Wednesday, 23 February 2011

Configuring ADMT password retrieval

  1. Download ADMT from
     http://www.microsoft.com/downloads/fr-fr/details.aspx?FamilyID=F0D03C3C-4757-40FD-8306-68079BA9C773&displaylang=fr
  2. Make sure that there is a trust in place between the source and target
     domains.
  3. Install ADMT by running admtsetup.exe and following the installation wizard
     on the computer that will be used for the migration (I used a domain
     controller in the source domain, but ideally you would have dedicated
     computers for migration activities, and it seems logical that these should
     be in the target domain).
  4. If not already created by ADMT, create a new domain local group called
     domainname$$$. This group must be empty, and is required in order to
     migrate the sIDHistory information between source and target accounts.
  5. On the domain controller that will be used to export the account
     information (usually the DC holding the PDC Emulator operations master role
     for the source domain), create/set a DWORD registry value called
     TcpipClientSupport with data 1 under
     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\.
  6. In both the source and target domains, ensure that success and failure
     auditing is enabled for account management.
  7. On a computer with ADMT installed, create a password encryption key for
     each source domain by shelling out to a command prompt and entering the
     following commands:
       cd %systemroot%\ADMT
       admt key /option:create /sourcedomain:<domainname> /keyfile:<filename>.pes
     (The domainname can be specified in NetBIOS or DNS format.)
  8. On the domain controller in the source domain that holds the PDC Emulator
     operations master role, connect to the computer with ADMT installed (e.g.
     via the c$ administrative share) and access the %systemroot%\ADMT\PES
     folder.
  9. Run pwdmig.exe to install the ADMT Password Migration DLL and follow the
     installation wizard. During the installation, supply the password
     encryption (.PES) file that was created earlier.
  10. This is the step that's not in the instructions: even though the password
     encryption file was supplied during the installation of the ADMT Password
     Migration DLL, it still needs to be imported manually on the PDC Emulator,
     by shelling out to a command prompt and entering the following commands:
       cd %systemroot%\ADMT
       admt key /option:import /sourcedomain:<domainname> /keyfile:<filename>.pes
  11. On the domain controller that will be used to export the account
     information, create/set a DWORD registry value called AllowPasswordExport
     with data 1 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\.
     Note that this value constitutes a security risk and should only be enabled
     during the period of migration.
  12. Restart the computer with the ADMT Password Migration DLL installed.
  13. Start the Password Export Server service.
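As an added worked example (not part of the original post and not Microsoft's own ADMT tooling), the following PowerShell script checks the prerequisites from steps 4 and 6, reports and sets the two LSA registry values from steps 5 and 11 on the export DC, and reverts AllowPasswordExport and stops the export service once the migration is finished, as the caveat in step 11 calls for. It assumes it runs elevated on the source PDC Emulator, that the ActiveDirectory PowerShell module (RSAT) is available, and that the Password Export Server service's display name begins with "Password Export Server"; the domain name CONTOSO in the usage comment is a placeholder.

```powershell
<#
  Added example: pre-flight checks and LSA registry handling around the ADMT
  Password Export Server (PES). Not part of the original post or of ADMT.
  Assumptions: run elevated on the source PDC Emulator; ActiveDirectory module
  (RSAT) available; PES service display name starts with 'Password Export Server'.
  Usage (CONTOSO is a placeholder for the source domain's NetBIOS name):
    .\Invoke-PesPreflight.ps1 -SourceDomain CONTOSO                # report only
    .\Invoke-PesPreflight.ps1 -SourceDomain CONTOSO -EnableExport  # migration window
    .\Invoke-PesPreflight.ps1 -SourceDomain CONTOSO -Cleanup       # after migration
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $SourceDomain,
    [switch] $EnableExport,
    [switch] $Cleanup
)

$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaDword([string] $Name) {
    # Returns $null when the value has not been created yet.
    $item = Get-ItemProperty -Path $LsaPath -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return [int] $item.$Name } else { return $null }
}

function Set-LsaDword([string] $Name, [int] $Value) {
    # -Force overwrites an existing value of the same name (steps 5 and 11).
    New-ItemProperty -Path $LsaPath -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    Write-Host ("{0} = {1}" -f $Name, $Value)
}

function Test-SidHistoryGroup {
    # Step 4: a domain local group named <domain>$$$ must exist and be empty.
    # Single quotes keep PowerShell from interpreting $$ as an automatic variable.
    $name  = $SourceDomain + '$$$'
    $group = Get-ADGroup -LDAPFilter "(sAMAccountName=$name)" -ErrorAction SilentlyContinue
    if (-not $group) { Write-Warning "Group $name not found"; return $false }
    if ($group.GroupScope -ne 'DomainLocal') {
        Write-Warning "Group $name has scope $($group.GroupScope), expected DomainLocal"
        return $false
    }
    $members = @(Get-ADGroupMember -Identity $group)
    if ($members.Count -gt 0) { Write-Warning "Group $name must be empty"; return $false }
    return $true
}

function Test-AccountManagementAudit {
    # Step 6: success and failure auditing for the Account Management category.
    # auditpol's /r switch emits CSV with an 'Inclusion Setting' column per subcategory.
    $rows = auditpol.exe /get /category:"Account Management" /r | ConvertFrom-Csv
    $bad  = @($rows | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' })
    foreach ($r in $bad) { Write-Warning ("{0}: {1}" -f $r.Subcategory, $r.'Inclusion Setting') }
    return ($bad.Count -eq 0)
}

Import-Module ActiveDirectory -ErrorAction Stop

Write-Host "TcpipClientSupport  : $(Get-LsaDword 'TcpipClientSupport')"
Write-Host "AllowPasswordExport : $(Get-LsaDword 'AllowPasswordExport')"
$groupOk = Test-SidHistoryGroup
$auditOk = Test-AccountManagementAudit

if ($EnableExport) {
    if (-not ($groupOk -and $auditOk)) {
        throw 'Prerequisites not met; refusing to enable password export.'
    }
    Set-LsaDword 'TcpipClientSupport'  1   # step 5
    Set-LsaDword 'AllowPasswordExport' 1   # step 11: migration window only
    Write-Host 'Restart the DC (step 12), then start the Password Export Server service (step 13).'
}

if ($Cleanup) {
    # Step 11's caveat: the export flag is a standing risk, so turn it off and stop PES.
    Set-LsaDword 'AllowPasswordExport' 0
    Get-Service -DisplayName 'Password Export Server*' -ErrorAction SilentlyContinue |
        Where-Object Status -eq 'Running' | Stop-Service -Verbose
}
```

Run it without switches first to see the current state; -EnableExport refuses to set the registry values unless the $$$ group and audit policy checks pass, and -Cleanup is the part most often forgotten once the migration is done.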