Exam AZ-801 topic 12 question 1 discussion

Generate encryption key in admtcomputer and install PES in dc2 Reference: https://akhil0087.home.blog/2020/09/10/password-migration-using-admt/

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc974435(v=ws.10)?redirectedfrom=MSDN#to-create-an-encryption-keyhttps://learn.microsoft.com/en-us/answers/questions/130203/admt-pes-password-export-server-31-x64-package-dow.html The PES service can be installed on any writable domain controller in the source domain The PES service installation in the source domain requires an encryption key. However, you must create the encryption key on the computer running the ADMT in the target domain Install PES on dc2.europe.fabrikam.com Generate encryption key on admtcomputer.fabrikam.com

Fabrikam Case Study On-Premises Migration Plan Fabrikam has an Active Directory Domain Services (AD DS) forest that syncs with an Azure Active Directory (Azure AD) tenant. The AD DS forest contains two domains named corp.fabrikam.com and europe.fabrikam.com. The office in Paris contains a physical server named dc2.europe.fabrikam.com that runs Windows Server 2016 and is a domain controller for the europe.fabrikam.com domain. Migrate all users, groups, and client computers from europe.fabrikam.com to corp.fabrikam.com. - The migration will be performed by using the Active Directory Migration Tool (ADMT). - A computer named ADMTcomputer will be deployed to the corp.fabrikam.com domain to run ADMT migration procedures. - User accounts will retain their existing password Answer • Install the PES service on: dc2.europe.fabrikam.com • Generate the encryption key on: admtcomputer.fabrikam.com ADMTcomputer will be deployed to the corp.fabrikam.com domain so to name admtcomputer.fabrikam.com more likely is wrong. The right name could be : admtcomputer.corp.fabrikam.com

admt is used for create key -> https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/supplied-password-not-match-encryption-keys-password becauss admt srv it's in DC1 domain, it's destination , source domain must be DC2, and PES must be installaed in source dom, DC

If you're using password synchronization, you must install Password Export Server (PES) on a domain controller in the source.

Apologies - this was hard to pin down- -I was wrong earlier again - answer is : Source - Dc1.europe ENcryption key- ADMTserver === 1. The Encryption tool can be installed on the ADMT server in the target domain member server 2. The PES is installed on the DC in the source domain controller 3. generate the key in target admt and input into source PES 4. Run PES server to perform the migraiton - https://social.technet.microsoft.com/wiki/contents/articles/13904.how-to-migrate-users-across-forest-cross-forest-using-admt-3-2-with-sid-and-passwords.aspx https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc974435(v=ws.10)?redirectedfrom=MSDN#to-create-an-encryption-key https://learn.microsoft.com/en-us/answers/questions/130203/admt-pes-password-export-server-31-x64-package-dow.html

Ok so the answers are backwards- the source is corp and the target is europe- and alos PES must be intalled on a DC - same witht he KEY generations - so its DC1.corp as the source and DC2.eurpoe - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/supplied-password-not-match-encryption-keys-password

So you : 1. Generate the Key on the ADM computer in target 2. DOwnload the PES tool and install in source DC - 3. Run the wizzard and it adds this key 4. Open the ADM tool on the target and complete the migration - the order of the two questions is also backwards get the key first then run the PES. its also not the whole process.

The explanation given below the answer and the link provided both state that the encryption key is created on ADMTComputer.fabrikam.com. So that would be the answer to the second question, I assume...