Active Directory Migration Tool

ADMT is a free tool from Microsoft used for migrating Active Directory objects to a new domain. ADMT will allow you to move users, computers, groups, and service accounts to a new domain created in a new forest (inter-forest) or the existing forest (intra-forest).


ADMT will behave a bit differently depending on the environment. An inter-forest migration will essentially copy all objects, allowing both domains to run simultaneously. This method allows for a bit more flexibility in the migration process, as the existing environment is left as is to provide a fallback should an issue occur. An intra-forest migration will actually move the objects, which requires more thorough planning and execution. Regardless of which method is used, SID History should be enabled on the trust during the co-existence period of both source and destination domains.

System Requirements

ADMT version 3.2 is the latest version offered by Microsoft. It can only be installed on Windows Server 2008 R2 and supports migrating domains at the 2003, 2008, or 2008 R2 functional levels. ADMT uses an agent for computer migrations and supports the following operating systems: Windows XP, Vista, 7, Server 2003, Server 2008, and Server 2008 R2. Migrating users can include their passwords if the accompanying Password Export Server (PES) utility is installed on a domain controller in the source domain.

ADMT also requires a SQL instance to maintain all migration data and can support local installs of SQL Express 2005 SP3 (or later) or 2008 SP1 (or later). If you want to connect to a remote database or allow multiple consoles to connect to the same database you can install ADMT to a full version of SQL Server 2005 or 2008.

ADMT Installation

Installation is pretty straightforward. ADMT will be installed on a Windows Server 2008 R2 server in the destination domain. Depending on the SQL edition used, a database may need to be created ahead of time. The biggest issue I’ve seen is trying to install ADMT on a domain controller. This is possible but requires some adjustments that can be found here.

Password Export Server Installation

In order to migrate user passwords, the install is slightly more complicated. First, you’ll need to create an encryption key file, which is generated on the ADMT server. From a command prompt, type “admt key /option:create /sourcedomain:<SourceDomain> /keyfile:<KeyFilePath> /keypassword:<password>”. Once the file has been created, it should be copied to the server where PES will be installed, as the installer will ask for the location of the file. If the installer and associated PES file are in the same location, it should find it automatically. The PES installer will also ask for a service account to run the Password Export Server service, so be sure to select one with permissions in both domains. After rebooting the server to complete the install, the service will be stopped and set to manual. Be sure to start the service prior to migrating any users.
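The following PowerShell sketch is an added example, not part of the original article or of ADMT itself. It starts the PES service only for the migration window, then returns it to the stopped, manual state the installer leaves it in and warns if a staged copy of the key file is still on disk. It assumes the service's display name begins with "Password Export Server"; the function names and the key file path are hypothetical.

```powershell
# Added example. Run in an elevated session on the source DC that hosts PES.
# Assumption: the PES service display name starts with "Password Export Server".
$ErrorActionPreference = 'Stop'

function Get-PesService {
    # Wildcard lookup returns nothing (no error) when PES is not installed.
    $svc = @(Get-Service -DisplayName 'Password Export Server*' -ErrorAction SilentlyContinue)
    if ($svc.Count -ne 1) { throw "Expected exactly one PES service, found $($svc.Count)" }
    return $svc[0]
}

function Open-PesWindow {
    # Start PES just before a user migration and wait until it is really up.
    $svc = Get-PesService
    if ($svc.Status -ne 'Running') {
        Start-Service -InputObject $svc
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    }
    Write-Output "PES running as of $(Get-Date -Format s)"
}

function Close-PesWindow {
    param([string]$KeyFile)  # hypothetical: where the key file was copied for the installer
    # Return PES to the post-install state: stopped, manual start.
    $svc = Get-PesService
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -InputObject $svc
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }
    Set-Service -Name $svc.Name -StartupType Manual
    # The key file protects exported passwords; flag a copy left behind.
    if ($KeyFile -and (Test-Path -LiteralPath $KeyFile)) {
        Write-Warning "Key file still present at $KeyFile; remove the staged copy."
    }
    Write-Output "PES stopped and set to Manual as of $(Get-Date -Format s)"
}

# Usage (path is a constructed sample):
#   Open-PesWindow
#   ... run the user migration from the ADMT console ...
#   Close-PesWindow -KeyFile 'C:\Temp\pes-key.pes'
```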

Be sure to prepare your domains for a migration. The installation of ADMT is fairly simple, but preparing the domains for a successful migration requires a bit more preparation.
