Include File for ADMT 3.2

Choose the target OU

Choose Migrate Passwords

Choose Target Same as Source

Choose Migrate User SIDs to Target Domain

Type the user name and password of the source domain

Choose Next on each of the next three pages

Great!!

Users with their SID and password have now been migrated across forests (cross-forest) successfully.
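A post-migration check, added here as an example and not part of the original article: the PowerShell below reads a list of migrated account names and confirms that each target account's sIDHistory contains the source account's SID, and shows whether the account is flagged to change its password at next logon. The domain names and file path are placeholders, and it assumes the ActiveDirectory module is available and the account names were kept the same as in the source.

```powershell
# Added example, not from the original article.
# Placeholders/assumptions: domain names, list file path, unchanged account names.
Import-Module ActiveDirectory

$SourceDomain = 'source.example'              # placeholder: source domain DNS name
$TargetDomain = 'target.example'              # placeholder: target domain DNS name
$UserList     = 'C:\Temp\migrated-users.txt'  # placeholder: one sAMAccountName per line

$names = Get-Content -Path $UserList | Where-Object { $_.Trim() } | ForEach-Object { $_.Trim() }

$report = foreach ($name in $names) {
    # -Filter returns nothing (instead of throwing) when the account does not exist
    $src = Get-ADUser -Filter "sAMAccountName -eq '$name'" -Server $SourceDomain
    $dst = Get-ADUser -Filter "sAMAccountName -eq '$name'" -Server $TargetDomain `
                      -Properties SIDHistory, pwdLastSet

    $sourceSid  = $null
    $match      = $false
    $mustChange = $null

    if (-not $src -or -not $dst) {
        $status = 'Account missing in source or target'
    } else {
        $sourceSid = $src.SID.Value
        # sIDHistory is multi-valued; compare the SIDs as strings
        $history    = @($dst.SIDHistory | ForEach-Object { $_.Value })
        $match      = $history -contains $sourceSid
        # pwdLastSet = 0 means "User must change password at next logon"
        $mustChange = ($dst.pwdLastSet -eq 0)
        if ($match) { $status = 'OK' } else { $status = 'Source SID not in target sIDHistory' }
    }

    New-Object PSObject -Property @{
        User               = $name
        Status             = $status
        SidHistoryMatches  = $match
        MustChangePassword = $mustChange
        SourceSid          = $sourceSid
    }
}

$report |
    Select-Object User, Status, SidHistoryMatches, MustChangePassword, SourceSid |
    Format-Table -AutoSize
```

Any row not marked OK means resources that still grant access by the old SID will not recognise the migrated account.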

About Satheshwaran Manoharan

Satheshwaran Manoharan is a Microsoft Office Server and Services MVP and publisher of Azure365pro.com. Specialized in Office365 / Microsoft Exchange / Virtualization, Sathesh is a messaging expert supporting, designing and deploying corporate messaging and virtualization infrastructure for medium-size businesses to large enterprises.


16 comments

  1. This helps me a lot ….. Thanks a lot

  2. I get an error: the local group “Source”$$$ does not exist on “Source Domain”; this group is required to migrate SIDs. Would you like to create it?

    • Satheshwaran Manoharan

      Do you get this error while you migrate the Domain Users group?

      Or when do you get this error?

      Are you able to migrate users?

  3. I allowed it to create the group and it moved the sid history. I was concerned because it said error but all is well. Thank you for the fast response.

    • Satheshwaran Manoharan

      If your source SID and the SID history in the target domain match,

      everything is going to be fine!!

      You can neglect that error.

  4. Gabriel Montiel

    Hi,
    When I try to migrate a user’s password on the ADMT I receive the following error:

    Unable to establish a session with the password export server. The RPC server is unavailable.

    My source AD (where the PES is configured) is running with firewall disabled… any ideas???

    Thank you a lot


    GMS

  5. Hi,
    First, thanks for a great manual, it helped a lot.
    I followed the procedure with no special issues.
    But when I try to log on after the user has been migrated the password is not correct and I have to reset it in order to log on. Isn’t the PES supposed to take care of it?

    • Satheshwaran Manoharan

      It should take care of it. Can you check whether “change password at next logon” is checked or not? Uncheck it and try logging in with the same password.

      • Thanks again,
        I had an issue with my PES server.
        I want to ask a bit more complicated question.
        I’m in the middle of a cross forest migration when my new domain and old domain share the same SMTP name space.
        When I reply to an old mail of a user that I already migrated, I got an error message that I’m not authorized to send messages to this user:
        You do not have permission to send to this recipient. For assistance, contact your system administrator.
        After playing with settings I added the source.local as accepted address in my target domain. That solved the relay issue, but messages just sit in the queue of the Exchange 2010. The X.500 is in place as a proxy address but the Exchange 2010 doesn’t seem to know what to do with these messages. Can you tell me what I am doing wrong?
        Thanks again!

  6. Excellent article
    Helped me migrate the first forest.

    Just a question.
    I have a third forest I need to migrate into my target forest.
    Do I need to create a new encryption key on the target dc?

    • Figured out you do need to create a new .pes key,
      as sourcedomain: is defined in the key as an option.

      Thanks again for an excellent article

  7. I am having trouble getting the group permissions to work. We have users in the remote desktop group. Those are not transferring. The users are only coming in with “domain users” as the group.

  8. I can’t download the Password Export Server (PES) tool; the link from the topic is dead.
    Please update!
