Tag Archives: Migration

Migrating User and Password Objects between Active Directory Forests

As part of some internal lab work, I had to move the user objects with their passwords to a new forest. It was key to migrate the passwords to ensure that disruption to the users was minimized.

To migrate the users, I used the Microsoft Active Direction Migration Tool (ADMT + documentation) alongside the Password Migration Service.

In this blog post I am going to cover;

  • Create connectivity between both AD Forests
  • Installing the ADMT software + Password Migration Service
  • Creating a user list for migration
  • Migrating User objects + Passwords between AD Forests

Create connectivity between both AD Forests

There must be IP network connectivity between the DC’s in your Forests.

DNS setup

You need to configure conditional forwarders between your forests, so they can resolve one another.

On the source domain controller;

  1. Open up the DNS console, and right click the Conditional Forwarder folder to create a new record.
  2. Enter your target domain name and IP address/es of your domain controllers in the target domain. Select “store this conditional forwarder in active directory”, to replicate to other DCs in the source domain.

It is also a good idea to add the target domain DNS suffix to your Source DC network adapter, this allows for short name resolution.

Repeat the same steps on the target domain controllers, pointing the conditional forwarder to your source domain.

After this, ensure you can successfully look up the domains from another with the correct Domain controller IP addresses being returned. Also check short name resolution works.

Create Active Directory Forest Two-Way Trust

Next you need to create a forest trust

  • You can read about the different options here

I will create a two-way forest trust which means we are able to authenticate users between domains, and this trust will be removed after I’ve migrated the users.

On the source domain controller

  1. Open Active Directory Domains and Trusts. right click your domain name and go to properties
  2. Click the trusts tab, and click the new trust button
  3. Enter the name of your target domain
  4. Select forest trust
  5. Select two-way trust
  6. Select forest wide trust
  7. Enter trust password (you will use this when you create the trust on the target domain side)
  8. Click next x2
  9. If you click to confirm the trust at this point, it will fail as it does not exist on the target domain side yet. (See screenshots)

Installing the ADMT software

Install this on your Target domain controller, or a machine in target domain. There is a requirement for an SQL server to host a database. I used SQL Express for the lab setup.

Installing the Password Migration Service

First you must generate an encryption key from a DC in your target domain. Open CMD as administrator and run;

admt /key option:create /sourcedomain:{source domain name} /keyfile:{folder path to save the file} /Keypassword:*

Using * for the pwd flag, will then prompt you for the password when the command is run

On your source domain, in the built-in Administrators group, add in the domain administrator from your target domain.

On the domain controller in your source domain, install the Password Migration Service.

When prompted, install the service as the domain admin from your target domain, this account will be added the log on as service right.

A reboot of the machine where this service is installed will be needed.

After the reboot, you will need to manually start the “Password Export Server Service”, after you’ve migrated your users, for security, you should stop this service.

Creating a user list for migration

The last step before migration, is creating a CSV file with a list of the users we want to migrate. I will do this using a simple PowerShell command

get-aduser –filter * -searchbase {OU full path} | Export-csv {path}

You can be more complex if you need to target users who are part of a security group or multiple OUs.

You will need to edit this CSV to use the accepted headers for use as an “include file” for ADMT. You can follow the official documentation for these headers.

Migrating users between AD Forests

Ok, we’ve finished the prep work. Now time to migrate the users.

  1. Open up ADMT console, right click on the Migration tool folder and select “User Account Migration Wizard”
  2. Type in your source domain, and select your target domain from the drop down
  3. Select the option “read objects from include file”
  4. Set your include file location and Source OU where your users are located
  5. Select the option to migrate the user’s passwords
  6. Select account options for after the migration
    1. If selected SID History Migration, accept the options
  7. Input the domain admin detail to authenticate to the Source Domain
  8. Configure user options for after the migration
  9. Select any user object attributes you do not want to be migrated
  10. Select your option for how to handle user conflicts
  11. Complete the user migration wizard
  12. Watch the progress, you also have easy access to view the logs from here
  13. Configure user’s password so that they do not need changing upon next login.
get-aduser -filter * -searchbase {OU path} | set-aduser -changepasswordatlogon $false


Hope this helps someone out there, I recommend that you read the ADMT document first before undertaking a migration of AD users in production, and then test in a lab environment.

VMware LifeCycle Manager – Migration error “SSH is not enabled or invalid” – LCMMIGRATION15102

During my migration from vRSLCM 2.1 patch 2 to the latest version 8 release, I encountered the following error;

Error Code: LCMMIGRATION15102

vRSLCM Migration Failed with SSH is not enabled or Root credential invalid. Please make sure SSH is enabled or porvide the correct root credential by adding the credential to the home page locker app

Pretty obvious error, however the provided root credentials were correct, and I could use putty to connect to my existing LCM instance.

The fix

Continue reading VMware LifeCycle Manager – Migration error “SSH is not enabled or invalid” – LCMMIGRATION15102

VMware vRealize LifeCycle Manager 8 – Migration Process Screenshots

VMware vRealize LifeCycle Manager 8 released earlier this week, 17th October 2019.

Note the official name and abbreviation, its a long one!

  • vRSLCM (vRealize Suite LifeCycle Manager)

You can find the supporting official documentation here;

What's New Blog Link:
What's New Blog Post

Download Link:
Product Download

Release Notes:
Release Notes

Documentation Link:
Migration Process

The best news about this release is the “easy installer“, which also allows you to migrate from older versions. In this post, I’ve documented the screenshots in steps for you, as I know many of you out there like to see the end to end process before you undergo an update yourself, so you know what to expect.

During this migration process the following will happen;

  1. New LCM virtual appliance deployed
  2. New IDM appliance deployed (unless you select to link to an existing environment)
  3. Existing LCM settings and content will be migrated
Migration Process Screenshots

Continue reading VMware vRealize LifeCycle Manager 8 – Migration Process Screenshots

Upgrading VMware vSphere 5.5 to vSphere 6.5 (VMUG Presentation)

Blog post born from a VMUG Presentation

Mid Feb, one of the London VMUG leaders posted on twitter, looking for someone to present on the subject of “upgrading from vSphere 5.5 to vSphere 6.5”.

So I jumped at the chance, kind of, and offered to present. This blog post covers the content from that presentation.

  • vSphere 5.5 – End of Support
  • vSphere 6.5 – New features
  • OK, so let’s just upgrade then?
  • The plugin’s
  • SSO is gone!
  • Understand your topologies
  • Pre-Upgrade Tasks
  • The Upgrade, the big event
  • Gotcha’s
  • VSAN Considerations
  • vShield Manager is no more! Upgrade to NSX Manager
  • Resources

The presentation is available to download here – http://vexpert.me/London-vmug-dean (case sensitive link)

Or I’ve figured out how to embed it from Slideshare.net below (But animations don’t seem to work);

vSphere 5.5 – End of Support
  • End of General Support for vSphere 5.5 is September 19, 2018
    • Includes vCenter 5.5, ESXi 5.5, VSAN 5.5
    • KB 51491
  • In the event you are unable to upgrade before the End of General Support (EOGS) and are active on Support and Subscription, you have the option to purchase extended support in one year increments for up to two years beyond the EOGS date.
    • Expect this to be more costly than general support.
    • SLA’s are more akin to that of basic support rather than production support
    • Annual security patch. Includes catastrophic/critical security fixes only
    • Ability to create hot patches for Severity 1 issues only
  • Technical Guidance for vSphere 5.5 is available until September 19, 2020 primarily through the self-help portal.
  • During the Technical Guidance phase, VMware does not offer new hardware support, server/client/guest OS updates, new security patches or bug fixes unless otherwise noted.
    • For example, there was no SPECTRE/Meltdown security patches released for vSphere 5.1

It’s not only the core vSphere 5.5 products that are affected, as we can see from the End-of-Support tracking page provided by virten.net. There are other VMware solutions that you have deployed that may also need upgrading.

Continue reading Upgrading VMware vSphere 5.5 to vSphere 6.5 (VMUG Presentation)