This article describes how to use a security identifier (SID) mapping file to perform a resource domain migration to Microsoft Windows Server 2003. Specifically, it describes how to generate a SID mapping file for security translations when the following conditions are true:
- You have completed an account domain migration from a migration workstation where you have installed the Active Directory Migration Tool (ADMT).
Note The migration workstation in this scenario is a master workstation.
- Your resource domain is across a wide area network (WAN) link, and you want to migrate this domain by using other workstations that are local to the resource domain.
When you perform a resource domain migration to Windows Server 2003, you must run the Security Translation Wizard to translate the security information about resources from the source domain to the target domain. If you must perform the migration from workstations other than the master workstation to correctly translate the security principals on various resources, you must either copy the Protar.mdb database from the master workstation to the alternative workstations or use a SID mapping file.
The Protar.mdb database resides in the installation folder of the ADMT tool. By default, this is the following folder:
C:\Program Files\Active Directory Migration Tool
This database contains a complete list of the migrated objects, including the source and the target SIDs of objects.
During the security translation process, the ADMT references the database to determine the security principals that must be modified. It is a best practice to perform the migration from a single workstation where the Active Directory Migration Tool (ADMT) is installed so that the program can access the Protar.mdb database.
However, if you must perform the migration from alternative workstations, make sure that you copy the Protar.mdb database from the master migration workstation to the alternative workstations. Additionally, if you copy the Protar.mdb database from the master workstation to the alternative workstations, make sure that you first follow these steps:
- Make sure that both the source and the target computers are running ADMT version 2.
- Back up the existing Protar.mdb database on the target workstations before you copy the master database.
- Copy the Protar.mdb database from the installation folder of the ADMT tool on the master workstation to the installation folder of the ADMT tool on the target workstations.
If WAN bandwidth limitations make it inconvenient to copy the database, you must generate a SID mapping file on the master migration workstation and then copy this to the alternative workstations. This SID mapping file is used by the Security Translation Wizard.
The SID mapping file is a comma separated values (CSV)-formatted file. In the SID mapping file, specify first the source SID and then the target SID, separating each SID value by a comma. If the account domains are accessible, you can specify the source and the target account names and then separate them by a comma instead of specifying the source and the target SIDs. To specify the account names, use the following format:
For example, to generate a SID mapping file on the master migration workstation by using Microsoft Visual Basic Scripting Edition (VBScript), follow these steps:
- Connect to the Protar.mdb database, and then retrieve the recordset:
Note "C:\Program Files\Active Directory Migration Tool\Protar.mdb" represents the default path of the Protar database, and “rs” is the recordset. Also, the ADMT installation path can be determined by querying the HKEY_LOCAL_MACHINE\Software\Microsoft\ADMT\Directory registry subkey.
Set objConnection = CreateObject("ADODB.Connection")objConnection.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Program Files\Active Directory Migration Tool\Protar.mdb"Set rs= CreateObject("ADODB.RecordSet")Set rs = objConnection.Execute ("Select * FROM [MigratedObjects]")
- Create a new SID mapping file to write the contents of the recordset to:
Note "Sidmapping.txt" is the file where the SID records will be written.
Set fso = CreateObject("Scripting.FileSystemObject")Set fo = fso.OpenTextFile("sidMapping.txt", 2, True)
- Move through the recordset, and then write the source SID and the target SID to the SID mapping file:
Do while not rs.EOFfo.write rs("SourceDomainSid") & "-" & rs("SourceRid") & "," & rs("TargetDomain") & "\" & rs("TargetSamName") & vbcrlfrs.MoveNextloop
Now you can copy the SID mapping file, SidMapping.txt, to the alternative workstations and use it in the security translation process.
For more information about the ADMT utility, click the following article numbers to view the articles in the Microsoft Knowledge Base:
How to set up ADMT for Windows NT 4.0 to Windows 2000 migration
How to use Active Directory Migration Tool Version 2 to migrate from Windows 2000 to Windows Server 2003