Setting Up Password Export Server for Active Directory Domain Migration

Migrating user accounts between Active Directory domains, especially when moving from older, native-mode domains to newer environments in different forests, presents unique challenges. One significant hurdle is password migration. Fortunately, Domain Migration Administrator (DMA) version 7.2 and later provides a robust solution: the Password Export Server (PES). This article will guide you through the process of setting up the Password Export Server to facilitate secure password migration during Active Directory domain migration.

Understanding the Need for Password Export Server

When migrating from a native-mode source Active Directory domain, standard migration tools often fall short when it comes to passwords. Without a specialized tool, users would be forced to reset their passwords after migration, leading to disruption and increased help desk workload. The Password Export Server addresses this issue by enabling the secure transfer of passwords from the source domain to the target domain, ensuring a seamless transition for users.

This guide is specifically for setting up PES when migrating from a Windows 2000 or later native-mode domain to a domain in a different forest using DMA 7.2 or later. If you are using an older version of DMA, password migration from native-mode domains will not be possible.

Step-by-Step Guide to Installing Password Export Server

The installation process involves several key steps, starting with generating an encryption key, installing the PES software, and configuring necessary permissions.

1. Generate a Password Export Server Encryption Key File

Security is paramount when dealing with password migration. The Password Export Server uses encryption to protect passwords during transfer. To establish a secure, trusted connection between DMA and PES, you need to generate a unique encryption key file. This key is specific to your source domain and the DMA computer you are using.

Steps to create the encryption key:

  1. Prerequisites: Ensure that the Microsoft 128-bit high encryption pack is installed on the computer where DMA is running.
  2. Launch DMA: Start the Domain Migration Administrator application.
  3. Navigate to Key Creation: In the DMA console, either click Domain Migration Administrator in the left pane or select a specific project.
  4. Initiate Key Creation: Go to the Action menu and select Create Password Export Server Encryption Key.
  5. Configuration: The Password Export Server (PES) Encryption Key Creation window will appear. Fill in the required information. Use the Help option for details on each setting if needed.
  6. Create the Key: Click Create Key to generate the encryption key file.

Important Security Warning: For optimal security, it is strongly recommended to save the generated encryption key file onto removable media like a USB drive or CD-ROM. Storing it on your local hard drive poses a security risk. Unauthorized access to this key file could compromise the security of your domain by allowing malicious actors to potentially learn migrated account passwords. Handle this key file with extreme care.

2. Install Password Export Server in the Source Domain

With the encryption key generated, the next step is to install the Password Export Server on a domain controller within your source domain. This installation involves running an MSI package and then enabling PES functionality by modifying a registry setting.

Installation Procedure:

  1. Domain Controller Access: Log in to a domain controller in the source Active Directory domain using an account that is a member of the Domain Administrators group.
  2. Encryption Pack Check: Verify that the Microsoft 128-bit high encryption pack is also installed on this domain controller.
  3. Copy PES Files: Locate the necessary PES installation files on your DMA computer. By default, these files are located in the Program Files\NetIQ\PES folder. Copy the following files to the domain controller:
    • pwdmig.exe
    • pwdmig.ini
    • pwdmig.msi
  4. Run Installer: Execute the pwdmig.msi program on the domain controller. The installer will guide you through the process. You will be prompted to provide the PES encryption key file you created earlier. Insert the removable media containing the key file when requested.
  5. Complete Installation: Follow the on-screen instructions to complete the Password Export Server installation.
  6. Enable PES via Registry: After installation, you need to enable PES by modifying the Windows Registry.
    • Registry Editor Warning: Incorrectly modifying the registry can lead to serious system problems. Back up your registry before making any changes.
    • Modify Registry Value: Use Registry Editor (regedit.exe) to navigate to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and locate the AllowPasswordExport value under it.
    • Set the value of AllowPasswordExport to 1. This enables the Password Export Server to accept password migration requests. To disable PES later, you can set this value back to 0.


3. Configure Permissions and Group Policy in the Target Domain

To ensure successful password migration using PES, specific permissions and Group Policy settings must be configured in the target domain. These settings allow the necessary communication and access for password migration to occur.

Required Configurations in the Target Domain:

  1. Anonymous Access Group Policy:

    • Windows 2000 Target Domain: Set the Additional restrictions for anonymous connections Group Policy to None or undefined.
    • Windows 2003 and Later Target Domains: Configure the Security Options Group Policies that restrict anonymous access so that they permit it. Specifically, ensure each of the following is set so that it does not restrict anonymous access:
      • Network access: Do not allow anonymous enumeration of SAM accounts
      • Network access: Restrict anonymous access to Named Pipes
      • Network access: Restrict anonymous access to Shares
    • These settings are crucial for allowing the necessary communication between the source and target domains during the migration process.
  2. Grant Permissions to Pre-Windows 2000 Compatible Access Group:

    • Grant the Pre-Windows 2000 Compatible Access group Read permissions to the CN=Server,CN=System,DC=targetdom,DC=tld object in the target domain, replacing DC=targetdom,DC=tld with the actual distinguishedName of your target domain.
  3. Add Everyone Group to Pre-Windows 2000 Compatible Access Group:

    • Make the Everyone group a member of the Pre-Windows 2000 Compatible Access group. The Active Directory Users and Computers GUI does not allow this membership to be added.
    • Command Line Method: Use the command prompt instead to add the Everyone group:
      NET LOCALGROUP "PRE-WINDOWS 2000 COMPATIBLE ACCESS" EVERYONE /ADD
  4. Windows 2003+ Target Domains: Add ANONYMOUS LOGON User:

    • On Windows Server 2003 and later target domains, add the ANONYMOUS LOGON user account as a member of the Pre-Windows 2000 Compatible Access group.
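The following PowerShell script is an added example, not NetIQ's code or part of the original article: it performs the registry change from step 2.6 on the source domain controller and the permission and group-membership changes from steps 3.2 to 3.4 in the target domain, then reads each setting back to verify it. It assumes the ActiveDirectory module (RSAT) is available and the session runs with Domain Admin rights; the function names are this example's own.

```powershell
# Added example, not NetIQ's code: PowerShell equivalents of the manual steps
# in sections 2.6 and 3.2-3.4. Needs the ActiveDirectory module (RSAT) and a
# Domain Admin session. Function names are this example's own.
Import-Module ActiveDirectory

# Run on the SOURCE domain controller where PES is installed (step 2.6).
# Pass 1 to enable PES, 0 to disable it again once the migration is done.
function Set-PesExportState {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Enabled)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-ItemProperty -Path $key -Name 'AllowPasswordExport' -Value $Enabled -Type DWord
    # Read the value back so the caller sees what LSA will actually honour
    (Get-ItemProperty -Path $key -Name 'AllowPasswordExport').AllowPasswordExport
}

# Run in the TARGET domain (steps 3.2 to 3.4); returns a verification summary.
function Grant-PesTargetAccess {
    $group    = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access'
    $serverDn = "CN=Server,CN=System,$((Get-ADDomain).DistinguishedName)"

    # Step 3.2: grant the group Read on CN=Server,CN=System,<target domain>
    $acl    = Get-Acl -Path "AD:\$serverDn"
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow
    $rule   = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                         -ArgumentList $group.SID, $rights, $allow
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$serverDn" -AclObject $acl

    # Steps 3.3 and 3.4: ADUC refuses well-known principals, so use net localgroup
    # as the article does (exit code 2 just means "already a member").
    $null = net localgroup 'Pre-Windows 2000 Compatible Access' 'Everyone' /add 2>&1
    $null = net localgroup 'Pre-Windows 2000 Compatible Access' 'ANONYMOUS LOGON' /add 2>&1

    # Verify: well-known principals appear as ForeignSecurityPrincipal objects
    # named by SID (S-1-1-0 = Everyone, S-1-5-7 = ANONYMOUS LOGON).
    $members = (Get-ADGroup -Identity $group -Properties member).member
    $readAce = (Get-Acl -Path "AD:\$serverDn").Access |
        Where-Object { $_.IdentityReference -like '*Pre-Windows 2000 Compatible Access' -and
                       $_.AccessControlType -eq 'Allow' }
    [pscustomobject]@{
        ServerObjectReadGranted = [bool]$readAce
        EveryoneIsMember        = [bool]($members -match '^CN=S-1-1-0,')
        AnonymousLogonIsMember  = [bool]($members -match '^CN=S-1-5-7,')
    }
}
```

Run Grant-PesTargetAccess once in the target domain and check that all three fields report True before starting the user migration; Set-PesExportState 0 on the source domain controller reverses the registry change when PES is no longer needed.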

4. Migrate User Accounts

Once the Password Export Server is installed and configured along with the necessary permissions, you can proceed with migrating user accounts using Domain Migration Administrator. Refer to the DMA & SC User Guide for detailed instructions on the user account migration process itself.

Conclusion

Successfully setting up the Password Export Server is a critical step in ensuring seamless password migration during Active Directory domain migrations from native-mode environments. By following these steps carefully, you can enable DMA to securely migrate user passwords, minimizing disruption and maintaining user productivity during the domain migration process. Remember to prioritize security by properly handling the encryption key and carefully configuring permissions and Group Policy settings. This will contribute to a smoother and more secure domain migration project.
