This article was previously published under Q260871
This article has been archived. It is offered "as is" and will no longer be updated.
You can use the Active Directory Migration tool (ADMT) to migrate users, groups, and computers from one domain to another. This article describes how to set up ADMT to perform a migration from a Microsoft Windows NT 4.0-based domain to a Microsoft Windows 2000-based domain.
You can also use the information in this article to set up ADMT to perform a migration from a Windows 2000-based domain to a Windows 2000-based domain in a separate forest.
This article assumes that the source domain is running either Windows NT 4.0 Service Pack 6a or Windows 2000, and that the target domain is a Windows 2000-based domain in Native mode.
The Active Directory Migration Tool version 2 (ADMTv2) installs and runs correctly on any Windows 2000 Professional-based (or later) client or server computer. However, it is often best to install and run ADMTv2 on the console of a domain controller in the destination domain. The primary considerations when you decide which computer should host ADMTv2 are:
Reliable RPC connectivity between the destination computer and the source domain or domains.
No more than one instance of ADMT should be installed for the same migration project. The migration database (Protar.mdb) is not a replicated data store, so running ADMTv2 migration tasks from multiple nodes during the same project may result in invalid or inconsistent data when post-migration reports are generated.
Certain migration tasks may require additional configuration to succeed.
To download ADMT version 2.0, visit the following Microsoft Web site:
Configure the source domain to trust the target domain.
Configure the target domain to trust the source domain.
Add the Domain Admins global group from the source domain to the Administrators local group in the target domain.
Add the Domain Admins global group from the target domain to the Administrators local group in the source domain.
Create a new local group in the source domain called Source Domain$$$ (this group should have no members).
Enable auditing for the success and failure of user and group management on the source domain.
Enable auditing for the success and failure of Audit account management on the target domain in the Default Domain Controllers policy.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
On the primary domain controller (PDC) in the source domain, add the TcpipClientSupport:REG_DWORD:0x1 value under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA.
You must restart the computer to apply this registry change.
If you are performing a migration from a Windows 2000-based domain, add the registry entry to the domain controller in the source domain that hosts the PDC emulator operations master role. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
234790 How to find servers that hold Flexible Single Master Operations roles
Administrative shares must exist on the domain controller (DC) in the target domain on which you run ADMT, as well as on any computers on which an agent will be dispatched.
You must log on to the computer on which you run ADMT with an account that has the following rights:
Domain Administrator rights in the target domain
Is a member of the Administrators group in the source domain
Administrator rights on each computer you migrate
Administrator rights on each computer on which you translate security
Therefore, logging into the PDC that is the FSMO role holder in the target domain with the source domain\Administrator account suffices, assuming that the source domain\Domain Administrators group belongs to each computer's Administrators group.
For more information about how to use ADMT to migrate from a Windows 2000-based domain to a Microsoft Windows Server 2003-based domain, click the following article number to view the article in the Microsoft Knowledge Base:
326480 How to use Active Directory Migration Tool version 2 to migrate from Windows 2000 to Windows Server 2003