Operating Systems: Microsoft Windows NT Server 4.0, Microsoft Windows Server 2003
In the article "Active Directory Migration Tool, part 1: Preparing for the migration" in our January 2004 issue, we showed you how to prepare a Windows NT 4.0 source domain and a Windows Server 2003 target domain so you could use Active Directory Migration Tool (ADMT). After you've completed these steps, you're ready to start using ADMT to migrate users, groups, computers, and security settings. As you'll see, ADMT provides several handy wizards to guide you through the process to ensure your accounts and settings are successfully migrated with minimal interruption for your users.
Time to fire up ADMT
In this article, we'll show you how to complete two migrations using ADMT. First, we'll give you some important background information on the sIDHistory attribute in Active Directory and explain why it's important to understand it when you migrate users from one domain to another. Then, we'll show you how to prepare your domains so you can migrate user passwords with their accounts.
Next, you'll learn how to migrate users and their associated groups using the User Account Migration Wizard. We'll show you all the options you can set during the wizard, depending on the needs of your organization and your network setup.
Finally, we'll show you how to migrate security settings using the Security Translation Wizard. We'll show you how to use the wizard to update access control lists on files, folders, and shares for users who have been migrated from Windows NT 4.0 to Windows Server 2003.
The sIDHistory attribute
You can't cover ADMT and account migrations without covering sIDHistory. As you may know, security identifiers (SIDs) are domain-specific IDs that Windows uses to identify users, groups, and computer accounts. Each user account has a unique SID, as does each group account to which the user belongs.
How Windows NT uses SIDs
When a user logs on, the user is granted an access token that includes the user's SID and a SID for each of the groups of which the user is a member. That access token is used to determine access to network resources; permissions on each resource are granted to SIDs through the resource's access control list (ACL). If a...
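The token-versus-ACL check described above can be modeled in a few lines. The following Python sketch is an added example, not code from the article or from ADMT; it goes one step beyond the text by including sIDHistory values in the token, which is how Windows treats them at logon. The SIDs, RIDs, and function names are constructed for illustration, and the ACL is simplified to allow-only entries.

```python
from dataclasses import dataclass, field

# Constructed sample SIDs (not from the article): source NT 4.0 and target domains.
OLD_DOM = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_DOM = "S-1-5-21-1234567890-1098765432-2109876543"

def split_sid(sid):
    """Split a domain account SID into (domain SID, relative ID)."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"] \
            or not all(p.isdigit() for p in parts[4:]):
        raise ValueError(f"not a domain account SID: {sid!r}")
    return "-".join(parts[:7]), int(parts[7])

@dataclass
class Account:
    sid: str
    group_sids: list = field(default_factory=list)
    sid_history: list = field(default_factory=list)

def build_token(acct):
    """SIDs carried in the access token: own SID, group SIDs, sIDHistory values."""
    return {acct.sid, *acct.group_sids, *acct.sid_history}

def access_allowed(token, acl, wanted):
    """Simplified check: allow-only ACL given as (sid, permissions) entries."""
    granted = set()
    for sid, perms in acl:
        if sid in token:
            granted |= perms
    return wanted <= granted

def demo():
    old_user, old_group = f"{OLD_DOM}-1105", f"{OLD_DOM}-1201"
    # ACL on a resource, still written in terms of source-domain SIDs.
    acl = [(old_user, {"read", "write"}), (old_group, {"read"})]
    before = Account(old_user, [old_group])
    no_history = Account(f"{NEW_DOM}-2301")
    with_history = Account(f"{NEW_DOM}-2301", sid_history=[old_user])
    want = {"read", "write"}
    return {name: access_allowed(build_token(a), acl, want)
            for name, a in [("before", before), ("migrated_no_history", no_history),
                            ("migrated_with_history", with_history)]}

if __name__ == "__main__":
    print(split_sid(f"{OLD_DOM}-1105"))
    print(demo())
```

The migrated account without sIDHistory fails the check because the resource ACL still names source-domain SIDs; the same account with the old SID in sIDHistory passes until the ACLs are rewritten.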