Best Practices for an Active Directory Migration

Written by

Derek Melber MCSE, MVP, President BrainCore.Net AZ, Inc.

WHITE PAPER

PowerGUI. SQLab.quest. SelfServiceADmin. BridgeAutoEscalate. AccessManager. electronic or mechanical. DS Analyzer. PassGo. vConverter. CONSEQUENTIAL. EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. by estoppel or otherwise. Spotlight. NetPro.Click. Vizioncore vAutomation Suite. ChangeManager. Quest Software.A. IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING. I/Watch. iToken. the Quest Software logo. InTrust.O. SharePlex. Npulse. NetBase. THE IMPLIED WARRANTY OF MERCHANTABILITY. VizionCore. SPECIAL OR INCIDENTAL DAMAGES (INCLUDING. MultSess. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT. BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT. OR NONINFRINGEMENT.Done!. vFoglight. BridgeTrak. Imceda. IntelliProfile. Trademarks Quest. Security Lifecycle Map. DirectoryTroubleshooter. express or implied. Webthority.© 2011 Quest Software. LeccoTech. vRanger. Desktop Authority. ReportADmin. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Big Brother. Defender. vControl.. Toad. (―Quest‖). ActiveRoles. BridgeSearch. Vintela. BusinessInsight. Help Desk Authority. Virtual DBA. Vizioncore vMigrator.com Refer to our Web site for regional and international office information. Quest does not make any commitment to update the information contained in this document. including photocopying and recording for any purpose without the written permission of Quest Software. Monosphere. Vizioncore vEssentials. Sitraka. Aelita. T. Akonix. DirectoryAnalyzer.com Email: legal@quest. QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS. JClass. WITHOUT LIMITATION. LogADmin. Inc in the United States of America and other countries. NBSpool. vAutomator. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT. Quest Central. If you have any questions regarding your potential use of this material. Inc. DeployDirector. SQL Watch. to any intellectual property right is granted by this document or in connection with the sale of Quest products. Vizioncore vReplicator. Stat. contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo. Toad World. SQL Navigator. INDIRECT. Quest vToolkit. StealthCollect. RestoreADmin. No license. LiteSpeed. Other trademarks and registered trademarks used in this guide are property of their respective owners. LiveReorg. BridgeAccess. No part of this document may be reproduced or transmitted in any form or by any means. ChangeAuditor. NetControl. The information in this document is provided in connection with Quest products. FITNESS FOR A PARTICULAR PURPOSE. WebDefender. PerformaSure. DAMAGES FOR LOSS OF PROFITS. PUNITIVE. This document contains proprietary information protected by copyright. Xaffire. Quest vWorkSpace. Storage Horizon. Benchmark Factory. Vizioncore vBackup. and XRT are trademarks and registered trademarks of Quest Software. Tag and Follow. Inc. DS Expert. CA 92656 www. BUT NOT LIMITED TO. Foglight. Invirtus. JProbe. AppAssure. vOptimizer. ScriptLogic.D. Jint. Point. MessageStats. ALL RIGHTS RESERVED. SmartAlarm. GPOADmin. White Paper: Best Practices for an Active Directory Migration 1 .

.................................................................................................................................................................................. 7 Choosing the Right Tool ............................................................................................................................... 12 About the Author ....................................................................................................................................................................................... 10 Service Accounts ................................... 8 Inter-forest Migration ....................................................................................... 13 White Paper: Best Practices for an Active Directory Migration 2 ......................................................................................... 6 Re-permissioning of Resources .......................................................................................................................... 10 Laptops .............................................................................................................................................. 10 Servers ...................................................................................................................................................................................................................................................................................... 5 Managing the Migration........................................................................................................................... 8 Site Topology Migration .......................................................................................................................................................................... 8 Intra-forest Migration ...................................... 9 Active Directory Delegation Migration ....... 7 Active Directory Migration Scenarios .................................................................................................................................................................................................................................................................................................... 6 Cleanup ............................................................................................................ 6 Co-existence ............................................................................................ 3 Introduction....................................................Contents Abstract ............................................... 6 SIDHistory Migration ................................................................................................................................................................................................ 11 Cleanup .................................................................................................................................................................................................................................................................................................................................................................................................................................................. 8 Non-trusted Domain Migration ........... 4 Assessing the Source Environment ...... 9 Resource Migration ........................ 6 Active Directory Migration Requirements ................................................. 8 Advanced User and Group Object Property Migration .......................................................................................................................................................................................................................................................................................................... 10 Desktops ................................................ 6 Reporting ............................................................................ 11 Conclusion...................................................................................... 9 Migrated Object Property Customization ........ 10 Resource Permissions ................................................ 6 Rollback ...............................................................................................................................................................................................................................

White Paper: Best Practices for an Active Directory Migration 3 .Abstract This white paper details the major challenges of Active Directory migrations and explains how choosing the right migration tools can help speed your migration and help ensure its success.

Then you need to migrate your servers.Introduction An Active Directory migration can be complex and difficult. migrating complex site topology structures. or migrating domains that can’t have trusts established—add even more complexity to the migration project. This process usually takes weeks or months. and explains how choosing the right migration tools can help speed your migration and help ensure its success. White Paper: Best Practices for an Active Directory Migration 4 . including complex migration scenarios. The goal for most organizations is to provide seamless access to data and services for all users during and after the migration and minimize the impact of the migration on the production environment. you need to understand your source environment at both the domain level and the object level so you can make good decisions about your migration process and minimize the data you have to migrate. during which you must keep the source and target environments in sync. To begin your migration. This white paper details the major challenges of Active Directory migrations. Some migration scenarios—such as migrating multiple domains into a single domain. resources. and permissions from the source domain to the target domain.

audit policies. to automate the assessment process and help ensure you have a complete and accurate picture of your source environment. such as Reporter from Quest Software. Consider investing in a third-party tool. you might want to merge or rename some of these objects during the migration. Computer account status – Organizations often discover ―dead‖ computer accounts that do not need to be migrated. for instance. Most organizations will want to gather the following information: Accounts that have never logged on and inactive accounts – These accounts may not need to be migrated. Many organizations find they do not have the time to assess their source environment properly. is important because when user accounts with weak passwords are migrated into a domain with a stronger password policy. those user accounts are automatically disabled by the operating system and the ―must change password at next logon‖ flag is set.Assessing the Source Environment The first step in a migration is assessing the current environment to determine the scope of your project and properly plan for resources required in the target environment. Duplicate users and groups – If you identify duplicate users between domains. Account policies. File shares by computer – Some shared file resources might require a permissions update as part of the migration process. and password policies – You should assess the level of consistency between the source and target environments for each type of policy. and they often face migration issues later that could have been avoided. collecting this information and developing appropriate reports manually can be difficult and is prone to error. Assessing password policies for domains. Unfortunately. White Paper: Best Practices for an Active Directory Migration 5 .

users must be able to access the data and applications they need. groups. File and Print. SQL Server. White Paper: Best Practices for an Active Directory Migration 6 . Microsoft System Management Center (SMS). The following aspects of migration require particular attention: Re-permissioning of Resources Re-permissioning of resources needs to be tracked. Cleanup After migration. Although we all want the migration process to take a day. both during and after the migration.Managing the Migration Active Directory Migration Requirements Most organizations have two important requirements for their Active Directory migration projects. Reports should indicate the percentage of the migration completed and detailed statistics on the number of successful and failed migrations of users. this is called a rolling migration. and provide a way to recover back to the original environment if a serious issue arises. and tracked to ensure seamless access to resources during and after the migration. The first is to minimize disruption for users. servers must be available. Some of the key synchronization efforts include: Continuous synching of user passwords from the originating domain and the target domain Continuous updating of group membership from the original domain to the target domain Ensuring proper access to resources in both the original domain and the target domain Reporting Administrators need regular statistics and reports so they can always know the status of the migration. permissions. Co-existence Most migrations are done in waves or phases. managed. also both during and after the migration. IIS. organizations need a management system that can track each migration step. you need to update permissions and resources. During this time. most migrations take weeks or even months to complete. and the second is to minimize the impact to the production environment. and Microsoft System Center Configuration Manager. Ensuring that everything is kept in sync during these phases is critical to keeping business operations up and running. SharePoint. Old user and group accounts and new user and group accounts need to be rationalized. and verified during the migration process. Exchange. Repermissioning must take into consideration the domain structure of all domains being migrated. cluster servers. ensure that nothing is missed. etc. and domain membership and resource permissions must be correct. Therefore. If any of these fail during the migration. including Active Directory. Millions of dollars can be lost with a single resource or server failing to migrate successfully. servers. SIDHistory Migration SIDHistory for migrated users needs to be understood. resources. the ramifications can be staggering.

The tool should be able to pinpoint which users are causing the issues and roll back only those users. Detects errors during migration and provides automated rollback. group membership. Automates the migration of servers and resources. and it introduces considerable risk of mistakes and omissions. Choosing the Right Tool Managing a migration manually is usually not practical. Look for a tool that: Enables you to control all migration processes from a single management console. Provides up-to-the-minute statistics to ensure you always know the current status of the migration project.Rollback A final key aspect of any migration is dealing with errors and failures. Investing in a migration management tool can save you time and money and reduce the risk of a failed migration. so users cano continue working totally unaware of the migration project. Rollback in case of error is complex and confusing because so many aspects of the environment need to be considered. The tool should be able to synchronize all changes made during the coexistence period in both directions (from source to target and from target to source). and resource permissions. Ensures true coexistence between migrated and unmigrated users. Automatically updates permissions and resources after migration. White Paper: Best Practices for an Active Directory Migration 7 . including changes to passwords. Attempting to perform a rollback manually is just begging for something to go wrong.

First. DFS servers and resources. consider investing in a quality migration management tool such as Quest Migration Manager for Active Directory. A tool such as Migration Manager for Active Directory will help you successfully execute a site topology migration by providing the detailed information you need. and this requires that the external domain provide appropriate permissions. the existing forest domain administrators must have permission to migrate the users. At the top level. In some instances. Second. permissions are a key concern. Non-trusted Domain Migration When an external domain must be migrated into an existing domain in an Active Directory forest. the migration of the one domain into the other will need some attention to ensure that the domain controllers. A migration tool like Migration Manager for Active Directory can help ensure that all required access is available throughout the migration. Next. security restrictions prevent creation of this trust relationship. and having the right tools to manage the migration is critical. and computers from one domain to another. In an intra-forest migration. users will want daily network activity to function as normal. since you’ll need fewer operating system server licenses and less hardware. groups. including any VLAN configurations. most Active Directory migrations are complex. the process will not be that complicated. users being migrated to the new domain will likely need access to resources in their old external domain for some period of time. The biggest stumbling block with an intraforest migration is ensuring that the users have continuous access to their resources. Inter-forest Migration An inter-forest migration is typical when one company purchases another and wants a centralized Active Directory environment rather than forest trusts. However. trust relationships are normally established to facilitate the migration. White Paper: Best Practices for an Active Directory Migration 8 . considerations for network IP ranges will need to be solved. the site topology for replication will need to be analyzed and potentially updated. making the migration more difficult. groups.Active Directory Migration Scenarios If your migration involves migrating only users. however. DNS servers. If one of the domains currently fits into a hub-spoke site topology and the other domain fits into a complete-mesh. Managing this access manually is time-consuming and prone to error. This can help relieve the stress of managing the overall Active Directory environment and deliver cost savings. and desktops are migrated from one environment to another. and computers from the external domain. Site Topology Migration Migrations that involve migrating and collapsing Active Directory domains and forests into one another are also complex. Intra-forest Migration An intra-forest migration is typically done to reduce the number of domains. If your migration involves scenarios like the following.

If the source domain does not have the same user properties as the target domain. disabled. can handle this migration scenario. which provides seamless control and management of this level of detail to help you successfully migrate the delegation of control over accounts in OUs. management styles. these delegations must be documented. which grants control over the objects contained within the OU. but there is an external database or configuration file that lists the desired properties. saving you considerable time and effort. Migration Manager for Active Directory can import these additional user properties into the migrated user property details during the migration. Since these delegations occur at the OU level and are configured for groups. Migrated Object Property Customization In most migration scenarios. Delegation typically occurs at an organizational unit (OU) level.Some third-party tools. consider using a tool such as Migration Manager for Active Directory. allowing all of the objects from the external domain to be migrated into the Active Directory domain without the establishment of a trust. A tool like Migration Manager for Active Directory can identify expired. groups are granted delegated control of functions such as resetting passwords. and overall group management. In most cases. Advanced User and Group Object Property Migration You can simplify and speed up your migration—and ensure a cleaner target environment—by migrating only the accounts that are needed in the target domain. user property requirements. and system accounts and omit those accounts from the migration. user management. the source domain and target domain have different philosophies. Manually updating the migrated user properties would take more time than the migration itself. Active Directory Delegation Migration Powerful delegations can be granted in Active Directory in order for different users or administrators to control different AD accounts. including Migration Manager for Active Directory. and databases that help manage user account properties. Instead. group membership management. and validated during and after the migration. so having a tool to automate the process is invaluable. White Paper: Best Practices for an Active Directory Migration 9 . Trying to manage the migration of delegation manually is a daunting task. tracked. You will have more time to verify that the accounts you need were properly migrated because you won’t be wasting time trying to clean up accounts that were unnecessarily migrated from the source domain.

Laptops Laptops are a stumbling block in most migrations because they are not normally connected to the corporate network. for instance. In most cases. This is not a easy task. The migration of the computer account in Active Directory is relatively easy. To ensure that all resources are still available after the migration.Resource Migration The migration of resources from one domain to another. With Migration Manager for Active Directory. Service Accounts Service accounts and the accounts used to run scheduled tasks must also be migrated to the corresponding target accounts to ensure that services and scheduled tasks will run correctly after their corresponding service accounts have been migrated. or from multiple domains into a single domain presents some of the most challenging issues in a migration. the difficult part is changing the domain membership on the desktop itself so that the user can log on as a user in the target domain. users needs only to log off and then log back on to see the new domain and log on with their newly migrated user accounts. A tool such as Migration Manager for Active Directory can automatically update service accounts. Each list contains references to security identifiers (SIDs) of the accounts to which the permissions are granted. Desktops Migrating desktops from one domain to another has always been a pain point because of the work that must be done to each desktop. including migration of the following: Resource Permissions In Active Directory. This has historically required configuring the desktop to change the domain membership and then rebooting the desktop. with potentially hundreds of groups listed on a single ACL. these ACLs need to be updated with the new SIDs for the target domain. the laptop is not migrated until it can successfully connect back to the physical network. which might be months for some mobile users and their laptops. The right tool can greatly simplify desktop migration. considering the volume of users and groups that need to access a single resource in one domain. Migration Manager Active Directory addresses this issue by providing logon scripts that alter the laptop domain configuration to make the user—even when he or she is still remote—part of the target domain and no longer associated with the source domain. containing potentially tens of thousands of users. permissions are assigned to users via Access Control Lists (ACLs). White Paper: Best Practices for an Active Directory Migration 10 . A tool like Migration Manager for Active Directory automatically provides these updates. including the new domain being listed on the logon prompt for the user. Migration Manager handles all of the domain configurations on the desktop.

Servers In addition to desktops and laptops. Services like Exchange. Migration Manager for Active Directory automates all of these processes to simplify your migration. SMS. the source domain SID (which became the SIDHistory on the target domain user account) needs to be deleted. This includes not just resource servers. SCCM. Cleanup As part of the post-migration cleanup. and even NAS/SAN devices need to be updated to be migrated to the new domain. IIS. servers also need to be migrated. which were addressed above. SharePoint. eliminating human errors that could introduce security risks. SQL. White Paper: Best Practices for an Active Directory Migration 11 . Although this is not a highly complex task. A tool like Migration Manager for Active Directory can automatically clean up this property for all migrated users. it is necessary In order to ensure the security of the new domain. but servers running Windows services that are Active Directory domain aware and specific.

Every file and folder must be examined.Conclusion Active Directory migrations can be challenging. etc. SCCM. White Paper: Best Practices for an Active Directory Migration 12 . Investing in tools like Quest Reporter and Quest Migration Manager for Active Directory can save you time and money and reduce migration risk by automating migration tasks and providing detailed migration reporting and centralized management. SharePoint. complex. In addition. SMS. resources. and permissions need to be fully tracked and migrated. or migrating domains that can’t have trusts established. and the groups associated with the old ACL must be updated to represent the new groups that exist in the target domain. Migration is even more complex if you are migrating multiple domains into a single domain. and time-consuming. Once the migration begins. but having the right tools can speed your migration and help ensure its success. migrating complex site topology structures. Collecting this information and developing appropriate reports manually can be difficult and is prone to error. so consider using a third-party tool such as Quest Reporter to automate the process and ensure you have an accurate picture of your source environment. all of the servers that run Exchange. All migrated accounts should constantly be updated and verified so that access is not restricted or denied during the migration. must also be migrated from the source domain to the target domain in order to ensure seamless access to resources. IIS. Begin your migration with a careful inventory of your current environment. in order to minimize interruption to business operations. this means that all servers. there are many moving parts that need to be managed.

and desktop management. Inc. As one of only eight MVPs in the world on Group Policy. an independent consultant and speaker. You can reach Derek at derekm@braincore. Derek is the author of the ―The Windows Group Policy Resource Kit‖ by Microsoft Press. You can hire Derek to perform Windows security audits and also train your team on the finer points of Windows security.net. Group Policy. which is the authoritative book on the subject. the perfect resource for learning Group Policy basics. as well as author of many IT books.Net AZ. security. White Paper: Best Practices for an Active Directory Migration 13 . Derek’s company is often called upon to develop end-to-end solutions regarding Group Policy for companies. Derek educates and evangelizes Microsoft technology. focusing on Active Directory. MCSE and MVP.About the Author Derek Melber. Derek is also author of the ―Group Policy Video Mentor‖ (Pearson).. is president of BrainCore.

WHITE PAPER About Quest Software. CA 92656 USA Contacting Quest Support Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. CA 92656 | PHONE 800. Quest. the Quest Software logo are registered trademarks of Quest Software.000 customers worldwide.A.quest. Inc.9329 | WEB www. Inc. contact information. and/or other countries. and policies and procedures. you can find your local office information on our Web site. All other trademarks and registered trademarks are property of their respective owners.S.quest. our Web self-service. Contacting Quest Software PHONE 800. virtualization management and IT management. Quest Software. ALL RIGHTS RESERVED. WPW_BP4ADMigrations_US_EC_20110221 . database management. Quest Support provides around-the-clock coverage with SupportLink. and patches for Quest products • Log support cases • Manage existing support cases View the Global Support Guide for a detailed explanation of support programs. you can find local office information on our Web site. World Headquarters 5 Polaris Way Aliso Viejo.com.quest. online services. Inc.com If you are located outside North America.com | E-MAIL sales@quest. Visit SupportLink at https://support. Windows management.com Quest Software. in the U. Quest Software (Nasdaq: QSFT) simplifies and reduces the cost of managing IT for more than 100. 5 Polaris Way.com. Aliso Viejo. For more information about Quest solutions for application management. © 2011 Quest Software. documentation. enabling customers to save time and money across physical. virtual and cloud environments. SupportLink gives users of Quest Software products the ability to: • Search Quest’s online Knowledgebase • Download the latest releases.9329 (United States and Canada) If you are located outside North America. go to www.306.306. EMAIL MAIL sales@quest. Inc. Our innovative solutions make solving the toughest IT management problems easier.