By Arthur Quan
What is Active Directory Migration?
An Active Directory Migration is the process of combining two domains into one. Splitting part of your Active Directory into a new domain (a divestiture) is also an Active Directory Migration. Active Directory Migrations involve moving users, computers, and the associated applications to a new domain, which makes them very complex by nature.
An Active Directory Migration tool is software that helps you migrate the appropriate objects.
Why do companies need this?
The most common use case for an Active Directory migration is for companies going through mergers, acquisitions, and/or divestitures.
When one company buys another company, the cost of maintaining two separate AD infrastructures can be prohibitive. This is where Active Directory Migrations become important. It is usually better to share resources than to maintain them separately, because sharing creates alignment. Of course, there may be a specific business reason to keep things separate from one another, but in general, you want to share them.
Additionally, a company might sometimes sell a business unit so that it becomes its own entity (a divestiture). Here an Active Directory Migration can be used to separate this business unit into its own entity.
What Tools Are Needed for an Active Directory Migration?
The size of the companies does not matter; the tools used are always the same.
The main players for an Active Directory migration are Microsoft Active Directory Migration Tool (aka ADMT) and Quest Migration Manager. Additionally, smaller players (such as ForensiT) are sometimes used for specific purposes like computer account and user profile migrations. For email migrations, you can use hybrid Exchange or BitTitan, just to name a few.
Over my career, I have developed a fondness for using Microsoft ADMT with ForensiT. The main reason to use ADMT is that it’s free while Quest is a paid tool.
The only downside with using ADMT is that Microsoft has not updated the tool since 2012, but that’s where ForensiT steps in. From my experience, I can tell that Microsoft ADMT will work up to Server 2016 or Server 2019.
ForensiT is constantly being updated (just like Windows 10) every few months with new features. The latest version of ForensiT will allow you to migrate computers to Azure AD and migrate computers to a new AD domain through VPN (which is something that ADMT cannot do). I only use ADMT to migrate user accounts with password sync from one domain to another and with SID history as an option. ADMT is also good at doing security translations when re-permissioning Windows servers with file shares to the new domain.
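When accounts are migrated with the SID history option mentioned above, the source domain's SIDs stay on the new accounts until security translation is finished and the attribute is cleared. The following PowerShell is an added example (not the author's script and not part of ADMT) that inventories those leftover values in the target domain; it assumes the RSAT ActiveDirectory module is installed, and `target.example.com` is a placeholder domain name.

```powershell
# Added example: inventory objects in the target domain that still carry sIDHistory.
# Requires the ActiveDirectory module (RSAT) and read access to the target domain.
Import-Module ActiveDirectory

# Assumption: placeholder DNS name of the target (destination) domain.
$TargetDomain = 'target.example.com'

# Every user, group or computer that has at least one sIDHistory value.
$objects = Get-ADObject -Server $TargetDomain -LDAPFilter '(sIDHistory=*)' `
    -Properties sIDHistory, whenCreated

$report = foreach ($obj in $objects) {
    foreach ($sid in $obj.sIDHistory) {
        [pscustomobject]@{
            Name            = $obj.Name
            ObjectClass     = $obj.ObjectClass
            WhenCreated     = $obj.whenCreated
            HistoricSid     = $sid.Value
            # The domain part of the SID shows which source domain it came from.
            SourceDomainSid = if ($sid.AccountDomainSid) {
                                  $sid.AccountDomainSid.Value
                              } else {
                                  'builtin/well-known'
                              }
        }
    }
}

# Summary per source domain: how many migrated SIDs are still in place.
$report | Group-Object SourceDomainSid |
    Select-Object Name, Count |
    Format-Table -AutoSize

# Review list: historic SIDs with a RID below 1000 belong to built-in or default
# accounts and groups (for example 500 Administrator, 512 Domain Admins) and
# should not normally be carried over by a user migration.
$report |
    Where-Object { [int64](($_.HistoricSid -split '-')[-1]) -lt 1000 } |
    Format-Table Name, ObjectClass, HistoricSid -AutoSize

# Keep a dated record to compare against after security translation and cleanup.
$report | Export-Csv -Path ".\sidhistory-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Re-running the inventory after each security translation pass shows which source domains still have dependent accounts before the old domain is retired.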
Microsoft ADMT
Pros:
- Free tool from Microsoft
- Fairly easy to set up
- Integrates well into all current versions of Windows up to Server 2016
Cons:
- The product is dated; the last version was released around 2012
ForensiT
Pros:
- Very well-designed product for migrating workstations, not servers
- Fairly easy to set up
- Updated software can be used with the latest version of Windows 10
- Scales well for large workstation migrations with many options
- Inexpensive, around $3 per seat
Cons:
- Instructions are lacking in some places
- Computer migrations with Windows 10 are hit or miss at best
Quest Migration Manager
Pros:
- Many options to do migrations
- Good documentation and support
- Integrates well into all current versions of Windows
Cons:
- Product is expensive
BitTitan
Pros:
- Good documentation and support
- Easy to use
Cons:
- Product is only used for mail migrations
How to Perform an Active Directory Migration
Requirements
To start an ADMT migration, you will need a Windows server (minimum Server 2012) with at least 60 GB of hard drive space and 12 GB of memory. You will also be installing SQL Express 2012 on the server. The server should be in the domain that the users are migrating to.
Getting Started
Once you install SQL Express on the box, download the latest version of ADMT.
ForensiT is installed and run from the other domain, as opposed to ADMT, which is installed in the domain that users are migrating to. ForensiT has very good documentation on their website on how to run their tool, but I can tell you from experience it’s the best for workstation and user profile migrations.
One last thought here: after doing a lot of AD migrations, I have developed a variety of scripts that augment the software tools I use and that have helped me through these complicated AD migrations. AD migrations are never cookie cutter; they are complicated by nature, and sometimes take years to complete. Patience and persistence are key to successful AD migrations.
FAQs During an Active Directory Migration
Can I have the same password when I migrate to the new domain?
Yes. ADMT comes with a password sync tool.
Can ADMT re-permission my non-Windows shares?
No, but there are scripts that can help you do this with non-Windows CIFS shares.
Can I have a different account name in the new domain after migrating?
Yes. ADMT can rename your account while preserving all the group memberships.
Will my computer profile migrate with me to the new domain?
Yes. ForensiT will migrate your computer profile to the new domain with all the settings and files.