The Password Export Server (PES) is a Microsoft toolset component used alongside the Active Directory Migration Tool (ADMT) to securely migrate user passwords during interforest Active Directory migrations. By default, Active Directory does not allow anyone to read password hashes. PES acts as a secure proxy to the Local Security Authority Subsystem Service (LSASS), allowing ADMT to transfer identical passwords from a source domain to a target domain without forcing users to reset them.

1. Prerequisites and Setup
Before implementing PES, specific infrastructure and environmental conditions must be met:
Trust Relationship: A two-way forest trust must be established between the source and target domains.
DNS Resolution: Conditional forwarders must be properly configured so that both domains can reliably resolve each other's names.
Matched Policies: Ensure the target domain’s password complexity and length requirements match or are less restrictive than the source domain.
Placement Restrictions: PES must be installed on a Writeable Domain Controller (RWDC) in the source domain; it cannot be installed on a Read-Only Domain Controller (RODC).

2. Step-by-Step Implementation Guide

Step 1: Generate the Encryption Key (On the Target Domain)
The encryption key protects the password list in transit. This key must be generated from the machine running ADMT in the target domain.
Open a Command Prompt as an Administrator on the ADMT server. Execute the following command to generate the key file:
    admt key /option:create /sourcedomain:

The value after /sourcedomain: is the name of the source domain. Enter a secure password when prompted; this password is required again when the key file is imported during the PES installation.
Safely transfer the created .pes file to a local drive on the source domain controller where PES will be installed (e.g., via a secure network share or removable storage).

Step 2: Install PES (On the Source Domain Controller)
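Before installing PES on the source domain controller, it is worth verifying the four prerequisites from section 1 from the ADMT server in the target domain. The following PowerShell script is an added example and is not part of the original post or of Microsoft's ADMT/PES tooling; it uses the RSAT ActiveDirectory module (Get-ADTrust, Resolve-DnsName, Get-ADDefaultDomainPasswordPolicy, Get-ADDomainController). The domain names and the DC name at the top are placeholders, and the function name Test-PesPrerequisites is the example's own.

```powershell
# Added example (not from the original post): pre-flight checks for the PES
# prerequisites in section 1. Run on a domain-joined machine with the RSAT
# ActiveDirectory module, e.g. the ADMT server in the target domain.
Import-Module ActiveDirectory

$SourceDomain = 'source.example'   # placeholder: replace with the source domain
$TargetDomain = 'target.example'   # placeholder: replace with the target domain
$SourceDC     = 'SRCDC01'          # placeholder: the DC where PES will be installed

function Test-PesPrerequisites {
    param(
        [Parameter(Mandatory)][string]$SourceDomain,
        [Parameter(Mandatory)][string]$TargetDomain,
        [Parameter(Mandatory)][string]$SourceDC
    )
    $results = [ordered]@{}

    # 1. Trust: the trust object in the target domain that points at the source
    #    forest must be two-way (BiDirectional) and forest-transitive.
    $trust = Get-ADTrust -Server $TargetDomain -Filter "Name -eq '$SourceDomain'" `
                         -ErrorAction SilentlyContinue
    $results['TwoWayForestTrust'] = ($null -ne $trust) -and
        ($trust.Direction -eq 'BiDirectional') -and [bool]$trust.ForestTransitive

    # 2. DNS: both domain names must resolve from here, which is what the
    #    conditional forwarders are for.
    $results['DnsResolution'] = $true
    foreach ($d in @($SourceDomain, $TargetDomain)) {
        try   { $null = Resolve-DnsName -Name $d -Type A -ErrorAction Stop }
        catch { $results['DnsResolution'] = $false }
    }

    # 3. Password policy: the target must be no stricter than the source, or
    #    passwords that were valid at the source are rejected on import.
    $src = Get-ADDefaultDomainPasswordPolicy -Server $SourceDomain
    $tgt = Get-ADDefaultDomainPasswordPolicy -Server $TargetDomain
    $results['PolicyCompatible'] =
        ($tgt.MinPasswordLength -le $src.MinPasswordLength) -and
        ((-not $tgt.ComplexityEnabled) -or $src.ComplexityEnabled)

    # 4. Placement: PES needs a writeable DC, so the chosen source DC must not be an RODC.
    $dc = Get-ADDomainController -Identity $SourceDC -Server $SourceDomain
    $results['SourceDcIsWriteable'] = -not $dc.IsReadOnly

    [pscustomobject]$results
}

$check = Test-PesPrerequisites -SourceDomain $SourceDomain -TargetDomain $TargetDomain -SourceDC $SourceDC
$check | Format-List
if ($check.PSObject.Properties.Value -contains $false) {
    Write-Warning 'At least one PES prerequisite is not met; fix it before installing PES.'
}
```

The policy comparison only covers the default domain password policy; if the target domain applies fine-grained password policies (PSOs) to the migrated users, those need to be compared as well, since PES cannot make a migrated password pass a stricter target rule.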
Download Password Export Server version 3.1 (x64) from the official Microsoft Download Center.