Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘ADMT’ Category

(2014-06-21) Installing PES v3.2 On W2K12(R2)

Posted by Jorge on 2014-06-21


To download PES see this blog post.

If, in addition to migrating objects (users, groups, computers, etc.), you also need to migrate passwords, then you must also install the Password Export Service (PES) on a(ny) writable DC in the source AD domain. PES cannot be installed on a read-only domain controller (RODC). By default, when migrating passwords, ADMT configures every target user account with "change password at next logon", unless "password never expires" (most likely service accounts) or "smartcard is required for interactive logon" is set on the source user account. After the password migration, it is also possible to revert the "change password at next logon" setting by using PowerShell, ADMOD or any other LDAP modification tool.

Assuming the OU "OU=Migrated-Users,DC=ADCORP,DC=LAB" contains all migrated user accounts…

  • PowerShell –> Get-ADUser -SearchBase "OU=Migrated-Users,DC=ADCORP,DC=LAB" -Filter * | %{Set-ADUser $_.SamAccountName -ChangePasswordAtLogon $false}
  • ADFIND/ADMOD –> ADFIND -b "OU=Migrated-Users,DC=ADCORP,DC=LAB" -f "(&(objectCategory=person)(objectClass=user))" -adcsv | ADMOD pwdLastSet::-1
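The two one-liners above clear the flag on every account in the OU. The following script is an added example (not code from the original post) that does the same job more selectively: it only touches accounts that actually carry the flag (stored in AD as pwdLastSet = 0), skips the two categories ADMT itself leaves alone, supports -WhatIf so you can preview the change, and lists anything still flagged afterwards. It assumes the ActiveDirectory module is available, that the OU distinguished name from the post is where the migrated accounts live, and that the caller has rights to modify them.

```powershell
# Added example, not from the original post.
# Clears "User must change password at next logon" on migrated accounts, except
# those with "password never expires" or "smartcard required", mirroring ADMT's own
# exceptions. Run with -WhatIf first to see what would be changed.
[CmdletBinding(SupportsShouldProcess)]
param(
    # OU from the post; adjust to your environment.
    [string]$MigratedOU = "OU=Migrated-Users,DC=ADCORP,DC=LAB"
)

Import-Module ActiveDirectory

# pwdLastSet = 0 is how "change password at next logon" is represented in AD.
$flagged = Get-ADUser -SearchBase $MigratedOU -Filter { pwdLastSet -eq 0 } `
    -Properties pwdLastSet, PasswordNeverExpires, SmartcardLogonRequired

foreach ($user in $flagged) {
    # Same two exceptions ADMT applies when it sets the flag in the first place.
    if ($user.PasswordNeverExpires -or $user.SmartcardLogonRequired) {
        Write-Verbose "Skipping $($user.SamAccountName): never-expires or smartcard-only"
        continue
    }
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Clear 'change password at next logon'")) {
        # Equivalent to the ADMOD command in the post: writes pwdLastSet = -1.
        Set-ADUser -Identity $user -ChangePasswordAtLogon $false
    }
}

# Verification: anything still flagged that is NOT in one of the exception categories.
Get-ADUser -SearchBase $MigratedOU -Filter { pwdLastSet -eq 0 } `
    -Properties PasswordNeverExpires, SmartcardLogonRequired |
    Where-Object { -not ($_.PasswordNeverExpires -or $_.SmartcardLogonRequired) } |
    Select-Object SamAccountName, DistinguishedName
```

Save it as a .ps1 and run it once with -WhatIf -Verbose to review the list before committing. Keep in mind that reverting the flag means users carry their migrated password forward unchanged; ADMT's default of forcing a change is the more conservative choice, so only clear it where the migration process justifies it.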

PES has a very tight relation with ADMT. Because of that you must first create a so called encryption key on the server where ADMT is installed before even starting the installation of PES!

To create the encryption key on the server with ADMT:

  • Open a command prompt window and navigate to the folder "C:\Windows\ADMT"
  • ADMT key /option:create /sourcedomain:ADCORP.LAB /keyfile:C:\Windows\ADMT\ADMTPESEncryptionKeyFile.pes /keypassword:*

Figure 1: Creating The Encryption File For PES On The Server With ADMT

Securely transfer the encryption key file to the writable DC (RWDC) that will host the PES service. You can now start the installation of PES.

Figure 1: Selecting The Encryption File For PES

Figure 2: Specifying The Password Securing The Encryption File

The "Password Export Server (PES)" can be configured to run with a service account. This enhancement removes the dependency on the "Pre-Windows 2000 Compatible Access" group, which PREVIOUSLY had to contain the well-known security principals "Everyone" and "Anonymous Logon" (in W2K only "Everyone", as that by default already contained "Anonymous Logon"). THEREFORE, preferably use a service account instead of the Local System account.

Figure 3: Specifying The Service Account That Will Be Used By The Password Export Service

The PES service account will be granted the "Log on as a service" user right. After the installation you must reboot the RWDC.
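After the reboot it is worth confirming that PES really runs under the dedicated service account and not as Local System, and that the "Pre-Windows 2000 Compatible Access" group is no longer relying on the "Everyone" / "Anonymous Logon" members the old PES required. The script below is an added example, not code from the original post or from the PES installer. It assumes it is run on the RWDC hosting PES, that the ActiveDirectory module is available, and that the PES Windows service is named PesSvc (an assumption; check with Get-Service if your installation differs).

```powershell
# Added example, not from the original post.
# Post-install checks for PES: service identity, well-known principals in the
# "Pre-Windows 2000 Compatible Access" group, and the "Log on as a service" right.
Import-Module ActiveDirectory

$PesServiceName = 'PesSvc'   # assumed service name for "Password Export Server Service"

# 1. Which account is the PES service running as?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$PesServiceName'"
if (-not $svc) { throw "Service '$PesServiceName' not found; check the name with Get-Service." }
"PES service account : $($svc.StartName)"
"PES state/startmode : $($svc.State) / $($svc.StartMode)"
if ($svc.StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') {
    Write-Warning "PES runs as Local System; re-run setup and supply a dedicated service account."
}

# 2. Does "Pre-Windows 2000 Compatible Access" still contain Everyone / Anonymous Logon?
#    Read the member attribute directly: it holds foreign-security-principal DNs
#    (CN=<SID>,CN=ForeignSecurityPrincipals,...), which avoids resolving well-known SIDs.
$wellKnown = [ordered]@{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'Anonymous Logon' }
$members = (Get-ADGroup 'Pre-Windows 2000 Compatible Access' -Properties member).member
foreach ($sid in $wellKnown.Keys) {
    $present = $members | Where-Object { $_ -like "CN=$sid,CN=ForeignSecurityPrincipals,*" }
    "{0,-16} ({1,-8}) : {2}" -f $wellKnown[$sid], $sid, $(if ($present) { 'PRESENT' } else { 'absent' })
}

# 3. Export the effective user-rights assignment and show who holds SeServiceLogonRight.
#    The exported line lists SIDs (prefixed with *), so expect the service account's SID here.
$tmp = Join-Path $env:TEMP 'pes-userrights.inf'
secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $tmp -Pattern '^SeServiceLogonRight' | Select-Object -First 1
"SeServiceLogonRight : $($line.Line)"
Remove-Item $tmp -ErrorAction SilentlyContinue
```

If "Everyone" or "Anonymous Logon" still show as PRESENT after PES has been switched to a service account, review whether anything else in the domain still depends on them before removing them; the point of the service-account option is that PES itself no longer does.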

For additional info see the ADMT Migration Guide.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in ADMT, Migration/Upgrade, PES

(2014-06-20) Installing ADMT v3.2 On W2K12(R2)

Posted by Jorge on 2014-06-20


To download ADMT see this blog post.

To be able to install the latest version of ADMT, it must be either a GUI based member server (preferred!) or a writable DC (RWDC). Server Core installations are not supported, nor is it possible to install on a read-only domain controller (RODC).

Remember that you require either SQL Express or SQL Server to be able to use ADMT. While using W2K12R2 I was not able to use the Windows Internal Database feature. For the free version of SQL I had to download and install SQL Express. The latest available version (at the time of writing) of SQL Express (Microsoft SQL Server 2012 Service Pack 1 (SP1) Express) can be downloaded through this link. During the installation of SQL Express you may be invited to download and install additional updates. After installing SQL (Express), you can start the ADMT install. It is not possible to upgrade existing ADMT installations. You must uninstall old ADMT versions before installing the latest version. Assuming you chose to use SQL Express, the default instance name is .\SQLEXPRESS, as you can see below in the picture.
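The requirements in the two paragraphs above (GUI-based server, not an RODC, a SQL instance in place, no older ADMT still installed) are easy to forget on a host that has been around for a while. The script below is an added example, not code from the original post or from ADMT, that checks all four before you start the installer. It assumes it is run on the intended ADMT host, that the ActiveDirectory module is available for the RODC check, and that SQL Express was installed with the default instance name from the post (.\SQLEXPRESS).

```powershell
# Added example, not from the original post.
# Pre-flight checks for an ADMT v3.2 installation on W2K12(R2).
Import-Module ActiveDirectory

$results = [ordered]@{}

# 1. Full (GUI) server, not Server Core. InstallationType is "Server" or "Server Core".
$installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
$results['GUI-based server (not Core)'] = ($installType -ne 'Server Core')

# 2. If this host is a domain controller it must be writable; an RODC is unsupported.
#    A member server is fine (and preferred), so "not a DC at all" passes this check.
$isRodc = $false
try {
    $dc = Get-ADDomainController -Identity $env:COMPUTERNAME
    $isRodc = [bool]$dc.IsReadOnly
} catch {
    # Not a DC (identity not found): nothing to check.
}
$results['Not an RODC'] = (-not $isRodc)

# 3. SQL Express service for the default instance name used in the post.
$sqlInstance = 'SQLEXPRESS'
$sqlSvc = Get-Service -Name "MSSQL`$$sqlInstance" -ErrorAction SilentlyContinue
$results["SQL instance .\$sqlInstance running"] = [bool]($sqlSvc -and $sqlSvc.Status -eq 'Running')

# 4. ADMT cannot be upgraded in place: look for an earlier version in the uninstall keys.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$oldAdmt = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like '*Active Directory Migration Tool*' }
$results['No previous ADMT installed'] = (-not $oldAdmt)

# Report.
foreach ($entry in $results.GetEnumerator()) {
    "{0,-34} {1}" -f $entry.Key, $(if ($entry.Value) { 'OK' } else { 'FAIL' })
}
if ($oldAdmt) {
    "Uninstall first: " + (($oldAdmt | ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" }) -join '; ')
}
```

Every line should read OK before you launch the ADMT installer; a FAIL on the SQL check usually just means the SQL Express service has not been started yet after its own installation.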

Figure 1: The Default Connection String For SQL Express

Figure 2: ADMT Being Installed

Figure 3: The Possibility To Import Old ADMT Databases

Figure 4: The Installation Of ADMT Finishing Successfully

On W2K12(R2), after clicking the Start button, do not search "ADMT", but rather search for "Active Directory Migration Tool" or just "Migration".

Figure 5: The ADMT GUI

For additional info see the ADMT Migration Guide.

Cheers,
Jorge

Posted in ADMT, Migration/Upgrade, PES

(2014-06-19) Microsoft Released An ADMT Version To ALSO Support W2K12(R2)

Posted by Jorge on 2014-06-19


As mentioned about 6 months ago in this blog post, Microsoft was going to release an update for ADMT to support W2K12(R2). Well, the time has come and Microsoft has made available an update to provide for that support.

You can download the new ADMT version from CONNECT and you need to sign in with your Windows Live ID. All previous versions of ADMT are now deprecated! This version of ADMT supports Windows/AD versions up to the latest and greatest Windows Server 2012 R2.

Navigate to https://connect.microsoft.com/directory/non-feedback and, somewhere near the top (at the time of writing), find the entry with "Azure Active Directory Customer Connection" in the "product" column and "Windows Server Active Directory Migration Tool (ADMT)" in the "program" column. Then, in the "actions" column, click "join" to join the program. If you do not see "join" but rather "quit", then you are already able to download ADMT. To download the ADMT update, click on "Windows Server Active Directory Migration Tool (ADMT)". On the resulting page you will see a link for both ADMT and PES.

Click on "Active Directory Migration Tool (ADMT) QFE – x86" to go to the download section for ADMT.

Click on "Password Export Server (PES) – x64" to go to the download section for PES.

Page 54 of the ADMT Migration Guide (see below for the link) explains how to install ADMT.

The latest ADMT Migration Guide in WORD format can be downloaded through this link. The web-based version of the ADMT Migration Guide can be downloaded through this link. For additional migration related information you may also want to check this link.

Regarding the installation of ADMT, check this link.

Regarding the installation of PES, check this link.

UPDATE 2015-01-17:

Cheers,
Jorge

Posted in ADMT, Migration/Upgrade, PES