1. Prepare source and target domains
    1. Install high Encryption software (not needed if domains >= 2003)
    2. Configure DNS on source and target to resolve name space of both domains (conditional forward)
      1. On target domain add conditional forwarder to sourceDomain.xxx.xxx
      2. On source domain add conditional forwarder to targetDomain.xxx.xxx
    3. Establish required trust (bidirectional from source and target domains)
      1. Create a two-way trust between source and target domains
    4. Create Migration Account and group on source domain
      1. In the source domain, create an account called <Source Domain>migrator
      2. In the source domain, add migrator account to Domain Admins group
      3. In the target domain, delegate permissions on OUs that are targets for resource migration to the migrator account.
    5. Configure source and target domains for SID history migration
      1. To enable auditing in the the source domain, create a local group called SourceDomain$$$, where SourceDomain is the NetBIOS name of your source domain, for example, H07$$$. Do not add members to this group; if you do, SID history migration will fail
      2. Enable auditing of account management in the source and target domains. For Windows Server 2008 R2 and Windows Server 2008, you need to also enable auditing for directory service access in order to migrate users with SID history between forests.
        1. Log on as an administrator to any domain controller in the target domain
        2. Click Start, point to All Programs, point to Administrative Tools, and then click Group Policy Management
        3. Navigate to Forest | Domains | Domain | Domain Controllers | Default Domain Controllers Policy
        4. Right-click Default Domain Controllers Policy and click Edit
        5. In Group Policy Management Editor, in the console tree, navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy
        6. In the details pane, right-click Audit account management, and then click Properties
        7. Click Define these policy settings, and then click Success and Failure
        8. Click Apply, and then click OK
        9. In the details pane, right-click Audit directory service access and then click Properties
        10. Click Define these policy settings and then click Success
        11. Click Apply, and then click OK
        12. If the changes need to be immediately reflected on the domain controller, open an elevated command prompt and type gpupdate /force
        13. Repeat steps 1 through 12 in the source domain
      3. configure Firewall on source designed domain Controller (Must be PDC emulator)
        1. Enable Remote Administration
        2. Enable Remote Service Management
    6. Configure the target domain OU for Administration
      1. Log on as an administrator to any domain controller in the target domain
      2. Start Active Directory Users and Computers, and then create the OU structure that your design team specified
      3. Create administrative groups, and assign migrator users to these groups
      4. Delegate the administration of the OU structure to migrators group
    7. Install ADMT
      1. Install or upgrade a server computer (preferably a member server) in either your source or target domain environment as necessary to run Windows Server 2008 R2
      2. grant migrator account local Administrator rights on ADMT server
      3. login on ADMT server as migrator account
      4. install SQL Server 2005 Express and install it (http://go.microsoft.com/fwlink/?LinkId=181159)
      5. (in Database Selection use .\SQLEXPRESS)
      6. Download and install ADMT (3.2)
    8. Enable password Migration
      1. Download PES v3.1 from the Microsoft Download Center 1 (x64) (http://go.microsoft.com/fwlink/?LinkId=147653)
      2. Generate Encryption key for password migration on target domain on computer running ADMT admt key /option:create /sourcedomain:<SourceDomain> /keyfile:<KeyFilePath> /keypassword:{<password>|*}
      3. copy the encryption key for password file on source designed Domain Controller
      4. configure the PES service on a domain controller in the source domain
  2. Migrate Users
    1. start PES service on desigened source domain controller (PDC emulator)
    2. start ADMT application on ADMT (target domain) server
    3. right click on "Active Directory Migration Tool" and select "Users Account Migration Wizard"
    4. "On domain selection" select domains and source/target domain controllers (on source domain select domain controller where PES service is installed)
    5. On "Users Selection Options" select "Select Users from Domain"
    6. On "Users selection" select source domain users that has to be migrated
    7. On "Organizational Unit Selection" select OU on target domain where migrated users will be moved
    8. On "Password Options" select "Migrate Password" and select Source Domain controller where PES service is installed in the "Password Migration Source DC" text field
    9. On "Account Transition Options" select "Target same as source" and "Migrate user SID to target domain"
    10. On "User Account" supply credential of an Administrator user on source domain (migrator user should be fine)
    11. On "User Options" select all except "Translate Roaming Profiles"
    12. On "Object Properties Exclusion" proceed with default values
    13. On "Conflict Management" select "Migrate and merge conflicting objects"
    14. Proceeed till the end
  3. Migrate resources (computers)