I recently got the request to migrate users from one local domain to another local domain.
I have also heard some talk about ADMT not functioning on Windows Server 2019 anymore. Since I am involved in multiple projects that have to do with domain consolidation, I decided to do some research on this matter and spin up my lab environment for this.
My lab environment for this case consisted of two DCs running Windows Server 2019 hosted in Azure. Network connectivity between both DCs and networks was possible thanks to a site-to-site VPN.
I have configured a trust relationship between the domains and will not get into that in this post.
For more information on how to set up a domain trust relationship, see:
Configure DNS to Enable a Trust Between Two Active Directory Forests – Petri
Active Directory trust Relationship between two domains in Server 2016 | Windowstechpro
I will not go into the installation process of ADMT in detail, as it is pretty straightforward and no issues are to be expected here.
Before installing, you need to have SQL Server up and running. You can use the latest SQL Server Express for this.
My advice is to also install SQL Server Management Studio.
Downloads can be found here:
SQL Server Express : SQL Server Downloads | Microsoft
SQL Server Management Studio : https://aka.ms/ssmsfullsetup
You can install the above with the default settings.
Now download and install ADMT 3.2 on the Windows Server you want to move the users away from (Source Server).
ADMT 3.2 : Download Active Directory Migration Tool version 3.2 from Official Microsoft Download Center
Install ADMT as usual but when asked for SQL database location fill in the following and press Next :
Continue the installation.
The ADMT service account needs to have proper permission in source and target domains. You don’t need to use 2 separate accounts. You can use a single service account for the entire migration. Here is the procedure:
- Create an account in the Target Domain
- Add this account to the Domain Admins group in the Target Domain
- In the Source Domain, add this account (from the target domain) to the built-in Administrators group (not Domain Admins)
If you get the following error message, make sure you have the proper permissions in both source and target domains.
Unable to establish a session with the password export server. Access is denied
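To check the permissions described above before starting ADMT, the following PowerShell sketch confirms the two group memberships from the procedure. It is an added example, not part of the original post; the domain names and the account name are placeholders, and it assumes the ActiveDirectory module (RSAT) is installed.

```powershell
# Added example: pre-flight check of the ADMT service account's group memberships.
# Assumptions (placeholders, replace with your own values):
$TargetDomain = 'target.example'   # DNS name of the target domain
$SourceDomain = 'source.example'   # DNS name of the source domain
$AccountName  = 'svc-admt'         # sAMAccountName of the account created in the target domain

Import-Module ActiveDirectory

function Test-DirectGroupMember {
    param($Group, $User)
    # Within one forest the member attribute holds the user's DN. Across a forest
    # trust the member is a foreign security principal whose CN is the user's SID.
    $sid = $User.SID.Value
    foreach ($dn in $Group.member) {
        if ($dn -eq $User.DistinguishedName -or
            $dn -like "CN=$sid,CN=ForeignSecurityPrincipals,*") {
            return $true
        }
    }
    return $false   # only direct membership is checked, not nested groups
}

$user = Get-ADUser -Identity $AccountName -Server $TargetDomain

# Domain Admins in the target domain: domain SID + well-known RID 512
$targetSid    = (Get-ADDomain -Server $TargetDomain).DomainSID.Value
$domainAdmins = Get-ADGroup -Identity "$targetSid-512" -Server $TargetDomain -Properties member

# Built-in Administrators in the source domain: well-known SID S-1-5-32-544
$sourceAdmins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $SourceDomain -Properties member

[pscustomobject]@{
    Account                     = "$TargetDomain\$($user.SamAccountName)"
    TargetDomainAdmins          = Test-DirectGroupMember $domainAdmins $user
    SourceBuiltinAdministrators = Test-DirectGroupMember $sourceAdmins $user
}
```

Both values should be `True` before you start ADMT. Running it again after the migration shows whether the account still holds these rights.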
After you have done the above, open SQL Server Management Studio and give the created user DB Owner rights on the ADMT database.
First, create a login account from SQL Server Management Studio.
Select Windows Authentication and search for the created user in the target domain and press OK to add the login.
Double click on the created login and assign the DB Owner role to the ADMT database under User Mapping.
Press OK and exit the Management Studio.
Log off the Windows Server.
Log on to the Source Windows Server using the newly created account on the target domain. So don’t forget to add the target domain before the user account name during login. Example “TargetDomain\NewUserAccount”.
Start ADMT and perform the migration tasks as usual. When asked for credentials use the target domain account that you have created above.
So the conclusion is that ADMT 3.2 works fine on Windows Server 2019 setups and can be used to perform domain migrations.