The Sysadmins

Tips and tricks from the Sysadmins

ADMT Series – 4. Password Export Server

During the user account migration you have the option to migrate passwords from the source domain user accounts to the target domain. If you choose to use this feature there are a few prerequisite steps to carry out. The feature is very useful because it removes the need to communicate new passwords to end users.


Migrating Password Prerequisites

Before you can migrate passwords, you will need to install the Password Export Server (PES) onto a domain controller in the source domain.

Download the tool (pwdmig.msi) here: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=10370 or https://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=53422

Before you install PES onto a DC in the source domain you need to create an encryption key on the machine running ADMT in the target domain. In our case this is ADMT.target.local. From an elevated command prompt run:

admt key /option:create /sourcedomain:source.local /keyfile:"c:\PES Key\PES.pes" /keypassword:*

Now head over to a DC in the source domain (AD01.source.local), copy the key file across, then download and run the PES installer (pwdmig.msi). When prompted, choose the PES.pes key file you created on the ADMT machine. The key file is sensitive material, so delete the copy on the DC once the installer has consumed it.

Provide the password you used when creating the key.

ADMT provides the option to run the PES service under the Local System account or under the credentials of an authenticated user in the target domain. It is recommended that you run the PES service as an authenticated user in the target domain.

The installation is now complete; restart the domain controller.

For password migration to work you will need to start the Password Export Server service manually. Start it only while you are running the user account migration, and stop it again as soon as you have finished, since while it is running the DC will hand out password hashes to the ADMT machine.
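The steps above as one script, added here as an example; it is not code from the original post or from Microsoft's ADMT documentation. It assumes admt.exe is on the PATH of ADMT.target.local, WinRM is enabled on AD01.source.local, the PES service's display name begins with "Password Export Server", and the `admt user` options at the bottom (`/passwordoption:copy`, `/passwordserver`, `/includefile`) match your ADMT version; the hostnames and paths are the ones used in this series and the users.txt include file is a placeholder you must supply.

```powershell
# Added example (not from the original post). Wraps the PES workflow:
# create the key on the ADMT machine, stage it on the source DC, then run a
# migration with the PES service started only for the duration of the run.
# Assumptions: admt.exe on PATH, WinRM enabled on the source DC, PES service
# display name starts with "Password Export Server". Run from an elevated
# Windows PowerShell prompt on ADMT.target.local.

$SourceDomain = 'source.local'
$TargetDomain = 'target.local'
$SourceDC     = 'AD01.source.local'
$KeyDir       = 'C:\PES Key'
$KeyFile      = Join-Path $KeyDir 'PES.pes'

function New-PesKey {
    # Step 1: create the encryption key in the target domain. /keypassword:*
    # makes ADMT prompt for the password instead of leaving it in shell history.
    New-Item -ItemType Directory -Path $KeyDir -Force | Out-Null
    & admt.exe key /option:create /sourcedomain:$SourceDomain /keyfile:"$KeyFile" /keypassword:*
    if ($LASTEXITCODE -ne 0) { throw "admt key /option:create failed (exit code $LASTEXITCODE)" }
}

function Copy-PesKeyToSourceDC {
    # Step 2: stage the key on the source DC for the PES installer. The key is
    # sensitive: delete this copy once pwdmig.msi has consumed it.
    $remoteDir = "\\$SourceDC\C$\PES Key"
    New-Item -ItemType Directory -Path $remoteDir -Force | Out-Null
    Copy-Item -Path $KeyFile -Destination $remoteDir
}

function Get-PesServiceName {
    # Resolve the service name on the DC rather than hard-coding it (assumption:
    # the display name starts with "Password Export Server").
    $svc = Invoke-Command -ComputerName $SourceDC -ScriptBlock {
        Get-Service -DisplayName 'Password Export Server*'
    }
    if (-not $svc) { throw "PES service not found on $SourceDC; install pwdmig.msi and reboot first" }
    return $svc.Name
}

function Invoke-WithPes {
    # Steps 3-4: start PES only for the migration and always stop it afterwards,
    # even if the migration throws. Startup type stays Manual so a reboot of the
    # DC never brings the service back on its own.
    param([Parameter(Mandatory)][scriptblock]$Migration)

    $name = Get-PesServiceName
    Invoke-Command -ComputerName $SourceDC -ScriptBlock {
        param($n)
        Set-Service -Name $n -StartupType Manual
        Start-Service -Name $n
    } -ArgumentList $name
    try {
        & $Migration
    }
    finally {
        Invoke-Command -ComputerName $SourceDC -ScriptBlock {
            param($n) Stop-Service -Name $n
        } -ArgumentList $name
    }
}

function Test-PesStopped {
    # Post-migration check: the service must be stopped and must not be set to
    # start automatically.
    $svc = Invoke-Command -ComputerName $SourceDC -ScriptBlock {
        Get-Service -DisplayName 'Password Export Server*' | Select-Object Name, Status, StartType
    }
    return ($svc.Status -eq 'Stopped' -and $svc.StartType -ne 'Automatic')
}

# Usage:
New-PesKey
Copy-PesKeyToSourceDC
# ... install pwdmig.msi on AD01.source.local with the key, then reboot it ...
Invoke-WithPes -Migration {
    # Hypothetical user migration run (adjust options to your ADMT version and OUs):
    # /passwordoption:copy copies passwords via the PES DC named in /passwordserver.
    & admt.exe user /sourcedomain:$SourceDomain /targetdomain:$TargetDomain `
        /passwordoption:copy /passwordserver:$SourceDC /includefile:'C:\ADMT\users.txt'
}
if (-not (Test-PesStopped)) { Write-Warning "PES is still running on $SourceDC; stop it before leaving." }
```

The try/finally in Invoke-WithPes is the point of the wrapper: a migration that fails part-way must not leave the DC exporting password hashes until someone remembers to stop the service.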

ADMT Series – 1. Preparing Active Directory
ADMT Series – 2. Preparing the ADMT Machine
ADMT Series – 3. SID History
ADMT Series – 4. Password Export Server
ADMT Series – 5. Machine Preparation
ADMT Series – 6. Service Account Migration Wizard
ADMT Series – 7. Group Account Migration Wizard
ADMT Series – 8. User Account Migration Wizard
ADMT Series – 9. Merging Users with a Different sAMAccountName
ADMT Series – 10. Security Translation Wizard – Local Profiles
ADMT Series – 11. Computer Migration Wizard

13 Comments

  1. Loving the series so far, any idea when the rest will be available?

    thanks

    N.

    • Tom@thesysadmins.co.uk

      April 25, 2012 at 10:34 pm

      Thanks! I’d like to have the bulk of the series completed in the next 4-5 weeks and will hopefully get some time this weekend to put another post up.

  2. Thought I wrote this last night but it appears I didn’t hit submit.
    Not sure what causes this but I could not get past this error: “the password does not match this encryption key”
    Until (after days of searching) I came across a blog on blogger (http://clintboessen.blogspot.com/2009/10/windows-server-2008-admt-31-pes.html) that now appears to be gone,
    stating to run the pwdmig.msi from an administrative command prompt: msiexec -i pwdmig.msi
    This fixed the problem and the password utility finally installed correctly! This is must have information!

  3. I am loving this guide and appreciate the time you took out to do this. Good work man.

  4. Not sure if I’m the only one to ever encounter this but it seems like passwords are being sent over as somewhat complex ~16-character hashes rather than what their actual password is…. Anyone ever seen this issue?

    • Tom@thesysadmins.co.uk

      August 15, 2013 at 9:28 pm

      Hey Andrew, Microsoft state:

      Passwords are copied from the source domain to the target domain in hash form; therefore, it is not possible for a password filter to verify that the complexity or length of the passwords meet the requirements of the organization. The target domain controller used to set the password can, however, verify password history by comparing the hash of the password against previous hashes.

      http://technet.microsoft.com/en-us/library/cc755729(v=ws.10).aspx

  5. Hi,

    Great article, however it seems Microsoft no longer provide a download for the PES? Have they moved the download link or have they stopped supporting this feature ?

    thanks

  6. To be able to use the “Migrate passwords” option, I had to import the PES key on my ADMT machine as well:
    admt.exe key /option:import /sourcedomain:source.local /keyfile:"c:\PES Key\PES.pes" /keypassword:*

  7. Dushyant Sharma

    August 15, 2016 at 2:20 pm

    Tom, this series answered all my problems with migration of AD. I just followed it step by step and it worked wonderfully. Thank you so much for investing your time and effort in this.
