Awinish's Technical Blog

Let's continue the journey of learning & sharing!

Archive for October 4th, 2011

Quest and ADMT comparison

Posted by Awinish on October 4, 2011

There are various tools used for migration, such as ADMT (Active Directory Migration Tool) from Microsoft, DMM (Domain Migration Manager) from Quest, NetIQ, etc.

ADMT is a free tool from Microsoft with no licensing cost involved: any number of AD objects, servers and computers can be migrated to another domain without paying a single penny. The Quest tool is a paid product, and its licensing is based on the number of enabled users migrated, or on the number of mailboxes migrated for Exchange.

Each tool has its own pros and cons, but features and support should be considered first when choosing a migration tool. ADMT has its own advantages: support through the Microsoft forums, its workings are known to most administrators, and references are easy to find on the internet. Handling the Quest tool requires some skill and learning, Quest documentation is not easily available, and support can be expensive. So both tools have their own benefits and demerits.

The table below shows the features available with the Quest DMM tool and ADMT tool.

Continuous synchronization
Since migration can last for a long time, migrated data might become obsolete and need to be updated. To address this, ADMT performs remigrations throughout the process with different options. This means that it is necessary to repeat the same actions every day, requiring more time and manual effort. Migration Manager greatly simplifies this task, providing real-time directory synchronization and ensuring that critical data is kept up to date. Additionally, Migration Manager also provides two-way synchronization, making it possible to manage both directories simultaneously. This is especially critical for keeping passwords and group memberships up to date between the two environments.

Statistics portal
Migration Manager Statistics Portal gives you detailed information about the migration project.

Rollback
Migration Manager allows you to revert any performed changes at any time without restoring data from backup.

Inter-forest migration
ADMT cannot roll back resource updating tasks. Directory migration undo is restricted to the last session only; account merging cannot be undone.

Intra-forest migration
In case of intra-forest migration, ADMT deletes a source account and its tombstone immediately after moving it to the target domain. Functionality to roll back this operation is not provided – it is necessary to re-migrate the account and workstation from the target back to the source.

Migration without trusts
In some organizations, trusts between source and target domains cannot be established due to security reasons. Unlike ADMT, Migration Manager allows migration in this case.

Advanced object selection capabilities
ADMT uses a standard “select users and groups” dialog for object selection. It shows objects in a flat list and doesn’t allow filtering of disabled, expired, or system accounts.

Property population rules
Migration Manager lets you modify any object properties before the migration data is actually applied to the target domain, using import file technology. It allows you to populate values from an HR database or according to some other rules. ADMT does not allow you to modify all object properties, only the Container Name (CN), Relative Distinguished Name (RDN), sAMAccountName and userPrincipalName.

Security descriptor migration
If administrative rights are delegated on the OU level and you plan to preserve the existing delegation model after migration, security descriptors of OUs and accounts should be migrated. ADMT does not migrate security descriptors, and all permissions must be granted manually.

Consolidated resource updating
If you migrate multiple domains, resources should be updated for users from all domains. With ADMT, you have to update the same resources multiple times, separately for each source-target domain pair.

Workstation update
Migration Manager provides complete user workstation update. Whereas ADMT requires a reboot of the workstation in order to complete migration, only a logoff/logon is needed with Migration Manager. When migrating the workstation with Migration Manager, you can automatically change the default domain name on the workstations’ logon prompt, making the switch invisible to users. In contrast to ADMT, it also includes update of scheduled tasks and migration of certificates for encrypted files and mail.

Laptop update
Usually laptops are disconnected from the corporate network and cannot be updated as ordinary workstations. Migration Manager allows you to update laptops via user logon scripts and without additional interaction with users.

Server infrastructure update
Migration Manager updates:
• Active Directory
• Exchange 5.5/2000/2003/2007
• SharePoint Services 2.0/3.0, SharePoint Portal Server 2003/2007
• Internet Information Services 5.0/6.0
• SQL Server 7.0/2000/2005
• Systems Management Server 2003/System Center Configuration Manager 2007
• NAS/SAN devices
ADMT covers Exchange 5.5. ADMT has incomplete server resource updating. It requires a great deal of administrator effort because all permissions must be updated manually.

Clean-up SIDHistory
To preserve network security, the SIDHistory attribute of objects should be cleaned up after migration. ADMT does not provide this functionality.

Note: I’m neither a Quest agent nor an MS agent; the above is posted for reference and informational purposes only, to help with migration tool selection when performing a forest/domain migration based on cost and complexity.

The table posted above is taken from the Quest site.
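The last row of the table notes that ADMT leaves SIDHistory clean-up to the administrator. The following script is an added example, not from the original post or from either vendor: it reports every object in the target domain that still carries sIDHistory values, tries to resolve each old SID back to its source account, and offers a dry-run-by-default removal. It assumes the ActiveDirectory PowerShell module (RSAT) and rights to read and modify the migrated objects; the sample distinguished name at the end is a placeholder.

```powershell
# Added example, not from the original post: audit (and, once resources are re-ACLed,
# clear) the sIDHistory attribute left behind by a migration. Assumes the ActiveDirectory
# module (RSAT) and rights to read and modify the migrated objects.
Import-Module ActiveDirectory

function Get-SidHistoryReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Any object class can carry sIDHistory (users, groups, computers), so query ADObject.
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -SearchBase $SearchBase -Properties sIDHistory, objectClass |
        ForEach-Object {
            $obj = $_
            foreach ($sid in $obj.sIDHistory) {
                # A SID that no longer resolves usually means the source domain was decommissioned;
                # the entry is then only a stale authorization path and should be removed.
                try   { $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $resolved = '<unresolved>' }
                [pscustomobject]@{
                    Object          = $obj.DistinguishedName
                    Class           = $obj.objectClass
                    HistoricalSid   = $sid.Value
                    SourceDomainSid = "$($sid.AccountDomainSid)"
                    ResolvesTo      = $resolved
                }
            }
        }
}

function Clear-SidHistory {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $obj = Get-ADObject -Identity $DistinguishedName -Properties sIDHistory
    foreach ($sid in @($obj.sIDHistory)) {
        # -WhatIf / -Confirm come from SupportsShouldProcess, so a dry run is the default workflow.
        if ($PSCmdlet.ShouldProcess($DistinguishedName, "Remove sIDHistory value $($sid.Value)")) {
            Set-ADObject -Identity $obj -Remove @{ sIDHistory = $sid.Value }
        }
    }
}

# Report first; clear only after ACLs on file shares, mailboxes, etc. reference the new SIDs.
Get-SidHistoryReport | Sort-Object SourceDomainSid, Object | Format-Table -AutoSize
# Placeholder DN: Clear-SidHistory -DistinguishedName 'CN=Jane Doe,OU=Migrated,DC=target,DC=example' -WhatIf
```

Objects whose historical SID resolves to an account that still exists in the source domain are the ones whose resource permissions have not yet been re-ACLed; clear those last.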



Posted in Directory Services, Exchange, SCCM/SCOM | 7 Comments »

All About RODC (Read Only Domain Controllers)

Posted by Awinish on October 4, 2011

RODC is a new feature introduced with Windows 2008: a domain controller with read-only partitions, which includes the AD database and the Sysvol/Netlogon folder. In order to introduce an RODC into an existing Windows 2003 environment you need to prepare the environment with Adprep /rodcprep (Adprep32.exe or Adprep.exe, depending on the OS: Adprep32.exe must be executed on a 32-bit OS and Adprep.exe on a 64-bit OS). Adprep /rodcprep should be executed on the DC holding the Domain Naming Master FSMO role, not on just any DC. It is not mandatory to run Adprep /rodcprep in an existing Windows 2000 or 2003 AD environment unless you plan to deploy an RODC, now or in the future. There is one more prerequisite: you need at least one writable Windows 2008 DC before you can deploy an RODC in an existing Windows 2003 AD environment, since an RODC cannot work with a Windows 2003 DC.

An RODC is basically suited to sites/locations where you can’t afford, or don’t want, to keep AD experts to manage or modify anything in the AD. An RODC holds a read-only database, meaning that at the location where it is deployed you can’t make any changes, and changes made on the RODC are not replicated to any other DC, since replication is unidirectional, from RWDC to RODC only and not vice versa.

An RODC enhances authentication locally where it is placed, but it should not be considered a replacement for a writable DC. You can configure an RODC as a GC and DNS server too, to enhance authentication locally.

An RODC can safely be hosted on a virtual machine, whereas a RWDC should not be, because of performance issues. I’m not a big fan of RODC; the reason is that an RODC alone doesn’t work like a domain controller but relies on a RWDC (writable domain controller) for each and everything, causing heavy replication traffic.

Replication to an RODC is unidirectional, meaning changes made on the RODC are not replicated to the RWDC, but you can still connect to a RWDC console from the RODC and make modifications on the RWDC, which is still a vulnerability. An RODC can’t substitute for a DC when the WAN link is down, because an RODC can’t issue Kerberos tickets to domain clients. An RODC can’t navigate trusts; it only utilizes the RWDCs in other domains.

One of the biggest drawbacks of RODC is that it doesn’t work with any version of Exchange Server (2000 to 2010 SP1), so if you have deployed, or want to deploy, an Exchange server in a site you can’t utilize an RODC in that site; you need RWDCs only. There are a few other applications too which don’t work with RODC.

An RODC can indeed enhance local authentication, but you need to cache the local computers’ passwords for them to form a secure channel with the RODC; otherwise it will query the RWDC.

RODCs don’t register the generic DC locator records by default; they only register the site-specific locator records in DNS. An RODC doesn’t point to itself in SOA records like a RWDC does. An RODC doesn’t register NameServer (NS) records in DNS. When a client wants to update or modify its records in DNS, it contacts the RODC; using the SOA record, the RODC finds the best/suitable RWDC, the update takes place on the RWDC, and it replicates back to the RODC.

MSA (Managed Service Account) doesn’t support RODCs, only writable domain controllers, but there is a hotfix to resolve the issue.
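The two points above about caching (uncached computers and users are forwarded to a RWDC on every logon, and an RODC only ever holds the secrets it has been allowed to cache) are what a Password Replication Policy review checks. The script below is an added example, not from the original post: it lists every RODC in the domain, its allowed and denied PRP lists, how many account secrets it already stores, how many of those belong to privileged groups, and how many accounts authenticated through it without being cached. It assumes the ActiveDirectory module (RSAT), PowerShell 3.0 or later, and read access to the domain; the privileged group list is an assumption to extend with your own Tier-0 groups.

```powershell
# Added example, not from the original post: report each RODC's Password Replication
# Policy (PRP) and which account secrets it already caches, so a stolen branch-office
# RODC can be assessed quickly. Assumes the ActiveDirectory module (RSAT), PowerShell 3.0+
# and read access to the domain. The privileged group list is an assumption; extend it.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-RodcCacheReport {
    # Resolve privileged members once so cached privileged accounts can be flagged per RODC.
    $privileged = foreach ($g in $privilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty DistinguishedName
    }

    foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
        # Allowed / denied lists come from the RODC's PRP attributes.
        $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
        $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
        # Accounts whose secrets are already stored on this RODC.
        $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
        # Accounts that authenticated through this RODC but are not cached: each such logon
        # was forwarded to a RWDC, which is the behaviour the post describes for uncached computers.
        $authOnly = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
                      Where-Object { $_.DistinguishedName -notin $revealed.DistinguishedName })

        [pscustomobject]@{
            RODC                   = $rodc.HostName
            Site                   = $rodc.Site
            AllowedToCache         = ($allowed | ForEach-Object Name) -join ', '
            DeniedFromCaching      = ($denied  | ForEach-Object Name) -join ', '
            CachedAccounts         = $revealed.Count
            PrivilegedCached       = @($revealed | Where-Object { $_.DistinguishedName -in $privileged }).Count
            UncachedAuthenticators = $authOnly.Count
        }
    }
}

# PrivilegedCached should be 0; UncachedAuthenticators are candidates for the allowed list
# (e.g. via a per-site group) if local logons must keep working during a WAN outage.
Get-RodcCacheReport | Format-List
```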

RODC References

Read-Only Domain Controllers Step-by-Step Guide

Chris has a nice write-up on RODC integration with DNS.

Windows Server 2008 RODC Interview Questions !

Read-Only Domain Controller Planning and Deployment Guide

Windows 2008 RODC Tick List for Deployment

Steps for Deploying an RODC

Read-Only Domain Controller (RODC) Branch Office Guide

RODC Post-Installation Configuration

Designing RODCs in the Perimeter Network

Deploying RODCs in the Perimeter Network

AD DS/RODC in the Perimeter Network (Windows Server 2008)

Understanding “Read Only Domain Controller” authentication

RODC Frequently Asked Questions

Read-Only Domain Controllers Application Compatibility Guide

Performing a Staged RODC Installation

Testing Application Compatibility with RODCs

Known Issues for Deploying RODCs

Troubleshooting RODC’s: Troubleshooting RODC location in the DMZ

Microsoft KB’s and Hotfixes

You cannot create or delete managed service accounts in a perimeter network in Windows 7 or in Windows Server 2008 R2

Description of the Windows Server 2008 read-only domain controller compatibility pack for Windows Server 2003 clients and for Windows XP clients and for Windows Vista

Authentication fails when an external client tries to log on to a Windows Server 2008 server by using a read-only domain controller in a perimeter network


Posted in Directory Services | 2 Comments »