NT-to-Win2K Migration Tools

If you administer a Windows NT environment, sooner or later you'll consider moving your infrastructure to Windows 2000. You must plan many details regarding the movement of users, groups, and resources before you can perform the migration. The most significant addition to Win2K is Active Directory (AD), and AD is the component that will require the most attention and planning before you migrate your environment.

Microsoft recommends that in addition to planning for AD, you clean up and flatten domains before moving to Win2K. This process requires a significant effort on your part. Four suites of migration tools have emerged to assist you. Aelita Software's Controlled Migration Suite 5.0, BindView's bv-Admin for Windows 2000 Migration 3.5 beta, FastLane Technologies' DM/Suite, and NetIQ's (formerly Mission Critical Software's) Domain Migration Administrator 6.10 offer NT-to-Win2K domain migration assistance.

The Domain Environment
To test each product, I set up a network for a fictional midsized company. My NT 4.0 network consisted of four account domains, CORPORATE, HRDOMAIN, PRODDOMAIN, and SALES-DOMAIN, which Figure 1 shows. Each domain controller ran NT Server 4.0, Enterprise Edition, with Service Pack 5 (SP5) and contained about 250 user accounts with home directories and roughly 1.3GB of shared files with NTFS permissions. I added a member server running Microsoft Exchange Server 5.5 to the CORPORATE domain and created mailboxes for all user accounts across my domains. I also included one resource domain, RES-DOMAIN, that had printer and file sharing on one domain controller. To verify connectivity during the various migration stages, I used clients running Win2K Professional, NT Workstation 4.0, and Windows 98.

Migration Goals
I planned my migration activities to accomplish five goals. First, I needed to migrate all user accounts to one AD domain, NTLAB.COM, which Figure 2, page 108, shows. (I planned to upgrade the server named Corp in the NT CORPORATE domain to Win2K Advanced Server. This upgrade would result in the NTLAB.COM AD Domain with a NetBIOS domain name of CORPORATE.) Second, I wanted to accomplish administrative distribution by placing current domain objects into appropriate organizational units (OUs) in the AD. Third, I planned to update the permissions on existing resources to provide concurrent access from the original account and the newly migrated account. Fourth, I wanted to relocate file shares from HRDOMAIN, PRODDOMAIN, and SALESDOMAIN to remaining servers, then remove the domain controllers for those domains. (The Win2K upgrade installation updated all the original accounts and objects in the NT CORPORATE domain.) Finally, I intended to clean up permissions to remove access to resources by original domain accounts while maintaining access by new accounts.

I used each product's built-in analysis and planning tools to determine how they assisted a real-world migration. After planning, I tested each product's user and group migration functionality. Following migration, I used the domain consolidation tool, when the product provided one. I used the distributed resource-updating tool from each product to repermission files and shares. I then used the computer migration capabilities to change the domain memberships of my clients. Throughout the migration steps, I verified that client computers provided users uninterrupted access to appropriate resources and maintained local user profiles. I also checked permissions, accounts, and other affected objects after each operation. Finally, I used each product's cleanup facilities to remove permis-sions on resources for original domain accounts.

The Verdict
These products offer trade-offs between flexibility and ease of use. Domain Migration Administrator was easy to use but might not provide the flexibility some large organizations need. DM/ Suite and bv-Admin for Windows 2000 Migration offered more options, but some of the options were distracting and redundant.

In my test environment, Controlled Migration Suite was the most robust product and the best equipped to perform the migration as planned. Controlled Migration Suite struck a balance between simplicity and flexibility.

In terms of value, if domain consolidation isn't currently a concern, Domain Migration Administrator's price-for-performance punch is powerful. However, Controlled Migration Suite delivers the knockout blow with great features at an attractive price.

Controlled Migration Suite 5.0
Enterprise Delegation Manager, Enterprise Directory Reporter, and Domain Migration Wizard make up Aelita's Controlled Migration Suite. Installing the suite was reasonably simple. I installed Enterprise Delegation Manager, Enterprise Directory Reporter, and Microsoft Access 2000 runtime to Corp from the Controlled Migration Suite CD-ROM. Although Enterprise Directory Reporter can utilize a Microsoft SQL Server database, I chose to use Access 2000 runtime, which came with the suite, to keep things simple. I received a prompt to enter credentials and the startup method for the Aelita Delegation Service, then the service registered with the OS. After setup was complete, I inserted the Domain Migration Wizard CD-ROM and launched the setup program for Domain Migration Wizard from the CD-ROM's root directory. This process installed the Domain Migration Wizard, DMW Project Manager, DMW Agent Manager, Directory Processing Wizard, and DMW Data Mover components.

Preparing the Migration
I launched Controlled Migration Suite from the Start menu, and a Microsoft Management Console (MMC) snap-in opened to display the migration tool icons. To begin the planning phase of my migration, I clicked the Enterprise Directory Reporter icon. I opened the online Help for Enterprise Directory Reporter and read the Getting Started section, which said to run Centralized Directory Collector. Centralized Directory Collector guided me through the steps necessary to collect information for reporting. It also provides options for reporting on the entire spectrum of hardware and software on your network. I chose to collect data for a network report and accepted the default parameters for data collection. Various templates were available to ensure relevant reporting. I chose the Domains and Computers template, which listed users, groups, and user rights for all the computers. The Exchange Server reporting function requires you to configure an Exchange Server client on the system that runs Enterprise Directory Reporter. I installed and configured Microsoft Outlook 2000 on Corp, then ran my Exchange Server reports.

Enterprise Delegation Manager provides the same type of granular control over the administration of NT 4.0 domains that you can achieve with AD. The most useful application of Enterprise Delegation Manager is that it lets you model an AD structure before performing a migration. At the time of testing, Aelita planned to add the ability to export the modeled Enterprise Delegation Manager environment structure directly into a migration project. I set up a few OUs and delegated administrative tasks to nonadministrators to learn how Enterprise Delegation Manager operated. The modeling feature is a great asset if you need to organize a complex AD structure before migrating domains.

Migrating Users and Groups
To begin the migration process, I opened the DMW Project Manager, which Figure 3 shows, from the MMC snap-in and created a new migration project. The MMC snap-in window's right pane listed the steps necessary to complete my migration project. Throughout the steps, several options were available for customizing the migration project. The first step, selecting domains, let me provide a description for the project and select the source and target domains for the migration.

Step 2 preprocessed the users and groups in the source domain and let me set up rules for handling special concerns such as disabled and duplicate accounts. I could also rename accounts and specify different group and password migration settings.

Step 3, migrate users and groups, created users and groups in the target domain according to the settings I specified in step 2. Migrating about 275 accounts took 1 minute and 40 seconds.

Step 4, migrate resources, let me update selected computers' permissions to profiles, shares, printers, services, the file system, and the Registry. You can also update local group memberships and user rights during this step. I also had the option to change the domain membership of specific computers at this point. The complete repermissioning of two computers, Production and WINWS, took 25 seconds, which was much faster than repermissioning was with the other products I tested.

For larger migration projects, the suite includes a tool called DMW Agent Manager. This tool provides a more granular approach to updating resources, and you can distribute DMW Agent Manager and project files to let second-tier administrators perform migration tasks. The product performed resource updating with ease and used DMW Agent Manager to accomplish fast, scalable, and complete processing.

Step 5, migrating the Exchange Server system, updated the primary NT account and permissions properties on the mailboxes belonging to migrated users. The software handled Exchange Server mailboxes without requiring you to install Microsoft Exchange Administrator. Instead, the product used an efficient export, amend, and import methodology for updating the Exchange Server database. The product took just over 1 minute to update the mailbox permissions for the selected 275 users in this project.

Step 6, document migration, gave me access to organized categories of reports that detailed the results of the migration steps. I was able to view and print all the available reports. After migration, the suite used the Directory Processing Wizard to move the migrated security principals into a specific OU in AD. Using the Directory Processing Wizard, I created a new OU and moved all of this project's migrated users, groups, and computers to the new OU in less than 20 seconds.

Domain Consolidation
Another tool that the Domain Migration Wizard includes is DMW Data Mover. This tool performs data migration and server consolidation. I used DMW Data Mover to move user home directories and file shares from HRDOMAIN, PRODDOMAIN, and SALESDOMAIN to computers in the NTLAB.COM domain. Again, the suite provided several options for controlling how and when to migrate and synchronize shares. I didn't use the on-the-fly object re-permissioning option because I had already updated the resources I planned to migrate. Controlled Migration Suite migrated all files without error and with ACLs intact.

Migrating Computers
I used DMW Agent Manager again to change the domain membership of my workstations. I selected NTLAB.COM as the target domain and selected a check box to preserve the computer's account in the original domain. After changing a computer's membership, the program provided a check box, which I left clear, to reboot the computer. Controlled Migration Suite was the only product capable of changing a computer's domain membership without a reboot, and this feature worked seamlessly.

Cleanup and Rollback
After verifying that all migrated users had access to the appropriate resources, I used DMW Agent Manager to clean up local group membership, rights, and object permissions for migrated accounts. To accomplish this cleanup, I chose the same options I used during the original resource update, then selected the cleanup option in the interface. The process worked very quickly; I cleaned up the HRDOMAIN server in about 10 seconds.

Domain Migration Wizard doesn't provide a way to clean up changes made to Exchange Server mailboxes. All the mailboxes still had permissions listed for the original and migrated account. You need to remove the original account access manually, outside the Domain Migration Wizard. The product supports full rollback of all migration activities, including Exchange Server mailbox updates.

A Very Good Tool
Aelita provides the most comprehensive suite of migration tools to enable smooth migrations for organizations of all sizes, from midsized companies to very large enterprises. All the tools were fairly intuitive, and I was happy with the suite's performance and functionality. The Domain Migration Wizard is my tool of choice for migrating from NT to Win2K. One shortcoming is the product's inability to access context-sensitive Help from some operational screens. But overall, Controlled Migration Suite met all my needs and performed well.

Controlled Migration Suite 5.0
Contact: Aelita Software * 614-336-9223 or
Web: http://www.aelita.com
Price: Starts at $17 per account; volume discounts available
Decision Summary:
Pros: Comprehensive tools cover all facets of migration;is easy to use;offers fast performance;provides good value
Cons: Application doesn't provide context-sensitive Help or cleanup for updated mailbox permissions

bv-Admin for Windows 2000 Migration 3.5 beta
I tested BindView's bv-Admin for Windows 2000 Migration 3.5 beta, which is part of the bv-Admin suite. BindView and Entevo merged in February 2000 in an effort to provide administrators a full suite of migration and directory-management tools.

The installation required me to enter a license key and took only 1 minute. Starting the tool launched DirectManage, which presents an MMC-like interface. A container with Projects, Templates, and Migration Utilities subgroups appeared in the Entevo DirectManage console, which Figure 4 shows.

Preparing the Migration
The bv-Admin package offers powerful tools to assist you in planning and modeling your migration. The bv-Admin suite lets you model and create an AD-type structured environment in NT 4.0 domains. You can then use that structure in bv-Admin for Windows 2000 Migration to populate AD and migrate users and groups.

To create a new project, I right-clicked the Windows 2000 Migrations container and chose Create from the context menu. The Create Migration Project Wizard guided me through several migration steps. I needed to specify whether I wanted to create an account migration project or a local group migration project. I chose to create an account migration project and specified whether my source and target domains were NT 4.0 or AD. To select user accounts to migrate, I had to select the domain from which I wanted to migrate the accounts. This step was confusing because even though I chose to migrate user accounts, I could select users, groups, and computers for migration. I selected only the check box for users, selected all the accounts, and clicked Next. I then received a prompt to specify the destination containers for the selected objects. Before specifying the destination, I created a new OU in my AD on the fly.

The product presented a thorough set of options (e.g., duplicate account handling, password handling, account disabling) to control the user-account migration. The program provided a unique option for associating well-known SIDs. When I selected it, this option merged security for well-known accounts such as Administrator and Guest in the target domain rather than treating them as duplicates. Overall, the wizard seemed a bit clumsy and nonintuitive for simple procedures such as connecting to a domain and specifying a destination.

Migrating Users and Groups
After I finished the migration configuration steps, I clicked Finish, which saved the project and created a subcontainer under the Windows 2000 Migrations container. I selected the subcontainer, which displayed a grid in the right pane. The grid listed the accounts I had chosen for migration and the groups that contained at least one migrated account as a member.

Right-clicking the project container displayed a menu of options: Trial Migrate, Migrate, Edit Project Settings, Edit Account Selection, Reports, and Create Template. I selected Trial Migrate to test my migration, and the trial migration completed without errors. Then, I selected the Reports item to view reports about the migration. The logical report groups made finding information about a specific migration element easy. The reports showed that the software didn't migrate groups with conflicting names the way I wanted it to. Assuming that the wizard would guide me through the necessary configuration steps, I hadn't set group migration options. Although I had selected the Migrate groups to which the user belongs check box, the program didn't present group migration options.

To configure group migration options, I edited the project settings and clicked the Groups icon. After I achieved and verified the results I wanted for my migration, I right-clicked the project container and selected Migrate to migrate users and groups. The tool took about 25 seconds to create the user accounts and groups in my AD domain. I created a template according to the settings for the migration project and used the template to set up projects for other domain migrations. The template kept the configuration of the subsequent migrations consistent; I had to modify only options specific to a given domain.

Updating Resources
After migrating my user accounts and groups to the AD domain, I chose to update resource permissions to give objects concurrent equal access to AD and NT domain accounts. I right-clicked a project and chose Update to open the Resource Permissions Wizard. I selected the PDC to update share permissions on. I chose the D$ and E$ administrative shares and began the resource update.

The bv-Admin for Windows 2000 Migration tool's resource-updating component was the slowest of the products I reviewed. The distributed resource permissions update tool didn't work in my test environment, so I had to use the centralized update method, which was very slow. BindView representatives said I would have received faster results from the distributed method and mentioned that the beta version's debug code also affects performance.

Another problem was that I couldn't update permissions for files that the Administrator account didn't have access to. This inability caused a considerable problem in migrating users' home directories, which only the owners have access to. To update permissions and provide the new AD account access, I had to take ownership as an administrator. If you use this tool for your migration, you'll need to do a lot of documentation, planning, and manual permission updating for directories that an administrator doesn't own or have access to.

Next, I used the Resource Permissions Wizard to update the permissions on my Exchange Server mailboxes. I ran into a dangerous bug during this step. As the product updated the mailboxes, it set the Primary Windows NT Account field for each mailbox to the first user account in my list of mailboxes to update. BindView is aware of this bug and plans to resolve it and other problems I discovered before the final product's release.

Domain Consolidation
I used the Resource Migration Wizard in an attempt to consolidate my HRDOMAIN, SALESDOMAIN, and PRODDOMAIN server resources to computers in the NTLAB.COM domain. However, I ran into another permissions problem with objects that the Administrator account didn't have access to. I was unable to migrate user home directories and other locked-down files. Again, given the destructive nature of taking ownership of an object, this inability presented a significant problem. Obtaining permission to these objects, moving them, then repermissioning them is no small task. Instead, I chose to translate security on the HRDOMAIN, PRODDOMAIN, and SALESDOMAIN servers and not consolidate them. BindView is investigating alternative methods to access these types of files, but the company has no scheduled time frame for implementing a solution.

Migrating Computers
I created separate projects to make my workstations members of the NTLAB.COM domain. I set each project to migrate computers, selected the computers for the product to migrate, and specified the target OU for the computer account. The product successfully migrated all computers and rebooted them as members of the new domain.

Cleanup and Rollback
The bv-Admin suite provides no cleanup utility. A BindView representative recommended I use BindView's bv-Control product to report on and modify permissions for the source accounts. I didn't use bv-Control for this purpose because the product is outside the realm of domain migration tools that I tested. Having a cleanup utility within the migration tool makes the most sense because the tool can leverage its saved history of activities for resources and accounts to ensure complete cleanup. You can use bv-Admin for Windows 2000 Migration to easily migrate users and groups, but the product doesn't provide facilities for rolling back a resource or updating Exchange Server mailboxes.

Not Quite Ready
The beta version of the bv-Admin package needs to overcome some sizable hurdles before it's ready for market. You can look forward to the future integration of this migration tool with other BindView products. The merger with Entevo should enable BindView to create a powerful suite of tools to handle any migration project, but the enhanced product might not be ready for early Win2K adopters.

bv-Admin for Windows 2000 Migration 3.5 beta
Contact: BindView * 713-561-4000 or
Web: http://www.bindview.com/
Price: $9.95 per user; volume discounts available
Decision Summary:
Pros: Planning and modeling tools are strong; performs migrations according to modeled environment; provides granular rollback of migrated objects
Cons: Permission update performance is poor; isn't able to access locked-down files; interface isn't intuitive

I tested FastLane's DM/Suite, which consists of DM/Administrator 4.5, DM/ Consolidator 2.1.1, DM/Developer 7.1, DM/Manager 5.1, and DM/Reporter 2.6. I installed all the tools except for DM/ Developer, which is a tool for developing directory-management applications.

Preparing the Migration
I installed DM/Reporter to assist with my migration project. DM/Reporter uses Seagate Crystal Reports as a back end for the creation of reports, then the Historical Data Collector tool collects data and maintains a database for quick report generation. When realtime reporting is necessary, DM/Reporter can query computers directly to gather information. You can define scopes to narrow report results. The product sets a one-domain-per-scope limit, so you can't set a scope to report on multiple domains.

Policy Manager is one of DM/ Reporter's most useful built-in features. Policy Manager is a set of tailored reports that helps you gauge policy compliance for categories such as computers, groups, and user accounts. These reports help ensure that you've appropriately configured all computers in your organization before migration.

The only DM/Reporter problem I encountered was the onscreen presentation of reports. The product didn't provide a way to change the report's font size, so when the text was too long for a field, the letters ran together, making the text unreadable.

I opened DM/Administrator, which provided the same granular control over NT 4.0 domain administration that AD offers. FastLane uses Migration Mapping Technology (MMT) to define migration settings in the DM/Manager component. The program saves MMT files in a delimited text format, which you can easily import into a spreadsheet or database or edit from a text editor. To streamline migration projects according to the environment's structure, DM/Administrator supports creating MMT files according to the DM/Administrator environment. I used DM/Administrator before the migration to model an AD structure. The ability to model an AD structure and test it in a live environment before migration makes DM/Administrator an extremely valuable tool for environments with distributed administration. The product's ability to create a migration project based on the modeled AD structure adds even more value.

Migrating Users and Groups
You use the DM/Manager component to migrate users and groups from an NT domain to a Win2K domain. The FastLane DM/Manager 5.1 interface, which Figure 5 shows, displays NT 4.0 domains in the upper pane and AD domains in the lower pane. DM/Manager includes a simple drag-and-drop migration feature for small migrations. To use the drag-and-drop method, you must configure all the standard options to migrate users, groups, and computers. Then, to migrate objects, you can drag them from NT domains to AD domains.

I chose to test the project-based migration capabilities in DM/Manager. DM/Manager's Project Manager keeps track of migration settings for an entire project and uses wizards to configure those migrations. I created a separate project for each domain migration. Separate migration wizards for users, global groups, and computers stepped me through choosing source and target domains and specifying parameters for handling the migrated objects. After configuring the project, I had the option of saving the configuration as an MMT file. After a preprocess routine verified that all objects could migrate successfully, I launched the migration.

Domain Consolidation
I installed DM/Consolidator to migrate files from the HRDOMAIN, SALESDOMAIN, and PRODDOMAIN servers to servers in the NTLAB.COM domain. DM/Consolidator scans the source and target hard disks, then builds a snapshot containing information about all the elements necessary to completely rebuild the server directory structure on a separate system.

I clicked Add Computer, then selected the computers that I wanted to migrate data from. The Add Computer Wizard launched, discovered that I needed to install DM/Consolidator on the selected computers, then stepped me through installing the software. I configured the source and target shares for replication and configured general options for copying the files. The option to rename duplicate shares and folders during consolidation was very useful in my environment because I was consolidating similar shares from multiple servers to single servers. DM/Consolidator was able to keep security intact and migrate all my specified files and folders regardless of ownership or access permissions.

Translating Security
After the software completed the migration of all the accounts and groups, I used the Enhanced Updater tool to update security for the migrated accounts across my servers and workstations. Enhanced Updater provides local updating of a machine's resources by distributing an updater to handle jobs locally and report the results to the administrative console. I added a list of computers to update to Enhanced Updater's queue and configured Enhanced Updater to update local groups, ACLs, profiles, and user rights on those computers. The Enhanced Updater Controller window lets you monitor an update job from installing Enhanced Updater to completing the update.

I used Exchange Updater to update permissions on the Exchange Server mailboxes for all my migrated users. The process was very simple. I selected my Exchange Server system from a list of domains and clicked the Update option. After the software completed the update, a log file displayed a summary of the updated items and the View Report option let me view an extensive description of updated items.

Migrating Computers
You can migrate computers the same way you migrate users and groups. I used the DM/Manager*Project Manager to run the Computer Migration Wizard. The wizard stepped me through choosing a source and target domain, target OU, and which computer to migrate. I also directed the migrated computers to reboot in 5 minutes and display a message informing the user about the reboot. As with the other migrations (i.e., the users and groups migrations), a preliminary process verified that the operation could complete error-free; I then performed the migration. The migrated workstations rebooted on schedule and became members of the target domain.

Cleanup and Rollback
DM/Manager can roll back any migrated item except migrated computers and Exchange Server mailbox permission updates. Rolling back a migration also results in the rollback of resource updates for that migrated account. The documentation warns about the possible loss of permissions as a result of rolling back a migration.

A Thorough Set of Tools
FastLane provides a complete set of tools for managing a migration project from start to finish. As a first-time user, I thought the components seemed loosely integrated and didn't leverage the advantages of being a suite. The suite's price was higher than other products that offered the same functionality. The many migration options and the ability to create migration projects according to a pretested modeled environment are features that might make the product worth the extra cost. Overall, the product did everything I required and was fairly intuitive and easy to use.

Contact: FastLane Technologies * 902-421-5353 or
Web: http://www.fastlane.com/
Price: $25 per account; volume discounts available
Decision Summary:
Pros: Lets you model environments; provides easy drag-and-drop migration; has undo capabilities; includes a good domain consolidation tool
Cons: Has poor Exchange Server mailbox update performance; provides no cleanup for updated mailbox permissions; report format isn't customizable

Domain Migration Administrator 6.10
NetIQ's Domain Migration Administrator 6.10 was the easiest product to learn and to use to start performing migrations. The company built all the migration tools into the Domain Migration Administrator interface, so all operations retain a consistent look and feel.

I installed Domain Migration Administrator onto the Corp server from the installation CD-ROM. I pointed the installation program to a license key file and installed and licensed the software in less than 1 minute. Domain Migration Administrator uses an MMC snap-in for all operations, and the console's left pane displays the Domain Migration Administrator container, which Figure 6 shows. Selecting the Domain Migration Administrator container displays the Migrate Trusts, Map and Merge Groups, Migrate User Accounts, Migrate Groups, Translate Security Settings, and Translate Security for Exchange Mailboxes tasks in the right pane. Each task in the list includes a brief description of its intended use.

Creating a Project
I began my migration by selecting Create a Migration Project, which launched the Project Settings Wizard. I could create a new project or import a project from a Microsoft Access database (MDB) file. I chose to create a new project. Several steps prompted me to specify a source and target domain, choose whether to skip disabled accounts, and name the new project. This process created a Sales 2 Corp container for my new project under the Domain Migration Administrator container. Selecting the Sales 2 Corp container displayed a split right pane; the left section of the pane displayed the project status, and the right section displayed icons to run specific migration tasks. The right section of the pane organized the tasks under Defining the Project, Preparing the Migration, and Performing the Migration headings and listed the tasks in the order I needed to perform them.

I opened the Project Object Selection Wizard and selected the users, groups, and computers to migrate. After I selected those items, a Data Modeling window opened. From the window, I chose fields to add to an Access database for data modeling. This feature provides granular control over how objects make the transition from source to target domain. Access 2000 must be available on the same system as Domain Migration Administrator before you can take advantage of this capability. After I selected the objects to migrate, additional tasks necessary to complete the project appeared in the right console pane.

I next needed to specify Fast Track Settings. The Migration Settings Wizard helped me configure a target OU in the AD, name-conflict handling, account renaming, password options, account disabling, account skipping, terminal server profiles translation, and roaming profiles translation. The specified settings apply to all migrations in the project, but you can use database modeling for a migration to override any setting.

NetIQ also offers Directory and Resource Administrator for distributed administration of NT domains. You can use Directory and Resource Administrator's ActiveViews structure as a source for populating AD and migrating users and groups in Domain Migration Administrator.

Preparing the Migration
I opened Reporting Wizard and specified which directory to store the reports in. I selected a variety of reports that would be helpful in preparing my migration, then the program generated the reports and saved them in HTML format to the specified directory. The program also created a Reports container under the Sales 2 Corp container. The report list included all possible reports, even those that hadn't yet run. I selected a report that hadn't run, when the right pane displayed a message that said the report hadn't been run but that I could run it by clicking a link. I clicked the link to generate and display the report on the fly.

I then went into the Service Account Migration Wizard to find accounts that services use to log on to the system. This process used Domain Migration Administrator Agent to perform a task on a remote system. The agent queried my server for accounts that a service was using for logon, listed the account name and related service, and selected that account to include it in the migration.

The next step was to import modeling data into the Access database. The program imported the 270 objects I had selected for migration into Access in about 40 seconds. After importing the data, I could choose to edit either the user data or group data. I made minor changes to a few user and group descriptions in the database, then exited Access. The modeling capability is a very simple yet powerful tool for previewing and making changes to a migration project. From the Access interface, you can make minor or wholesale changes to any migration project before you perform the migration.

Migrating Users and Groups
The Trust Migration Wizard recognized that a bidirectional trust relationship between my source and target domains was in place, so no action was necessary. I then launched the Group Mapping and Merging Wizard to learn how to merge multiple groups from a source domain into one group in the destination AD domain. This tool is good for cleaning up groups with redundant permissions.

The User Account Migration Wizard lets you perform a test migration to confirm that the migration will run without errors, then performs the migration. I also had the option to use the configured Fast Track Settings or the modeling database to migrate user accounts. I chose to use the modeling database, then the User Account Migration Wizard stepped me through the prepopulated migration settings, which showed the values I had selected in the Fast Track Settings. The wizard also reminded me about the service account that the Service Account Migration Wizard discovered earlier, and I chose to migrate that account. After verifying the settings, the program migrated user accounts to the destination OU in the target AD domain. The results pane's status section showed the migration of 266 of the 268 users. I checked the migration log and found messages for the Administrator and Guest accounts explaining that Domain Migration Administrator doesn't process built-in NT accounts.

I then launched the Group Account Migration Wizard, which lets you use either Fast Track Settings or the modeling database to perform a test or actual migration of groups from the source to the target AD domain. I chose to use the modeling database for this domain. The migration processed 17 groups and migrated 9 of those groups. An error message showed that Domain Migration Administrator doesn't process built-in accounts or change the membership of built-in groups. I examined the migration log file and verified that the eight unmigrated groups were built-in NT groups. After migrating users and groups, additional icons appeared for translating security and synchronizing passwords.

Server Consolidation
Part of my migration project's design included consolidating the HRDOMAIN, PRODDOMAIN, and SALESDOMAIN servers' functions and distributing them among servers in the NTLAB.COM domain. NetIQ said the company will include a server consolidation tool in the Domain Migration Administrator 6.2 release but didn't have this tool available at press time. Manually moving resources from those domains would require taking ownership as an administrator of some objects. Taking ownership results in some destructive side effects to original ACLs that skew the testing of security translation (i.e., reassigning ACLs). I chose instead to translate security on the HRDOMAIN, PRODDOMAIN, and SALESDOMAIN servers and not consolidate them.

Translating Security
I opened the Security Translation Wizard to update ACLs and give both the original and migrated accounts access to appropriate files. I received a prompt to specify which users' files to update and on which computers to update those files. The program dispatched Domain Migration Administrator Agent to each selected computer. The agent performed the security translation and reported the status to the Domain Migration Administrator console, which detailed the operation. Domain Migration Administrator Agent automatically removes its program from the remote computer after the agent completes its job. The security translation for the Files and Users shares on the HRDOMAIN server took about 15 seconds.

In the next project step, I used the Exchange Directory Migration Wizard to translate security for Exchange Server mailboxes. For the Wizard to perform its job, I needed to install the Microsoft Exchange Administrator application on the same computer as Domain Migration Administrator. I chose to add equivalent security references for each user-migrated mailbox in the AD domain. The wizard updated 246 mailboxes with the appropriate permissions in about 20 seconds, which was extremely fast compared with the other products I tested.

Migrating Computers
Domain Migration Administrator lets you remotely rename a computer and change its domain membership. I used this capability to make my workstations members of the NTLAB.COM domain after I had updated and verified the functionality of all the users, groups, and objects. This capability works only for member servers or workstations, so you can't use it on a domain controller. The Computer Migration Wizard stepped me through selecting computers to migrate, choosing the destination OU, selecting objects for security translation, and specifying the number of minutes before a reboot occurs.

Cleanup and Rollback
After verifying appropriate access to files and mailboxes by the accounts in the AD domain, I began the cleanup phase. Cleanup of ACLs was simple because I only needed to repeat the steps I used for translating security. This time, I selected the check box to remove security for the original accounts. Cleaning up the Exchange Server mailbox permissions was also simple, using the same remove-security functionality. The program supports undo only on the last operation performed.

Domain Migration Administrator 6.10
Contact: NetIQ * 408-330-7000 or 800-814-9130
Web: http://www.netiq.com/
Price: $9 per account
Decision Summary:
Pros: Has an intuitive interface; provides good performance for permission updates; offers mailbox permission cleanup functionality
Cons: Doesn't provide a consolidation tool; console scrolled to the top instead of staying in place during task execution
Corrections to this Article:
  • Lab Reports: "NT-to-Win2K Migration Tools" states that NetIQ's Domain Migration Administrator 6.2 will include a domain consolidation tool. The product will include a server consolidation tool. We apologize for any inconvenience this error might have caused.
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.