Online Manual: "MigrateMagic"
Tools4ever's End-to-End Migration Solution
Abstract
Migrating from Windows NT4 to Windows 2000 can prove to be difficult
when using the Active Directory Migration Tool (ADMT). Tools4ever presents
the complete end-to-end migration solution by providing a product that
eliminates all important drawbacks of ADMT, while preserving its extremely
easy user interface.
Key aspects of Windows 2000 and Active Directory
With the arrival of the Active Directory services in Windows 2000, Microsoft
somewhat abruptly put an end to the existing domain model that Windows
NT uses. This new network model opens up a wide area of new possibilities
that were simply impossible with the older domain model. The new hierarchical
structure allows for intranets to span over several locations, or sites,
and tightens up security within the entire organization.
The new model also makes it virtually impossible for Windows 2000 servers
to coexist with Windows NT systems, so Microsoft incorporated the previous
domain model as well. However, Microsoft encourages all network administrators
to make the transition to the Active Directory model as soon as possible.
Microsoft's vision on migration
Because of the differences between the two models, Microsoft realized
that most network administrators would hesitate to make the transition
to Windows 2000. Microsoft feared that network administrators, afraid
of migration costs, impact on the organization and new investments in
hardware, would postpone their migration.
Microsoft responded to this concern by implementing the "Mixed-mode"
domain model. This allows for Windows NT and Windows 2000 domain controllers
to coexist peacefully. While this does not solve the transition, it allows
for a smoother migration process, in which it's possible to host users
on Windows NT and on Windows 2000 simultaneously.
To really alleviate the migration issue, Microsoft released the Active
Directory Migration Tool (ADMT), to help network administrators make the
final step to Windows 2000.
About the Active Directory Migration Tool (ADMT)
Microsoft released ADMT as a free download for Windows 2000 to help
network administrators migrate from Windows NT to Windows 2000 Active
Directory. ADMT allows several key resources, e.g. user accounts, computer
accounts, group accounts and service accounts to be migrated.
However, ADMT has some major drawbacks which make it less useful for
larger migration projects. These drawbacks are:
- No support for password synchronization.
- No removal of SIDhistory entries on Windows 2000 users.
- No removal of disabled and/or expired Windows 2000 users.
- No support for synchronizing data with ACLs.
Importance of password migration
Passwords are the most important security resources found on today's
networks. Using ADMT, these resources cannot be copied from Windows NT
to the Active Directory.
The absence of this functionality is very problematic, even for the
smallest networks. To cope with this drawback, only two options remain:
the network administrator supplies new passwords to all users, or each
user has to enter a new password. The latter implies a possible security
breach, because users may be allowed to log on to other users' accounts.
Both options take a considerable amount of time, especially when passwords
have to comply with a company security policy.
Native vs. Mixed mode
Microsoft implemented two models within the Active Directory, called
"Native" and "Mixed" mode. In "Mixed-mode",
both Windows NT and Windows 2000 servers can host users and process logon
requests, while in "Native-mode", only Windows 2000 servers
can perform these operations. Only in "Native-mode" is the full
functionality of the Active Directory, such as advanced replication features,
available.
While for most network administrators, the sudden change to Windows
2000 and immediately switching to "Native-mode" seems a bit
drastic, there's no need to worry. The only important thing to remember
is that all domain controllers need to run Windows 2000. All other servers,
like file servers and database servers, can continue to run Windows NT4.
Migrating directly to "Native-mode" is also a one-step operation,
which is a huge benefit. By skipping the additional step to "Mixed-mode",
the migration process is greatly simplified.
Switching to "Native-mode" also tightens up the security.
There are several advanced crack-engines available to derive passwords
from NT, while this is virtually impossible in Windows 2000. Certain crack-engines
are able to extract the password hashes from a Windows NT Primary Domain
Controller using a normal user account. Windows 2000 uses the "Kerberos"
protocol which makes it impossible for users except for the administrator
to access the password hashes.
SIDhistory? Do I need it?
The second drawback of ADMT is the lack of support for SIDhistory removal.
It became clear to Microsoft that a lot of network administrators hesitated
to migrate to Windows 2000. If the Active Directory runs in "Native-mode",
resources like files and printers that reside on Windows NT servers can
still be accessed by Windows 2000 users. This is accomplished through
the so-called SIDhistory attribute of a user. With this attribute, a user
holds rights in the Active Directory, but also retains the rights the
former user in Windows NT had.
While this seems a great way to make the migration process easier, ADMT
does not allow this attribute to be removed. If the migration process
is finished and there are no more Windows NT servers in the network, the
user shouldn't have any more rights to access those Windows NT servers.
Removing these attributes prevents security holes and avoids the performance
cost of security checks against servers that no longer exist.
ADMT: the migration solution... or not?
Microsoft released the Active Directory Migration Tool as a free supplement
on Windows 2000 to help network administrators and to convince managers
to migrate to Windows 2000. Microsoft developed ADMT as a wizard-based
MMC snap-in, which allows network administrators to migrate several key
resources from a Windows NT domain to the Windows 2000 Active Directory.
However, it soon became apparent that ADMT had some major shortcomings,
such as the absence of password migration, removal of SIDhistory entries
on migrated Windows 2000 users and the synchronization of data, including
their security settings, between Windows NT and Windows 2000. These drawbacks
made ADMT only useful to companies with smaller networks, while companies
with larger networks were forced to invest in expensive third-party migration
tools.
About MigrateMagic: the ADMT extensions
Tools4ever recently released MigrateMagic: the ADMT extensions to fill
the gaps ADMT left behind. With MigrateMagic, network administrators can
still use ADMT to migrate basic resources from Windows NT to Windows 2000,
while extending its functionality with MigrateMagic. MigrateMagic sports
the same wizard-based user-friendly interface, and thus virtually eliminates
a learning-curve.
MigrateMagic supports the synchronization of passwords between Windows
NT and Windows 2000 user accounts. It also allows network administrators
to get rid of obsolete SIDhistory entries, and supports the synchronization
of files and folders including ACLs.
Though MigrateMagic is a stand-alone product and doesn't require another
program to be installed, it relies on a separate migration tool to migrate
basic network resources, like user accounts.
ADMT and MigrateMagic: a perfect harmony
To provide an end-to-end migration solution, Tools4ever filled the gap
between ADMT and much more expensive third-party migration tools. By combining
the strength of the easy wizard-based approach of ADMT and the advanced
features of MigrateMagic, Tools4ever delivered a complete migration solution.
Migrate user accounts with ADMT and copy passwords with MigrateMagic
In this scenario, the user accounts are migrated from a Windows NT4
domain to the Windows 2000 Active Directory. To migrate the user accounts,
ADMT's User Migration Wizard is used. This wizard lets you choose the
source and target domain, the users which have to be migrated and several
options. Among these is the option to add a prefix or a suffix to the
username. This is an important option, because the usernames are about
to be modified. Once the wizard has finished, you can use the "Password
Migration" wizard from MigrateMagic. This wizard has the same layout
as the previous ADMT User Migration Wizard. In this wizard, you choose
the same target and source domain, as well as the users. Because MigrateMagic
needs to map the source and target users, specify the prefix or suffix
you chose earlier in ADMT's User Migration Wizard. After the wizard has
completed, your target users have the exact same passwords as the source
users.
Migrate user accounts with ADMT and remove SIDhistory with MigrateMagic
Like the previous scenario, migrate the user accounts using ADMT's User
Migration Wizard. Select the source and target domain, the users which
have to be migrated and the naming options. Once the wizard has completed
its task, start MigrateMagic and choose the "SIDhistory Cleanup"
wizard. This wizard lets you select the source and target domain, as well
as the users from which the SIDhistory should be deleted. The naming options
should reflect the options selected in ADMT's User Migration Wizard. After
the wizard has finished, the SIDhistory is removed from all selected users.
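A post-cleanup check for the SIDhistory scenario above, as an added example that is not part of the original manual or of MigrateMagic: it decodes binary sIDHistory values and reports accounts that still carry SIDs from a retired source domain. The domain SIDs and account names are constructed sample data, and the input is assumed to be an export of each target account's sIDHistory values.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary SID (the form stored in sIDHistory) to S-R-A-... text."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def str_to_sid(text: str) -> bytes:
    """Encode S-1-... text as a binary SID; used here to build the sample data."""
    fields = [int(p) for p in text.split("-")[1:]]
    revision, authority, subs = fields[0], fields[1], fields[2:]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def domain_of(sid: str) -> str:
    """A domain SID is the account SID without its trailing RID."""
    return sid.rsplit("-", 1)[0]

def stale_sid_history(accounts, retired_domains):
    """Map account name -> sIDHistory SIDs that belong to a retired domain."""
    findings = {}
    for name, raw_sids in accounts.items():
        hits = [s for s in map(sid_to_str, raw_sids)
                if domain_of(s) in retired_domains]
        if hits:
            findings[name] = hits
    return findings

# Constructed sample data: one retired NT4 domain, one domain still in use.
OLD_NT4 = "S-1-5-21-1004336348-1177238915-682003330"
OTHER = "S-1-5-21-2000000000-3000000000-4000000000"
ACCOUNTS = {
    "jsmith": [str_to_sid(OLD_NT4 + "-1105")],
    "mjones": [str_to_sid(OTHER + "-2210"), str_to_sid(OLD_NT4 + "-1130")],
    "newhire": [],  # created after the migration, no SIDhistory
}

if __name__ == "__main__":
    for user, sids in stale_sid_history(ACCOUNTS, {OLD_NT4}).items():
        print(f"{user}: still carries {', '.join(sids)}")
```

An empty result after the cleanup wizard has run means no selected account retains rights inherited from the retired domain.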
Migrate user accounts with ADMT and copy user data with MigrateMagic
Migrate user accounts using ADMT's User Migration
Wizard. After this wizard has finished, run the "Copy Home directory"
wizard from MigrateMagic. This wizard will copy all home directory data
from the Windows NT4 user account to the new location of the Windows 2000
user account. This does not need to be the same location, as MigrateMagic
retrieves the new home directory location from the Active Directory.