Pre-creating user accounts in the target domain is a common scenario these days due to single sign-on solutions, HR management procedures, etc. This makes the user migration procedure more challenging. During the migration you need to make sure these accounts are properly “merged” with the correct SID information.
In this example, I will explain a procedure to migrate and merge user accounts using the Active Directory Migration Tool (ADMT). In Part II of this document I will explain the account migration and merging procedure using Quest Migration Manager (QMM).
I have pre-created user accounts in the target domain. Their logon name (sAMAccountName) is different in the target domain. My goal is to migrate an account from the source domain, merge it with the corresponding account in the target domain, and maintain the source SID in the migrated object.
My plan is to use an input file (include file) for the migration. This file contains a mapping between the source and target user accounts. I am using a TXT file. You can use CSV or any other format. Here is an example of my include file:
1. Open Active Directory Migration Tool console.
2. Right click on the Active Directory Migration Tool node and select User Account Migration Wizard.
3. On the Welcome window, select the correct source and target domains and domain controllers. Click Next.
4. Select Read object from an include file option on the User Selection Option window. Click Next.
5. In the Input File Selection window, click Browse and select the previously created include file. Click Next.
6. On the Organization Unit Selection window, select the correct destination OU. Click Next.
7. Select the appropriate option on the Password Options window. Click Next.
8. Select the appropriate option on the Password Options window. Make sure to select the Migrate user SIDs to target domain option. Click Next.
9. On the User Account window, enter the proper credentials. Click Next.
10. Select the appropriate options on the User Options window. Click Next.
11. Select the appropriate options on the Object Properties Exclusion window. Click Next.
12. Select the following options on the Conflict Management window. Click Next.
- Migrate and merge conflicting objects
- Uncheck Before merging remove user rights for existing target account – I have some pre-assigned groups and don’t want to remove those.
- Select Move merged objects to the specified target Organizational Unit – I am moving user objects from a pre-created OU to the Migrated OU after the migration.
13. Click Finish to complete the user migration process.
14. You will see the migration status on the Migration Process window.
Your target account should be merged and have the source account's SID in the sIDHistory attribute.
SID and sIDHistory Info:
When a User object is migrated from one domain to another, a new SID must be generated for the user account and stored in the ObjectSID property. Before the new value is written to the property, the previous value (ObjectSID from the source domain) is copied to another property of the User object, sIDHistory, in the target domain. So you can use the sIDHistory value to search the source domain by the ObjectSID attribute and identify the corresponding user in the source domain. In other words, the sIDHistory value will be equal to the source ObjectSID. You can check the SID and sIDHistory using the following procedure:
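One way to run this check for every pair in the include file, as an added example that is not the author's own procedure. It assumes the ActiveDirectory PowerShell module, an include file with a `SourceName,TargetSAM` header row whose `SourceName` values are sAMAccountNames, and placeholder domain controller names and file path.

```powershell
# Added example: confirm each merged target account holds the source ObjectSID in sIDHistory.
Import-Module ActiveDirectory   # RSAT Active Directory module

# Placeholders (assumptions, not values from the article):
$SourceDC    = 'dc1.source.example'
$TargetDC    = 'dc1.target.example'
$IncludeFile = 'C:\Migration\include.txt'   # assumed header row: SourceName,TargetSAM

$report = foreach ($row in Import-Csv -Path $IncludeFile) {
    $status = 'OK'; $src = $null; $tgt = $null; $history = @()
    try {
        $src = Get-ADUser -Identity $row.SourceName -Server $SourceDC -ErrorAction Stop
        $tgt = Get-ADUser -Identity $row.TargetSAM -Server $TargetDC `
                   -Properties SIDHistory -ErrorAction Stop
    } catch {
        $status = "LookupFailed: $($_.Exception.Message)"
    }
    if ($src -and $tgt) {
        $srcDomain = $src.SID.AccountDomainSid.Value
        $history   = @($tgt.SIDHistory | ForEach-Object { $_.Value })
        # sIDHistory entries issued by any domain other than the source need a manual review.
        $foreign   = @($tgt.SIDHistory |
                       Where-Object { $_.AccountDomainSid.Value -ne $srcDomain })
        if ($history -notcontains $src.SID.Value) { $status = 'SourceSidMissing' }
        elseif ($foreign.Count -gt 0)             { $status = 'ReviewForeignSidHistory' }
    }
    [pscustomobject]@{
        SourceName = $row.SourceName
        TargetSAM  = $row.TargetSAM
        SourceSid  = if ($src) { $src.SID.Value } else { $null }
        TargetSid  = if ($tgt) { $tgt.SID.Value } else { $null }
        SidHistory = $history -join ';'
        Status     = $status
    }
}
$report | Format-Table -AutoSize
```

A row with status `OK` means the target account's sIDHistory contains the source ObjectSID and nothing from another domain; any other status identifies an account to re-check before relying on the merge.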
Other Related Articles:
Active Directory Migration Using ADMT - http://www.sivarajan.com/admt.html
Computer Migration - Things to Consider - http://www.sivarajan.com/cm.html
ADMT Include File - http://portal.sivarajan.com/2011/06/admt-include-file.html
User Migration and Input File Format - http://portal.sivarajan.com/2010/12/user-migration-and-input-file-format.html