As shown in the diagram below, I have a few users in the parent domain (vcloud-lab.com) and I will be migrating them to the child domain (child.vcloud-lab.com) using the ADMT tool installed earlier in PART 1.
Here are some gotchas I found while using the ADMT tool (Active Directory Migration Tool) between a parent and a child domain.
1) When migrating users, note down which groups they are in. If a group is a Domain Local group, that membership will be removed after migration.
2) If you would like to retain a user's group memberships, convert the associated groups to Universal groups, since a Universal group can contain users from other domains in the forest.
3) When the migration runs, the domain controller holding the Infrastructure Master role does all the work. Make sure all domain controllers in the forest can reach each other and are fully in sync.
4) Once the AD objects are migrated, the users are moved from the parent domain to the child domain.
5) Make sure you have Enterprise Admins permissions while performing these operations.
6) Passwords are retained, but "User must change password at next logon" will be set.
7) There must be a trust between the domains in the forest.
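The gotchas above (group scope, the trust and the Infrastructure Master's replication health) can all be checked before touching ADMT. The following PowerShell is an added example, not code from the original article: it assumes the RSAT ActiveDirectory module, uses the two domain names from the post, and the OU name MigrateUsers is an assumed placeholder.

```powershell
# Added example, not part of the original article. Requires the RSAT
# ActiveDirectory module. Domain names are from the post; the OU name is assumed.
Import-Module ActiveDirectory

$SourceDomain = 'vcloud-lab.com'
$TargetDomain = 'child.vcloud-lab.com'
$SourceOU     = 'OU=MigrateUsers,DC=vcloud-lab,DC=com'   # assumed OU holding the users

# Gotchas 1 and 2: record every group each user is in, with its scope.
# Domain Local membership is dropped by ADMT, and Global membership is lost
# unless the group itself is migrated; Universal groups keep the member.
$users  = Get-ADUser -Filter * -SearchBase $SourceOU -Server $SourceDomain
$report = foreach ($u in $users) {
    foreach ($g in Get-ADPrincipalGroupMembership -Identity $u -Server $SourceDomain) {
        [pscustomobject]@{
            User   = $u.SamAccountName
            Group  = $g.Name
            Scope  = $g.GroupScope
            # Domain Users is the primary group and is re-pointed by ADMT, so skip it
            AtRisk = ($g.GroupScope -ne 'Universal') -and ($g.Name -ne 'Domain Users')
        }
    }
}
$report | Sort-Object User, Group | Format-Table -AutoSize

# Convert the at-risk groups to Universal. -Confirm prompts per group. A Global
# group cannot be converted while it is a member of another Global group, and a
# Domain Local group cannot be converted while it contains another Domain Local group.
$report | Where-Object AtRisk | Select-Object -ExpandProperty Group -Unique |
    ForEach-Object { Set-ADGroup -Identity $_ -GroupScope Universal -Server $SourceDomain -Confirm }

# Gotcha 7: a trust must exist between the two domains (parent/child is intraforest).
Get-ADTrust -Filter "Target -eq '$TargetDomain'" -Server $SourceDomain |
    Select-Object Name, Direction, TrustType, IntraForest

# Gotcha 3: find the Infrastructure Master and confirm its replication partners are healthy.
$infra = (Get-ADDomain -Server $SourceDomain).InfrastructureMaster
"Infrastructure Master: $infra"
Get-ADReplicationPartnerMetadata -Target $infra -PartnerType Both |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
```

Run it from an account that is already an Enterprise Admin (gotcha 5); the group report is worth saving, because it is the only record of memberships that ADMT will silently drop, and any row with LastReplicationResult other than 0 should be fixed before the wizard is started.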
PART 1 : INSTALLING ADMT TOOL (ACTIVE DIRECTORY MIGRATION TOOL)
PART 2 : MIGRATE ACTIVE DIRECTORY USERS TO ANOTHER DOMAIN USING ADMT
Just to show how my Active Directory forest looks: I have the parent domain vcloud-lab.com and it has one child domain, child.vcloud-lab.com. On the left side of the screenshot are the users I want to migrate from vcloud-lab.com; I have moved them into a separate OU (Organizational Unit). I have created a Universal group, and the users to be migrated are members of this group (to show that group memberships are not removed even after migration). On the right-hand side, in the child domain, the OU is blank and I will migrate the users there.
Launch the Active Directory Migration Tool, right-click the node and click User Account Migration Wizard; there are other context menu entries for migrating groups, computers, service accounts and so on.
Once the User Account Migration Wizard launches, it explains that this wizard helps you migrate user accounts between AD domains in a different forest (interforest migration) or in the same forest (intraforest migration); I am using intraforest migration. The next screen, on the right-hand side, is for defining the source and target domain. Source is my parent domain vcloud-lab.com and target is child.vcloud-lab.com. You can select the domain controller from the list; what I found is that you must select the DC holding the Infrastructure Master role. As in my environment every DC is connected to every other, I am keeping the default, and it will automatically select the required domain controllers.
The next screen is User Selection Option for the parent domain. I will take the default, select users from domain (it is also possible to read the user list from a file). On the next screen, on the right side, choose and add users to the list, then click Next.
Once the users are selected, click Browse on the target child domain controller to choose the OU the users will be moved to.
When migrating users this tool can translate roaming profiles, update user rights and migrate associated user groups. I am keeping the default checkbox Update user rights; this way ADMT will try to maintain the user's group memberships (to retain those memberships where possible, make sure you change the associated groups to Universal; Global group memberships will still be lost; please read the Microsoft documentation on the impact before making such changes). Next is Migrate associated user groups, which is self-explanatory: user groups are also moved to the target domain. Check this box very carefully, as users can lose Global group memberships, which can cause an inability to access resources.
The next screen is about conflict management. Migration conflicts occur when an object in the target domain conflicts with an object being migrated from the source domain. The default option is do not migrate if there is a conflict. On the right side is the finish screen of the wizard with a summary; note the log file location, which defaults to c:\windows\ADMT\logs\migration.log, helpful later if there are any errors.
Once I click Finish it shows the migration process screen with the status. The users' status is copied and successful; if there are any errors they can be troubleshot using View Log.
Now I verify in my Active Directory Users and Computers console to view the migrated objects (compare with the screenshot pasted at the top; press F5 or right-click the domain and choose Refresh). Universal group memberships are retained for the users. One thing to note: passwords are retained, but the "User must change password at next logon" property is now checked. One of the errors I faced was that a user account had Exchange ActiveSync configured, and I had to delete those mobile devices from the Exchange server and with the ADSIEDIT tool before migration.
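The same verification can be scripted against the child domain instead of eyeballing the console. This PowerShell is an added example, not code from the original article: the domain name and log path are taken from the post, while the target OU name MigratedUsers and the ERR/WRN log-line pattern are assumptions.

```powershell
# Added example, not part of the original article. Domain and log path are from
# the post; the target OU name and the log line pattern are assumptions.
Import-Module ActiveDirectory

$TargetDomain = 'child.vcloud-lab.com'
$TargetOU     = 'OU=MigratedUsers,DC=child,DC=vcloud-lab,DC=com'   # assumed target OU
$LogFile      = 'C:\Windows\ADMT\Logs\migration.log'

# pwdLastSet = 0 is the "User must change password at next logon" flag that ADMT
# sets; MemberOf still lists the Universal group back in the parent domain, which
# is the membership the post expects to survive the move.
$migrated = Get-ADUser -Filter * -SearchBase $TargetOU -Server $TargetDomain `
                -Properties pwdLastSet, MemberOf, SIDHistory, whenCreated

$migrated | ForEach-Object {
    [pscustomobject]@{
        User               = $_.SamAccountName
        Enabled            = $_.Enabled
        MustChangePassword = ($_.pwdLastSet -eq 0)
        Created            = $_.whenCreated
        # group names parsed from the first RDN of each DN, so the parent-domain
        # Universal group is shown without querying the other domain
        Groups             = (@($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ')
        # ADMT adds the old SID to sIDHistory on an intraforest move; track it so it
        # can be cleaned up once resources are re-ACLed with the new SID
        SidHistoryCount    = @($_.SIDHistory).Count
    }
} | Format-Table -AutoSize

# Flag any user that came across with no group membership at all.
$missing = $migrated | Where-Object { @($_.MemberOf).Count -eq 0 }
if ($missing) { Write-Warning "Users with no group memberships: $($missing.SamAccountName -join ', ')" }

# Pull only error and warning lines from the ADMT log rather than reading it all.
Select-String -Path $LogFile -Pattern 'ERR', 'WRN' -CaseSensitive |
    Select-Object LineNumber, Line
```

A user listed with no groups is the symptom of the Domain Local or Global membership loss described in the gotchas, and the Exchange ActiveSync failure mentioned above is the kind of entry the log filter surfaces without scrolling through the whole migration.log.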
Next article will be about Active Directory Migration reports.