Exporting Password Key Information
A 128-bit encrypted password key must be installed from the target domain on a server in the source domain. This key allows for the migration of password and SID history information from one domain to the next.

To create this key, follow these steps from the command prompt of a domain controller in the target domain where ADMT is installed:

1. Insert a floppy disk into the drive to store the key. (The key can be directed to the network but, for security reasons, directing to a floppy is better.)

2. Change to the ADMT directory by typing cd C:\program files\active directory migration tool, where C: is the OS drive. Then press Enter.

3. Type admt key <SourceDomainName> a: <password>, where <SourceDomainName> is the NetBIOS name of the source domain, a: is the destination drive for the key, and <password> is a password that is used to secure the key. Refer to Figure 2 for an example. Then press Enter.

4. Upon successful creation of the key, remove the floppy and keep it in a safe place.
Installing a Password Migration DLL on the Source Domain
A special password migration dynamic link library (DLL) must be installed on a domain controller in the source domain. This machine will become the Password Export Server for the source domain. The following procedure outlines this installation:

1. Insert the floppy disk with the exported key from the target domain into the server's disk drive.

2. Insert the Windows Server 2003 CD into the CD-ROM drive of the domain controller in the source domain where the Registry change will be enacted.

3. Start the Password Migration Utility by choosing Start, Run, and typing d:\i386\ADMT\Pwdmig\Pwdmig.exe, where d: is the drive letter for the CD-ROM drive. Then click OK.

4. At the welcome screen, click Next.

5. Enter the location of the key that was created on the target domain; normally, this is the A: floppy drive, as indicated in Figure 3. Click Next to continue.

6. Enter the password that was set on the target domain twice, and click Next.

7. At the Verification page, click Next to continue.

8. Click Finish after the installation is complete.

9. The system must be restarted, so click Yes when prompted to automatically restart. Upon restarting, the proper settings will be in place to make this server a Password Export Server.
Setting Proper Registry Permissions on the Source Domain
The installation of the proper components creates special Registry keys but leaves them disabled by default, for security reasons. You need to enable a specific Registry value to allow passwords to be exported from the Password Export Server. The following procedure outlines the use of the Registry Editor to perform this function:

1. On a domain controller in the source domain, open the Registry Editor (Start, Run, Regedit).

2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

3. Double-click the AllowPasswordExport DWORD value.

4. Change the value data from 0 to 1 (Hexadecimal).

5. Click OK and close the Registry Editor.

6. Reboot the machine for the Registry changes to be enacted.
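The following is an added example, not part of the original text or of the ADMT tooling: a PowerShell audit of the AllowPasswordExport value set in steps 2 through 4, with a helper that restores the default of 0 once the migration is finished. It assumes Windows PowerShell is available on the Password Export Server (or is run against it over remoting); the function names are my own.

```powershell
# Added audit helper for the Lsa value described above.
# Reads AllowPasswordExport and reports whether this domain controller
# is currently able to act as a Password Export Server.
$LsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'AllowPasswordExport'

function Get-PasswordExportState {
    # Returns an object describing the current state. Does not throw when
    # the value is absent, which is the case before Pwdmig.exe is installed.
    $key = Get-Item -Path $LsaPath -ErrorAction Stop
    $raw = $key.GetValue($ValueName, $null)
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Present  = ($null -ne $raw)
        Enabled  = ($raw -eq 1)
        RawValue = $raw
    }
}

function Disable-PasswordExport {
    # Restores the default (0) after the migration so the server does not
    # remain a Password Export Server indefinitely. As with step 6, the
    # change takes effect only after a reboot.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set $ValueName to 0")) {
        Set-ItemProperty -Path $LsaPath -Name $ValueName -Value 0 -Type DWord
    }
}

$state = Get-PasswordExportState
if ($state.Enabled) {
    Write-Warning "$($state.Computer): $ValueName is 1; this DC can export passwords. Run Disable-PasswordExport once the migration is complete."
}
elseif (-not $state.Present) {
    Write-Output "$($state.Computer): $ValueName is not present (password migration DLL not installed)."
}
else {
    Write-Output "$($state.Computer): $ValueName is 0 (export disabled, the default)."
}
```

Use Disable-PasswordExport -WhatIf first to confirm the target before making the change.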
At this point in the ADMT process, all prerequisites have been satisfied, and both source and target domains are prepared for the migration.