Release Notes
This document provides late-breaking or other information that supplements the
Microsoft® Active Directory™ Migration Tool online Help documentation.
Information in this document, including URL and other Internet Web site
references, is subject to change without notice. Unless otherwise noted, the
example companies, organizations, products, people, and events depicted herein
are fictitious and no association with any real company, organization, product,
person, or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced
into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without
the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as
expressly provided in any written license agreement from Microsoft, the
furnishing of this document does not give you any license to these patents,
trademarks, copyrights, or other intellectual property.
© 2002 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Windows, and Windows NT are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries/regions.
The names of actual companies and products mentioned herein may be the
trademarks of their respective owners.
Contents
How to View This Document
Installation
ADMT Installation
Password Export Server Installation
New Features in ADMT Version 2.0
Microsoft Active Directory Migration Tool
2 Microsoft Windows 2000 Professional, Server, and Advanced Server
Known Issues
ADMT
User Migration
Group Migration
Service Account Migration
Trust Migration
Computer Migration
User Profile Migration
Password Migration
Report Creation
Retry Wizard
Online Help
Active Directory Migration Tool Remote Agent Software
Active Directory Migration Tool Migration Database
Intraforest Migration
Command line Tool
Scripting Component
How to View This Document
To review the latest release notes, the Domain Migration Cookbook, and other
updated information for Active Directory Migration Tool, see the Domain
Migration Web site at:
http://www.microsoft.com/windows2000/downloads/tools/admt/default.asp
ADMT Installation
This section describes a known issue related to the installation of this version of
Active Directory Migration Tool.
ADMT Version 1.0 will Install Over Version 2.0
ADMT Version 1.0 will install itself over Version 2.0 without warning the user.
ADMT Version 2.0 Installation will preserve the ADMT Version 1.0 Database.
When upgrading, ADMT v.2 will upgrade the internal database to a new version
of the Microsoft Access database. The installation will copy the old database to a
file named protar3x.mdb. Should the upgrade fail, ADMT v.1 can be reinstalled.
To use the current database again, rename protar3x.mdb to protar.mdb.
Microsoft Windows 2000 Release Notes 3
Installing Active Directory Migration Tool in a Terminal Server Session
The Active Directory Migration Tool installation program may not install
successfully in a terminal server session. Internal error 2755 occurs. If you
experience this behavior, cancel the installation, copy the ADMT installation files
to the terminal server, and restart the installation.
Installation of ADMT on 64-Bit Computers not supported
This version of ADMT is not supported on 64-Bit computers. This issue will be
addressed in a later version of ADMT.
Rights needed to run ADMT
Local administrator rights are required on the local server to run ADMT. If
ADMT runs on a domain controller, domain admins or administrator rights are
required. If ADMT runs on a member server, local administrator rights are
required.
Password Export Server Installation
This section describes the requirements for installing and using a Password Export
Server (PES) to perform password migration with ADMT. You can find more
detailed information in the Domain Migration Cookbook referenced under How
to View This Document.
1. We recommend that the source domain’s Password Export Server be a BDC
dedicated for this purpose.
2. 128-bit encryption must be installed on any PES.
3. 128-bit encryption must be installed on the machine running ADMT.
4. The Password Export Server installation will not complete without supplying
an encryption key created on the ADMT machine. The key must be available
on a local drive. This can be a floppy drive or a folder on the local hard drive.
Network mapped drives or shares are not allowed. It is recommended that you
transport the key via a floppy and either store the floppy in a secure location
or format it after the installation.
a. On the ADMT machine, run ADMT.exe from the command line
specifying “key” as the operation to perform (the syntax for this
command is “ADMT.exe key %Source_Domain_NetBIOSName% %folder% %Optional Password%”,
for example “c:\admt.exe key srcdomain a: pswrd”). Type “ADMT.exe key” at the
command line for more usage information.
b. On the Password Export Server, make sure that the key is available
on a local drive, either by inserting the floppy disk or copying the
key to a local hard drive. You will be prompted on the Password
Export Server for the location of the key during the installation. You
will have to provide a matching password if one was given when
creating the encryption key on the ADMT machine.
1. The AllowPasswordExport registry key value (located in HKLM\
SYSTEM\CurrentControlSet\Control\Lsa on the Password Export Server)
must be set to “1” to allow ADMT to use that Password Export Server for
password migration. You can disable a Password Export Server from
supporting password migration by setting that same value to “0”.
2. “Everyone” must be added to the “Pre-Windows 2000 Compatible Access”
group on the target domain in order for password migration to succeed. If this
is not done, ADMT will log an “Access Denied” error. The command line
syntax for this is “NET LOCALGROUP "Pre-Windows 2000 Compatible
Access" Everyone /ADD” (the Active Directory Users and Computers snap-in
will not allow you to add “Everyone” to this group).
3. Verify permissions on the server object. The PES requires that the “Pre-
Windows 2000 Compatible Access” group has “Read All Properties” rights
on the following object:
CN=Server,CN=System,DC=<domain_name>
4. Verify that anonymous access is allowed to domain controllers in the target
domain. Open the group policy editor for the domain, and navigate to the
following setting:
Default Domain Controllers Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Additional restrictions for anonymous connections
Verify that either 'Rely on default permissions' or 'not defined' is selected.
If 'No access without explicit anonymous permissions' is selected, password
migration to the target domain will fail with “Access Denied”.
5. If you are running ADMT on a .NET server, you also have to make sure that
the “Let Everyone permissions apply to anonymous users” right has been
enabled on that machine, or that the Anonymous Logon user has been added to
the Pre-Windows 2000 Compatible Access group.
New Features in ADMT Version 2.0
Scripting and Command line interface
Most ADMT operations can now be performed via a scriptable interface or the
new command line (ADMT.exe) tool. TemplateScript.vbs is a template script that
is installed with ADMT and explains most of the interface. For usage help with
the command line tool, type “ADMT.exe”. The Undo Wizard is one of the more
significant wizards not available through these new interfaces. If an operation
that could be undone when performed through the wizards is instead performed
through scripting or the command line, it can still be undone through the Undo Wizard.
Password Migration
Passwords can now be migrated for inter-forest user migrations. ADMT uses a
Password Export Server (PES) in the source domain to perform that migration.
See the Password Export Server Installation section for more specifics and
requirements.
Migration Log Files
A single log file was used in ADMT v.1 to log migration results and issues. In
ADMT v.2, a new log file is created for each new migration operation. The most
current log file is migration.log. When a new migration is started, the old
migration.log file is renamed to migrationxxxx.log, where xxxx is the next
available sequence number. The second most current log file is the
migrationxxxx.log file, where xxxx is the highest number. ADMT v.2 will only
save a specific number of log files. By default, this number is 20. The number can
be changed through the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADMT\LogHistory: 20
Credentials needed for migration operations
ADMT v.1 has a hard-coded check that verifies that the account running ADMT
is an administrator in both the source and the target domain. ADMT v.2 will not
perform security checks anymore, but will leave this up to the operating system.
Note 1: When users are migrated and SIDHistory migration is selected, then the
underlying API enforces that the user running ADMT is an administrator in the
source domain and a domain admin in the target domain. Since this check is
enforced by the operating system, domain admin rights for SIDHistory migrations
are still needed in ADMT v.2.
Note 2: In Windows .NET, SIDHistory migration can be delegated. The user who
migrates accounts with SIDHistory needs appropriate rights in the target
Organizational Unit (Create Users), plus the delegated extended right
MigrateSIDHistory on the domain object (DC=<domain_name>). When ADMT
v.2 runs against a Windows .NET domain controller, domain admin rights for
SIDHistory migrations will no longer be required.
Note 3: When user passwords are migrated, the user running ADMT must be an
administrator in the source domain.
Note 4: For agent-based operations like security translations or computer
migrations, local administrator rights are required on the target computer.
SID Mapping Files for Security Translation
ADMT can now perform security translation based on a comma-separated file
instead of only on previously migrated objects. Each line of the comma-separated file
has the form “%Source Object%, %Target Object%” followed by a new line. Both objects
can take one of two forms: 1) Domain\Username (but the domain must be
accessible) or 2) the decimal representation of a SID (for example, S-1-5-21-1222312332-
327112949-1237804090-1056). The Account Reference report has been modified
to include an object SID in decimal form and can be used to help build this
mapping file. The Windows 2000 version of LDP.exe does not display the full
SID in decimal form. This has been fixed in the Windows .NET version of
LDP.exe.
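As an added example (not ADMT's own code), the Python below validates a mapping file in the format just described before it is handed to security translation: each side must be Domain\Username or a textual SID, malformed lines are rejected, and a source that is mapped to two different targets is flagged. The sample file is constructed and reuses the domain names and SID that appear in these notes.

```python
"""Validate an ADMT SID mapping file before using it for security
translation.  Added example, not part of ADMT; the line format
("source, target", each side DOMAIN\\user or a textual SID) is taken
from the release notes and the sample file is constructed."""
import re

# Textual SID: S-1-<authority>-<sub-authority>[-...]; a domain account
# or group has the S-1-5-21-<domain parts>-<RID> shape.
SID_RE = re.compile(r'^S-1-\d+(?:-\d+){1,14}$')
# DOMAIN\user: no whitespace or backslash in the domain, one backslash.
ACCOUNT_RE = re.compile(r'^[^\\\s]+\\[^\\\s][^\\]*$')


def classify(token: str) -> str:
    """Return 'sid' or 'account', or raise for anything else."""
    if SID_RE.match(token):
        return 'sid'
    if ACCOUNT_RE.match(token):
        return 'account'
    raise ValueError(f'not a SID or DOMAIN\\user: {token!r}')


def parse_mapping(text: str):
    """Return (entries, problems).  Each entry is (source, source_kind,
    target, target_kind); problems are line-numbered reasons a line was
    rejected or would make the translation ambiguous."""
    entries, problems, seen = [], [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(',')]
        if len(parts) != 2 or not all(parts):
            problems.append(f'line {n}: expected "source, target"')
            continue
        src, dst = parts
        try:
            sk, dk = classify(src), classify(dst)
        except ValueError as err:
            problems.append(f'line {n}: {err}')
            continue
        if src.lower() == dst.lower():
            problems.append(f'line {n}: source and target are identical')
        key = src.lower()
        if key in seen and seen[key] != dst.lower():
            # One source mapped to two targets is ambiguous; the file
            # should map each source exactly once.
            problems.append(f'line {n}: {src} is already mapped elsewhere')
        seen.setdefault(key, dst.lower())
        entries.append((src, sk, dst, dk))
    return entries, problems


# Constructed sample file.  Domain names and the first SID are the ones
# used in the release notes; the RID 9999 SID is made up.
SAMPLE = """\
HB-ACCT-WC\\Bob, HAY-BUV\\Bob
S-1-5-21-1222312332-327112949-1237804090-1056, HAY-BUV\\Writers
HB-ACCT-WC\\Editors, S-1-5-21-1222312332-327112949-1237804090-9999
HB-ACCT-WC\\Bob, HAY-BUV\\Robert
S-1-5-21-1222312332-327112949-1237804090-1056, S-1-5-21-1222312332-327112949-1237804090-1056
just one column
"""

if __name__ == '__main__':
    entries, problems = parse_mapping(SAMPLE)
    print(f'{len(entries)} usable entries')
    for p in problems:
        print('problem:', p)
```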
Windows 2000 Attribute Exclusion
For inter-forest migrations, a list of attributes can be defined that will be excluded
in a user, group, or computer migration. There are three lists of attributes:
• Attributes always excluded by the system
• Attributes in the system exclusion list
• Attributes that can be excluded by the administrator
Attributes always excluded by the system
These attributes will always be excluded by ADMT. This is done to protect
system owned attributes and cannot be configured. The attributes are:
• Object GUID
• Object SID (but can be written to the SIDHistory)
• pwdLastSet
• userPassword (can be migrated by ADMT)
• isCriticalSystemObject
• LegacyExchangeDN
System Attribute Exclusion List
ADMT stores a system attribute exclusion list in its database. Attributes in this list
will be excluded from migration operations even if the attribute is not specified in
the attribute exclusion list. The list can be changed by the administrator through
any scripting language using the ADMT scripting interface. This is done to
protect attributes that are important for server-based applications to work, like
Exchange. By default, the following attributes are members of the system attribute
exclusion list:
• Mail
• proxyAddresses
The following is an example of a script that can be used to reset the System
Attribute Exclusion list to contain the attributes “Mail”, “proxyAddresses” and
“description”:
' Create the ADMT scripting object that ADMT v.2 installs
Set objMigration = CreateObject("ADMT.Migration")
' Replace the system attribute exclusion list with these attribute names
objMigration.SystemPropertiesToExclude = "description,mail,proxyAddresses"
Attribute Exclusion List
This is a list of attributes that the administrator defines for every single migration.
The UI can be used to display and select the attributes. The UI keeps state
information; in other words if an attribute is added to the exclusion list, the UI
will add it to the list at the next migration by default. Scripting and command line
have no state information. The attributes must be defined for every single
migration operation, either through the attribute name or through an option file.
However, if an attribute exclusion list is used through the command line or
scripting interface, the state information used by the UI is updated with the
content of that list.
Agent Credentials
Agent dispatch credentials are no longer required. Previously, ADMT prompted
the user for credentials used by the agent to report its results back to ADMT. Due
to a change in the architecture of the agents, the computer running ADMT will
now retrieve results from the agents. Therefore, credentials are no longer required.
Skip Membership Restoration
A “Fix Membership” option has been added to the User and Group Migration
Wizards so that performance can be vastly improved if group membership
reconstruction is not needed.
Decommission Source Domains
During security translation, ADMT v.1 has to communicate with the source
domain of the account that is referenced on an ACL. If the source domain is
decommissioned, the security translation fails. In ADMT v.2, all necessary
information will now be stored in the database. Therefore, the source domains can
be decommissioned, and security translations will still work.
If ADMT v.2 is installed as an update of ADMT v.1, ADMT v.2 will have to
update the database to a new format. ADMT v.2 will also have to add information
to the database to make this feature work. If an ADMT v.1 database is upgraded,
ADMT v.2 will perform the following operations:
• Prompt the user that ADMT v.2 will attempt to contact all source
domains from which objects had been migrated using ADMT v.1. The
administrator can then configure which domains should be excluded.
• Contact the domain and retrieve the necessary information.
This process will only happen when ADMT v.2 is run for the first time. Should a
source domain controller not be online at the time when ADMT v.2 is run for the
first time, the information can be added later. This is done by migrating an object
from the source domain to any target domain once a domain controller is online
again. This can also be a test migration only. If one migration or test run succeeds,
the database is updated, and domain controllers from the source domain will no
longer be needed for subsequent operations.
Known Issues
ADMT
Operating ADMT in a NetBIOS-less environment is not
supported
ADMT requires NetBIOS name resolution for all migration operations. This issue
will be addressed in a later version of ADMT.
If Install Path is empty, Installation Wizard shuts down
If the user changes the default installation path to an empty path and then clicks
Browse, the installation wizard presents a dialog box with “Error 2343” and
then shuts down. This issue will be addressed in a later version of ADMT.
User Migration
This section describes known issues related to migrating users with this version of
Active Directory Migration Tool.
Replaces Special Characters when Migrating Account Names
ADMT replaces the following characters with an underscore character ‘_’ in the
pre-Windows 2000 name (SAM Account Name) and User Principal Name:
" * + , / : ; < = > ? [ \ ] |
The period character (‘.’) is replaced with an underscore character (‘_’) if it is the
last character of the name.
List of Characters not allowed as a prefix/suffix
The following table lists the characters not allowed in a prefix or suffix. The SAM
column indicates characters that are invalid in a SAM account name. The DN column
indicates characters that need escaping in a distinguished name and/or a canonical
name and/or an ADsPath.
Character  SAM  DN
"          X    X
#               X
$               X
*          X
+          X    X
,          X    X
.               X
/          X    X
:          X
;          X    X
<          X    X
=          X    X
>          X    X
?          X
[          X
\          X    X
]          X
|          X
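As an added example (not from the release notes or ADMT), the Python below applies the character rewriting and the prefix/suffix table above to a constructed list of source names and reports which sources would end up with the same target name. The collision check goes beyond what the notes state; it follows from the replacement rule, since several distinct source names can rewrite to one target name.

```python
"""Predict the account names ADMT will create and catch the collisions
that its character rewriting can cause.  Added example, not ADMT code;
the character sets come from the release notes, the sample names are
constructed."""


# Characters ADMT replaces with '_' in the SAM account name and UPN.
SAM_INVALID = set('"*+,/:;<=>?[\\]|')
# Characters that need escaping in a DN, canonical name or ADsPath
# (the DN column of the prefix/suffix table).
DN_ESCAPED = set('"#$+,./;<=>\\')


def sanitize_sam_name(name: str) -> str:
    """Apply ADMT's rewrite: invalid characters become '_', and a
    trailing '.' becomes '_'."""
    out = ''.join('_' if c in SAM_INVALID else c for c in name)
    if out.endswith('.'):
        out = out[:-1] + '_'
    return out


def check_prefix_suffix(text: str) -> dict:
    """Report the characters of a proposed prefix or suffix that the
    SAM column and the DN column of the table reject."""
    return {
        'SAM': sorted(c for c in set(text) if c in SAM_INVALID),
        'DN': sorted(c for c in set(text) if c in DN_ESCAPED),
    }


def find_collisions(names, prefix='', suffix=''):
    """Map each source name to the name ADMT will create (prefix and
    suffix applied, then rewritten) and return the target names that
    more than one source lands on.  Two sources sharing one target
    name means the second migration conflicts with the first, so a
    planner wants this list before running the wizard."""
    targets = {}
    for n in names:
        t = sanitize_sam_name(prefix + n + suffix)
        # SAM account names are compared case-insensitively.
        targets.setdefault(t.lower(), []).append(n)
    return {t: srcs for t, srcs in targets.items() if len(srcs) > 1}


if __name__ == '__main__':
    # Constructed sample source names, not real accounts.
    sample = ['j.smith', 'j/smith', 'j:smith', 'bob.', 'bob_', 'alice']
    for target, sources in find_collisions(sample).items():
        print(f'{target!r} would be produced by {sources}')
```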
Clicking Stop on the Migration Progress Page of the User Migration Wizard Does Not Pause the Operation
When you click Stop on the Migration Progress page of the User Migration
Wizard, it does not pause the user migration operation even though the
verification message is displayed. This will be addressed in a future release.
Re-migrating Previously Migrated Users Updates the Group Membership of the Target User Account
When you use the User Migration Wizard with the Replace conflicting accounts
option to migrate a user who has been previously migrated, any new groups that
the source account has subsequently been added to will be appended to the
original group membership of the user.
Example: Bob is a user in the domain HB-ACCT-WC. He is a member of the
group HB-ACCT-WC\Writers and is migrated along with the Writers and Editors
groups to the target domain hay-buv.tld (NetBIOS name HAY-BUV). After the
first migration, the following occurs:
1) HB-ACCT-WC\Bob is added to HB-ACCT-WC\Editors
2) HAY-BUV\Bob is added to HAY-BUV\TechEditors
Upon remigration, HAY-BUV\Bob will be a member of HAY-BUV\Writers,
HAY-BUV\Editors, and HAY-BUV\TechEditors.
This behavior is by design. If this behavior is not desired and you want to
completely reset the target account to only be a member of the source user’s
groups, you must delete the target domain user and migrate the source user again.
[...]
Active Directory Migration Tool Migration Database
This section describes a known issue related to the Active Directory Migration
Tool migration database.
Single Use
State information that is critical to the proper operation of Active Directory
Migration Tool is stored in a Microsoft Access database named Protar.mdb. This
database is installed in the same directory [...]
Profile Migration
This section describes a known issue related to migrating user profiles with this
version of Active Directory Migration Tool.
Active Directory Migration Tool Remote Agent Service Reports That the User
Profile Is Locked During Profile Migration When User Is Logged Off
If you deploy the Active Directory Migration Tool remote agent service on a
remote computer as part of a user profile migration, [...] version of Active
Directory Migration Tool.
Help Window always stays on top
In any ADMT wizard, when the “Help” button is pressed and the help window
appears, if the user activates the wizard window again, the help window will stay
in the foreground. This issue will be addressed in a later version of ADMT.
Active Directory Migration Tool Remote Agent Service
This section describes a known issue related to the Active Directory Migration
Tool remote agent shipped with this version of Active Directory Migration Tool.
The Agent does NOT Quit upon the Early Termination of the Command line Tool
or VBScript
If you CTRL+C or terminate the program early, the agent process will not stop.
The process must [...] prevented from successfully joining the target domain.
Intermittent Failure of the Active Directory Migration Tool Remote Agent Service
There have been reported instances of the Active Directory Migration Tool remote
agent service failing to stop or uninstall itself when the service is deployed on a
remote computer as part of computer migration, security translation, or service
account identification and a failure [...]
Computer Migration
This section describes known issues related to migrating computers with this
version of Active Directory Migration Tool.
Intra-forest Computer Migration Does Not Disable the Computer Account in the
Source Domain
After an intra-forest computer migration, the migrated computer source domain
account is not disabled or deleted. As a workaround, you can write a simple [...]
it is recommended that you migrate the objects affected using the Group
Migration Wizard.
Service Account Migration
This section describes known issues related to migrating service accounts with
this version of Active Directory Migration Tool.
Service Account Migration Wizard has Hidden “Service Account” Column
The Service Account Migration Wizard displays a list of service accounts. The
“Service” column [...]
Trust Migration
This section describes known issues related to migrating trusts with this version
of Active Directory Migration Tool.
Trust Migration Wizard Does Not Verify Existing Trusts
If a domain is listed as a trusted domain on the source and the target domains,
the Trust Migration Wizard will not allow the creation of that trust, even if the
trust is broken in any way. Only use the Trust Migration [...]
[...] Active Directory Migration Tool operations to another computer. If, after
performing some migration operations, it is decided to run the tool on another
computer, Protar.mdb and Scmdata.txt should be copied from the original
computer to that new computer.
2) Reinstalling Active Directory Migration Tool. Before reinstalling or upgrading
over an existing installation from which some migration operations have [...]
saved database over the new version.
3) Do not run multiple instances of Active Directory Migration Tool at any one
time. Currently, the tool is not designed to support simultaneous operations, so
you should not run multiple instances of the tool at the same time. It is possible
to have two installations of the tool carrying out migrations, but it requires
disciplined practices to keep the databases manually [...]