How Can I Sync Passwords Between Two Domains During Migration?

Asked By TechieGal42 On

I'm in the midst of migrating users between two domains and need to keep their passwords in sync. Currently, we're using the Active Directory Migration Tool (ADMT) for user migration, but I'm looking to see if it's possible to sync passwords via a CLI command.

I've attempted the command `admt user /N "targetuser" /SD:"sourcedomain.com" /TD:"targetdomain.com" /PO:COPY /PS:"passwordexportserver.com" /PF:"passwordfile.pes"`, but even though it reports a successful execution, the passwords aren't syncing. We already have the Password Export Server (PES) set up on the source domain controller, and while the ADMT Password Migration Tool works through the GUI, we're interested in achieving this through command line. Is there an alternative tool I could use, or could my command syntax be off?

5 Answers

Answered By MigrationStrategist On

Quest has tools for password synchronization if you're looking for a long-term solution. But if this is purely for migration and not intended as a permanent setup, it'll be essential to evaluate your reasoning for maintaining synced passwords long-term.

TechieGal42 -

We’re focused on retiring the old domain, but the transition is tricky since we operate 24/7/365. Shutting down a server isn’t an option!

Answered By AdminWizard99 On

Unfortunately, you can't sync passwords directly because the source domain only retains the password hash, not the actual password. For syncing to work, you would need to establish a trust relationship between the domains.

LinuxNerd88 -

I’m not a Windows admin, but on Linux, you could transfer the hash directly between systems, as they both handle hash calculations in the same way. Just make sure to include the salt with the hash.

TechieGal42 -

That’s interesting! We do have a two-way trust but are migrating users slowly. I wonder if there’s a workaround.

Answered By TechSavvyDude On

You might want to try using DSInternals for this, which syncs the NTLM password hash. Just keep in mind that this won’t enable Kerberos authentication right away, but users will be able to log in to the other domain. A forced password change later will fix the Kerberos issue.

SecComplianceFan -

Just a heads up, some security recommendations like NIS2 advise against using NTLM, which we've also disabled due to compliance.

Answered By ScriptingGuru On

It should work as long as you’re running the ADMT tool on a domain controller in the target domain. If you’re on a member server, you might run into issues. Check the logs to see if there’s been any password sync recorded. You can also use a config file to simplify the command options, like with "/O option_file.txt".

TechieGal42 -

You’re right about forcing a password reset after migration. For our setup, PES is on the Source DC while ADMT operates on the Destination DC. Ideally, we’re looking for an automatic sync every time a user changes their password.

Answered By MigrationPro2023 On

Yes, you can definitely sync passwords! I did something similar at a previous job without Quest Migration Manager. You’ll want to make sure the PES component is installed properly and that you create the encryption key on the target domain before importing it on the source. Here are some helpful blog links that explain the process: [Petenetlive Guide](https://www.petenetlive.com/KB/Article/0001306), [My Blog on ADMT PES Setup](https://sandeshvidhate.wordpress.com/2012/02/16/how-to-setup-admt-password-export-server/), [Akhil’s Post on Password Migration](https://akhil0087.home.blog/2020/09/10/password-migration-using-admt/).

TechieGal42 -

Thanks for the links! We have PES ready, but I’m still searching for the CLI version of the ADMT Password Migration Tool.
