Monday, March 4, 2024

How to Migrate Users Across Forests (Cross-Forest) using ADMT 3.2 with SID History and Passwords

Once the trust is in place, grant the migration account administrative rights in both forests:

Open the Administrators group in the source forest and add the Administrator account of the target forest, so it acquires the proper permissions.

Vice versa:

Open the Administrators group in the target forest and add the Administrator account of the source forest, so it acquires the proper permissions.

Without these memberships you will end up with Access denied errors while moving users back and forth. Keep in mind that this is a full administrative grant across the trust boundary; remove both memberships as soon as the migration is complete.


Once the permissions are in place:

We have to install the Password Export Server (PES) on a domain controller in the source domain; PES is what allows passwords to be exported to the target domain. Pick the build that matches the source DC:

If your source domain DC is running a 64-bit version:

Password Export Server version 3.1 (x64)

If your source domain DC is running a 32-bit version:

Password Export Server version 3.1 (x86)

Choose Next.


Before you choose Next, we need to create a password encryption key file in the target domain; the PES installer will ask for it.

Reference:

Enabling Migration of Passwords

Open a command prompt on the server in the target domain where ADMT is installed, and run the command below to create the .pes key file:

admt key /option:create /sourcedomain:<SourceDomain> /keyfile:<KeyFilePath>

The key is tied to the domain named in /sourcedomain, so every source domain you migrate from needs its own key file. The command also accepts /keypassword:{<password>|*} to protect the key file with a password (use * to be prompted). Treat the file as a secret while copying it to the source domain, and delete the copy once PES is installed.


Once the file is created in the target domain, copy it to the source domain and browse to it in the PES installer.

Click Finish.

Reboot the server to complete the installation.

Start the "Password Export Server Service". The installer does not start it for you; start it only for the duration of the password migration and stop it again when you are done, since it exposes password export to the target domain for as long as it runs.


Now open ADMT and choose User Account Migration Wizard.

Choose the source domain and the target domain.

Now select the users from the domain.

If you want to choose a custom set of users from a CSV file, see the link below:

How to Prepare a Include File For ADMT 3.2

Choose the target OU.

On the Password Options page, choose Migrate passwords.

On the Account Transition Options page, choose Target same as source (the target account keeps the enabled or disabled state of the source account).

Choose Migrate user SIDs to target domain.

Type the user name and password of an account in the source domain with rights to add SID history (the account you added to the Administrators group earlier).

Choose Next on each of the remaining three pages, accepting the defaults.

Great!

Users have now been migrated across forests (cross-forest) with their SID history and passwords.
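After the wizard finishes, it is worth confirming that the two things this article is about actually arrived: the source SID in each user's sIDHistory and a usable password. The script below is an added example for this post (not the author's own code and not part of ADMT); it assumes the RSAT ActiveDirectory module is installed, that the account running it can read both forests over the trust, and that the domain names and OU are fictitious placeholders you replace with your own.

```powershell
# Added example (not from the original article): post-migration verification.
# After an ADMT run with "Migrate user SIDs to target domain" and "Migrate passwords",
# confirm that every user in the target OU carries its source objectSid in sIDHistory
# and is not flagged "User must change password at next logon".
# Assumptions (placeholders, not from the article): RSAT ActiveDirectory module is
# installed, the executing account can read both forests, and these names are fictitious.
param(
    [string]$SourceDomain = 'source.local',
    [string]$TargetDomain = 'target.local',
    [string]$TargetOU     = 'OU=Migrated Users,DC=target,DC=local'
)

Import-Module ActiveDirectory

# Pull every user ADMT dropped into the target OU, with the attributes we need to check.
$targetUsers = Get-ADUser -Server $TargetDomain -SearchBase $TargetOU -Filter * `
                          -Properties sIDHistory, pwdLastSet, SamAccountName

$report = foreach ($tgt in $targetUsers) {
    # ADMT keeps the sAMAccountName by default, so look the same account up in the source forest.
    $src = Get-ADUser -Server $SourceDomain -Identity $tgt.SamAccountName `
                      -Properties objectSid -ErrorAction SilentlyContinue

    # sIDHistory is a collection of SecurityIdentifier objects; compare by string value.
    $history = @($tgt.sIDHistory | ForEach-Object { $_.Value })

    [pscustomobject]@{
        SamAccountName     = $tgt.SamAccountName
        SourceFound        = [bool]$src
        # SID history is only correct if it contains the *source* objectSid; that is what
        # lets the user keep access to ACLs in the source forest that still name the old SID.
        SidHistoryMatches  = if ($src) { $history -contains $src.SID.Value } else { $false }
        # pwdLastSet = 0 means "User must change password at next logon"; with PES the
        # migrated password should be usable as-is, so this flag indicates a problem.
        MustChangePassword = ($tgt.pwdLastSet -eq 0)
    }
}

# Everything that is not in order, for follow-up.
$problems = $report | Where-Object {
    -not $_.SourceFound -or -not $_.SidHistoryMatches -or $_.MustChangePassword
}

$report | Format-Table -AutoSize
if ($problems) {
    Write-Warning ("{0} of {1} migrated users need attention" -f @($problems).Count, @($report).Count)
    exit 1
}
"All {0} migrated users have matching SID history and usable passwords." -f @($report).Count
```

Run it from the target domain as an account that can query the source forest through the trust, e.g. `.\Verify-AdmtMigration.ps1 -SourceDomain old.corp -TargetDomain new.corp -TargetOU 'OU=Migrated,DC=new,DC=corp'`. A non-zero exit code means at least one user is missing in the source, has no matching SID history entry, or will be prompted to change the password on first logon, which is exactly the symptom discussed in the comments below.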

Satheshwaran Manoharan, https://www.azure365pro.com

Comments


  1. I get an error: the local group "Source"$$$ does not exist on "Source Domain". This group is required to migrate SIDs. Would you like to create it?

    • Do you get this error while you migrate the Domain Users group?

      Or when do you get this error?

      Are you able to migrate users?

  2. I allowed it to create the group and it moved the SID history. I was concerned because it said error, but all is well. Thank you for the fast response.

    • If your source SID and the SID history in the target domain match,

      everything is going to be fine!

      You can ignore that error.

  3. Hi,
    When I try to migrate a user's password on the ADMT I receive the following error:

    Unable to establish a session with the password export server. The RPC server is unavailable.

    My source AD (where the PES is configured) is running with the firewall disabled... any ideas???

    Thank you a lot


  4. Hi,
    First, thanks for a great manual, it helped a lot.
    I followed the procedure with no special issues.
    But when I try to log on after the user has been migrated, the password is not correct and I have to reset it in order to log on. Isn't the PES supposed to take care of it?

    • It should take care of it. Can you check whether "User must change password at next logon" is checked or not? Uncheck it and try logging in with the same password.

      • Thanks again,
        I had an issue with my PES server.
        I want to ask a bit more complicated question.
        I'm in the middle of a cross-forest migration where my new domain and old domain share the same SMTP namespace.
        When I reply to an old mail of a user that I already migrated, I get an error message that I'm not authorized to send a message to this user:
        You do not have permission to send to this recipient. For assistance, contact your system administrator.
        After playing with settings I added source.local as an accepted domain in my target domain. That solved the relay issue, but the messages just sit in the queue of the Exchange 2010. The X.500 address is in place as a proxy address, but Exchange 2010 doesn't seem to know what to do with these messages. Can you tell me what I am doing wrong?
        Thanks again!

  5. Excellent article.
    Helped me migrate the first forest.

    Just a question.
    I have a third forest I need to migrate into my target forest.
    Do I need to create a new encryption key on the target DC?

    • Figured out you do need to create a new .pes key,
      as sourcedomain: is defined in the key as an option.

      Thanks again for an excellent article

  6. I am having trouble getting the group permissions to work. We have users in the Remote Desktop group. Those are not transferring. The users are only coming in with "Domain Users" as the group.

