How to Use the Active Directory Migration Tool on Windows Server 2012 R2

The Active Directory Migration Tool (ADMT) is a Microsoft-provided utility for migrating and restructuring Active Directory objects between domains and forests. Common ADMT use cases include domain consolidation, forest restructuring after mergers or acquisitions, migrating from an older AD domain to a new Windows Server 2012 R2 domain, and splitting a large domain into multiple smaller domains. ADMT version 3.2 is the current release compatible with Windows Server 2012 R2 and supports migrating users, groups, computers, service accounts, trusts, and permissions. This guide covers ADMT installation, preparation, and the key migration workflows.

Prerequisites

Before using ADMT, ensure the following are in place:

- ADMT 3.2 is installed on a domain controller or member server in the target domain.
- A backend database is available: either SQL Server 2012 Express (included with ADMT) or a full SQL Server instance.
- A two-way trust exists between the source and target domains, or ADMT is run with explicit credentials for the other domain.
- The account running ADMT has Domain Admin rights in both the source and target domains.
- SID History migration is enabled in the source domain (required if SID History is migrated to preserve resource access).
- Both the source and target domains are at the Windows Server 2003 domain functional level or higher.

Installing ADMT 3.2

# Download ADMT 3.2 from Microsoft
# https://www.microsoft.com/en-us/download/details.aspx?id=56570
# Install SQL Server Express as the backend database (if no SQL Server instance is available)

# Install SQL Server 2012 Express LocalDB (included with the ADMT installer)
# Or specify an existing SQL Server instance during ADMT setup

# Verify the ADMT installation (ADMT installs under %SystemRoot%\ADMT by default)
Get-Item "$env:SystemRoot\ADMT\ADMT.exe"

Preparing the Source Domain

Several configuration changes are required in the source domain before migration:

# Enable SID History migration in the source domain
# ADMT relies on an empty domain local group in the source domain, plus the TcpipClientSupport
# registry value (DWORD = 1) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa on the source PDC emulator,
# to permit SID History writes from the target domain

# On the source domain controller, enable auditing for account management
# (Required by ADMT for the SID migration process; enable it in the target domain as well)
# "Account Management" is an audit category, so it is selected with /category, not /subcategory
auditpol /set /category:"Account Management" /success:enable /failure:enable

# Create the required local group in the SOURCE domain
# ADMT looks for a domain local group named <SourceDomainNetBIOSName>$$$ (for example SOURCE$$$)
# that has no members. ADMT offers to create it during the first migration that writes SID History
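The following script is an added example (not part of the original guide) that applies the three source-domain prerequisites just described and then reports whether each one is in place, which is the check worth running before the first SID History migration. The domain names are assumptions, the PDC emulator and NetBIOS name are read from the domain, and the script assumes WinRM access to the source PDC emulator and the ActiveDirectory PowerShell module.

```powershell
# Added example: prepare the SOURCE domain for ADMT SID History migration and verify it.
# Run as a Domain Admin of the source domain. Domain names below are assumptions.
Import-Module ActiveDirectory

$SourceDomain = "source.com"        # assumed source DNS name
$TargetDomain = "contoso.com"       # assumed target DNS name (only used for the report)

# NetBIOS name and PDC emulator of the source domain are needed for the group name
# and for the registry/audit settings respectively.
$src = Get-ADDomain -Server $SourceDomain
$groupName = "$($src.NetBIOSName)`$`$`$"    # e.g. SOURCE$$$ - ADMT checks for exactly this name

# 1. Account management auditing (success and failure) on the source PDC emulator.
#    Run the same auditpol line on a target domain controller as well.
# 2. TcpipClientSupport = 1 on the source PDC emulator, which ADMT requires for SID History writes.
Invoke-Command -ComputerName $src.PDCEmulator -ScriptBlock {
    auditpol /set /category:"Account Management" /success:enable /failure:enable | Out-Null
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
        -Name TcpipClientSupport -Value 1 -Type DWord
}

# 3. The empty <NetBIOS>$$$ domain local group in the source domain.
$grp = Get-ADGroup -Server $SourceDomain -LDAPFilter "(sAMAccountName=$groupName)"
if (-not $grp) {
    $grp = New-ADGroup -Server $SourceDomain -Name $groupName -GroupScope DomainLocal `
        -Description "ADMT SID History control group - must stay empty" -PassThru
}

# Verification: anything that is false or not 1 here will make the SID History write fail.
$members = @(Get-ADGroupMember -Server $SourceDomain -Identity $grp)
$tcpip = Invoke-Command -ComputerName $src.PDCEmulator -ScriptBlock {
    (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa").TcpipClientSupport
}
$audit = Invoke-Command -ComputerName $src.PDCEmulator -ScriptBlock {
    auditpol /get /category:"Account Management"
}

[pscustomobject]@{
    SourceNetBIOS       = $src.NetBIOSName
    TargetDomain        = $TargetDomain
    PDCEmulator         = $src.PDCEmulator
    ControlGroup        = $grp.DistinguishedName
    ControlGroupIsEmpty = ($members.Count -eq 0)    # ADMT refuses SID History if this is false
    TcpipClientSupport  = $tcpip                    # must be 1
    AuditedSubcategories = ($audit | Select-String 'Success and Failure').Count
} | Format-List
```

The group must stay empty for the whole migration; ADMT checks its membership at run time, and a non-empty group is one of the more common causes of a failed SID History write.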

Migrating User Accounts

The ADMT GUI wizard or command-line interface can be used to migrate users. The command-line approach is better for large-scale migrations:

# ADMT command-line syntax for user migration
# Run from the ADMT server in the target domain, logged on with an account that has rights in
# both domains: ADMT uses the logged-on credentials and has no username/password switches
# Switches are the ADMT 3.2 short forms (/SD = /SourceDomain, /TO = /TargetOU, /F = /IncludeFile,
# /MSS = /MigrateSIDs, /PO = /PasswordOption); the include file lists one sAMAccountName per line

admt user /SD:source.com /TD:contoso.com `
    /SDC:DC-SOURCE-01.source.com /TDC:DC-LON-01.contoso.com `
    /TO:"OU=MigratedUsers,OU=Contoso,DC=contoso,DC=com" `
    /F:"C:\ADMT\MigrateUsers.csv" `
    /MSS:YES `
    /PO:COPY

# /PO:COPY migrates the existing passwords and needs the Password Export Server (see below);
# use /PO:COMPLEX instead to generate new complex passwords for the migrated accounts

For GUI-based migration in ADMT:

1. Open the ADMT console from Administrative Tools.
2. Right-click the ADMT node and select User Account Migration Wizard.
3. Specify the source domain and domain controller, then the target domain and domain controller.
4. Select the user accounts to migrate from the source domain browser.
5. Configure the destination OU, password options, and account transition options.
6. On the Account Transition Options page, choose whether to disable source accounts, set expiration dates, and configure SID History migration.
7. Review the migration report after completion.
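The command-line task above reads its account list from an include file. The script below is an added example (not from the original guide) that builds that file from a source OU and sets aside the accounts a migration team normally wants to review before migrating in bulk: disabled accounts, accounts with SPNs (service accounts, which the guide treats as a separate workflow), protected accounts with adminCount set, and stale accounts. The OU, domain name, file paths and the 90-day staleness threshold are assumptions; the include file format (one sAMAccountName per line) is the one ADMT's /F switch expects.

```powershell
# Added example: build the ADMT include file for the user migration task from a source OU.
# Domain, OU, paths and the staleness threshold are assumptions.
Import-Module ActiveDirectory

$SourceDomain = "source.com"
$SourceOU     = "OU=Users,OU=Source,DC=source,DC=com"     # assumed source OU
$IncludeFile  = "C:\ADMT\MigrateUsers.csv"                # path used by the admt user command
$ReportFile   = "C:\ADMT\MigrateUsers-excluded.csv"       # accounts held back for review
$StaleAfter   = (Get-Date).AddDays(-90)

$users = Get-ADUser -Server $SourceDomain -SearchBase $SourceOU -Filter * `
    -Properties Enabled, LastLogonDate, ServicePrincipalName, adminCount

$keep = New-Object System.Collections.Generic.List[string]
$excluded = foreach ($u in $users) {
    # First matching rule wins; $null means the account goes into the include file.
    $reason = $null
    if (-not $u.Enabled) {
        $reason = 'disabled in source'
    } elseif ($u.ServicePrincipalName.Count -gt 0) {
        $reason = 'has SPNs (service account, migrate separately)'
    } elseif ($u.adminCount -eq 1) {
        $reason = 'adminCount=1 (protected account, review before migrating)'
    } elseif ($u.LastLogonDate -and $u.LastLogonDate -lt $StaleAfter) {
        $reason = 'stale (no logon in 90 days)'
    }

    if ($reason) {
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; Reason = $reason }
    } else {
        $keep.Add($u.SamAccountName)
    }
}

# ADMT reads the include file as plain text, one object name per line.
$keep | Set-Content -Path $IncludeFile -Encoding ASCII
$excluded | Export-Csv -Path $ReportFile -NoTypeInformation

"{0} accounts written to {1}; {2} held back (see {3})" -f `
    $keep.Count, $IncludeFile, @($excluded).Count, $ReportFile
```

Running the migration from a reviewed list, rather than from the whole OU, keeps privileged and service accounts out of the bulk run where SID History and password copying would otherwise be applied without anyone looking at them.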

Password Export Server (PES)

The Password Export Server (PES) service must be installed on a domain controller in the source domain to migrate passwords. Without PES, migrated users receive new (or no) passwords:

# PES is installed on a domain controller in the SOURCE domain from PwdMig.msi,
# which ships with ADMT. Create the encryption key on the ADMT server first:
# the PES installer asks for the key file and its password during setup.

# 1. On the ADMT server (target domain), create the key for the source domain
#    (/keypassword:* prompts for the password instead of putting it on the command line)
admt key /option:create /sourcedomain:source.com `
    /keyfile:"C:\ADMT\source.pes" /keypassword:*

# 2. Copy source.pes to the source DC, then run the PES installer there and supply
#    the key file and password when prompted (run it interactively; a /quiet install
#    has no way to take the key)
msiexec /i PwdMig.msi

# 3. Start the Password Export Server service on the source DC. It is set to Manual by
#    default; leave it stopped except while passwords are actually being migrated.
Start-Service -DisplayName "Password Export Server Service"

Migrating Groups

# Migrate security groups
# Same switches as the user task; /FGM (FixGroupMembership) updates the membership of
# previously migrated groups so they reference the target-domain accounts
admt group /SD:source.com /TD:contoso.com `
    /SDC:DC-SOURCE-01.source.com /TDC:DC-LON-01.contoso.com `
    /TO:"OU=MigratedGroups,OU=Contoso,DC=contoso,DC=com" `
    /F:"C:\ADMT\MigrateGroups.csv" `
    /MSS:YES `
    /FGM:YES

Migrating Computer Accounts

Computer migration in ADMT changes the computer's domain membership as part of the process. ADMT pushes its agent to each computer; the agent joins the machine to the target domain, restarts it, and translates the local security references (profiles, local groups, ACLs) to the target-domain SIDs:

# Migrate computer accounts and re-join them to the target domain
# /TOT:ADD adds the target-domain SIDs alongside the source ones during local translation;
# /TFS, /TLG and /TUP translate files and folders, local groups and user profiles;
# /RDL is the restart delay in minutes after the agent finishes
admt computer /SD:source.com /TD:contoso.com `
    /SDC:DC-SOURCE-01.source.com /TDC:DC-LON-01.contoso.com `
    /TO:"OU=MigratedComputers,OU=Contoso,DC=contoso,DC=com" `
    /F:"C:\ADMT\MigrateComputers.csv" `
    /TOT:ADD `
    /TFS:YES /TLG:YES /TUP:YES `
    /RDL:5

Translating Security Permissions

After migrating accounts, file share and NTFS permissions still reference the source domain SIDs. The Security Translation Wizard updates these permissions to reference the target domain accounts:

# Translate security permissions on a file server
# The security translation task takes computer names (/N), not share paths: ADMT deploys its
# agent to each listed computer, which then rewrites the ACLs locally.
# /TFS covers files and folders, /TSH covers share permissions; /TOT:ADD keeps the source
# ACEs and adds matching target-domain ACEs (use /TOT:REPLACE once the source domain is retired)
admt security /SD:source.com /TD:contoso.com `
    /SDC:DC-SOURCE-01.source.com /TDC:DC-LON-01.contoso.com `
    /N "FileServer01" `
    /TOT:ADD `
    /TFS:YES /TSH:YES
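Because translation in ADD mode leaves the source-domain ACEs in place, a defender wants a way to see which ACLs still reference the source domain, both before translation (to size the job) and before the source domain or trust is retired (anything left becomes an orphaned SID that nobody can read). The script below is an added example, not part of the guide or of ADMT: it walks a share, classifies every explicit ACE by the domain part of its SID rather than by name, and exports the ACEs that point at the source domain or cannot be resolved. The UNC path, domain names and output file are assumptions.

```powershell
# Added example: find explicit NTFS ACEs under a share that still reference the SOURCE domain.
# Share path, domain names and output path are assumptions.
Import-Module ActiveDirectory

$Root         = "\\FileServer01\ShareName"                  # assumed UNC path
$SourceDomain = "source.com"
$TargetDomain = "contoso.com"
$OutFile      = "C:\ADMT\SourceAces-FileServer01.csv"

# Classify by domain SID so the check keeps working after name resolution for the
# source domain stops (trust removed, domain decommissioned).
$sourceSid = (Get-ADDomain -Server $SourceDomain).DomainSID.Value
$targetSid = (Get-ADDomain -Server $TargetDomain).DomainSID.Value

function Get-AceSid {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    try {
        # NTAccount -> SID; an IdentityReference that is already a SID translates to itself
        $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        $null   # name that no longer resolves
    }
}

$items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }      # inherited entries are fixed by fixing the parent
        $sid = Get-AceSid $ace
        $domainSid = if ($sid) { $sid.AccountDomainSid.Value } else { $null }
        $origin = if (-not $sid)                    { 'unresolved' }
                  elseif ($domainSid -eq $sourceSid) { 'source' }
                  elseif ($domainSid -eq $targetSid) { 'target' }
                  else                               { 'other' }   # BUILTIN, well-known, other domains
        if ($origin -eq 'source' -or $origin -eq 'unresolved') {
            [pscustomobject]@{
                Path     = $item.FullName
                Identity = $ace.IdentityReference.Value
                Sid      = if ($sid) { $sid.Value } else { $null }
                Rights   = $ace.FileSystemRights
                Type     = $ace.AccessControlType
                Origin   = $origin
            }
        }
    }
}

$findings | Export-Csv -Path $OutFile -NoTypeInformation
"{0} explicit ACEs still reference the source domain or cannot be resolved (written to {1})" -f `
    @($findings).Count, $OutFile
```

Run it once after the ADD-mode translation to confirm every source ACE now has a target counterpart, and again before cutover: a non-empty result at that point means either a path the security translation task did not reach or an account that was never migrated.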

Monitoring Migration Progress

# ADMT records every operation in its migration log database and in text logs
# View logs in the ADMT console under Migration Log, or query the database directly

# Check migration status via the ADMT console
# Right-click "Migration Log" to view all migration operations and their status

# The text logs live under %SystemRoot%\ADMT\Logs on the ADMT server; Migration.log holds
# the per-object output of each task and is the file to keep (copy it out) after every run
Get-Content -Path "$env:SystemRoot\ADMT\Logs\Migration.log" -Tail 50

Post-Migration Cleanup

# Verify migrated users can log on to the target domain
# Test a sample of migrated accounts

# Disable source accounts after the coexistence period (run against the SOURCE domain)
Get-ADUser -Server source.com -SearchBase "OU=MigratedUsers_Source,DC=source,DC=com" -Filter * |
    Disable-ADAccount

# After the validation period, remove SID History (optional, reduces security risk)
# SID History is useful during coexistence but is a long-term risk: every SID left in the
# attribute keeps granting access wherever that old SID still appears in an ACL
# -Remove needs the actual values, so read them first; .Value unwraps the property collection
$user = Get-ADUser -Identity "jsmith" -Properties SIDHistory
if ($user.SIDHistory.Count -gt 0) {
    Set-ADUser -Identity $user -Remove @{SIDHistory = $user.SIDHistory.Value}
}
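The single-user command above does not scale to a migrated OU, and removing SID History blindly can strip SIDs that came from some other domain in an earlier migration. The script below is an added example (not part of the guide) that does the two post-migration checks together: for every user in the target OU it confirms that the matching source account's SID is present in SIDHistory (the verification step the guide asks for), and, when cleanup is switched on, it removes only SIDs whose domain part is the source domain's SID. Domain names and the OU are assumptions; the removal is left in -WhatIf mode so the first run only reports.

```powershell
# Added example: verify SID History for a migrated OU and, once validated, remove only the
# source-domain SIDs. Domain names and OU are assumptions.
Import-Module ActiveDirectory

$SourceDomain     = "source.com"
$TargetDomain     = "contoso.com"
$TargetOU         = "OU=MigratedUsers,OU=Contoso,DC=contoso,DC=com"
$RemoveSidHistory = $false     # set to $true only after the coexistence period has ended

# SIDs issued by the source domain all start with its domain SID
$sourceDomainSid = (Get-ADDomain -Server $SourceDomain).DomainSID.Value

$targets = Get-ADUser -Server $TargetDomain -SearchBase $TargetOU -Filter * -Properties SIDHistory
$results = foreach ($t in $targets) {
    # ADMT keeps the sAMAccountName unless the account was renamed in the include file
    $s = Get-ADUser -Server $SourceDomain -Filter "SamAccountName -eq '$($t.SamAccountName)'" `
        -ErrorAction SilentlyContinue

    $history    = @($t.SIDHistory | ForEach-Object { $_.Value })
    $fromSource = @($history | Where-Object { $_ -like "$sourceDomainSid-*" })

    $status = if (-not $s)                               { 'no matching source account' }
              elseif ($history -contains $s.SID.Value)   { 'ok' }
              else                                       { 'source SID missing from SIDHistory' }

    if ($RemoveSidHistory -and $fromSource.Count -gt 0) {
        # -Remove takes the exact values; SIDs from any other domain are left untouched.
        # Drop -WhatIf after reviewing the report from a dry run.
        Set-ADUser -Identity $t -Remove @{SIDHistory = $fromSource} -WhatIf
    }

    [pscustomobject]@{
        User       = $t.SamAccountName
        Status     = $status
        SourceSIDs = $fromSource.Count
        OtherSIDs  = $history.Count - $fromSource.Count
    }
}

# Anything that is not 'ok' needs a look before the source accounts are disabled
$results | Where-Object { $_.Status -ne 'ok' } | Format-Table -AutoSize
"{0} users checked, {1} with issues" -f @($results).Count, @($results | Where-Object { $_.Status -ne 'ok' }).Count
```

Treat "source SID missing from SIDHistory" as a migration defect to fix before cutover if the account relies on source-domain resources, and treat a non-zero OtherSIDs column as a prompt to find out which earlier migration left those SIDs behind rather than removing them as part of this one.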

Summary

The Active Directory Migration Tool 3.2 on Windows Server 2012 R2 provides a comprehensive, tested workflow for migrating AD objects between domains and forests. Successful migrations require thorough preparation including trust configuration, enabling SID History, installing the Password Export Server for password migration, and planning the target OU structure. ADMT’s phased approach — test mode, then production migration with source account coexistence — allows validation before permanently transitioning users. SID History preservation during migration ensures users retain access to resources in the source domain during the transition period. Always maintain a clear migration timeline with defined cutover dates to limit the coexistence period and the associated security complexity.