Active Directory Migration Considerations (Part 8)

ADMT wrap-up

Before looking at some alternatives to using ADMT for performing a forest or domain migration or consolidation, several readers have asked me if I could provide a high-level overview of the steps involved in using ADMT for performing a migration. They said they asked because the ADMT documentation itself can seem quite daunting to the beginner.

Here then is how I understand the typical ADMT migration process from a bird’s-eye perspective, assuming that you’re dealing with a fairly simple and straightforward migration that doesn’t involve heavy lifting like migrating Exchange Server or SharePoint:

  1. Identify all service accounts in your environment.
  2. Migrate global groups before you migrate users (in order to preserve group membership).
  3. Migrate user accounts to create SIDs for these accounts in the destination forest or domain, but don’t enable the newly created accounts yet.
  4. Translate any local user profiles that might need to be migrated.
  5. Migrate computer accounts for client computers, generally performing this one batch at a time followed by testing.
  6. Re-migrate user accounts, grouping them together in batches corresponding to those of the client computers you’re migrating.
  7. Re-migrate groups in case any changes to group membership have occurred during your migration process.
  8. Now migrate any member servers in your environment such as file servers and print servers.
  9. Last of all, migrate any domain controllers if this step is required (it usually isn’t).
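
As an added example for step 1 (not taken from this article or from the ADMT documentation), the following PowerShell sketch inventories Windows services that log on with a non-built-in account, so those accounts are known before any migration starts. It assumes the RSAT ActiveDirectory module is installed and that the servers accept remote CIM queries; the OU path and output file name are placeholders.

```powershell
# Added example: list services running under domain or local user accounts.
# Assumptions: ActiveDirectory module available, remote CIM (WinRM) reachable.
Import-Module ActiveDirectory

# Placeholder search base; replace with the OU that holds your servers
$searchBase = 'OU=Servers,DC=source,DC=example'

# Collect the DNS names of server-class computer accounts
$servers = Get-ADComputer -SearchBase $searchBase `
        -Filter 'OperatingSystem -like "*Server*"' |
    Where-Object { $_.DNSHostName } |
    Select-Object -ExpandProperty DNSHostName

$inventory = foreach ($server in $servers) {
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction Stop |
            Where-Object {
                # Skip services with no logon account and built-in identities
                $_.StartName -and
                $_.StartName -ne 'LocalSystem' -and
                $_.StartName -notlike 'NT AUTHORITY\*' -and
                $_.StartName -notlike 'NT SERVICE\*'
            } |
            Select-Object @{ n = 'Server'; e = { $server } },
                          Name, DisplayName, StartName, StartMode
    }
    catch {
        # An unreachable server is a gap in the inventory, so record it
        Write-Warning "Could not query ${server}: $($_.Exception.Message)"
    }
}

# Summary: one row per account, with the servers that depend on it
$inventory |
    Group-Object -Property StartName |
    Sort-Object -Property Count -Descending |
    Select-Object @{ n = 'Account';  e = { $_.Name } },
                  @{ n = 'Services'; e = { $_.Count } },
                  @{ n = 'Servers';  e = { ($_.Group.Server | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Keep the per-service detail for planning the later migration batches
$inventory | Export-Csv -Path .\service-account-inventory.csv -NoTypeInformation
```

Servers that produce a warning were not inventoried and need to be checked another way before their batch is migrated.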

Of course for authoritative guidance on using ADMT for performing a forest or domain migration or consolidation you should follow the Active Directory Migration Tool (ADMT) Guide which can be downloaded here.

Third-party migration solutions

I mentioned earlier in this series that ADMT has some limitations that might make you want to check out some of the third-party Active Directory migration offerings available from vendors. Here is a brief low-down on what’s currently available, or at least what’s available that I’m somewhat familiar with.

Dell

Two years ago Dell acquired Quest Software together with their line of IT migration and consolidation solutions. The result is Dell Migration Manager for Active Directory (MMAD) which I’m told by colleagues is a very powerful product whose capabilities and ease of use transcend ADMT in many ways. They also say it isn’t cheap, which of course is to be expected with a powerful product. I couldn’t find a price tag for the product on the Dell website, but I did find a Request Quote button on the product page on Dell’s website and there’s also a Download Free Trial button you can use to get a fully functioning 30-day evaluation version of the product.

Why is there no price tag for MMAD? I’ve been told by colleagues that it’s basically because there are different licensing options for MMAD depending on the scope of the migration project you are planning. For example, the more users you will need to migrate, the greater the licensing cost for using MMAD. If you will need to migrate Exchange Server mailboxes for users, that’s another licensing cost. Plus Dell probably wants not just to sell you their product but also their consulting and support services along with their product. Either way, you’ll need to contact Dell to get a quote if you’re interested in using MMAD for performing your forest or domain migration or consolidation.

How does MMAD actually compare with ADMT? Here are some of the features that MMAD provides that are either missing or limited in functionality with ADMT:

  • Non-destructive migration (ADMT is destructive when you perform an intra-forest migration)
  • Undo functionality (ADMT offers only limited undo capability)
  • Trust dependency (MMAD can perform migrations even without trusts being present)
  • Security descriptor migration (MMAD can migrate security descriptors, which means for example that it can preserve administrative rights delegated at the OU level)
  • Continuous synchronization (with ADMT you typically need to perform several re-migrations during your migration process in order to ensure migrated data is fully up to date; MMAD by contrast synchronizes migration data in real-time, so you don’t need to schedule re-migrations)
  • Statistics (MMAD gives you detailed info on what’s happening with your migration project)
  • Server applications (migrating server applications like SharePoint or SQL Server can be painful with ADMT; by contrast, MMAD makes such tasks relatively straightforward)

For a slightly dated but good review of MMAD when it was formerly known as Quest Migration Manager for Active Directory, see this article by Russell Smith on the WindowsITPro site.

BinaryTree

While Dell is probably the leader now with regard to third-party Active Directory migration products, there are several other products out there you might want to take a look at during the planning stage of your forest or domain migration or consolidation project. One of these products is SMART Active Directory Migrator from BinaryTree, which claims on its product overview page to allow you “to automate the migration and restructuring of the Active Directory environment while ensuring full coexistence between migrated and un-migrated users”. I don’t have any firsthand experience with this product, and none of my colleagues do either, but from the information on the BinaryTree website and blog it sounds like a pretty good product. This blog post in particular is worth reading as it highlights some of the advantages SMART Active Directory Migrator has over ADMT. BinaryTree also has solutions for migrating Exchange Server and Windows Server and some non-Microsoft products; see here for more info.

StealthBits Technologies

Another third-party product that can help you with your forest or domain migration or consolidation project and may be worth checking out is the solution offered by STEALTHbits. Neither I nor my colleagues have tried their products or solutions, but if you’re doing research on what’s available for your migration project then visiting their site is probably worth doing.

Active Directory Migration Service

Finally, overworked IT departments might want to take note of Microsoft Active Directory Migration Service (ADMS), an offering from Microsoft Consulting Services (MCS) that helps organizations restructure their Active Directory infrastructure to address business challenges like mergers, acquisitions, divestitures, and other consolidation needs. ADMS makes use of Microsoft Azure cloud services and provides a safe and secure approach to migration that pre-provisions user identities, supports staged migrations, and enables proof-of-concept testing to ensure success. ADMS provides a flexible and highly agile approach to Active Directory migration that eliminates the need to build migration services and deal with directory synchronization issues. ADMS includes a web-based self-service portal that allows users to share the load of the migration effort, and this can be a significant advantage for busy resource-constrained IT departments. MCS also provides incident support throughout the migration to help resolve problems when they occur.

For more information on ADMS you can download the datasheet from the Microsoft Download Center.

For more information about MCS and its various service offerings including ADMS, see this link.

For an example of a case study where a company used ADMS to migrate their Active Directory infrastructure, see this link.

Conclusion

Active Directory migration and consolidation projects aren’t trivial. ADMT is a free tool from Microsoft you can use to migrate or consolidate your forests or domains, but like most free tools you’ll have to do some heavy lifting to make good use of it as you can see from the various issues that have been discussed in this series of articles. Third-party products like Dell Migration Manager for Active Directory are much more powerful and easier to use than ADMT, but they can also be expensive due to licensing costs, especially for very large migration projects. Then there are the experts–if you don’t think your IT team can handle the project in-house, you can always call in Microsoft Consulting Services to utilize their Active Directory Migration Service offering.

The decision is yours, so be cautious and wise. After all, maybe you don’t really need to consolidate those domains. Why not leave them as they are?
