Document: Microsoft Active Directory Migration Tool (pptx)


Release Notes

This document provides late-breaking or other information that supplements the Microsoft® Active Directory™ Migration Tool online Help documentation.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, people, and events depicted herein are fictitious and no association with any real company, organization, product, person, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries/regions. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents

  How to View This Document
  Installation
    ADMT Installation
    Password Export Server Installation
  New Features in ADMT Version 2.0
  Known Issues
    ADMT
    User Migration
    Group Migration
    Service Account Migration
    Trust Migration
    Computer Migration
    User Profile Migration
    Password Migration
    Report Creation
    Retry Wizard
    Online Help
    Active Directory Migration Tool Remote Agent Software
    Active Directory Migration Tool Migration Database
    Intraforest Migration
    Command line Tool
    Scripting Component

How to View This Document

To review the latest release notes, the Domain Migration Cookbook, and other updated information for Active Directory Migration Tool, see the Domain Migration Web site at:
http://www.microsoft.com/windows2000/downloads/tools/admt/default.asp

ADMT Installation

This section describes known issues related to the installation of this version of Active Directory Migration Tool.

ADMT Version 1.0 Will Install Over Version 2.0

ADMT Version 1.0 will install itself over Version 2.0 without warning the user.

ADMT Version 2.0 Installation Will Preserve the ADMT Version 1.0 Database

When upgrading, ADMT v.2 upgrades the internal database to a new version of the Microsoft Access database. The installation copies the old database to a file named protar3x.mdb. Should the upgrade fail, ADMT v.1 can be reinstalled; to use the original database again, rename protar3x.mdb to protar.mdb.

Installing Active Directory Migration Tool in a Terminal Server Session

The Active Directory Migration Tool installation program may not install successfully in a terminal server session; internal error 2755 occurs. If you experience this behavior, cancel the installation, copy the ADMT installation files to the terminal server, and restart the installation.
Installation of ADMT on 64-Bit Computers Not Supported

This version of ADMT is not supported on 64-bit computers. This issue will be addressed in a later version of ADMT.

Rights Needed to Run ADMT

Local administrator rights are required on the local server to run ADMT. If ADMT runs on a domain controller, Domain Admins or Administrator rights are required. If ADMT runs on a member server, local administrator rights are required.

Password Export Server Installation

This section describes the requirements for installing and using a Password Export Server (PES) to perform password migration with ADMT. More detailed information is in the Domain Migration Cookbook referenced under How to View This Document.

1. We recommend that the source domain's Password Export Server be a BDC dedicated for this purpose.
2. 128-bit encryption must be installed on any PES.
3. 128-bit encryption must be installed on the machine running ADMT.
4. The Password Export Server installation will not complete without supplying an encryption key created on the ADMT machine. The key must be available on a local drive. This can be a floppy drive or a folder on the local hard drive. Network mapped drives or shares are not allowed. It is recommended that you transport the key via a floppy and either store the floppy in a secure location or format it after the installation.
   a. On the ADMT machine, run ADMT.exe from the command line specifying "key" as the operation to perform. The syntax for this command is:
          ADMT.exe key %Source_Domain_NetBIOSName% %folder%: %Optional Password%
      for example:
          c:\admt.exe key srcdomain a: pswrd
      Type "ADMT.exe key" at the command line for more usage information.
   b. On the Password Export Server, make sure that the key is available on a local drive, either by inserting the floppy disk or copying the key to a local hard drive.
You will be prompted on the Password Export Server for the location of the key during the installation. You will have to provide a matching password if one was given when creating the encryption key on the ADMT machine.

1. The AllowPasswordExport registry value (located in HKLM\SYSTEM\CurrentControlSet\Control\Lsa on the Password Export Server) must be set to "1" to allow ADMT to use that Password Export Server for password migration. You can disable a Password Export Server from supporting password migration by setting that same value to "0".
2. "Everyone" must be added to the "Pre-Windows 2000 Compatible Access" group on the target domain in order for password migration to succeed. If this is not done, ADMT will log an "Access Denied" error. The command line syntax for this is:
       NET LOCALGROUP "Pre-Windows 2000 Compatible Access" Everyone /ADD
   (The Active Directory Users and Computers snap-in will not allow you to add "Everyone" to this group.)
3. Verify permissions on the server object. The PES requires that the "Pre-Windows 2000 Compatible Access" group has "Read All Properties" rights on the following object:
       CN=Server,CN=System,DC=<domain_name>
4. Verify that anonymous access is allowed to domain controllers in the target domain. Open the group policy editor for the domain, and navigate to the following setting:
       Default Domain Controllers Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Additional restrictions for anonymous connections
   Verify that either 'Rely on default permissions' or 'not defined' is selected. If 'No access without explicit anonymous permissions' is selected, password migration to the target domain will fail with "Access Denied".
5. If you are running ADMT on a .NET server, you also have to make sure that the "Let Everyone permissions apply to anonymous users" right has been enabled on that machine, or that the Anonymous Logon user has been added to the Pre-Windows 2000 Compatible Access group.

New Features in ADMT Version 2.0

Scripting and Command Line Interface

Most ADMT operations can now be performed via a scriptable interface or the new command line tool (ADMT.exe). TemplateScript.vbs is a template script that is installed with ADMT and explains most of the interface. For usage help with the command line tool, type "ADMT.exe". The Undo Wizard is one of the more significant wizards not available through these new interfaces. An operation that could be undone when performed through the wizards can still be undone through the Undo Wizard when it was performed through scripting or the command line.

Password Migration

Passwords can now be migrated for inter-forest user migrations. ADMT uses a Password Export Server (PES) in the source domain to perform that migration. See the Password Export Server Installation section for more specifics and requirements.

Migration Log Files

A single log file was used in ADMT v.1 to log migration results and issues. In ADMT v.2, a new log file is created for each migration operation. The most current log file is migration.log. When a new migration is started, the old migration.log file is renamed to migrationxxxx.log, where xxxx is the next available sequence number; the second most current log file is therefore the migrationxxxx.log file with the highest number. ADMT v.2 will only save a specific number of log files. By default, this number is 20.
The number can be changed through the following registry value:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADMT\LogHistory: 20

Credentials Needed for Migration Operations

ADMT v.1 has a hard-coded check that verifies that the account running ADMT is an administrator in both the source and the target domain. ADMT v.2 no longer performs this check itself and leaves it to the operating system.

Note 1: When users are migrated and SIDHistory migration is selected, the underlying API enforces that the user running ADMT is an administrator in the source domain and a domain admin in the target domain. Since this check is enforced by the operating system, domain admin rights for SIDHistory migrations are still needed in ADMT v.2.

Note 2: In Windows .NET, SIDHistory migration can be delegated. The user who migrates accounts with SIDHistory needs appropriate rights in the target Organizational Unit (Create Users), plus the delegated extended right MigrateSIDHistory on the domain object (DC=<domain_name>). When ADMT v.2 runs against a Windows .NET domain controller, domain admin rights for SIDHistory migrations are no longer required.

Note 3: When user passwords are migrated, the user running ADMT must be an administrator in the source domain.

Note 4: For agent-based operations like security translations or computer migrations, local administrator rights are required on the target computer.

SID Mapping Files for Security Translation

ADMT can now perform security translation based on a comma-separated file instead of only on previously migrated objects. Each line of the file has the form "%Source Object%, %Target Object%" followed by a new line. Both objects can take one of two forms: 1) Domain\Username (the domain must be accessible), or 2) the decimal representation of a SID (for example, S-1-5-21-1222312332-327112949-1237804090-1056).
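A validator for the mapping-file format just described, as an added example (not ADMT's own code). The Domain\Username pattern (a NetBIOS name of up to 15 characters, a backslash, an account name) and the duplicate-source check are this example's own, stricter-than-ADMT assumptions; the sample file is constructed, apart from the SID quoted above.

```python
"""Validate an ADMT security-translation SID mapping file before use.

Added example; not ADMT's own code. Each line is "%Source Object%, %Target
Object%", where each object is either Domain\\Username or a SID in its
textual (decimal) form. A malformed line, or one source mapped to two
different targets, is reported so it can be fixed before the file drives
ACL rewrites. Sample domains, SIDs and bad lines below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Textual SID: S-1-<authority>-<subauthority>(-<subauthority>)*
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# NetBIOS domain (max 15 chars), a backslash, then an account name (assumption).
ACCOUNT_RE = re.compile(r'^[^\\/:*?"<>|]{1,15}\\[^\\/:*?"<>|]+$')


@dataclass(frozen=True)
class Mapping:
    source: str
    target: str
    line_no: int


def classify(obj: str) -> str:
    """Return 'sid', 'account' or 'invalid' for one mapping-file object."""
    if SID_RE.match(obj):
        return "sid"
    if ACCOUNT_RE.match(obj):
        return "account"
    return "invalid"


def parse_mapping_file(text: str) -> tuple[list[Mapping], list[str]]:
    """Parse mapping text; return (accepted mappings, error messages)."""
    mappings: list[Mapping] = []
    errors: list[str] = []
    seen: dict[str, str] = {}          # source (lower-cased) -> target
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue                   # blank lines are ignored
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2 or not all(parts):
            errors.append(f"line {line_no}: expected 'source, target'")
            continue
        source, target = parts
        bad = [o for o in (source, target) if classify(o) == "invalid"]
        if bad:
            errors.append(f"line {line_no}: not a SID or Domain\\User: {bad[0]}")
            continue
        key = source.lower()
        if key in seen and seen[key].lower() != target.lower():
            errors.append(f"line {line_no}: {source} already mapped to {seen[key]}")
            continue
        seen[key] = target
        mappings.append(Mapping(source, target, line_no))
    return mappings, errors


# Constructed sample file: lines 4-6 are deliberately wrong.
SAMPLE = """\
HB-ACCT-WC\\Bob, HAY-BUV\\Bob
S-1-5-21-1222312332-327112949-1237804090-1056, HAY-BUV\\Writers
HB-ACCT-WC\\Alice, S-1-5-21-1222312332-327112949-1237804090-2001
HB-ACCT-WC\\Bob, HAY-BUV\\Robert
S-1-5-21-bad, HAY-BUV\\Editors
just-one-field
"""

if __name__ == "__main__":
    accepted, problems = parse_mapping_file(SAMPLE)
    for m in accepted:
        print(f"line {m.line_no}: {m.source} -> {m.target}")
    for p in problems:
        print("ERROR", p)
```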
The Account Reference report has been modified to include an object SID in decimal form and can be used to help build this mapping file. The Windows 2000 version of LDP.exe does not display the full SID in decimal form; this has been fixed in the Windows .NET version of LDP.exe.

Attribute Exclusion

For inter-forest migrations, a list of attributes can be defined that will be excluded in a user, group, or computer migration. There are three lists of attributes:
• Attributes always excluded by the system
• Attributes in the system exclusion list
• Attributes that can be excluded by the administrator

Attributes Always Excluded by the System

These attributes will always be excluded by ADMT. This is done to protect system-owned attributes and cannot be configured. The attributes are:
• Object GUID
• Object SID (but can be written to the SIDHistory)
• pwdLastSet
• userPassword (can be migrated by ADMT)
• isCriticalSystemObject
• LegacyExchangeDN

System Attribute Exclusion List

ADMT stores a system attribute exclusion list in its database. Attributes in this list are excluded from migration operations even if the attribute is not specified in the attribute exclusion list. The list can be changed by the administrator through any scripting language using the ADMT scripting interface. This is done to protect attributes that server-based applications, like Exchange, need in order to work. By default, the following attributes are members of the system attribute exclusion list:
• Mail
• proxyAddresses

The following is an example of a script that can be used to reset the System Attribute Exclusion list to contain the attributes "Mail", "proxyAddresses" and "description":

    Set objMigration = CreateObject("ADMT.Migration")
    objMigration.SystemPropertiesToExclude = "description,mail,proxyAddresses"

Attribute Exclusion List

This is a list of attributes that the administrator defines for every single migration.
The UI can be used to display and select the attributes. The UI keeps state information; in other words, if an attribute is added to the exclusion list, the UI will add it to the list at the next migration by default. Scripting and the command line have no state information: the attributes must be defined for every single migration operation, either through the attribute name or through an option file. However, if an attribute exclusion list is used through the command line or scripting interface, the state information used by the UI is updated with the contents of that list.

Agent Credentials

Agent dispatch credentials are no longer required. Previously, ADMT prompted the user for credentials used by the agent to report its results back to ADMT. Due to a change in the architecture of the agents, the computer running ADMT now retrieves results from the agents. Therefore, credentials are no longer required.

Skip Membership Restoration

A "Fix Membership" option has been added to the User and Group Migration Wizards so that performance can be vastly improved if group membership reconstruction is not needed.

Decommission Source Domains

During security translation, ADMT v.1 has to communicate with the source domain of the account that is referenced on an ACL. If the source domain is decommissioned, the security translation fails. In ADMT v.2, all necessary information is stored in the database. Therefore, the source domains can be decommissioned, and security translations will still work.

If ADMT v.2 is installed as an update of ADMT v.1, ADMT v.2 will have to update the database to a new format. ADMT v.2 will also have to add information to the database to make this feature work. If an ADMT v.1 database is upgraded, ADMT v.2 will perform the following operations:
• Prompt the user that ADMT v.2 will attempt to contact all source domains from which objects had been migrated using ADMT v.1. The administrator can then configure which domains should be excluded.
• Contact the domain and retrieve the necessary information.

This process will only happen when ADMT v.2 is run for the first time. Should a source domain controller not be online at the time when ADMT v.2 is run for the first time, the information can be added later. This is done by migrating an object from the source domain to any target domain once a domain controller is online again. This can also be a test migration only. If one migration or test run succeeds, the database is updated, and domain controllers from the source domain will no longer be needed for subsequent operations.

Known Issues

ADMT

Operating ADMT in a NetBIOS-less Environment Is Not Supported

ADMT requires NetBIOS name resolution for all migration operations. This issue will be addressed in a later version of ADMT.

If Install Path Is Empty, Installation Wizard Shuts Down

If the user changes the default installation path to an empty path and then clicks Browse, the installation wizard will present a dialog box with "Error 2343" and then shut down. This issue will be addressed in a later version of ADMT.

User Migration

This section describes known issues related to migrating users with this version of Active Directory Migration Tool.

Replaces Special Characters when Migrating Account Names

ADMT replaces the following characters with an underscore character ('_') in the pre-Windows 2000 name (SAM Account Name) and User Principal Name:
    " * + , / : ; < = > ? [ \ ] |
The period character ('.') is replaced with an underscore character ('_') if it is the last character of the name.

List of Characters Not Allowed as a Prefix/Suffix

The following table lists the characters not allowed in a prefix or suffix. The SAM column indicates characters that are invalid in a SAM account name. The DN column indicates characters that need escaping in a distinguished name and/or a canonical name and/or an ADsPath.
    Character  SAM  DN
    "          X    X
    #          -    X
    $          X in one column (which one was lost in extraction)
    *          X    -
    +          X    X
    ,          X    X
    .          X in one column (which one was lost in extraction)
    /          X    X
    :          X    -
    ;          X    X
    <          X    X
    =          X    X
    >          X    X
    ?          X    -
    [          X    -
    \          X    X
    ]          X    -
    |          X    -

Clicking Stop on the Migration Progress Page of the User Migration Wizard Does Not Pause the Operation

When you click Stop on the Migration Progress page of the User Migration Wizard, it does not pause the user migration operation even though the verification message is displayed. This will be addressed in a future release.

Re-migrating Previously Migrated Users Updates the Group Membership of the Target User Account

When you use the User Migration Wizard with the Replace conflicting accounts option to migrate a user who has been previously migrated, any new groups that the source account has subsequently been added to will be appended to the original group membership of the user.

Example: Bob is a user in the domain HB-ACCT-WC. He is a member of the group HB-ACCT-WC\Writers and is migrated along with the Writers and Editors groups to the target domain hay-buv.tld (NetBIOS name HAY-BUV). After the first migration, the following occurs:
1) HB-ACCT-WC\Bob is added to HB-ACCT-WC\Editors
2) HAY-BUV\Bob is added to HAY-BUV\TechEditors
Upon remigration, HAY-BUV\Bob will be a member of HAY-BUV\Writers, HAY-BUV\Editors, and HAY-BUV\TechEditors. This behavior is by design. If this behavior is not desired and you want to completely reset the target account to be a member of only the source user's groups, you must delete the target domain user and migrate the source user again.

[...]

Active Directory Migration Tool Migration Database

This section describes a known issue related to the Active Directory Migration Tool migration database.

Single Use

State information that is critical to the proper operation of Active Directory Migration Tool is stored in a Microsoft Access database named Protar.mdb. This database is installed in the same directory ...
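The character-replacement rule and the prefix/suffix table above, implemented together as an added example (not ADMT's own code). It assumes the rules apply to prefix, name and suffix as one string, and adds a collision check, because distinct source names such as bob/smith and bob:smith both become bob_smith after rewriting; the sample names are constructed.

```python
"""Preview how ADMT rewrites account names and check prefix/suffix choices.

Added example; not ADMT's own code. It implements the two rules from the
release notes: the listed characters become '_' in the SAM account name
and UPN, a trailing '.' becomes '_', and a prefix or suffix may not contain
any character from the "not allowed" table. Rewriting can make two distinct
source accounts collapse onto one target name, so find_collisions() reports
that before the migration runs. Sample names are constructed.
"""
from __future__ import annotations

# Characters ADMT replaces with '_' in sAMAccountName and UPN.
SAM_INVALID = frozenset('"*+,/:;<=>?[\\]|')
# Every character in the prefix/suffix table (SAM-invalid plus '#', '$', '.').
AFFIX_FORBIDDEN = SAM_INVALID | frozenset("#$.")


def admt_sam_name(name: str) -> str:
    """Return the name as ADMT writes it to the target account."""
    out = "".join("_" if ch in SAM_INVALID else ch for ch in name)
    if out.endswith("."):
        out = out[:-1] + "_"          # only a trailing period is replaced
    return out


def check_affix(affix: str) -> list[str]:
    """Return the characters in a prefix/suffix that ADMT will not accept."""
    return sorted({ch for ch in affix if ch in AFFIX_FORBIDDEN})


def preview_target_name(sam: str, prefix: str = "", suffix: str = "") -> str:
    """Preview the target SAM name of one account, rejecting a bad affix.

    Assumption: prefix + name + suffix is rewritten as a single string.
    """
    bad = check_affix(prefix + suffix)
    if bad:
        raise ValueError(f"prefix/suffix contains forbidden characters: {bad}")
    return admt_sam_name(prefix + sam + suffix)


def find_collisions(source_names: list[str]) -> dict[str, list[str]]:
    """Group source names whose rewritten target names collide.

    sAMAccountName comparison is case-insensitive, so the grouping key is
    the lower-cased rewritten name.
    """
    groups: dict[str, list[str]] = {}
    for name in source_names:
        groups.setdefault(admt_sam_name(name).lower(), []).append(name)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample: four source accounts, two of which collide.
    for name in ["bob/smith", "Bob:Smith", "alice.", "c.jones"]:
        print(f"{name!r:12} -> {admt_sam_name(name)!r}")
    print("collisions:", find_collisions(["bob/smith", "Bob:Smith", "alice."]))
    print("bad affix chars in 'hb-acct/':", check_affix("hb-acct/"))
```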
... Profile Migration

This section describes a known issue related to migrating user profiles with this version of Active Directory Migration Tool.

Active Directory Migration Tool Remote Agent Service Reports That the User Profile Is Locked During Profile Migration When User Is Logged Off

If you deploy the Active Directory Migration Tool remote agent service on a remote computer as part of a user profile migration, ...

... version of Active Directory Migration Tool.

Help Window Always Stays on Top

In any ADMT wizard, when the "Help" button is pressed and the help window appears, if the user activates the wizard window again, the help window will stay in the foreground. This issue will be addressed in a later version of ADMT.

Active Directory Migration Tool Remote Agent Service

This section describes a known issue related to the Active Directory Migration Tool remote agent shipped with this version of Active Directory Migration Tool.

The Agent Does NOT Quit upon the Early Termination of the Command Line Tool or VBScript

If you CTRL+C or terminate the program early, the agent process will not stop. The process must ...

... prevented from successfully joining the target domain.

Intermittent Failure of the Active Directory Migration Tool Remote Agent Service

There have been reported instances of the Active Directory Migration Tool remote agent service failing to stop or uninstall itself when the service is deployed on a remote computer as part of computer migration, security translation, or service account identification and a failure ...
... ADMT.

Computer Migration

This section describes known issues related to migrating computers with this version of Active Directory Migration Tool.

Intra-forest Computer Migration Does Not Disable the Computer Account in the Source Domain

After an intra-forest computer migration, the migrated computer's source domain account is not disabled or deleted. As a workaround, you can write a simple ...

... it is recommended that you migrate the objects affected using the Group Migration Wizard.

Service Account Migration

This section describes known issues related to migrating service accounts with this version of Active Directory Migration Tool.

Service Account Migration Wizard Has Hidden "Service Account" Column

The Service Account Migration Wizard displays a list of service accounts. The "Service" column ...

... Trust Migration

This section describes known issues related to migrating trusts with this version of Active Directory Migration Tool.

Trust Migration Wizard Does Not Verify Existing Trusts

If a domain is listed as a trusted domain on the source and the target domains, the Trust Migration Wizard will not allow the creation of that trust, even if the trust is broken in any way. Only use the Trust Migration ...

... Active Directory Migration Tool operations to another computer. If, after performing some migration operations, it is decided to run the tool on another computer, Protar.mdb and Scmdata.txt should be copied from the original computer to that new computer.

2) Reinstalling Active Directory Migration Tool

Before reinstalling or upgrading over an existing installation from which some migration operations have ...
... saved database over the new version.

3) Do Not Run Multiple Instances of Active Directory Migration Tool at Any One Time

Currently, the tool is not designed to support simultaneous operations, so you should not run multiple instances of the tool at the same time. It is possible to have two installations of the tool carrying out migrations, but it requires disciplined practices to keep the databases manually ...

Posted: 24/01/2014, 19:20
