This is a setup guide for ADMT cross-forest migrations with password migration support. We’ll need 5 things for this: SQL Server Express, ADMT (Active Directory Migration Tool), PES (Password Export Server), and two domain controllers (one in the target forest and one in the source forest). Core installs & read-only DCs will not work.

DC in target domain:

  • Download/Install SQL Express 2005 SP3 (chose integrated Windows authentication)
  • Download/Install ADMT 3.2, specify .\SQLEXPRESS, did not import db
  • Open ADUC and add “Everyone” to the “Pre-Windows 2000 Compatible Access” group
  • Create encryption key for PES
    admt key /option:create /sourcedomain:contoso.local /keyfile:c:\tmp\pes-key /keypassword:SOMEPASSWORDGOESHERE

DC in source domain:

  • Download PES 3.1 (x64 links in related downloads)
  • Copy over pes-key.pes from the target DC
  • Run the PES 3.1 Installer
  • Browse for the key & confirm the pw used to create it on the target DC
  • Choose “Local System Account”
  • Reboot the DC
  • Log back in and start the “Password Export Server Service” service

Testing User Migration:

  • Create test user in source domain, set pw, uncheck “User must change password at next logon”
  • Open ADMT MMC on DC in target domain
  • Right-click on tree root, select “User Account Migration Wizard”
  • Select source/target domains & domain controllers
  • Check “Select Users from domain”
  • Add -> Find the user you created
  • Browse for target OU in target domain
  • Check “Migrate Passwords”
  • Select password migration source DC (the one we just installed PES on)
  • Under “Target Account State” select “Target same as source”
  • Under “Source Account Disabling Options” select “Days until source account expires” and input 90
  • Put a check in “Migrate user SIDs to target domain”
  • You may receive a message stating “Auditing is currently not enabled on the target domain. Would you like to enable auditing?” If so, click “Yes” and input credentials in the source domain to enable it.
  • Put a check in “Update user rights”
  • Leave a check in “Fix users group permissions”
  • Don’t exclude any objects, just click next
  • Leave a check in “Do not migrate source object if a conflict is detected in the target domain”
  • Cross fingers and click “Finish”
  • Watch the presented window to verify that the migration was successful; click “View Log” to see the gritty details.
  • Open the ADUC MMC in the target domain to double-check that the user account migration was successful


Notes:

  • ADMT does not check all settings of the target domain password policy; users need to explicitly set their password after migration unless the “Password never expires” or “Smart card is required for interactive logon” flag is set.
  • The PES service doesn’t start up automatically. This is because it should only be running when you are migrating accounts.
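
The following PowerShell is an added example (not part of the original guide or of ADMT) that scripts the final ADUC double-check and reports whether the PES service has been stopped again after the migration. The user name, DC host names and target domain are placeholders, and it assumes the ActiveDirectory module (RSAT), Windows PowerShell 5.1, and an account that can read both domains.

```powershell
# Added example: post-migration checks for the steps in this guide.
# Every name below except contoso.local is a placeholder (assumption).
param(
    [string]$SamAccountName = 'admt-test01',          # hypothetical test user
    [string]$SourceDC       = 'dc01.contoso.local',   # hypothetical source DC running PES
    [string]$TargetDC       = 'dc01.target.example'   # hypothetical target DC running ADMT
)
Import-Module ActiveDirectory

function Test-MigratedUser {
    param($Sam, $SrcDC, $DstDC)
    $src = Get-ADUser -Identity $Sam -Server $SrcDC -Properties AccountExpirationDate
    $dst = Get-ADUser -Identity $Sam -Server $DstDC -Properties SIDHistory, PasswordLastSet
    $history = @($dst.SIDHistory | ForEach-Object { $_.Value })
    [pscustomobject]@{
        User             = $Sam
        # "Migrate user SIDs to target domain": source SID must appear in sIDHistory
        SidHistoryHasSrc = ($history -contains $src.SID.Value)
        # "Target same as source": enabled state should match the source account
        EnabledMatches   = ($dst.Enabled -eq $src.Enabled)
        # "Days until source account expires": expect a date about 90 days out
        SourceExpires    = $src.AccountExpirationDate
        TargetPwdLastSet = $dst.PasswordLastSet
    }
}

function Test-PesStopped {
    param($SrcDC)
    # Matches on the display name given in this guide rather than guessing the short name.
    # Get-Service -ComputerName exists in Windows PowerShell 5.1 but not in PowerShell 6+.
    Get-Service -ComputerName $SrcDC -DisplayName 'Password Export Server*' |
        Select-Object MachineName, DisplayName, Status, StartType,
            @{ n = 'StoppedAndNotAuto'
               e = { $_.Status -eq 'Stopped' -and $_.StartType -ne 'Automatic' } }
}

function Test-EveryoneInPreWin2k {
    param($DstDC)
    # Everyone (S-1-1-0) is stored as a foreignSecurityPrincipal whose CN is the SID
    $g = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Server $DstDC -Properties member
    [bool]($g.member -like 'CN=S-1-1-0,*')
}

Test-MigratedUser -Sam $SamAccountName -SrcDC $SourceDC -DstDC $TargetDC | Format-List
Test-PesStopped -SrcDC $SourceDC | Format-List
"Everyone in Pre-Windows 2000 Compatible Access (target): $(Test-EveryoneInPreWin2k -DstDC $TargetDC)"
```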