
Active Directory Migration Checklist

During an AD DS greenfield installation and migration, system engineers need checklists to keep track of what
they should be doing to stand up a new domain. This is a working checklist, created here for peer review and peer
additions. It tries to take into account all the high-level items one needs to look for and do during an AD DS
migration. It is not meant to be a step-by-step guide but a high-level overview to keep track of what needs to be
discovered.

- Design new Target domain
- Start discovery (Source domain)
- Determine the type of migration (restructure then migrate, or migrate then restructure)
- Set up and build Target domain
  o Create the network connections between the Source and Target domains
  o Create DNS forwarders from Source to Target and from Target to Source
  o Forklift the DNS zone if needed (needed if the Source domain contains a zone with the same name as the Target domain)
  o Mirror sites from the Source domain to the Target domain
  o Apply schema updates
  o Apply appropriate ACLs
  o Create Target domain OU structure
- Create trusts between domains
- Set up migration software in Target domain (ADMT)
  o Install software
    - Target domain
  o Set auditing
    - Source domain
    - Target domain
  o Disable SID filtering
    - Source domain
    - Target domain
  o Enable SIDHistory
    - Source domain
    - Target domain
  o Create migration user accounts
    - Source domain
    - Target domain
  o Create $$$ groups for the NetBIOS names of the domains
    - Source domain
    - Target domain
  o Set up and prepare the password export service
    - Source domain (PDC)
- Test migration after installation with a test user
  o Troubleshooting
- IT training plan (ongoing)
  o Help Desk
  o Desktop team
  o Server team
  o Storage team
  o SharePoint team
  o Exchange team
  o DBA team
  o Application team(s)
  o Etc.
- Clean up / delete stale objects
  o Users
  o Computers
  o Groups
  o Contacts
  o Etc.
- Prepare applications for migration
  o Pre-migrate and synchronize service accounts from Source domain to Target domain
  o Configure applications to point to both the Source domain and the Target domain for authentication
    - Alternate: build a virtual directory
    - Create proxy user accounts
    - Point all applications to the virtual directory for authentication
  o Test authentication
  o Loop until finished
    - Troubleshooting
- Migrate or build new GPOs
  o Loop until finished
    - Troubleshooting
- Prepare scripts for migration of objects
  o Test group migration and synchronization
    - Loop until finished
    - Troubleshooting
  o Test user migration and synchronization
    - Loop until finished
    - Troubleshooting
  o Test computer migration
    - Loop until finished
    - Troubleshooting
- Pre-migrate groups with SID History from Source domain to Target domain
- Pre-migrate users with SID History from Source domain to Target domain
- Migrate contacts from Source domain to Target domain
- Make configuration changes to Exchange if needed
- Create end-user communication plan
  o Send end-user communication email once a week for the 4 weeks prior to migration
- Prepare computers for migration
- Re-migrate all groups
- Re-migrate all users
- User Acceptance Testing (UAT)
  o Migrate each desktop image for testing (if the business has 5 different desktop images, migrate each one)
  o Run through the "Start Live Migration" steps for the above images
  o Have real users test the migrated desktops in a live production environment
  o List all issues
  o Troubleshooting
  o Loop until comfortable, then proceed
- START LIVE MIGRATION
  o Determine and outline back-out plans for critical applications
  o Define the collection of computers and users to be migrated (may or may not include servers)
    - GROUP ONE
      o Re-migrate groups (Collection 1)
      o Re-migrate users (Collection 1)
      o Users enabled in Target domain, disabled in Source domain
      o Migrate passwords (if desired)
      o Uncheck "require to change password" (if desired)
      o Disable firewalls
      o Migrate computers (Collection 1)
      o Troubleshooting
    - GROUP TWO
      o Re-migrate groups (Collection 2)
      o Re-migrate users (Collection 2)
      o Users enabled in Target domain, disabled in Source domain
      o Migrate passwords (if desired)
      o Uncheck "require to change password" (if desired)
      o Disable firewalls
      o Migrate computers (Collection 2)
      o Troubleshooting
    - GROUP ETC.
      o Continuously define and re-migrate users and groups
      o Move forward with migrating the next round of computers and users
      o Loop until finished
      o Troubleshooting
- File server migration
  o Pray SIDHistory works
  o Back up current permissions
  o Lay down new permissions based on the old permissions, using scripts
- Finalize migration
  o Set all users in the Source domain to a new password that is unknown to the user
  o Ensure all users in the Source domain have been disabled
  o Troubleshooting
  o Wait one business week
  o Shut down the Source domain's Domain Controllers
    - Troubleshooting
- End engagement
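The ADMT items above (auditing, SID filtering, the $$$ group, the password export service on the Source PDC) each have a verifiable prerequisite. The script below is an added example, not part of the original checklist, that checks them from the Target side before the test-user migration; the ActiveDirectory module, remoting to both PDC emulators, and the placeholder domain names are assumptions.

```powershell
# Added example, not from the checklist: verify ADMT SIDHistory prerequisites from
# the Target side. The domain names below are placeholders.
Import-Module ActiveDirectory

$SourceDns = 'source.example'   # placeholder: Source domain FQDN
$SourceNb  = 'SOURCE'           # placeholder: Source domain NetBIOS name
$TargetDns = 'target.example'   # placeholder: Target domain FQDN
$results   = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Trust from Target to Source: SID filtering quarantine must be off
#    (netdom trust <Target> /domain:<Source> /quarantine:No) or SIDHistory is stripped.
$trust = Get-ADTrust -Filter "Name -eq '$SourceDns'" -Server $TargetDns
Add-Check 'Trust to Source exists' ($null -ne $trust) "Direction=$($trust.Direction)"
Add-Check 'SID filtering quarantine disabled' ($null -ne $trust -and -not $trust.SIDFilteringQuarantined) `
          "TrustAttributes=$($trust.TrustAttributes)"

# 2. <SourceNetBIOS>$$$ must exist in the Source domain as an empty domain-local group.
#    Single quotes matter here: inside a double-quoted string "$$" expands to the process ID.
$dollarGroup = $SourceNb + '$$$'
$grp = Get-ADGroup -Filter "Name -eq '$dollarGroup'" -Server $SourceDns -Properties Members
Add-Check "$dollarGroup exists" ($null -ne $grp) "Scope=$($grp.GroupScope)"
Add-Check "$dollarGroup is domain local and empty" `
          ($null -ne $grp -and $grp.GroupScope -eq 'DomainLocal' -and $grp.Members.Count -eq 0) `
          "Members=$($grp.Members.Count)"

# 3. TcpipClientSupport = 1 on the Source PDC emulator (a reboot is needed after setting it).
$srcPdc = (Get-ADDomain -Server $SourceDns).PDCEmulator
$tcpip = Invoke-Command -ComputerName $srcPdc -ScriptBlock {
    (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).TcpipClientSupport
}
Add-Check 'TcpipClientSupport=1 on Source PDC' ($tcpip -eq 1) "Value=$tcpip PDC=$srcPdc"

# 4. Account Management auditing must be Success and Failure on the DCs of both domains.
foreach ($dc in @($srcPdc, (Get-ADDomain -Server $TargetDns).PDCEmulator)) {
    $csv = Invoke-Command -ComputerName $dc -ScriptBlock { auditpol /get /category:'Account Management' /r } |
           Where-Object { $_ } | ConvertFrom-Csv
    $bad = @($csv | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' })
    Add-Check "Account Management auditing on $dc" ($bad.Count -eq 0) (($bad.Subcategory) -join ', ')
}

$results | Format-Table -AutoSize
```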

Active Directory Domain Deployment Checklist

During AD DS greenfield installations, system engineers always need checklists to keep track of what they
should be doing to stand up a new domain. This is a working checklist, created here for peer review and peer
additions. It tries to take into account all the high-level items one needs to look for and do during an AD DS
deployment. It is not meant to be a step-by-step guide but a high-level overview to keep track of what needs to
be discovered.

For a checklist on Active Directory Domain Discovery check out:

https://social.technet.microsoft.com/wiki/contents/articles/38512.active-directory-domain-discovery-checklist.aspx

- Plan and design (high-level information listed only)
  o Number of forests
  o Number of domains
  o Namespace
    - FQDN
    - NetBIOS name
  o DNS
  o FSMO roles
  o Sites and Services
- Stand up new domain
  o Assign domain name
  o Build DCs
    - DC name
    - DC IP addressing
    - Install AD DS role
    - Configure AD DS role
    - Complete AD DS configuration
    - Restart DCs
  o Update DCs
  o FSMO placement
    - Move FSMO roles
      o Schema Master on the PDCe of the forest root domain
      o Domain Naming Master on the PDCe of the forest root domain
      o RID Master on the PDCe in the same domain
      o Infrastructure Master on a non-global catalog
      o Or
      o Infrastructure Master on a global catalog when all DCs are GCs
  o Health checks
    - Run diagnostics to ensure health
    - Check event logs
  o Time sync
    - Set the PDCe to synchronize with a reliable internal or external time source
    - GPO with a WMI filter to scope time synchronization settings to the PDCe
    - Or
    - Set time settings manually on the PDCe
  o Back up system state
    - As-built documentation draft
  o Configure security
    - DC security
      o Configuration
        - BitLocker
        - Security baseline
        - AppLocker
        - Windows Defender
        - Credential Guard
        - Windows Firewall
        - Block outbound internet
          o Black hole proxy (proxy set to 127.0.0.1, allow internally)
      o Redirect
        - Computers container
        - Users container
      o Set OU permissions
      o Register schema DLL
      o Remove 2 groups - in schema
        - Account Operators
        - Print Operators
      o Adjust "Add workstations to domain"
        - Remove "Authenticated Users" from being able to add computers to the domain
        - Create a group to add workstations to the domain
          o Drop the Server Team group into the "Add Workstations to Domain" group
          o Drop the Desktop Team(s) group into the "Add Workstations to Domain" group
          o Create and drop service accounts into the "Add Workstations to Domain" group
    - Administrative workstations (PAWs)
      o Configuration
        - BitLocker
        - Security baseline
        - AppLocker
        - Windows Defender
        - Credential Guard
        - Windows Firewall
    - Install LAPS
    - Install ATA
    - Enable DS auditing
      o Set appropriate SACLs
    - Develop and implement a least-privileged access delegation model
      o Verify and audit all delegations and privileged access
      o Identify and minimize the number of users who possess privileged access in AD
      o Ensure only Domain Controllers have sufficient effective permissions to replicate secrets in the domain
      o If AdminSDHolder has been modified, audit effective permissions to make sure you know what access it is actually granting
  o Create sites
    - Site mirroring of old/trusted domain (migration)
  o DNS configuration
    - Forklift namespace(s) (migration)
    - Conditional forwarders
    - Secondary zone
    - Enable scavenging
      o On server
      o On zone
  o Install Central Store
  o Install AD Recycle Bin
  o Create base OU structure
  o Create trust (if needed)
  o Extend schema
    - Exchange
      o Gather requirements
      o Implement change
    - SCCM
      o Gather requirements
      o Implement change
    - Other
      o Gather requirements
      o Implement change
  o Baseline
    - Take a baseline snapshot of the new environment
    - Packet capture baseline traffic
    - Monitor incoming and outgoing TCP/IP traffic patterns
    - Monitor current CPU and RAM utilization levels
    - ATA learning burn-in
  o Complete "As Built" documentation
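Two of the "Configure security" items above can be verified directly after the domain is built: that only Domain Controllers (and the expected built-in principals) hold the replication rights that expose directory secrets, and that "Authenticated Users" can no longer join computers to the domain. The script below is an added example, not part of the original checklist; it assumes the ActiveDirectory module and its AD: drive, and the list of expected principals is an assumption for a default domain that should be adjusted to your own delegation model (for instance, a directory-sync service account legitimately holds these rights).

```powershell
# Added example, not from the checklist: audit replication (DCSync) rights on the domain
# root and the ms-DS-MachineAccountQuota that lets Authenticated Users join computers.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# Control-access right GUIDs: a principal allowed both of these on the domain head can
# replicate password hashes from any DC, so this list should be as short as possible.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
# Assumed list of principals expected to hold these rights in a default domain; adjust to
# your delegation model (e.g. add a directory-sync service account you deliberately delegated).
$expected = @('Domain Controllers', 'ENTERPRISE DOMAIN CONTROLLERS',
              'ENTERPRISE READ-ONLY DOMAIN CONTROLLERS', 'Administrators',
              'Enterprise Admins', 'Domain Admins', 'SYSTEM')

function Get-ReplicationGrantees {
    $acl = Get-Acl -Path "AD:\$domainDN"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $replRights.ContainsKey($_.ObjectType.ToString()) } |
        ForEach-Object {
            $name = $_.IdentityReference.Value
            [pscustomobject]@{
                Principal = $name
                Right     = $replRights[$_.ObjectType.ToString()]
                Expected  = ($expected -contains ($name -split '\\')[-1])   # case-insensitive
            }
        }
}

function Get-MachineAccountQuota {
    (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

'--- Replication rights on the domain root; review every row with Expected=False ---'
Get-ReplicationGrantees | Sort-Object Expected, Principal | Format-Table -AutoSize

$quota = Get-MachineAccountQuota
"--- ms-DS-MachineAccountQuota = $quota ---"
if ($quota -gt 0) {
    "Authenticated Users can still join $quota computers each. Set the quota to 0 and delegate"
    "'Create Computer objects' on the workstation OU to the Add Workstations to Domain group:"
    "  Set-ADObject -Identity '$domainDN' -Replace @{'ms-DS-MachineAccountQuota' = 0}"
}
```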
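For the "Time sync" items, the manual route and the GPO route share one requirement: only the PDC emulator should sync from the external source, while every other DC follows the domain hierarchy. The block below is an added example, not part of the original checklist, showing the manual w32tm configuration on the PDCe and the WMI filter query that scopes a time-source GPO to whichever DC currently holds the role; the NTP peer names are placeholders.

```powershell
# Added example, not from the checklist: configure the PDC emulator's time source by hand,
# and show the WMI filter that ties a time-source GPO to the PDCe role. Peers are placeholders.
$Peers = 'ntp1.example.net,0x8 ntp2.example.net,0x8'   # placeholder peers; 0x8 = client mode (no symmetric active)

# Guard: this must run on the PDCe. Other DCs keep the default NT5DS hierarchy sync.
$pdce = (Get-ADDomain).PDCEmulator
if ($env:COMPUTERNAME -ne ($pdce -split '\.')[0]) {
    throw "Run this on the PDC emulator ($pdce); other DCs should sync from the domain hierarchy."
}

# Point the PDCe at the external peers, mark it a reliable time source for the forest,
# and apply the change without restarting the Windows Time service.
w32tm /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update
w32tm /resync /rediscover
w32tm /query /status /verbose     # Source should now be a configured peer, not "Local CMOS Clock"
w32tm /query /configuration       # confirm Type: NTP and the peer list

# GPO alternative: a WMI filter on Win32_ComputerSystem.DomainRole (5 = primary domain
# controller) makes the time-source GPO follow the PDCe role if it is ever transferred.
$wmiFilter = 'SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 5'
Get-CimInstance -Query $wmiFilter | Select-Object Name, DomainRole   # returns a row only on the PDCe
```

If the transfer of the PDCe role is ever done, the WMI-filtered GPO picks up the new holder at the next policy refresh, whereas the manual w32tm settings would have to be re-run on the new PDCe and reverted on the old one.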
