How to Migrate Local Server Users and Groups Only Between...

How to Migrate Local Server Users and Groups Only Between Member Servers
This document is to help migrate server accounts, local user accounts with properties and passwords
and local server groups from Windows server to Windows server with similar or different OS versions.
Both ADUM ServerMigrator and ManageRED Resemble solutions allow for the migration of local
accounts form server to server automatically.
Software Installation
Install either ADUM ServerMigrator or ManageRED Resemble on the target server. The target server is
the server where the accounts are to be migrated to.
Software Configuration



From the Menu Select Configuration and select Add or Remove Domains or Workgroups.
If the servers are in domains, type the NetBIOS domain name in upper case and click on Verify.
After it is successfully verified click the Add button then Close the window.
If the servers are in workgroups, type the NetBIOS workgroup name in upper case and click on
Add. A Special note for workgroups: Both source and target servers must be in the same work
group. The account being used for the migration must be Administrator, The Service account on
both the source and target servers must be Administrator and ALL Administrator accounts must
have the same password.


From the Menu select Configuration and Select either Add Remove Servers or Add Hidden
Server, if UNC naming format does not list the server.
With either option add both the source and target servers to the server list.
Pre-Migration Check


In the main UI select the source server from the left window labeled Source Servers.
From the Menu Select Server Migration and Choose PreMigration Check…
At this point all entries should have a green checkmark icon representing that each prerequisite is in
place for a successful migration. Click Close to continue or fix any issues and run the pre-migration
Check again until all prerequisites are met.
Pre-Migration Requirements
Requirements Prior to Resemble Installation
Multi Domain Migration - Windows Trust Requirements

Establish a two way trust relationship between domains if the migration involves multiple
domains



Verify the trust relationship – To verify, check that you are able to list accounts from each
domain in each domain
Add the Domain Admins group to each domain’s Administrators group
The account used to perform the migration must be a member of the target servers domain’s
Domain Admins group
Same Domain Server Migration Requirements


Verify or add the Domain Admins group to each server’s Administrators group
The account used to perform the migration must be a member of the domain’s Domain Admins
group
Windows Workgroup Server Migration Requirements




The account used to perform the migration must be the Administrator account.
If the Administrator account has been renamed the account must be changed to back to
Administrator on each server
The Administrator’s password on each server must be the same
On the target server check and verify that the Local Password Policy is equal to or less restrictive
then the source server’s password policy.
NetBIOS Naming Resolution Requirements




NetBios browsing must be enabled to resolve computer names
In the TCP/IP Advanced Network Card Properties of the source and target WINS tab enable
NetBIOS over IP for both the source and target servers
Verify that both source and target servers have Enable lmhost Lookup enabled
If naming resolution is an issue and server names are not resolved create an lmhosts file.
Group Policy Requirements



Verify that Windows Firewall is disabled on both the source and target server.
Verify IP Filtering is disabled for both the source and target servers in the Advanced TCP\IP
Options Setting to Permit All
On Windows 2008 servers, disable User Account Control (UAC)
Server Requirements





Verify that the Windows directory is shared as ADMIN$ on both the source and target servers
Verify that the drives are shared as C$, D$ E$ etc. on both the source and target servers
Verify that the Remote Registry services is running on both the source and target servers
Verify that the RPC services is running on both the source and target servers
Verify that EFS is disabled on both the source and target servers

Verify that the account used as the service account has Logon as a Service and Logon Locally
rights enabled on both the source and target servers.
Know Installation Issues:
The ADUM Scheduling service is not running
This is a common issue at the first installation. To remedy, connect to the server(s) that displays the
error, start the services MMC and navigate to the ManageRED Schedule service or FSTScheduler. Click
on the logon option. Re-enter the service account name and password and click Apply. If the service is
running, stop and restart the service.
Unable to Verify Source or Target Server Names
This issue will arise when the target server is unable to resolve NetBIOS Names. Create an lmhosts file.
Add the IP Address and name of the source domain server, add the IP address and the name of the
target server, add the IP Address of the domain controller and the domain name if required in a domain
scenario. Save the new lmhosts file. Register the lmhosts file to cache and verify the cache table that all
entries are in cache.
Administrator Account Password Containing Special Characters
A known LDAP issue exists if the first character of the Administrator’s password begins with a special
character. This issue will prevent connecting computers from the source to the target because LDAP
translation will drop the first character of the password, the password will become incorrect and the
operation will fail. To remedy this issue change the password of the source or target servers
Administrator’s password so that the password begins with an alpha-numeric character.
64 Bit Windows Servers
Resemble and ServerMigrator supports Windows 64-bit 2003, 2008 and 2008 R2 Servers. In order to
successfully copy 64-bit passwords check the LSA Settings in the Registry of the server that they match
the following details for the Security Packages entry for HKLM System\CurrentControlSet\Lsa\ Security
Pakages – Kerberose msv1_0 Schannel wdigest tspkg ONLY! Remove any other packages not in this list.
If you make changes to the LSA registry settings, you must reboot the server for the changes to take
effect.
Known Issues with Virus Software
Disable Virus software (Norton, Symantec, Sunbelt VIPRE, AVG, McAfee etc.) during installation and
during migration. Virus software will falsely mark and remove the password copy feature as a Trojan.
The User and Local Group Migration Process










Before you begin, create a fake empty folder on the source server on any drive. This fake folder
will be migrated to the target server with no files in order to start a migration project.
From the left window labeled Source Servers select the source server
On the Menu select Server Migration
From the dropdown select Member Server to Member Server Migration.
Enter a meaningful Project Name.
Select and add the fake folder that was previously created on the source server
Select the destination drive to copy the fake folder to
Click OK to begin.
From the popup Files and Folder Migration options select the Do Not Copy DATA (Files and
Folders) During the migration Process… option.
Click Continue

In the Ready to Start Project summary window click Continue
At this point the project will start and the summary of the actions will be displayed in the right Window
of the main UI.
The first step will re-verify the migration prerequisites. Once the verification phase is complete, the
collection process of objects and data begins locally on the source server. User information, group
information, file, folder and share information and security settings are collected and stored. In this
scenario copying of data is not executed.
When the collection phase is completed the collected data is imported to the target server and the
accounts and groups are recreated based on the collected information. Note - all created objects have
new SIDs assigned based on the SID of the target server.
When the project is completed, an option to save the results is displayed.
Results of the Local Account Migration
User Accounts





User account samAccountNames are recreated on the target server.
Passwords for each account are copied.
User name and description properties are copied to the target
Terminal server settings and properties are copied to the target server for each account that is
populated on the source server
All user rights are migrated to the target server
Local groups



Local group samAccountNames are recreated on the target server.
Group description properties are copied to the target
Group membership is populated with migrated accounts of the target server in the same
samAccountName structure as the source server.
How to Migrate local Server Accounts Between Member Servers – Copyright ADUM - ManageRED
Software 2012 all rights reserved.
Revision 1.0 Aug. 7, 2012
ADUM – ServerMigrator, ManageRED Resemble
ManageRED:
http://www.managered.com
Support Blog:
http://winzerofaqs.blogspot.com
Migration blog: http://domainreconfigure.blogspot.com
Twitter Updates: http://twitter.com/managered/
Akos Sandor
WinzeroTech, ManageRED, TECHNVR, ADUM, Resemble, ServerMigrator
Server migration, server account migration, user migration, Windows member server migration
How to Migrate Local Server Accounts Between Member Servers Only
How to migrate local server user accounts and local groups between member servers
8/7/2012