By Arthur Quan
An Active Directory migration is the process of combining two domains into one. Splitting part of your Active Directory into a new domain (a divestiture) is also an Active Directory migration. Migrations involve moving users, computers, and the associated applications to a new domain, which makes them complex by nature.
An Active Directory migration tool is software that helps you migrate the appropriate objects.
The most common use case for an Active Directory migration is for companies going through mergers, acquisitions, and/or divestitures.
When one company buys another, the cost of maintaining two separate AD infrastructures can be prohibitive. This is where Active Directory migrations become important. Sharing resources creates alignment in a way that running them separately cannot. Of course, there may be a specific business reason to keep things separate, but in general you want to share them.
Additionally, a company might sell a business unit so that it becomes its own entity (a divestiture). An Active Directory migration can be used to separate this business unit into its own entity.
The size of the companies does not matter; the tools used are always the same.
The main players for an Active Directory migration are the Microsoft Active Directory Migration Tool (ADMT) and Quest Migration Manager. There are also smaller players (such as ForensiT) used for specific purposes like computer account and user profile migrations. For email migrations, you can use hybrid Exchange or BitTitan, to name a few.
Over my career, I have developed a fondness for using Microsoft ADMT with ForensiT. The main reason to use ADMT is that it is free, while Quest is a paid tool.
The only downside with using ADMT is that Microsoft has not updated the tool since 2012, but that is where ForensiT steps in. From my experience, I can say that Microsoft ADMT will work up to Server 2016 or Server 2019.
ForensiT is constantly being updated (just like Windows 10) every few months with new features. The latest version of ForensiT will allow you to migrate computers to Azure AD and migrate computers to a new AD domain over a VPN (which is something that ADMT cannot do). I only use ADMT to migrate user accounts with password sync from one domain to another, with SID history as an option. ADMT is also good at doing security translation, re-permissioning Windows servers with file shares to the new domain.
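Because ADMT can carry SID history into the target domain, an audit of the sIDHistory attribute after the migration is worth running: the following is an added example, not code from the original post or from ADMT, and assumes the RSAT ActiveDirectory module, read access to the target domain, and a placeholder list of the source-domain SIDs you actually migrated from.

```powershell
# Added example, not part of the original post: audit sIDHistory across the target domain
# after an ADMT migration. Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-SidHistoryFindings {
    param(
        # Domain SIDs of the source domains you actually migrated from (placeholder value, constructed)
        [string[]]$ExpectedSourceDomainSids = @('S-1-5-21-SOURCE-DOMAIN-SID-PLACEHOLDER')
    )
    $targetDomainSid = (Get-ADDomain).DomainSID.Value
    # RIDs of principals that are highly privileged in any domain:
    # Administrator, Domain Admins, Domain Controllers, Schema Admins, Enterprise Admins
    $privilegedRids = @(500, 512, 516, 518, 519)

    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, sAMAccountName |
        ForEach-Object {
            $obj = $_
            foreach ($sid in $obj.sIDHistory) {
                $sidText   = $sid.Value
                $rid       = [int64]($sidText.Substring($sidText.LastIndexOf('-') + 1))
                $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }

                # Classify: only a SID from a known source domain with an ordinary RID is expected
                $finding = switch ($true) {
                    { -not $domainSid }                                   { 'non-domain (well-known or BUILTIN) SID'; break }
                    { $domainSid -eq $targetDomainSid }                   { 'SID belongs to the target domain itself'; break }
                    { $privilegedRids -contains $rid }                    { 'privileged RID carried over from the source'; break }
                    { $ExpectedSourceDomainSids -notcontains $domainSid } { 'SID from a domain you did not migrate from'; break }
                    default                                               { 'expected' }
                }
                [pscustomobject]@{
                    Account    = $obj.sAMAccountName
                    ObjectDN   = $obj.DistinguishedName
                    HistorySid = $sidText
                    Finding    = $finding
                }
            }
        }
}

# Show only the entries that need a human to look at them
Get-SidHistoryFindings | Where-Object Finding -ne 'expected' | Format-Table -AutoSize
```

Once the migration is finished and the source domain is retired, the expected entries can be cleared as well, since SID history that is no longer needed is only an extra path to resources.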
Pros:
Cons:
To start an ADMT migration you will need a Windows server (Server 2012 minimum) with at least 60 GB of hard drive space and 12 GB of memory. You will also be installing SQL Express 2012 on the server. The server should be in the domain that all the users are migrating to.
Once you install SQL Express on the box, download the latest version of ADMT.
ForensiT is installed and run from the other domain, as opposed to ADMT, which is installed in the domain that users are migrating to. ForensiT has very good documentation on their website on how to run their tool, and I can tell you from experience that it is the best for workstation and user profile migrations.
One last thought: after doing a lot of AD migrations, I have developed a variety of scripts that augment the software tools I use, and they have helped me through these complicated AD migrations. AD migrations are never cookie cutter; they are complicated by nature, and sometimes take years to complete. Patience and persistence are key to successful AD migrations.
Yes. ADMT comes with a password sync tool.
No, but there are scripts that can help you do this with non-Windows CIFS shares.
Yes. ADMT can rename your account while preserving all the group memberships.
Yes. ForensiT will migrate your computer profile to the new domain with all the settings and files.
Presenter: Rob Meyers, Director Of Systems Architecture, MCITP, MBSP, MCSE
Robert Meyers is the Director of Systems Architecture at Managed Solution in San Diego, California. He has well over a dozen current certifications on products ranging from Windows Server 2008 to Private Cloud. Robert has had a diverse career, beginning in 1991, that included owning an internet service provider and a managed services provider.
Since joining Managed Solution, he has been published as an "Industry Ally" in the Top Tech Exec Awards 2011 by San Diego Magazine, in addition to being staff nominated twice, and was a regular at the Microsoft Management Summit. Today he is an avowed technical evangelist, blogger and systems architect.
The webinar covers:
As one of Microsoft's TOP 150 partners worldwide, Managed Solution stands among the elite 1% collaborating directly with Microsoft to deliver the best solutions for your business. Microsoft Consulting Services - Managed Solution
Learn why you should consider the importance of IAM and how Entra ID can support it.
Entra ID provides secure single sign-on (SSO) for a wide range of cloud and on-premises applications, including Microsoft 365 and thousands of SaaS applications like Salesforce, Workday, DocuSign, ServiceNow, and Box.
Connect Entra ID with on-premises directories in just a few clicks to maintain a consistent set of users, groups, passwords, and devices across both environments.
Users can launch applications from a personalized web-based access panel, mobile app, Office 365, or custom company portals using their existing work credentials, ensuring a seamless experience across iOS, macOS, Android, and Windows devices.
Protect sensitive data and applications with Entra ID's advanced identity protection capabilities. Gain insights into suspicious sign-in activities, receive proactive security reports, and enforce risk-based policies to safeguard your business against current and emerging threats.
Access on-premises web applications securely from anywhere with multi-factor authentication, conditional access policies, and group-based access management. Users can seamlessly access both SaaS and on-premises web apps from a unified portal.
Empower employees with self-service capabilities such as password resets and group management, reducing helpdesk calls and enhancing security through verification steps.
Entra ID offers enterprise-grade scale and reliability, serving as the directory for Microsoft Office 365 with hundreds of millions of users and billions of authentications daily. Hosted in globally distributed datacenters across 17 regions, Entra provides high availability and worldwide technical support with a 99.9% SLA.
With time, your Active Directory (AD) database can malfunction and become filled with data that you no longer need, such as references to users or servers that no longer exist. Here are 10 things to know before "de-gunking" your Active Directory.
Erratic Active Directory behavior is not always due to a corrupt Active Directory database. For example, not being able to create or remove a domain may be because the domain controller hosting the FSMO roles for the domain is down, or, even more simply, because the user attempting the operation does not have the necessary permissions.
Active Directory is completely dependent on DNS, so if the DNS server fails, Active Directory begins to have problems too. Indications of a DNS server issue include error messages such as "Domain Not Found", "Server Not Available", or "RPC Server is Unavailable".
Windows domain controllers include a command-line utility called DCDIAG. Running this utility performs a number of diagnostic tests on a domain controller, and DCDIAG will often help you quickly determine the cause of the problem.
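The three checks above (FSMO role holders, DNS locator records, DCDIAG) are the ones to run before assuming the database itself is corrupt; the script below is an added example, not part of the original article, and assumes the RSAT ActiveDirectory module on a domain-joined host with rights to run dcdiag against each DC.

```powershell
# Added example, not from the original article: a first-pass triage script that checks FSMO
# holders, the DC locator SRV records, and a DCDIAG summary for every DC in the domain.
Import-Module ActiveDirectory

function Test-DomainHealth {
    param([string]$DomainName = (Get-ADDomain).DNSRoot)

    $domain  = Get-ADDomain -Identity $DomainName
    $forest  = Get-ADForest -Identity $domain.Forest
    $results = New-Object System.Collections.Generic.List[object]

    # 1. FSMO role holders: an unreachable holder is a common cause of "cannot create/remove" errors
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        $up = Test-Connection -ComputerName $holder -Count 1 -Quiet
        $results.Add([pscustomobject]@{ Check = "FSMO $role"; Target = $holder
                                        Status = $(if ($up) { 'OK' } else { 'FAIL: unreachable' }) })
    }

    # 2. DC locator SRV records: missing records surface as "Domain Not Found" / "RPC Server is Unavailable"
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
    $results.Add([pscustomobject]@{ Check = 'DNS SRV _ldap._tcp.dc._msdcs'; Target = $DomainName
                                    Status = $(if ($srv) { "OK: $(@($srv).Count) record(s)" } else { 'FAIL: no SRV records' }) })

    # 3. DCDIAG on each DC: keep only the "passed test"/"failed test" summary lines
    foreach ($dc in (Get-ADDomainController -Filter * -Server $DomainName)) {
        $dcdiagArgs = @("/s:$($dc.HostName)", '/test:Connectivity', '/test:Replications', '/test:Services', '/test:DNS')
        $lines = & dcdiag.exe @dcdiagArgs 2>&1
        foreach ($line in $lines) {
            if ("$line" -match '(passed|failed) test (\w+)') {
                $results.Add([pscustomobject]@{ Check = "dcdiag $($Matches[2])"; Target = $dc.HostName
                                                Status = $(if ($Matches[1] -eq 'passed') { 'OK' } else { 'FAIL' }) })
            }
        }
    }
    return $results
}

Test-DomainHealth | Format-Table -AutoSize
```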
While you can use ADSI Edit to manually remove references to extinct servers, doing so often does more harm than good. With Active Directory being a relational database, removing an entry for an extinct server can orphan other database entries and cause a whole slew of problems. A better approach is to use the NTDSUTIL tool's METADATA CLEANUP option. This TechNet article provides a full set of instructions on the process.
You can use ADSI Edit to manually create and delete Active Directory entries, but making a mistake can destroy your entire Active Directory. Therefore, it is important to know when and when not to use it. For example, Exchange 2007 can't be uninstalled until the last public folder has been removed, but a bug prevents you from removing the remaining public folders. ADSI Edit is useful to work around this issue, but take extreme caution in using it for other purposes.
With virtualization being so popular, many organizations have virtualized their domain controllers, and the server virtualization products on the market allow you to create a snapshot of a server. That way, in the event that something goes wrong with the server, you can roll it back to a previous state without having to restore a backup.
While backing up your domain controllers before attempting to repair Active Directory is a good idea, you shouldn't use snapshots. Rolling back to a snapshot of a domain controller can have catastrophic consequences. Active Directory transactions are numbered, and rolling back a domain controller disrupts the numbering sequence. This leads to all sorts of domain synchronization issues.
Normally, NTDSUTIL is the tool of choice for repairing Active Directory problems. But in the case of severe corruption, NTDSUTIL may not be enough for the problem at hand. In this case, the best option is to restore a backup. If that isn't possible, though, you can try using ESEUTIL.
ESEUTIL is a database maintenance tool for Extensible Storage Engine (ESE) databases, and it can be used to repair structural problems within the database. This technique should only be used as a last resort because of the possibility of data loss during the repair process.
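The disrupted numbering sequence described above is what Windows reports as a USN rollback, and a domain controller records it in two places; the script below reads both and is an added example, not part of the original article, assuming PowerShell remoting to each DC and rights to read its registry and Directory Service event log.

```powershell
# Added example, not from the original article: query domain controllers for the marks NTDS
# leaves behind when it detects that a roll-back disturbed the update sequence numbers.
function Test-UsnRollback {
    param([string]$ComputerName = $env:COMPUTERNAME)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

        # When NTDS detects a USN rollback it stops replicating and sets "DSA Not Writable"
        # (Microsoft's rollback guidance documents the value 4 for this case). Any non-zero
        # value means replication on this DC has been disabled and needs investigation.
        $dsaNotWritable = (Get-ItemProperty -Path $ntdsParams -Name 'DSA Not Writable' `
                               -ErrorAction SilentlyContinue).'DSA Not Writable'

        # Event 2095 in the Directory Service log is the matching alert
        $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } `
                                 -MaxEvents 5 -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            DomainController  = $env:COMPUTERNAME
            DsaNotWritable    = $dsaNotWritable
            Event2095Count    = $events.Count
            LatestEvent2095   = $(if ($events.Count -gt 0) { $events[0].TimeCreated } else { $null })
            RollbackSuspected = ([int]$dsaNotWritable -ne 0) -or ($events.Count -gt 0)
        }
    }
}

# Check every DC in the domain and list the ones that look rolled back
Import-Module ActiveDirectory
$report = Get-ADDomainController -Filter * | ForEach-Object { Test-UsnRollback -ComputerName $_.HostName }
$report | Format-Table DomainController, DsaNotWritable, Event2095Count, LatestEvent2095, RollbackSuspected -AutoSize
```

A DC that reports RollbackSuspected should be treated as the "catastrophic" case the text warns about: it is no longer replicating, and the fix is a proper restore from backup rather than another snapshot.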
When you restore the Active Directory database on a domain controller, the restoration is usually non-authoritative, meaning that the restoration process restores the domain controller to the point at which it existed when the backup was made. The domain controller is brought into a current state by the replication process. Other domain controllers replicate any missing entries to the recently restored domain controller.
An authoritative restore does not backfill a restored domain controller using data from other domain controllers. Instead, you are effectively telling Windows that the recently restored domain controller contains the desired data and that you want to remove any subsequent data from the other domain controllers in the organization.
When Active Directory-related services fail to start on a domain controller, the problem is often mistaken for database corruption, when in fact an administrator has often recently tried to secure the system volume. Excessive NTFS permissions can actually prevent Active Directory from starting. Microsoft discusses this problem in Knowledge Base article 258062.
Before performing any major repair or cleanup work on your Active Directory, it is imperative to perform a full system state backup of your domain controllers. Countless knowledgebase articles talk about the importance of backing up a system prior to modifying the registry — and modifying the Active Directory database is much more dangerous than editing the registry. If you make a mistake while editing the registry, you can destroy Windows. If you make a mistake in Active Directory, you can destroy the whole thing which potentially affects every system in your organization. Therefore, the importance of a good backup should never be underestimated.
Source: http://microsoft-news.com/microsoft-investing-more-than-10-billion-in-data-centers-annually/