With the discontinuation of hotfix development and phasing out of support for Windows NT 4.0 and the release of Windows Server 2003 Service Pack 1 (SP1), now is a great time for those of you still running NT domains to consider switching to Active Directory (AD). To help you with the transition, Microsoft offers the free Active Directory Migration Tool (ADMT), which you can download from http://www.microsoft.com/downloads/details.aspx?FamilyID=788975b1-5849-4707-9817-8c9773c25c6c&DisplayLang=en. Third-party products from Quest Software, BindView, and NetIQ provide such features as project management, SID history clean-up, and more functional GUIs—all of which can make them worth the price.
Migration involves moving user and computer accounts from one or more source domains to a target domain. You might find yourself performing a migration to move away from NT or to consolidate two or more AD domains. Migrated accounts get a new SID in the target domain, so migration tools also provide a way to ensure that the new account inherits the same access to resources. All the tools I tried maintain SID history and repermission files, folders, and the registry, as well as provide common functionality to deal with other necessary migration tasks. All the reviewed products can migrate user accounts, passwords, local and global groups, computer accounts, and trusts; repermission the file system, registry, and Microsoft Exchange Server mailboxes; join workstations to a new domain; maintain SID history; and run scripted migration tasks. Table 1 sums up each product's features.
I tested each product by migrating a set of NT users and groups, a file share, and a workstation to a Windows 2003 AD domain. I evaluated each product according to its ease of use, its ability to help plan the migration (i.e., migration-project management), and whether the new accounts in the target domain could access the correct resources on both the file share and the workstation after the migration.
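The relationship between new SIDs, SID history, repermissioning, and SID history cleanup described above can be traced in a small model. This is an added example, not code from any of the reviewed products; the SIDs, account name, and resource paths are constructed, and a Windows access check is simplified to a set intersection.

```python
# Toy model of SID history during a domain migration (all values constructed).
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    sid: str
    sid_history: set = field(default_factory=set)

    def token_sids(self):
        # A logon token carries the primary SID plus every SID history entry.
        return {self.sid} | self.sid_history

def migrate(source, target_domain_sid, rid):
    """Create the target account with a new SID; keep the old SID in SID history."""
    return Account(source.name, f"{target_domain_sid}-{rid}", {source.sid})

def has_access(account, acl):
    return bool(account.token_sids() & acl)

def repermission(acls, sid_map):
    """Rewrite each ACL so source-domain SIDs become their target-domain SIDs."""
    return {res: {sid_map.get(s, s) for s in acl} for res, acl in acls.items()}

def safe_to_clean(account, acls):
    """SID history can go only once no ACL still names one of the old SIDs."""
    return not any(account.sid_history & acl for acl in acls.values())

def clean_sid_history(account):
    return Account(account.name, account.sid, set())

def demo():
    nt_dom = "S-1-5-21-1111-2222-3333"   # constructed source-domain SID
    ad_dom = "S-1-5-21-4444-5555-6666"   # constructed target-domain SID
    share = r"\\fs1\share"               # constructed resource names
    old = Account("jsmith", f"{nt_dom}-1105")
    acls = {share: {old.sid}, r"HKLM\Software\App": {old.sid}}
    new = migrate(old, ad_dom, 2301)
    results = {"after_migration": has_access(new, acls[share]),
               "cleanup_too_early": has_access(clean_sid_history(new), acls[share]),
               "safe_before_reperm": safe_to_clean(new, acls)}
    acls = repermission(acls, {old.sid: new.sid})
    results["safe_after_reperm"] = safe_to_clean(new, acls)
    results["after_cleanup"] = has_access(clean_sid_history(new), acls[share])
    return results

if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step}: {value}")
```

The ordering matters: removing SID history before every ACL has been translated cuts the migrated account off from resources that still reference the source-domain SID.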
ADMT
ADMT supported all the basic functionality I needed to migrate users and computers between domains but provided only a minimal installation process and GUI. Most notably, the product lacks migration-project management, SID history cleanup, and robust reporting. ADMT is probably suitable for smaller migrations, but if you need to keep track of hundreds of users, the tool will require extra work—both in troubleshooting and project management.
Installing ADMT wasn't as simple as you might think. At first glance, I thought the process just involved deploying a Windows Installer package. However, a thorough read of the accompanying documentation revealed that I also needed to configure a slew of permissions and registry settings, designate and configure a Password Export Server in the source domain, and reboot a domain controller (DC) in both the source and target domains. In retrospect, the ease of configuring the other tools made ADMT's setup seem complex and error prone.
As Figure 1 shows, ADMT consists of a set of wizards that let you test or perform each migration task. However, the tool didn't provide a way to save my test settings, so I had to rerun the wizards and recreate the options I'd chosen during my tests. When I tested the process of migrating small batches of users, this lack of project management also made it difficult to plan which users I wanted to migrate in each batch.
ADMT has a minimal but useful set of reports. The Account Name Conflicts report helped me predict some of the errors I ran into, and the Migrated User and Groups and Migrated Computer Accounts reports helped me figure out which users I'd already migrated. I would have liked to see reports that compared source and target domains (e.g., something that showed me which users hadn't been migrated yet).
I spent a lot of time troubleshooting ADMT. When a migration task encounters errors, ADMT provides only a text-based log file of the actions it performed. Among the errors I encountered were problems with the configuration of the Password Export Server and SID History permissions. ADMT has a Retry Task Wizard, but the Wizard didn't let me modify a failed task's settings before retrying the task. Also, the Wizard let me retry only distributed tasks, such as computer migrations; I couldn't use the Wizard to retry user migrations that had encountered errors or successful test migrations. Furthermore, ADMT supports undo only for the most recent migration task. Once I got everything working, however, ADMT successfully migrated users, without any permissions problems on the file share or local profiles.
BindView bv-Admin for Windows Migration
bv-Admin for Windows Migration is a project-based migration tool that offers good migration planning, great translation of source-account properties, and complex mapping of migrated objects into organizational units (OUs). This product was the most flexible of those I tested, in terms of organizing accounts in the target AD structure and standardizing account names and properties, but its trial migrations didn't catch errors that occurred during the actual migration. Though troubleshooting wasn't difficult, I was disappointed that it was necessary during my actual migration rather than during the trial migration. This problem, along with its higher price, kept bv-Admin out of the top spot in this review.
The bv-Admin console consists of a set of projects that are organized according to the type of object being migrated. Each project I created represented a set of users, groups, computers, and migration settings. As Figure 2 shows, I could choose a separate destination OU in the target domain for each object to be migrated, and I could set account properties—including the common name (CN), SAM, and user principal name (UPN)—by using an expression that included source-account properties. Additionally, bv-Admin automatically set the first name and last name fields in AD by breaking NT's Full Name field at spaces. None of the other products automatically populated these fields in AD.
After I'd created a project, I could use it to perform either a trial or a real migration. Though the trial migration succeeded, my first real migration produced two errors, one involving permissions for enabling SID history and the other caused by the length of the CN field. bv-Admin offered useful error messages, so I was able to resolve both problems easily, but I was frustrated that the trial worked but the actual migration failed. After the real migration succeeded, I turned my project into a template that let me use the same settings for a new project involving different user accounts.
To migrate the file share and workstation, bv-Admin automatically installed agents to apply ACLs and join the workstation to the new domain. Rebooting after the migration was optional, and I didn't encounter any errors during this process.
The product's reporting capabilities impressed me. The reporting tool is called Action Reports and includes a useful set of customizable reports for both domain and migration projects. These reports included data about non-migrated objects, SID history, successfully executed projects, and resources that were skipped during project execution. I could also customize the reports to get data from multiple domains or projects. Furthermore, the reports were actionable when appropriate. For example, right-clicking the SID History report let me launch a SID History clean-up task.