By Arthur Quan

What is Active Directory Migration?

Active Directory Migration is when you combine two domains into one. Splitting part of your Active Directory into a new domain (a divestiture) is also an Active Directory Migration. Active Directory Migrations involve moving users, computers, and the associated applications to a new domain, which makes them very complex by nature.

An Active Directory Migration tool is software that helps you migrate the appropriate objects.

Why do companies need this?

The most common use case for an Active Directory migration is for companies going through mergers, acquisitions, and/or divestitures.

When one company buys another company, the cost of maintaining two separate AD infrastructures can be prohibitive. This is where Active Directory Migrations become important. Sharing resources creates alignment better than running them separately. Of course, there may be a specific business reason to keep things separate from one another, but in general, you want to share them.

Additionally, a company might sometimes sell a business unit to become its own entity (a divestiture). This is where an Active Directory Migration can be used to separate that business unit into its own entity.

What Tools Are Needed for an Active Directory Migration?

The size of the companies does not matter; the tools used are always the same.

The main players for an Active Directory migration are Microsoft Active Directory Migration Tool (aka ADMT) and Quest Migration Manager. Additionally, there are sometimes smaller players (such as ForensiT) used for specific purposes like computer account and user profile migrations. For email migrations, you can use a hybrid Exchange setup or BitTitan, just to name a few.

Over my career, I have developed a fondness for using Microsoft ADMT with ForensiT. The main reason to use ADMT is that it’s free, while Quest is a paid tool.

The only downside of using ADMT is that Microsoft has not updated the tool since 2012, but that’s where ForensiT steps in. From my experience, Microsoft ADMT will work up to Server 2016 or Server 2019.

ForensiT is constantly being updated (just like Windows 10) every few months with new features. The latest version of ForensiT will allow you to migrate computers to Azure AD and to migrate computers to a new AD domain through a VPN (which is something that ADMT cannot do). I only use ADMT to migrate user accounts with password sync from one domain to another, with SIDHistory as an option. ADMT is also good at doing security translation, re-permissioning Windows servers with file shares to the new domain.
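The paragraph above mentions migrating with SIDHistory as an option. As an added example (not code from the article or from ADMT), the PowerShell below lists every user and group in the target domain that still carries sIDHistory and checks that each entry points back to the expected source domain. It assumes the ActiveDirectory module is installed, that the account running it can read both domains, and that the domain names are placeholders to replace with your own.

```powershell
# Added example, not code from the article or from ADMT: audit sIDHistory in the
# target domain after a migration. Assumptions: ActiveDirectory module present, the
# running account can read both domains, and the domain names below are placeholders.
Import-Module ActiveDirectory

$TargetDomain = 'corp.example.com'   # placeholder: domain the users migrated TO
$SourceDomain = 'old.example.com'    # placeholder: domain the users migrated FROM

# Every legitimate sIDHistory entry written by this migration should belong to this domain SID.
$expectedSourceSid = (Get-ADDomain -Server $SourceDomain).DomainSID.Value

# Users and groups in the target domain that still carry sIDHistory.
$objects = Get-ADObject -Server $TargetDomain `
    -LDAPFilter '(&(|(objectClass=user)(objectClass=group))(sIDHistory=*))' `
    -Properties sAMAccountName, objectClass, sIDHistory

function ConvertTo-Sid($value) {
    # The AD module normally returns SecurityIdentifier objects; tolerate raw bytes too.
    if ($value -is [System.Security.Principal.SecurityIdentifier]) { return $value }
    return New-Object System.Security.Principal.SecurityIdentifier($value, 0)
}

$report = foreach ($obj in $objects) {
    foreach ($entry in $obj.sIDHistory) {
        $histSid = ConvertTo-Sid $entry
        # AccountDomainSid is $null for well-known SIDs that belong to no domain.
        $domainSid = if ($histSid.AccountDomainSid) { $histSid.AccountDomainSid.Value } else { '(none)' }
        [pscustomobject]@{
            Name               = $obj.sAMAccountName
            Class              = $obj.objectClass
            HistorySid         = $histSid.Value
            HistoryDomainSid   = $domainSid
            FromExpectedSource = ($domainSid -eq $expectedSourceSid)
        }
    }
}

$report | Export-Csv -LiteralPath .\sidhistory-audit.csv -NoTypeInformation
# Entries that do not point at the migration source are the ones to investigate first.
$report | Where-Object { -not $_.FromExpectedSource } | Format-Table -AutoSize
```

Once the file shares have been re-permissioned, sIDHistory no longer serves a purpose, and a report like this is the starting point for cleaning it up; entries that resolve to a domain other than the migration source, or to no domain at all, are the ones to look at first.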

Microsoft ADMT

Pros:

  • Free tool from Microsoft
  • Fairly easy to setup
  • Integrates well into all current versions of Windows up to Server 2016

Cons

  • The product is dated; the last version was released around 2012

ForensiT

Pros:

  • Very well-designed product for migrating workstations, not servers
  • Fairly easy to setup
  • Updated software can be used with the latest version of Windows 10
  • Scales well for large Workstation migrations with many options
  • Inexpensive, around $3 per seat

Cons:

  • Instructions are lacking in some places
  • Computer migrations with Windows 10 are hit or miss at best

Quest Migration Manager

Pros:

  • Many options to do migrations
  • Good documentation and support
  • Integrates well into all current versions of Windows

Cons:

  • Product is expensive

BitTitan

Pros:

  • Good documentation and support
  • Easy to use

Cons:

  • Product is only used for mail migrations

How to Perform an Active Directory Migration

Requirements

To start an ADMT migration you will need a Windows server (minimum Server 2012) with at least 60 GB of hard drive space and 12 GB of memory. You will also be installing SQL Express 2012 on the server. The server should be in the domain that all the users are migrating to.

Getting Started

Once you install SQL Express on the box, download the latest version of ADMT.

ForensiT is installed and run from the other domain, as opposed to ADMT, which is installed in the domain that users are migrating to. ForensiT has very good documentation on its website on how to run the tool, and I can tell you from experience it’s the best for workstation and user profile migrations.

One last thought: after doing a lot of AD migrations, I have developed a variety of scripts that augment the software tools I use and that have helped me through these complicated migrations. AD migrations are never cookie cutter; they are complicated by nature, and sometimes take years to complete. Patience and persistence are key to successful AD migrations.

FAQs During an Active Directory Migration

Can I have the same password when I migrate to the new domain?

Yes. ADMT comes with a password sync tool.

Can ADMT re-permission my non windows shares?

No, but there are scripts that can help you do this with non-Windows CIFS shares.
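As an added example of the kind of re-permissioning script the answer refers to (not the article's own script and not ADMT), the PowerShell below walks a share and, for every explicit ACE that names a source-domain principal, adds a matching ACE for the same-named account in the target domain. It assumes the ActiveDirectory module, a trust so that both domains resolve, that accounts kept their sAMAccountName (adjust the lookup if ADMT renamed them), and that the share exposes NTFS-style ACLs over SMB, which is how many non-Windows CIFS servers present their permissions; the path and domain names are placeholders.

```powershell
# Added example, not the article's script and not ADMT: translate explicit ACEs on a
# share from source-domain principals to the same-named principals in the target domain.
# Assumptions: ActiveDirectory module present, both domains resolvable over a trust,
# accounts keep their sAMAccountName, and the share exposes NTFS-style ACLs over SMB.
Import-Module ActiveDirectory

$SharePath     = '\\fileserver\share'   # placeholder UNC path to re-permission
$SourceNetBios = 'OLD'                  # placeholder NetBIOS name of the source domain
$TargetDomain  = 'corp.example.com'     # placeholder DNS name of the target domain
$Mode          = 'Add'                  # 'Add' keeps the old ACE next to the new one; 'Replace' removes it
$WhatIfOnly    = $true                  # report only until the mapping looks right

# Cache lookups so a share with thousands of entries does not hit the DC for every ACE.
$lookup = @{}
function Resolve-TargetSid {
    param([string]$SourceIdentity)   # e.g. 'OLD\jdoe' or 'OLD\FinanceRO'
    if ($lookup.ContainsKey($SourceIdentity)) { return $lookup[$SourceIdentity] }
    $sam = $SourceIdentity.Split('\')[1]
    $obj = Get-ADObject -Server $TargetDomain -LDAPFilter "(sAMAccountName=$sam)" -Properties objectSid
    $sid = if ($obj) { $obj.objectSid } else { $null }   # $null: no counterpart in the target domain
    $lookup[$SourceIdentity] = $sid
    return $sid
}

$items = @(Get-Item -LiteralPath $SharePath) + @(Get-ChildItem -LiteralPath $SharePath -Recurse -Force)
foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    $changed = $false
    # Only explicit ACEs are translated; inherited ones follow from their parent folder.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        if ($ace.IdentityReference.Value -notlike "$SourceNetBios\*") { continue }
        $targetSid = Resolve-TargetSid $ace.IdentityReference.Value
        if (-not $targetSid) {
            Write-Warning "$($item.FullName): no target account for $($ace.IdentityReference.Value)"
            continue
        }
        $newAce = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $targetSid, $ace.FileSystemRights, $ace.InheritanceFlags, $ace.PropagationFlags, $ace.AccessControlType)
        $acl.AddAccessRule($newAce)
        if ($Mode -eq 'Replace') { $acl.RemoveAccessRuleSpecific($ace) }
        $changed = $true
        Write-Host "$($item.FullName): $($ace.IdentityReference.Value) -> $($targetSid.Value) ($Mode)"
    }
    if ($changed -and -not $WhatIfOnly) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
}
```

Run it first with `$WhatIfOnly` left at `$true` and read the warnings: every source principal without a counterpart in the target domain is an entry that would silently keep granting access through the old domain (or through sIDHistory) after the cutover, so those are resolved before switching to `Replace` mode.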

Can I have a different account name in the new domain after migrating?

Yes. ADMT can rename your account while preserving all the group memberships.

Will my computer profile migrate with me to the new domain?

Yes. ForensiT will migrate your computer profile to the new domain with all the settings and files.

Active Directory Domain Services On Demand Webinar: Protect & Transform Your Business With A Healthy Active Directory

Presenter: Rob Meyers, Director Of Systems Architecture, MCITP, MBSP, MCSE

Robert Meyers is the Director of Systems Architecture at Managed Solution in San Diego, California. He has well over a dozen current certifications on various products from Windows Server 2008 to Private Cloud. Robert has had a diverse career, beginning in 1991, which has included owning an internet service provider and a managed services provider.

Since joining Managed Solution, he has been published as an “Industry Ally” in San Diego Magazine’s Top Tech Exec Awards 2011, in addition to being staff-nominated twice, and was a regular at the Microsoft Management Summit. Today he is an avowed technical evangelist, blogger and systems architect.

The webinar covers:

  • Domain Services: New Components And Deployment Scenarios
  • How To Identify Issues Using A Pass/Fail Model
  • Concepts And Best Practices
  • Single Sign On
  • Azure AD Device Registration
  • Workflow Automation


As one of Microsoft's TOP 150 partners worldwide, Managed Solution stands among the elite 1% collaborating directly with Microsoft to deliver the best solutions for your business. Microsoft Consulting Services - Managed Solution


Benefits of Active Directory

Single sign-on to any cloud and on-premises web app
Azure Active Directory provides secure single sign-on to cloud and on-premises applications including Microsoft Office 365 and thousands of SaaS applications such as Salesforce, Workday, DocuSign, ServiceNow, and Box.

See more supported SaaS apps

Easily extend Active Directory to the cloud

Connect Active Directory and other on-premises directories to Azure Active Directory in just a few clicks and maintain a consistent set of users, groups, passwords, and devices across both environments.

Connect on-premises directories with Azure

Works with iOS, Mac OS X, Android and Windows devices

Users can launch applications from a personalized web-based access panel, mobile app, Office 365, or custom company portals using their existing work credentials and have the same experience whether they’re working on iOS, Mac OS X, Android or Windows devices.

Protect sensitive data and applications

Enhance application access security with unique identity protection capabilities that provide a consolidated view into suspicious sign-in activities and potential vulnerabilities. Take advantage of advanced security reports, notifications, remediation recommendations and risk-based policies to protect your business from current and future threats.

Protect on-premises web applications with secure remote access

Access your on-premises web applications from everywhere and protect with multi-factor authentication, conditional access policies, and group-based access management. Users can access SaaS and on-premises web apps from the same portal.

Reduce costs and enhance security with self-service capabilities

Delegate important tasks such as resetting passwords and the creation and management of groups to your employees. Providing self-service application access and password management through verification steps can reduce helpdesk calls and enhance security.

Enterprise scale and SLA

Azure Active Directory Premium offers enterprise-grade scale and reliability. As the directory for Office 365, it already hosts hundreds of millions of users and handles billions of authentications every day. The high availability service is hosted in globally distributed datacenters in 17 regions, with worldwide technical support that provides a 99.9% SLA.


Through our proven process we’ve transformed over 500 businesses using Powerful Identity Protection Strategies. Contact us today 858-429-3084.


Active Directory Health Check Project Accelerator (PDF): http://www.managedsolution.com/wp-content/uploads/2017/11/Active-Directory-Pass-Fail.pdf

A Healthy Active Directory Can Protect And Transform Your Business

If your Active Directory is unhealthy it can be the root cause to countless issues in a business environment.
How certain are you that your environment will PASS? Contact us today to get started on your Active Directory Pass / Fail Project 800-208-3617.

Security As A Service Project Accelerator (PDF): http://www.managedsolution.com/wp-content/uploads/2017/11/Entperrise-Mobility-Security-As-A-Service-Accelerator.pdf

Secure Your Staff and Their Devices with Enterprise Mobility + Security (EMS) from Microsoft. EMS lets you keep corporate data secure even on an unsecure network. Meet the needs of your mobile workforce—and their roaming devices.

Managed Solution provides businesses with complete, end-to-end solutions for their technology needs.
Get cutting-edge security as a service to enable mobility without risking company data. For more information call 800-208-3617

Data Center Automation Quick Start Project Accelerator (PDF): http://www.managedsolution.com/wp-content/uploads/2017/11/Systems-Center-Operations-Manager.pdf

Monitor Critical Services & Applications With Microsoft System Center Operations Manager

With infrastructure monitoring and insights for high performance, and Managed Solution’s unmatched methodology for delivering systems health, we can bring a new level of security to your network.
Get Started Today 800-208-3617.

Enterprise Class Remote Client Health with System Center + SHARC Project Accelerator (PDF): http://www.managedsolution.com/wp-content/uploads/2018/04/System-Center-Configuration-Manager-with-SHARC-no-pricing.pdf

With SCCM & our proprietary SHARC tool, automating your client’s computers health has never been easier.

You can discover, diagnose, and clean all your client devices with just a mouse click, even the ones you didn’t know were on your network... without human intervention.
The future of client health automation is here.

Office 365 Migration Project Accelerator (PDF): http://www.managedsolution.com/wp-content/uploads/2017/11/Systems-Center-Operations-Manager.pdf

Optimize Uptime, Take the Fast Track to the Cloud

See how our expert engineers are helping business move quickly & securely to the cloud.

Azure Quick Start (PDF): http://www.managedsolution.com/wp-content/uploads/2018/04/Azure-Quick-Start-and-Pilot-Workshop-2017.pdf

Could this be you?

  • You have purchased Azure licensing, but it is not yet being used.
  • You are currently evaluating Azure for disaster recovery, development, or infrastructure needs.
  • You have implemented Azure, but you are looking to expand and need more assistance with governance or automation.

Azure Quick Start is customizable to your needs. Learn more.


With time, your Active Directory (A/D) database can malfunction and become filled with data that you do not need anymore, such as references to users or servers that do not exist anymore. Here are 10 things to know before "de-gunking" your Active Directory.

1: Think simple before anything else

Erratic Active Directory behavior is not always due to a corrupt Active Directory database. For example, not being able to create or remove a domain may be due to the fact that the domain controller hosting the FSMO roles for the domain is down, or, even simpler, the user attempting to perform the operation may not have the necessary permissions.


2: Make sure DNS is properly functioning

Active Directory is completely dependent on DNS, so if the DNS server fails, Active Directory begins to have problems too. Indications of a DNS server issue include error messages such as "Domain Not Found", "Server Not Available", or "RPC Server is Unavailable".


3: Know the power and ease of DCDIAG

Windows domain controllers include a command-line utility called DCDIAG. Running this utility performs a number of diagnostic tests on a domain controller, and oftentimes DCDIAG will help you quickly determine the cause of the problem.

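As an added example (not from the article), the PowerShell below runs DCDIAG's output through a small parser that turns each pass/fail line into an object, so failed tests stand out instead of being buried in pages of text. It embeds constructed sample output in the shape dcdiag prints so it can be tried offline; the domain controller name in the commented live run is a placeholder.

```powershell
# Added example, not from the article: parse DCDIAG output into objects and list
# the failed tests. Assumptions: dcdiag.exe is on the path (it ships with the
# AD DS administration tools) and the DC name used below is a placeholder.

function ConvertFrom-DcDiagOutput {
    param([string[]]$Lines)
    # DCDIAG reports each test as "......... <target> passed test <Test>" or "failed test".
    foreach ($line in $Lines) {
        if ($line -match '^\s*\.+\s+(?<target>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)') {
            [pscustomobject]@{
                Target = $Matches.target
                Test   = $Matches.test
                Passed = ($Matches.result -eq 'passed')
            }
        }
    }
}

# Constructed sample output, in the shape dcdiag prints, so this runs offline.
$sample = @'
   Testing server: Default-First-Site-Name\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity
      Starting test: Replications
         [Replications Check,DC01] A recent replication attempt failed:
         ......................... DC01 failed test Replications
      Starting test: SysVolCheck
         ......................... DC01 passed test SysVolCheck
   Running enterprise tests on : corp.example.com
      Starting test: FsmoCheck
         ......................... corp.example.com passed test FsmoCheck
'@ -split "`r?`n"

$results = ConvertFrom-DcDiagOutput -Lines $sample
$results | Where-Object { -not $_.Passed } | Format-Table -AutoSize

# Live run against a DC (placeholder name); dcdiag writes to stdout, so the
# output is captured the same way and fed to the same parser.
# $live = dcdiag /s:DC01.corp.example.com
# ConvertFrom-DcDiagOutput -Lines $live | Where-Object { -not $_.Passed }
```

Keeping the parser separate from the live call makes it easy to schedule: run dcdiag on every DC, keep only the failed rows, and alert on them, which catches replication and SYSVOL problems long before a user notices them.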

4: Delete extinct metadata correctly

While you can use ADSI Edit to manually remove references to extinct servers, doing so often does more harm than good. With Active Directory being a relational database, removing an entry for an extinct server can orphan other database entries and cause a whole slew of problems. A better approach is to use the NTDSUTIL tool's METADATA CLEANUP option. This TechNet article provides a full set of instructions on the process.


5: ADSI Edit is unforgiving

You can use ADSI Edit to manually create and delete Active Directory entries, however, making a mistake can destroy your entire Active Directory. Therefore, it is important to know when and when not to use it. For example, Exchange 2007 can't be uninstalled until the last public folder has been removed, but a bug prevents you from removing the remaining public folders. ADSI Edit is useful to work around this issue, but take extreme caution in using it for other purposes.


6: Don't use domain controller snapshots

With virtualization being so popular, many organizations have virtualized their domain controllers, and the server virtualization products on the market allow you to create a snapshot of a server. That way, in the event that something goes wrong with the server, you can roll it back to a previous state without having to restore a backup.

While backing up your domain controllers before attempting to repair Active Directory is a good idea, you shouldn't use snapshots. Rolling back to a snapshot of a domain controller can have catastrophic consequences. Active Directory transactions are numbered and rolling back a domain controller causes the numbering sequence to be disrupted. This leads to all sorts of domain synchronization issues.


7: Active Directory is based on the extensible storage engine

Normally, NTDSUTIL is the tool of choice for repairing Active Directory problems. But in the case of severe corruption, NTDSUTIL may not be enough for the problem at hand. In this case, the best option is to restore a backup. If that isn't possible, though, you can try using ESEUTIL.

ESEUTIL is a database maintenance tool for extensible storage engine databases and it can be used to repair structural problems within the database. This technique should only be implemented as a last resort due to the possibility of data loss during the repair process.


8: The difference between authoritative and non-authoritative restore

When you restore the Active Directory database on a domain controller, the restoration is usually non-authoritative, meaning that the restoration process restores the domain controller to the point at which it existed when the backup was made. The domain controller is brought into a current state by the replication process. Other domain controllers replicate any missing entries to the recently restored domain controller.

An authoritative restore does not backfill a restored domain controller using data from other domain controllers. Instead, you are effectively telling Windows that the recently restored domain controller contains the desired data and that you want to remove any subsequent data from the other domain controllers in the organization.


9: Check NTFS permissions

When Active Directory related services fail to start on a domain controller, the problem is often mistaken for database corruption when, in fact, an administrator has recently tried to secure the system volume. Excessively restrictive NTFS permissions can actually prevent Active Directory from starting. Microsoft discusses this problem in Knowledgebase Article 258062.


10: Back up your domain controllers

Before performing any major repair or cleanup work on your Active Directory, it is imperative to perform a full system state backup of your domain controllers. Countless knowledgebase articles talk about the importance of backing up a system prior to modifying the registry — and modifying the Active Directory database is much more dangerous than editing the registry. If you make a mistake while editing the registry, you can destroy Windows. If you make a mistake in Active Directory, you can destroy the whole thing which potentially affects every system in your organization. Therefore, the importance of a good backup should never be underestimated.


Configure automatic Microsoft Intune enrollment of Windows 10 devices when joining Azure Active Directory

As written by Nickolaj on Scconfigmgr.com
If your company is evaluating Windows 10, which I assume they are, one of the new features with Windows 10 is that you can have your end users join their off-the-shelf purchased Windows 10 PC to Azure Active Directory. With this feature, users simply just have to know their email and password to get started. For IT departments, they’re able to configure their Azure Active Directory subscription for automatic enrollment of AAD-joined devices with Microsoft Intune. To me, this capability is simply just brilliant. End-users are now able to simply just log on, get all their settings and apps and automatically be managed by the IT department.

In this post I intend to outline the steps required to set up the Azure subscription with Azure Active Directory for automatic Microsoft Intune enrollment.

Requirements

In order to enable your Azure Active Directory subscription, you’ll need to have purchased Azure Active Directory Premium licenses (or set up a 30-day trial). As well as the premium licenses, you’ll of course also need a Microsoft Intune tenant. In order to set up a demo environment for the purpose of demonstrating this feature, I’ve performed the following steps:

  • Registered a Microsoft Intune tenant by signing up for a 30-day trial
  • Signed up for Azure with the tenant created for Microsoft Intune
  • Added a 30-day trial of Azure Active Directory Premium
  • Assigned an Azure Active Directory Premium license to my Global Administrator account (this is required to be able to configure the Microsoft Intune app through the Azure portal)

At this point, I’ve created a few test users and an All Users group in the Azure Active Directory. This group comes in handy at a later stage when we’re about to configure the Microsoft Intune application through the Azure portal.
It’s also worth mentioning that every user that’s gonna have their Azure Active Directory joined devices automatically enrolled into Microsoft Intune, needs to have an Azure Active Directory Premium license assigned.


Source:
http://www.scconfigmgr.com/2015/08/23/configure-automatic-microsoft-intune-enrollment-of-windows-10-devices-when-joining-azure-active-directory/


Microsoft Investing More Than $10 Billion In Data Centers Annually

We know Microsoft is investing billions in developing their new data centers to power their enterprise and consumer cloud services. Speaking at GreenPages’ CloudScape 2015 conference, Microsoft GM George Taylor has revealed that they are spending over $10 billion in building out data centres, more than they spend annually on R&D.
“We used to invest about $10 billion in research per year, which we still do. Our data center investments are more than that. It is unbelievable,” Taylor said. “I would have never thought that years ago. And they keep growing.”
“It is crazy,” he said. “We continue to pour money into data centers.”
He said Microsoft’s datacenter capacity is growing 10 times annually. Microsoft now has over 90,000 Azure customers, 1.4 million SQL databases in Azure, 475 million Azure active directory users and 3,200 Azure MarketPlace Applications.

Source: http://microsoft-news.com/microsoft-investing-more-than-10-billion-in-data-centers-annually/

Contact us Today!

Chat with an expert about your business’s technology needs.