ADMT: Migration Order
I'll have a more complete list later, but here is the order the network admins at work have figured out works best when using the Active Directory Migration tool to migrate from NT 4 to Server 2003 (be sure to check the rest of the blog for other scripts which are necessary when using ADMT):
1. User with SID (/Groups with SIDs) 2. Machine 3. Security Translation Wizard
We are currently bringing over groups, along with their SIDs, during the User migration. This allows us to filter out old groups that once had a purpose but no longer have members. Since ADMT does not migrate or translate the SID for built-in groups, we used sidhist.vbs, a file available in the Windows Server 2003 Support Tools.
cscript sidhist.vbs "/srcsam:Domain Users" "/dstsam:Domain Users" /srcdom:ourOldDomain /dstdom:ourNewDomain /srcdc:anOldDC /dstdc:aNewDC
When we ran it in the order Machine -> User -> Security Translation Wizard, the users' profiles (Desktops, Outlook, etc) were not migrated. We thought we'd have to resort to using Windows User State Migration Tool (USMT) but thankfully, this was no longer necessary once the correct migration order was discovered. Thanks to Jerf & Neddles for sharing this info!