Migrating from Windows Server 2003/2008 to Windows Server 2008 R2 : Multiple Domain Consolidation Migration (part 2)

3/3/2011 10:25:53 PM

Exporting Password Key Information

The Password Export Server (PES) service is used to migrate passwords during interforest migrations. The service is installed on a domain controller in the source domain and relies on a password key that is generated beforehand on the ADMT server in the target domain.

This 128-bit encrypted password key is created in the target domain and then installed on a server in the source domain. The key is what allows the source domain's passwords to be exported to ADMT in the target domain; SID History migration itself does not use the key and is configured separately (see "Configuring Domains for SID Migration" later in this section).

To create this key, follow these steps from the command prompt of the ADMT server in the target domain:

1. Insert a USB drive to store the key. (The key file can be written to a network share, but for security reasons a removable drive that you physically carry to the source domain is better.)

2. Open a command prompt.

3. Type admt key /option:create /sourcedomain:<SourceDomainName> /keyfile:f:\domain.pes /keypassword:*, where <SourceDomainName> is the NetBIOS or DNS name of the source domain, f: is the destination drive for the key, and domain.pes is the password encryption key filename. Then press Enter. (The asterisk tells ADMT to prompt for the password rather than taking it on the command line, which keeps it out of the command history.)

4. The utility prompts for the password and for its confirmation, and then writes the key file to the destination drive.

5. Upon successful creation of the key, remove the USB drive and keep it in a safe place.

This needs to be repeated for each source domain to be migrated, because each key is tied to the source domain named when it was created.

Installing PES on the Source Domain

After exporting the password key from the target domain, the encrypted key needs to be installed on a domain controller in the source domain. The procedure uses the key file generated previously. The following procedure outlines this installation:

1. Insert the USB drive holding the key exported from the target domain into the source domain controller that will host PES.

2. The installation source is a separate download from Microsoft, with one version for 32-bit servers and one for 64-bit servers. Download the version matching the domain controller's architecture to that server.

3. Start the Password Migration Installer by browsing to the downloaded file, PwdMig.msi, and running it.

4. On the Welcome page, click Next.

5. Accept the license agreement, and then click Next.

6. Enter the location of the key file that was created in the target domain; normally, this is the USB drive used to transfer it. Click Next to continue.

7. Enter and confirm the password that was set on the key file, and click Next.

8. On the Verification page, click Next to continue.

9. Select an administrator account in the target domain that the service will run as, in the form domain\account, enter its password, and then click OK.

10. Click Finish after the installation is complete.

11. Open the Services console (Start, Administrative Tools, Services). Select the Password Export Server service and change its startup type to Automatic.

12. The system must be restarted, so click Yes when prompted to restart automatically. After the restart, the server is ready to act as a Password Export Server.

The installer grants the account used for the service the Log On As a Service right. PES must be installed on at least one source domain controller in each domain to be migrated. Because a running PES hands the source domain's password hashes to any ADMT server holding the matching key, run the service only for the duration of the password migration and stop it (and set its startup type back to Manual or Disabled) when the migration is complete.

Setting Proper Registry Permissions

Installing PES creates the Registry value it needs but leaves export disabled by default for security reasons: the AllowPasswordExport value under the LSA key is set to 0. You need to set it to 1 on the PES domain controller in the source domain before passwords can be exported from the Password Export Server. The following procedure outlines the use of the Registry Editor to do this:

1. On the PES domain controller in the source domain, open the Registry Editor (Start, Regedit).

2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

3. Double-click the AllowPasswordExport DWORD value.

4. Change the value data from 0 to 1 (Hexadecimal).

5. Click OK and close the Registry Editor.

6. Reboot the machine for the Registry change to take effect.

With AllowPasswordExport set to 1, passwords can be exported from the source domain to the target domain. Set it back to 0 when the migration is complete so that the switch is not left open on a domain controller.
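The two PES controls above (the AllowPasswordExport value and the service itself) are easiest to manage as a pair, so that export is never enabled without the service and never left on afterwards. The following PowerShell is an added example, not code from the book or from Microsoft's ADMT package. It assumes it is run elevated on the PES domain controller, that the LSA Registry path and value name are as given in the text, and that the service can be located by the display name prefix "Password Export Server" (an assumption about the PwdMig.msi package; adjust the filter if your installed display name differs).

```powershell
# Added example (not from the original text): switch the Password Export Server
# between its migration-time state and its locked-down state. Run elevated on
# the source-domain DC that hosts PES. Service lookup by display name prefix is
# an assumption about the PES package.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-PesService {
    $svc = Get-Service -DisplayName 'Password Export Server*' -ErrorAction SilentlyContinue
    if (-not $svc) { throw 'Password Export Server service not found; install PwdMig.msi first.' }
    return $svc
}

function Get-PesStatus {
    # One object showing both halves of the switch, so a reviewer can see at a
    # glance whether export is possible right now.
    $svc   = Get-PesService
    $allow = (Get-ItemProperty -Path $LsaKey -Name 'AllowPasswordExport' -ErrorAction SilentlyContinue).AllowPasswordExport
    $mode  = (Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'").StartMode
    [pscustomobject]@{
        Service             = $svc.Name
        Status              = $svc.Status
        StartMode           = $mode
        AllowPasswordExport = $allow
        ExportPossible      = ($allow -eq 1 -and $svc.Status -eq 'Running')
    }
}

function Enable-PasswordExport {
    # Open the Registry switch (the installer creates the value set to 0; if it
    # is missing, Set-ItemProperty creates it), then bring the service up.
    Set-ItemProperty -Path $LsaKey -Name 'AllowPasswordExport' -Value 1 -Type DWord
    $svc = Get-PesService
    Set-Service -Name $svc.Name -StartupType Automatic
    Restart-Service -Name $svc.Name -Force   # restart so a running instance re-reads the value
    Get-PesStatus
}

function Disable-PasswordExport {
    # Reverse order: stop the service first, then close the Registry switch,
    # so there is no window in which a running PES sees AllowPasswordExport=1.
    $svc = Get-PesService
    Stop-Service -Name $svc.Name -Force
    Set-Service -Name $svc.Name -StartupType Disabled
    Set-ItemProperty -Path $LsaKey -Name 'AllowPasswordExport' -Value 0 -Type DWord
    Get-PesStatus
}

# Usage:
#   Enable-PasswordExport    # just before running the ADMT password migration
#   Disable-PasswordExport   # as soon as the migration wave is finished
```

The text reboots the domain controller after changing the value; the script instead restarts the PES service, which is what re-reads the setting. If you prefer to follow the book exactly, call Enable-PasswordExport and then reboot. Either way, run Get-PesStatus after the migration and confirm ExportPossible is False before signing off.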

Configuring Domains for SID Migration

Migrating the source security identifiers (SIDs) into the SID History attribute of the target objects allows the security assigned in access control lists (ACLs) to keep working transparently after the migration. This gives the administrator time to reset ACLs gradually, or even after all objects have been migrated.

Several settings need to be configured before SIDs can be transferred: creating a local group in the source domain for auditing, enabling TCP/IP client support on the source domain's PDC emulator, and, finally, enabling account management auditing in both the source and target domains.

To create the local group on the source domain for auditing, execute the following steps:

1. Log on to a domain controller in the source domain.

2. Launch Active Directory Users and Computers.

3. Create a domain local group named SourceDomain$$$, where SourceDomain is the NetBIOS name of the source domain. For example, the local group for the companyabc.com domain would be companyabc$$$.

Do not add any members to the group; ADMT checks that it is empty, and the migration process will fail if it is not.

To enable TCP/IP client support, execute the following steps:

1. Log on to the PDC emulator domain controller in the source domain.

2. Launch the Registry Editor.

3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

4. Create a REG_DWORD value named TcpipClientSupport and assign it a value of 1.

5. Exit the Registry Editor and restart the computer.

To enable auditing in Windows Server 2008 R2 domains, execute the following steps:

1. Select Start, Administrative Tools, Group Policy Management.

2. Drill down to Forest, Domains, Domain, Domain Controllers, Default Domain Controllers Policy, and then right-click it and select Edit.

3. Drill down to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, and select the Audit Policy node.

4. Double-click the Audit Account Management policy.

5. Check Define These Policy Settings and select both Success and Failure.

6. Click OK to save the changes.

7. Exit the Group Policy Management Editor.

8. Repeat the preceding steps for all source and target domains.

Now the source and target domains will be prepared to transfer SIDs into the SID History.
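The three SID History prerequisites above are also the ones most often found half-done on the day of the migration (a $$$ group that picked up a member, TcpipClientSupport set on the wrong DC, auditing applied to one domain but not the other). The following PowerShell is an added example, not code from the book or from ADMT; it creates the group, sets the value on whichever DC currently holds the PDC emulator role, and reports the effective audit policy. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2), PowerShell remoting to the PDC emulator, and rights to create groups and edit that DC's Registry; source.example.com is a placeholder domain name.

```powershell
# Added example (not from the original text): prepare one source domain for
# SID History migration and verify the result. Placeholder: source.example.com.
# Assumes the ActiveDirectory module and WinRM access to the PDC emulator.

Import-Module ActiveDirectory

$SourceDomain = Get-ADDomain -Identity 'source.example.com'   # placeholder
$Netbios      = $SourceDomain.NetBIOSName
$Pdc          = $SourceDomain.PDCEmulator                       # resolved, not guessed
$GroupName    = $Netbios + '$$$'                                # e.g. COMPANYABC$$$

# 1. Create the SourceDomain$$$ domain local group and prove it is empty.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $Pdc
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
                         -Server $Pdc -PassThru
    Write-Host "Created $GroupName on $Pdc"
}
$members = @(Get-ADGroupMember -Identity $group -Server $Pdc)
if ($members.Count -gt 0) {
    throw "$GroupName has $($members.Count) member(s); ADMT requires it to be empty."
}

# 2. Set TcpipClientSupport on the PDC emulator (the only DC that needs it).
Invoke-Command -ComputerName $Pdc -ScriptBlock {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-ItemProperty -Path $key -Name 'TcpipClientSupport' -Value 1 -Type DWord
    Get-ItemProperty -Path $key -Name 'TcpipClientSupport' | Select-Object PSComputerName, TcpipClientSupport
}
# Restart-Computer -ComputerName $Pdc -Force   # the value takes effect after a restart

# 3. Audit policy is delivered by the Default Domain Controllers Policy GPO, so
#    only confirm it here: Account Management must show Success and Failure.
Invoke-Command -ComputerName $Pdc -ScriptBlock {
    auditpol /get /category:"Account Management"
}
```

Run the group and Registry steps against each source domain; run the auditpol check against a domain controller in every source and target domain, since the GPO change has to exist in all of them. If auditpol still shows "No Auditing", force a policy refresh (gpupdate /force) on that DC and re-check before starting the SID History migration.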
