During the User account migration you will have the option to migrate passwords from the source domain user accounts to the target domain. If you choose to use this feature there are a few steps you need to carry out. This feature is very useful, and removes the requirement to communicate new passwords to end users.
Migrating Password Prerequisites
Before you can migrate passwords, you will need to install the Password Export Server (PES) on a domain controller in the source domain.
Before you go ahead and install PES onto a DC in the source domain you need to create an encryption key from the machine running ADMT in the target domain. In our case this is ADMT.target.local. From the command prompt run:
admt key /option:create /sourcedomain:source.local /keyfile:"c:\PES Key\PES.pes" /keypassword:*
Now head over to a DC in the source domain (AD01.source.local) and download and run the PES installer. When prompted, choose the key file (PES.pes) you created on the ADMT machine.
Provide the password you used when creating the key.
ADMT provides the option to run the PES service under the Local System account or by using the credentials of an authenticated user in the target domain. It's recommended that you run the PES service as an authenticated user in the target domain.
The installation is now complete; you will need to restart the domain controller.
For password migration to work, you will need to manually start the Password Export Server service. Only start this service while you are running through the User account migration; when you have finished, stop it.
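One way to enforce the start-only-during-migration rule above is to wrap the migration window in a script that always stops the service afterwards. This is an added example, not part of the original article or of ADMT; it assumes the service's display name begins with "Password Export Server" and that it is run from an elevated PowerShell session on the source DC.

```powershell
# Added example: keep the PES service running only for the migration window.
# Assumption: the display name begins with "Password Export Server".
[CmdletBinding()]
param(
    [string]$DisplayNamePattern = 'Password Export Server*',  # assumed display name
    [int]$TimeoutSeconds = 60
)

$ErrorActionPreference = 'Stop'

# Resolve the service by display name and refuse to continue on an ambiguous match.
$found = @(Get-Service -DisplayName $DisplayNamePattern)
if ($found.Count -ne 1) {
    throw "Expected exactly one service matching '$DisplayNamePattern', found $($found.Count)."
}
$svc = $found[0]

# The service must never come up on its own after a reboot of the DC.
Set-Service -Name $svc.Name -StartupType Manual

try {
    Start-Service -Name $svc.Name
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds($TimeoutSeconds))
    Write-Host "$($svc.DisplayName) is running. Run the ADMT user account migration now."
    Read-Host 'Press Enter when the migration has finished' | Out-Null
}
finally {
    # Runs whether the migration step succeeded or failed,
    # so the service is not left running.
    Stop-Service -Name $svc.Name -Force
    $status = (Get-Service -Name $svc.Name).Status
    if ($status -ne 'Stopped') {
        Write-Warning "$($svc.DisplayName) is still '$status'. Stop it manually."
    }
    else {
        Write-Host "$($svc.DisplayName) is stopped."
    }
}
```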