2012-03-29 61 views
0

We are extending an existing software product, which uses Active Directory to store user credentials, into a cloud solution that stores user credentials in a database: porting/migrating the Active Directory passwords to a database.

I would like to know how we can migrate/port these AD passwords to the new database instead of asking users to reset their passwords. I know we cannot retrieve the plain passwords, but I would like to understand how we can port these passwords and then verify them using a specific decryption library.

We can move these passwords into a new SQL database, but how would we verify the passwords? Which encryption algorithm and salt would we use?

Thanks

Answer

0

I have spent most of this month working with a customer who is consolidating various Active Directory forests into a single domain. We did not use any third-party tools, just the standard Microsoft utilities, namely the Active Directory Migration Tool (ADMT) v3 and the Exchange Migration Wizard (one of the Exchange Server 2003 deployment tools), but they seem to have done the job.

Because migrating several hundred users to new accounts (with new passwords) would generate a large number of support calls, I wanted the ADMT Password Migration DLL to work. It took some time, but with the help of my colleague in enterprise support (actually a PSS call), we found a way through. This is the knowledge required:

(For reference, the source and target domains were at Windows Server 2003 domain and forest functional level, with a mixture of servers running Windows Server 2003 Service Pack 1 and Service Pack 2.)

1. Make sure that there is a trust in place between the source and target domains.
2. Install ADMT by running admtsetup.exe and follow the installation wizard on the computer that will be used for the migration (I used a domain controller in the source domain, but ideally you would have dedicated computers for migration activities, and it seems logical that these should be in the target domain).
3. If not already created by ADMT, create a new domain local group called domainname$$$. This group must be empty, and is required in order to migrate the sIDHistory information between source and target accounts.
4. On the domain controller that will be used to export the account information (usually the DC holding the PDC Emulator operations master role for the source domain), create/set a value of 1 for a DWORD registry key called TcpipClientSupport in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\.
5. In both the source and target domains, ensure that success and failure auditing is enabled for account management.
6. On a computer with ADMT installed, create a password encryption key for each source domain, by shelling out to a command prompt and entering the following commands:
   cd %systemroot%\ADMT
   admt key /option:create /sourcedomain:domainname /keyfile:filename.pes
   (The domainname can be specified in NetBIOS or DNS format.)
7. On the domain controller in the source domain that holds the PDC Emulator operations master role, connect to the computer with ADMT installed (e.g. via the c$ administration share) and access the %systemroot%\ADMT\PES folder.
8. Run pwdmig.exe to install the ADMT Password Migration DLL and follow the installation wizard. During the installation, supply the password encryption (.PES) file that was created earlier.
9. This is the step that's not in the instructions: even though the password encryption file was supplied during the installation of the ADMT Password Migration DLL, it still needs to be imported manually on the PDC Emulator, by shelling out to a command prompt and entering the following commands:
   cd %systemroot%\ADMT
   admt key /option:import /sourcedomain:domainname /keyfile:filename.pes
10. On the domain controller that will be used to export the account information, create/set a value of 1 for a DWORD registry key called AllowPasswordExport in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\. Note that this key constitutes a security risk and should only be enabled during the period of migration.
11. Restart the computer with the ADMT Password Migration DLL installed.
12. Start the Password Export Server service.

Most of this is exactly as documented; the main difference is the need to import the password encryption file manually. Without this, I received the following message:

Error: Unable to establish a session with the Password Export Server. The source Password Export Server and the target server do not have the same encryption key for the source domain.

Finally, what permissions are needed? I used Local System for the Password Export Server service. For everything else I used an account created in both forests with the same password, which was a member of the Domain Admins group. That is overkill; best practice would be to use an account with the minimum required permissions. Basically, an account is needed that is:

Domain administrator in the source domain. 
Local administrator on the computer on which ADMT is installed. 
Delegated permissions on OUs that are targets for resource migration in the target domain, including the extended right to Migrate SID History (visible in the Security for an object using the Advanced Features view in Active Directory Users and Computers). 

For more advice, see the ADMT v3 Migration Guide.
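The scriptable parts of steps 3 through 12 above, as an added example that is not the answerer's own script. It is run in two passes: `-Role Admt` on the computer with ADMT installed, then, after pwdmig.exe has been run by hand, `-Role Pdc` locally on the source PDC emulator; `-Role Cleanup` reverts the setting the answer flags as a risk. The domain names, the key-file path and the Password Export Server service's display name are assumptions; the trust (step 1), the ADMT install (step 2), the audit policy (step 5) and the pwdmig.exe wizard (steps 7 and 8) are left to the manual procedure.

```powershell
# Added example: the ADMT Password Export Server setup above as one script
# run on two machines. All names below are placeholders (assumptions).
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)][ValidateSet('Admt', 'Pdc', 'Cleanup')][string]$Role,
    [string]$SourceDns    = 'source.example',      # DNS name of the source domain (assumption)
    [string]$SourceNetbios = 'SOURCE',             # NetBIOS name of the source domain (assumption)
    [string]$KeyFile      = "$env:SystemRoot\ADMT\$SourceNetbios.pes"  # created in the Admt pass, copied to the PDC
)

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Admt   = Join-Path $env:SystemRoot 'ADMT\admt.exe'

switch ($Role) {
    'Admt' {
        # Step 3: the empty <NetBIOS domain>$$$ domain local group used for sIDHistory.
        Import-Module ActiveDirectory
        $group = $SourceNetbios + '$$$'
        if (-not (Get-ADGroup -Filter "Name -eq '$group'" -Server $SourceDns)) {
            New-ADGroup -Name $group -GroupScope DomainLocal -Server $SourceDns
        }
        # Step 6: one password encryption key per source domain (same admt
        # command line as in the answer; the domain may be NetBIOS or DNS).
        & $Admt key /option:create /sourcedomain:$SourceNetbios /keyfile:$KeyFile
        # Steps 7-8 (pwdmig.exe on the PDC emulator, fed this .pes file) are
        # interactive; copy $KeyFile to the PDC and run them before the Pdc pass.
    }
    'Pdc' {
        # Steps 4 and 10: the two LSA DWORDs. AllowPasswordExport is the one
        # the answer says to enable only for the duration of the migration.
        foreach ($name in 'TcpipClientSupport', 'AllowPasswordExport') {
            New-ItemProperty -Path $LsaKey -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        }
        # Step 9: the manual key import the documentation leaves out; without
        # it the "do not have the same encryption key" error below appears.
        & $Admt key /option:import /sourcedomain:$SourceNetbios /keyfile:$KeyFile
        # Steps 11-12: reboot, then start the service (display name assumed).
        Write-Host "Reboot now, then run: Get-Service -DisplayName 'Password Export Server*' | Start-Service"
    }
    'Cleanup' {
        # Close the export window as soon as the last password has migrated.
        Get-Service -DisplayName 'Password Export Server*' | Stop-Service
        Set-ItemProperty -Path $LsaKey -Name AllowPasswordExport -Value 0
    }
}
```

The service is looked up by display name with a wildcard rather than a guessed short name; if `Get-Service` returns nothing, list the services on the PDC after the pwdmig.exe install and adjust the pattern.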

+0

I am not talking about migrating to another LDAP domain or anything like that; this is migrating the passwords to a new SQL database. We can move these passwords to the new database, but how would we verify the passwords? Which encryption algorithm and salt would we use? – anonmys 2012-03-29 15:05:29
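The question the comment restates, verifying AD passwords after they have been copied into a SQL database, is not answered on this page. The following is an added example, not from the asker or the answerer. It rests on one fact about Active Directory: the value it keeps for a password is the NT hash, which is MD4 over the UTF-16LE encoding of the password with no salt at all, so the "which salt" part of the question has the answer "none". It assumes the migration has exported each account's NT hash (by whatever supported means) into a constructed table as hex, and shows how to verify a login against it and then replace the unsalted hash with a salted PBKDF2 record on first successful login. MD4 is implemented inline because `hashlib.new('md4')` is refused on many OpenSSL 3 builds.

```python
"""Check passwords migrated out of Active Directory into a SQL-style store.

Added example, not from the question or the answer above. It assumes the
migration exported each account's NT hash (AD's unicodePwd value: unsalted
MD4 over the UTF-16LE password) and stored it as hex. MD4 is implemented
here because hashlib's 'md4' is often disabled on OpenSSL 3 builds.
"""
import hashlib
import hmac
import os
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; legacy verification only, never for storing new passwords."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    msg = bytearray(data) + b"\x80"              # padding: 0x80, zeros, 64-bit LE bit length
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for k, s in zip(range(16), [3, 7, 11, 19] * 4):
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[k]) & _MASK, s), b, c
        for k, s in zip([0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13] * 4):
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & _MASK, s), b, c
        for k, s in zip([0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15] * 4):
            a, b, c, d = d, _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & _MASK, s), b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """The value AD keeps for a password: MD4(UTF-16LE(password)), no salt."""
    return md4(password.encode("utf-16-le")).hex()


def verify_nt(password: str, stored_hex: str) -> bool:
    return hmac.compare_digest(nt_hash(password), stored_hex.lower())


# Because the NT hash is unsalted and fast, keep it only as a bridge: once a
# user logs in successfully, re-hash with a salted KDF and drop the NT hash.
PBKDF2_ROUNDS = 600_000


def pbkdf2_record(password: str, salt: bytes = None) -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), dk.hex())


def verify_pbkdf2(password: str, record: str) -> bool:
    _, rounds, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(users: dict, name: str, password: str) -> bool:
    """Verify against whichever record the user has; upgrade NT records in place."""
    record = users.get(name)
    if record is None:
        return False
    if record.startswith("nt$"):
        if not verify_nt(password, record[3:]):
            return False
        users[name] = pbkdf2_record(password)   # migration complete for this user
        return True
    return verify_pbkdf2(password, record)


# Constructed sample table: alice's entry is the well-known NT hash of "password".
SAMPLE_USERS = {"alice": "nt$8846f7eaee8fb117ad06bdd830b7586c"}

if __name__ == "__main__":
    print(login(SAMPLE_USERS, "alice", "password"), SAMPLE_USERS["alice"].split("$")[0])
```

The `nt$` prefix marks rows still carrying the migrated hash, so a report of how many remain is a single query on the prefix, and any row still carrying one after the migration window is a candidate for a forced reset. Keep the NT hashes under the same protection you would give the AD database: without a salt, a leaked table is crackable offline at MD4 speed.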