How to Set Up Windows Server 2019 Active Directory Migration

Migrating Active Directory involves moving objects — users, groups, computers, and policies — from one domain or forest to another, or upgrading an existing AD infrastructure to Windows Server 2019 domain controllers. The primary Microsoft tool for cross-domain and cross-forest migrations is the Active Directory Migration Tool (ADMT). This guide covers the complete process of migrating Active Directory using ADMT on Windows Server 2019, including domain consolidation, inter-forest migration, and upgrading existing domain controllers.

Migration Planning Considerations

Before starting any migration, thoroughly assess the source environment. Document all OUs, GPOs, group memberships, trusts, and service accounts. Identify applications that use Kerberos or NTLM and will be affected by SID changes. Determine whether you need SID history to maintain access to resources during the transition period. Audit the source domain’s health:

dcdiag /test:all /s:sourcedc.source.local /v > C:\Premigration\dcdiag-source.txt
repadmin /showrepl sourcedc.source.local > C:\Premigration\repadmin-source.txt
repadmin /replsummary > C:\Premigration\replsummary.txt
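The inventory called for above (OUs, GPOs, trusts, groups, service accounts) can be exported in one pass. This is an added example, not part of the original guide; it assumes the RSAT ActiveDirectory and GroupPolicy modules and reuses the guide's sourcedc.source.local and C:\Premigration names, while the CSV file names are illustrative.

```powershell
# Added example (not from the original guide): pre-migration inventory export.
# Assumptions: RSAT ActiveDirectory and GroupPolicy modules are installed; the
# DC/domain names and C:\Premigration folder are the ones used in this guide.
Import-Module ActiveDirectory, GroupPolicy

$server = 'sourcedc.source.local'
$domain = 'source.local'
$out    = 'C:\Premigration'
New-Item -ItemType Directory -Path $out -Force | Out-Null

# OU structure
Get-ADOrganizationalUnit -Filter * -Server $server |
    Select-Object Name, DistinguishedName |
    Export-Csv "$out\ous.csv" -NoTypeInformation

# GPOs (the settings themselves can be captured separately with Backup-GPO)
Get-GPO -All -Domain $domain -Server $server |
    Select-Object DisplayName, Id, GpoStatus, ModificationTime |
    Export-Csv "$out\gpos.csv" -NoTypeInformation

# Existing trusts and their SID filtering state
Get-ADTrust -Filter * -Server $server |
    Select-Object Name, Direction, TrustType, SIDFilteringQuarantined |
    Export-Csv "$out\trusts.csv" -NoTypeInformation

# Groups with direct member counts
Get-ADGroup -Filter * -Properties member -Server $server |
    Select-Object SamAccountName, GroupScope, GroupCategory,
        @{ Name = 'MemberCount'; Expression = { @($_.member).Count } } |
    Export-Csv "$out\groups.csv" -NoTypeInformation

# Service accounts: user objects that carry SPNs, so Kerberos clients depend on them
Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Server $server `
        -Properties servicePrincipalName, PasswordLastSet, LastLogonDate |
    Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate,
        @{ Name = 'SPNs'; Expression = { $_.servicePrincipalName -join ';' } } |
    Export-Csv "$out\service-accounts.csv" -NoTypeInformation
```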

Installing ADMT 3.2 on Windows Server 2019

Download ADMT 3.2 from the Microsoft Download Center. ADMT requires Microsoft SQL Server (including the free SQL Server Express) for its database backend. Install SQL Server Express first:

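# The /SAPWD value below is a sample. Substitute a unique, strong SA password
# and keep the real value out of shared scripts and shell history.
Start-Process -FilePath "SQLEXPR_x64_ENU.exe" `
    -ArgumentList "/Q /IACCEPTSQLSERVERLICENSETERMS /ACTION=Install /FEATURES=SQLENGINE /INSTANCENAME=ADMT /TCPENABLED=1 /SECURITYMODE=SQL /SAPWD=ADMTdbP@ss!" `
    -Wait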

Install ADMT:

Start-Process -FilePath "admtsetup32.exe" -Wait
# ADMT will prompt for the SQL Server instance name: .\ADMT

After installation, verify ADMT is accessible:

& "C:\Windows\ADMT\admt.exe" help

Configuring Trusts Between Source and Target Domains

ADMT requires a two-way trust between the source and target domains for inter-forest migrations. Create an external trust from the target domain to the source domain:

netdom trust target.local /domain:source.local /twoway /add /UserO:target\Administrator /PasswordO:* /UserD:source\Administrator /PasswordD:*

Verify the trust is operational:

netdom trust target.local /domain:source.local /verify

Migrating User Accounts with ADMT

Use ADMT to migrate users from the source domain to the target domain. The command-line interface allows scripted migration of large volumes of accounts. Migrate a specific OU of users:

admt user `
    /sdomain:source.local `
    /tdomain:target.local `
    /ou:"OU=MigratedUsers,DC=target,DC=local" `
    /users:"OU=Finance,DC=source,DC=local" `
    /sidhistory:YES `
    /passwordoption:complex `
    /translate:inplace `
    /logfile:"C:\ADMT\Logs\user-migration.log"

Migrate a specific list of users from a text file (one samAccountName per line):

admt user `
    /sdomain:source.local `
    /tdomain:target.local `
    /userfile:"C:\ADMT\Logs\users-to-migrate.txt" `
    /ou:"OU=MigratedUsers,DC=target,DC=local" `
    /sidhistory:YES `
    /passwordoption:complex

Migrating Groups

Migrate security groups including their membership. ADMT handles nested group migration and resolves member references across domains:

admt group `
    /sdomain:source.local `
    /tdomain:target.local `
    /groups:"OU=Groups,DC=source,DC=local" `
    /ou:"OU=MigratedGroups,DC=target,DC=local" `
    /sidhistory:YES `
    /fixmembership:YES `
    /logfile:"C:\ADMT\Logs\group-migration.log"
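Because the user and group migrations above carry SID history, the target domain should be audited afterwards so that every sIDHistory value traces back to the source domain and none maps to a built-in account or group. This is an added example, not part of the original guide; the function name, account names and SIDs are constructed for illustration.

```powershell
# Added example (not from the original guide): audit sIDHistory after migration.
# Test-SidHistoryOrigin is a hypothetical helper; all SIDs below are constructed.
function Test-SidHistoryOrigin {
    [CmdletBinding()]
    param(
        # Object exposing SamAccountName and SIDHistory (e.g. Get-ADUser output)
        [Parameter(Mandatory, ValueFromPipeline)] $InputObject,
        # Domain SID of the legitimate migration source
        [Parameter(Mandatory)]
        [System.Security.Principal.SecurityIdentifier] $SourceDomainSid
    )
    process {
        foreach ($entry in $InputObject.SIDHistory) {
            $sid = [System.Security.Principal.SecurityIdentifier]$entry
            $rid = [uint32]($sid.Value.Split('-')[-1])
            $finding = if ($sid.AccountDomainSid.Value -ne $SourceDomainSid.Value) {
                'UnexpectedDomain'   # history SID was not issued by the source domain
            } elseif ($rid -lt 1000) {
                'WellKnownRid'       # built-in account or group (e.g. 512 = Domain Admins)
            } else {
                'Expected'
            }
            [pscustomobject]@{
                Account    = $InputObject.SamAccountName
                HistorySid = $sid.Value
                Finding    = $finding
            }
        }
    }
}

# Constructed sample data so the check can be exercised without a domain.
$sourceSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';    SIDHistory = @('S-1-5-21-1111111111-2222222222-3333333333-1105') }
    [pscustomobject]@{ SamAccountName = 'svc-app'; SIDHistory = @('S-1-5-21-1111111111-2222222222-3333333333-512') }
    [pscustomobject]@{ SamAccountName = 'temp01';  SIDHistory = @('S-1-5-21-1000000001-1000000002-1000000003-1200') }
)
$sample | Test-SidHistoryOrigin -SourceDomainSid $sourceSid |
    Where-Object Finding -ne 'Expected'

# Live use (assumes the ActiveDirectory module and the guide's domain names):
# $src = (Get-ADDomain -Server source.local).DomainSID
# Get-ADUser -LDAPFilter '(sIDHistory=*)' -Properties SIDHistory -Server target.local |
#     Test-SidHistoryOrigin -SourceDomainSid $src
```

On the sample data this reports svc-app as WellKnownRid and temp01 as UnexpectedDomain; the same pipeline with Get-ADGroup covers migrated groups.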

Migrating Computer Accounts

Computer migration joins the machines to the target domain and optionally translates local profiles:

admt computer `
    /sdomain:source.local `
    /tdomain:target.local `
    /computers:"OU=Workstations,DC=source,DC=local" `
    /ou:"OU=Workstations,DC=target,DC=local" `
    /translateroamingprofile:YES `
    /logfile:"C:\ADMT\Logs\computer-migration.log"

Upgrading Domain Controllers to Windows Server 2019

For in-place forest upgrades (not cross-forest migrations), prepare the forest and domain for Windows Server 2019. On the existing Schema Master, run adprep using the Windows Server 2019 installation media:

D:\Support\adprep\adprep.exe /forestprep

Run domain prep on the Infrastructure Master:

D:\Support\adprep\adprep.exe /domainprep
D:\Support\adprep\adprep.exe /domainprep /gpprep

Promote a Windows Server 2019 server to domain controller:

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

Install-ADDSDomainController `
    -DomainName "contoso.local" `
    -Credential (Get-Credential) `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false `
    -Force:$true

Raising the Domain and Forest Functional Level

After decommissioning all old domain controllers, raise the functional levels to Windows Server 2016 or 2019:

Set-ADDomainMode -Identity contoso.local -DomainMode Windows2016Domain -Confirm:$false
Set-ADForestMode -Identity contoso.local -ForestMode Windows2016Forest -Confirm:$false

Verify the new functional levels:

Get-ADDomain | Select DomainMode
Get-ADForest | Select ForestMode

Active Directory migration is a high-stakes operation requiring meticulous planning, thorough testing in a lab environment, and a well-documented rollback plan. Migrating users with SID history preserves resource access during the transition, while scripted ADMT operations ensure consistency across large migrations. Always communicate with application owners before migrating service accounts and computer objects.