How to Set Up Windows Server 2016 Active Directory Migration

Migrating an Active Directory environment is one of the most consequential infrastructure tasks an administrator can undertake. Whether you are consolidating domains after a merger, upgrading a forest functional level, or moving resources from a legacy environment to a new one, a structured migration plan minimises downtime and prevents data loss. Windows Server 2016 includes native tools and integrates with the Active Directory Migration Tool (ADMT) to facilitate both intra-forest and inter-forest migrations.

This tutorial walks through the key stages of an AD migration: preparation, domain controller deployment, object migration with ADMT, and decommissioning legacy infrastructure.

Phase 1 – Pre-Migration Assessment

Begin by documenting the source environment. Capture the domain and forest functional levels, the number and roles of domain controllers, trust relationships, DNS configuration, and all FSMO role holders.

Get-ADForest | Select-Object Name, ForestMode, SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object Name, DomainMode, PDCEmulator, RIDMaster, InfrastructureMaster

Inventory all user accounts, computer accounts, and groups:

Get-ADUser -Filter * | Measure-Object
Get-ADComputer -Filter * | Measure-Object
Get-ADGroup -Filter * | Measure-Object

Review Group Policy Objects, application service accounts, and any schema extensions that need to be replicated to the target forest before objects can be moved.

Phase 2 – Deploying the Target Domain Controllers

Install the AD DS role on the target Windows Server 2016 machine:

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

If creating a new forest:

Install-ADDSForest `
    -DomainName "target.contoso.com" `
    -DomainNetbiosName "TARGET" `
    -ForestMode "WinThreshold" `
    -DomainMode "WinThreshold" `
    -InstallDns `
    -Force

If adding a domain controller to an existing forest:

Install-ADDSDomainController `
    -DomainName "contoso.com" `
    -InstallDns `
    -Credential (Get-Credential) `
    -Force

Phase 3 – Establishing a Trust

For inter-forest migrations, create a two-way forest trust between the source and target domains so that ADMT can access both environments and SID History can be migrated. Note that SID filtering is enabled by default on a forest trust and strips SID History entries from cross-forest access tokens; migrated users can only reach source-forest resources through their old SIDs while it is relaxed on the trust (netdom trust ... /enablesidhistory:yes), and it should be re-enabled as soon as the migration is complete:

netdom trust source.local /domain:target.contoso.com /twoway /add /passwordt:TrustPassword123!

Enable SID History migration on the source domain by setting the TcpipClientSupport registry value on the source PDC emulator (a reboot is required for it to take effect) and ensuring account management auditing is active on the source domain controller:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v TcpipClientSupport /t REG_DWORD /d 1 /f

Phase 4 – Installing and Running ADMT

Download ADMT 3.2 from the Microsoft Download Center and install it on a member server in the target domain. ADMT requires SQL Server (or SQL Server Express) for its database. After installation, open the ADMT console to begin migrating objects.

To migrate user accounts via the command line (useful for scripting large batches):

admt user /N source.local /D target.contoso.com /SD source.local /TD target.contoso.com `
    /UF C:\migration\users.txt /PF C:\migration\passwords.txt /SO /MH TRUE

Migrate security groups:

admt group /N source.local /D target.contoso.com /SD source.local /TD target.contoso.com `
    /GF C:\migration\groups.txt /MH TRUE

Migrate computer accounts (this also dispatches the ADMT agent to each computer being migrated to update group memberships and local profiles before the machine is joined to the target domain):

admt computer /N source.local /D target.contoso.com /SD source.local /TD target.contoso.com `
    /CF C:\migration\computers.txt /TO target_ou_dn /RO

Phase 5 – Verifying Migrated Objects

After migration, verify that accounts exist in the target domain and retain SID History:

Get-ADUser -Identity jsmith -Properties SIDHistory | Select-Object Name, SID, SIDHistory

Confirm group memberships transferred correctly:

Get-ADPrincipalGroupMembership -Identity jsmith | Select-Object Name, SID
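Checking one account at a time does not scale to a batch migration. The following script is an added example, not part of the original tutorial, that runs the two checks above over the whole user list: it confirms each account exists in the target, that its SID History carries the source SID, and that no group memberships were lost. It assumes the ActiveDirectory module, read access to both domains over the trust, and a users.txt with one sAMAccountName per line; the domain names, file paths and the Test-MigratedUser function name are assumptions.

```powershell
# Added example (not from the original tutorial): batch verification of migrated users.
# Assumes: ActiveDirectory module, read access to both domains, users.txt with one
# sAMAccountName per line (same list format the ADMT step uses).
param(
    [string]$SourceDomain = "source.local",
    [string]$TargetDomain = "target.contoso.com",
    [string]$UserFile     = "C:\migration\users.txt"
)
Import-Module ActiveDirectory

function Test-MigratedUser {
    param([string]$SamAccountName)

    $result = [ordered]@{
        User          = $SamAccountName
        InTarget      = $false
        SidHistoryOk  = $false
        MissingGroups = @()
    }

    $src = Get-ADUser -Identity $SamAccountName -Server $SourceDomain -ErrorAction SilentlyContinue
    $tgt = Get-ADUser -Identity $SamAccountName -Server $TargetDomain -Properties SIDHistory -ErrorAction SilentlyContinue
    if (-not $src -or -not $tgt) { return [pscustomobject]$result }
    $result.InTarget = $true

    # SID History must contain the *source* SID; otherwise ACLs keyed on the old SID stop resolving.
    $historySids = @($tgt.SIDHistory | ForEach-Object { $_.Value })
    $result.SidHistoryOk = $historySids -contains $src.SID.Value

    # Compare group membership by name; groups that were not migrated show up as missing.
    $srcGroups = Get-ADPrincipalGroupMembership -Identity $src -Server $SourceDomain | Select-Object -ExpandProperty Name
    $tgtGroups = Get-ADPrincipalGroupMembership -Identity $tgt -Server $TargetDomain | Select-Object -ExpandProperty Name
    $result.MissingGroups = @($srcGroups | Where-Object { $tgtGroups -notcontains $_ })

    return [pscustomobject]$result
}

$report = Get-Content $UserFile | Where-Object { $_.Trim() } | ForEach-Object { Test-MigratedUser $_.Trim() }
$report | Format-Table -AutoSize

# Keep a record of every account that needs attention before the source domain is decommissioned.
$report | Where-Object { -not $_.InTarget -or -not $_.SidHistoryOk -or $_.MissingGroups.Count -gt 0 } |
    Export-Csv -Path "C:\migration\verify-failures.csv" -NoTypeInformation
```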

Phase 6 – Seizing FSMO Roles and Decommissioning

Transfer FSMO roles to the new domain controllers gracefully while the source controllers are still online (add -Force to seize a role only when its current holder is permanently offline; the forest-wide SchemaMaster and DomainNamingMaster roles are transferred the same way):

Move-ADDirectoryServerOperationMasterRole -Identity "NewDC01" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster

Once all resources are confirmed operational in the target domain, demote and decommission the source domain controllers one at a time; the -LastDomainControllerInDomain switch is used only on the final controller, when the source domain itself is being removed:

Uninstall-ADDSDomainController -LastDomainControllerInDomain -RemoveApplicationPartitions -Force

Finally, remove the trust relationship after all authentication is flowing through the target forest and all SID History dependencies have been confirmed resolved.