How to Configure Windows Server 2016 Active Directory Migration Tool
The Active Directory Migration Tool (ADMT) is a Microsoft utility used to migrate users, groups, computers, and service accounts between Active Directory domains. In Windows Server 2016 environments, ADMT version 3.2 is the supported release and is commonly used for domain consolidation, domain restructuring, mergers and acquisitions, and forest migrations. ADMT supports both inter-forest migrations (between separate forests) and intra-forest migrations (between domains in the same forest).
ADMT works by copying or moving objects from a source domain to a target domain, optionally preserving SID history to maintain access to resources in the source domain during transition periods. It also includes a Password Export Server (PES) component for migrating user passwords.
Step 1: Plan the Migration
Before running ADMT, complete a thorough planning phase. Document the source and target domain structures, identify dependencies, and establish a migration timeline. Key decisions to record (the example values below are used throughout this guide):
Source Domain: sourcedomain.com
Target Domain: targetdomain.com
Migration Type: Inter-forest (two separate forests)
Objects to Migrate: Users, Groups, Computers
SID History: Required (to maintain resource access)
Password Migration: Required
Rollback Plan: Source accounts remain enabled for 30 days post-migration
Step 2: Establish Prerequisites
ADMT requires specific prerequisites on both the source and target domain controllers. On the target domain, install ADMT 3.2 (download from Microsoft). ADMT also requires SQL Server or SQL Server Express for its database:
# Install SQL Server Express (if not already installed)
# Then install ADMT from the downloaded MSI
msiexec /i ADMT.msi /qb TARGETDIR="C:\ADMT"
Verify ADMT installed correctly:
Get-Service -Name ADMT
Step 3: Configure the Trust Between Domains
ADMT requires a trust relationship between the source and target domains. For inter-forest migrations, create a two-way external trust or forest trust between the domains. Verify the trust is working before proceeding:
netdom trust targetdomain.com /domain:sourcedomain.com /verify
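The following PowerShell, an added example and not part of the original guide, reports the state of the trust from the target side. It assumes the ActiveDirectory RSAT module is installed on the ADMT server and that the trust partner is named sourcedomain.com as above; the SID filtering properties it prints decide whether SID history from the source domain will be honoured across a forest trust, so record them before and after the migration so that filtering can be restored when the migration ends.

```powershell
# Added example (not from the original guide): inspect the trust between
# targetdomain.com and sourcedomain.com as seen from the target domain.
# Assumes the ActiveDirectory module (RSAT) is present on the ADMT server.
Import-Module ActiveDirectory

$trust = Get-ADTrust -Identity "sourcedomain.com" -ErrorAction Stop

[pscustomobject]@{
    Partner                 = $trust.Name
    TrustType               = $trust.TrustType          # Forest or External
    Direction               = $trust.Direction          # Inbound, Outbound or BiDirectional
    ForestTransitive        = $trust.ForestTransitive
    SelectiveAuthentication = $trust.SelectiveAuthentication
    SIDFilteringQuarantined = $trust.SIDFilteringQuarantined   # external trust quarantine
    SIDFilteringForestAware = $trust.SIDFilteringForestAware   # forest trust SID filtering
} | Format-List

# A two-way trust is expected for an inter-forest ADMT migration.
if ($trust.Direction -ne "BiDirectional") {
    Write-Warning "Trust to $($trust.Name) is $($trust.Direction); ADMT expects a two-way trust."
}

# Secure-channel check to the trusted domain (same purpose as netdom /verify).
nltest /sc_verify:sourcedomain.com
```

Run it from an elevated PowerShell session on the ADMT server; a non-zero exit from nltest or a one-way Direction means the trust needs attention before any objects are migrated.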
Step 4: Set Up the Password Export Server
To migrate user passwords, install the Password Export Server (PES) component on a domain controller in the source domain. PES is included with the ADMT download package.
msiexec /i PES.msi /qb
After installing PES, create an encryption key file to secure password transmission between the source PES and the target ADMT server. Run this on the ADMT server in the target domain:
admt key /option:create /sourcedomain:sourcedomain.com `
    /keyfile:C:\ADMT\PESKey.pes /keypassword:*
Copy the key file to the source domain controller and import it on the PES:
admt key /option:restore /sourcedomain:sourcedomain.com `
    /keyfile:C:\PESKey.pes /keypassword:*
Step 5: Configure Source Domain Permissions
For SID history migration, you must configure permissions in the source domain. Open the source domain’s Default Domain Controllers Policy and configure the following audit policy:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit account management: Success, Failure
Also set the following registry value on each source DC to allow SID history migration:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "TcpipClientSupport" -Value 1 -Type DWord
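Because both settings in this step are easy to get half right (the GPO may not have applied yet, or the registry value may have been created as the wrong type), the following check script, an added example that is not part of the original guide, verifies the effective state on the source DC it runs on. It assumes an English-language auditpol output, and the function name Test-AdmtSourcePrereq is an assumption of this example.

```powershell
# Added example (not from the original guide): confirm the source-domain
# prerequisites for SID history migration on the DC this runs on.
# Returns $true only when every check passes. Assumes English auditpol output.
function Test-AdmtSourcePrereq {
    $results = @()

    # 1. TcpipClientSupport must exist as a DWORD set to 1 under the Lsa key.
    $lsaKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
    $lsa    = Get-ItemProperty -Path $lsaKey -ErrorAction Stop
    $value  = $lsa.PSObject.Properties["TcpipClientSupport"]
    $results += [pscustomobject]@{
        Check = "TcpipClientSupport = 1 (DWORD) in $lsaKey"
        Pass  = ($null -ne $value -and $value.Value -is [int] -and $value.Value -eq 1)
    }

    # 2. Effective audit policy: User Account Management must log Success and Failure.
    # auditpol prints lines such as "  User Account Management   Success and Failure".
    $userMgmt = $null
    foreach ($line in (auditpol /get /category:"Account Management" 2>$null)) {
        if ($line -match '^\s*User Account Management\s+(.+?)\s*$') { $userMgmt = $Matches[1] }
    }
    $results += [pscustomobject]@{
        Check = "Audit User Account Management: Success and Failure (found: '$userMgmt')"
        Pass  = ($userMgmt -eq "Success and Failure")
    }

    $results | Format-Table -AutoSize
    return -not ($results.Pass -contains $false)
}

Test-AdmtSourcePrereq
```

If the audit check fails right after editing the Default Domain Controllers Policy, run gpupdate /force on the DC and re-run the check; the script reads the effective policy, not the GPO itself.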
Step 6: Migrate User Accounts Using ADMT
Open the ADMT console from the target domain server. Right-click the ADMT node and select User Account Migration Wizard. Configure the migration settings:
Source Domain: sourcedomain.com
Source Domain Controller: dc01.sourcedomain.com
Target Domain: targetdomain.com
Target Domain Controller: dc01.targetdomain.com
For scripted migrations using the ADMT command-line interface, migrate users from an include file (a text file with one sAMAccountName per line):
# /F names the include file; /PO:COPY copies passwords through the PES given by /PS;
# /MSS:YES migrates SID history (ADMT 3.2 option names).
admt user /F:"C:\ADMT\userlist.txt" /SD:sourcedomain.com /SDC:dc01.sourcedomain.com `
    /TD:targetdomain.com /TDC:dc01.targetdomain.com `
    /TO:"OU=MigratedUsers,DC=targetdomain,DC=com" `
    /PS:dc01.sourcedomain.com /PO:COPY /MSS:YES
Step 7: Migrate Groups
Migrate security groups to maintain access control membership. Use the Group Account Migration Wizard in ADMT or the command line:
# /FGM:YES fixes group membership so already-migrated users are placed in the migrated groups.
admt group /F:"C:\ADMT\grouplist.txt" /SD:sourcedomain.com /TD:targetdomain.com `
    /TO:"OU=MigratedGroups,DC=targetdomain,DC=com" `
    /MSS:YES /FGM:YES
Step 8: Migrate Computer Accounts
Computer account migration is a multi-step process. ADMT first migrates the computer account in Active Directory, then renames and re-joins the computer to the target domain. This requires the ADMT agent to be deployed to each workstation or server being migrated:
# /RBT sets the delay in minutes before each migrated computer restarts to join the target domain.
admt computer /F:"C:\ADMT\computerlist.txt" /SD:sourcedomain.com /TD:targetdomain.com `
    /TO:"OU=MigratedComputers,DC=targetdomain,DC=com" `
    /RBT:5
Step 9: Verify the Migration
After migration, verify that accounts were created correctly in the target domain and that SID history was preserved:
Get-ADUser -Identity "migrateduser" -Properties SidHistory |
Select-Object Name, SID, SidHistory
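Checking one account by hand does not scale to a batch migration, so the following script, an added example that is not part of the original guide, walks every user in the MigratedUsers OU from Step 6 and classifies its SID history: missing, from the wrong domain, not matching the live source account, or carrying a well-known privileged RID that a migrated user account should never have inherited. It assumes the ActiveDirectory module and read access to both domains; the function name Test-MigratedUser and the status labels are assumptions of this example.

```powershell
# Added example (not from the original guide): verify SID history for every user
# ADMT wrote into the target OU and flag anything a reviewer should look at.
# Assumes the ActiveDirectory module and read access to both domains.
Import-Module ActiveDirectory

$targetOu  = "OU=MigratedUsers,DC=targetdomain,DC=com"
$sourceDc  = "dc01.sourcedomain.com"
$sourceSid = (Get-ADDomain -Server $sourceDc).DomainSID.Value

# Well-known RIDs (Administrator, Domain Admins, Domain Controllers,
# Schema Admins, Enterprise Admins) that should not appear in a migrated
# user's SID history; they grant access in the source domain and warrant review.
$privilegedRids = @("500", "512", "516", "518", "519")

function Test-MigratedUser {
    param([Microsoft.ActiveDirectory.Management.ADUser]$User)

    $history = @($User.SIDHistory | ForEach-Object { $_.Value })
    $status  = "OK"

    if ($history.Count -eq 0) {
        $status = "MISSING: no SID history"
    }
    elseif ($history | Where-Object { $_ -notlike "${sourceSid}-*" }) {
        $status = "UNEXPECTED: SID history from a domain other than the source"
    }
    elseif ($history | Where-Object { ($_ -split '-')[-1] -in $privilegedRids }) {
        $status = "REVIEW: SID history contains a well-known privileged RID"
    }
    else {
        # Cross-check against the live source account (still enabled per the rollback plan).
        $src = Get-ADUser -Server $sourceDc -Identity $User.SamAccountName -ErrorAction SilentlyContinue
        if (-not $src) {
            $status = "REVIEW: no matching source account"
        }
        elseif ($history -notcontains $src.SID.Value) {
            $status = "MISMATCH: SID history does not contain the source account SID"
        }
    }

    [pscustomobject]@{
        User       = $User.SamAccountName
        SIDHistory = ($history -join ";")
        Status     = $status
    }
}

Get-ADUser -SearchBase $targetOu -Filter * -Properties SIDHistory |
    ForEach-Object { Test-MigratedUser $_ } |
    Sort-Object Status |
    Format-Table -AutoSize
```

Rows marked MISSING usually mean the account was migrated with SID history disabled or the Step 5 prerequisites were not met at migration time; REVIEW and UNEXPECTED rows should be resolved before the 30-day rollback window in Step 1 closes and SID history is eventually cleaned up.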
ADMT provides a structured and reliable approach to Active Directory migrations in Windows Server 2016 environments. By carefully planning the migration, testing in a non-production environment first, and following a phased rollout approach, organizations can migrate between domains with minimal disruption to end users and services.