1, establish a two-way trust relationship on the target domain.
2. Turn off SID filtering on the target domain
SOURCE domain: old.com
Target domain: net.com
Netdom Trust Old.com/domain:net.com/quarantine:no
/usero:old\administrator/password:*
3, the ADMT tool is arranged on the target domain.
4. Run the command line ADMT key on the target domain to generate the. pes file (password is not the source domain administrator's password, but to protect the PES file password)
ADMT key old.com c:\*
5. Copy the. pes files on the target domain to the source domain.
6. Modify the security policy of the domain controller on the target domain to change the audit account management to "success" and "failure". The same is true on the source domain. Run the policy refresh tool after completion.
7. Modify a group in the target domain "ad users and Computers", "Pre-Windows Compatible Access" under the Bulitin container, and add anonymous Login;everyone two users to its group.
8, in the source domain installed password Export tool Set password export, in the installation process to find the copied. pes file. You cannot use the Password export tool if you want to modify the registry when you are finished.
(1) Turn on Password export function: hkey LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA below "AllowPasswordExport" key value, change 0 to 1;
(2) Allow the ADMT tool to access the SAM database: Hkey LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA The key value of the new DWORD type below, named " TcpipClientSupport sets the value to 1. and restart the computer.
9. Use the ADMT tool in the target domain to migrate users and computers, and use LDP to monitor SIDHistory.