

Make the right move with the Active Directory Migration Tool

Migrating Active Directory objects to a new domain or forest should go smoothly if you follow best practices and make sure you have a way to undo the procedure if things start to go wrong.

The Active Directory Migration Tool (ADMT), a native Microsoft product, sits at the core of Active Directory migration projects without breaking an IT organization's budget.

ADMT uses a set of wizards, including the User Account Migration Wizard, Group Account Migration Wizard and Computer Migration Wizard. In each wizard, the administrator selects the source and target domains and the domain controllers to use, chooses the objects to migrate, decides how to migrate passwords (without the Password Export Server installed in the source domain, ADMT generates new complex passwords instead of copying the existing ones) and configures options such as security identifier (SID) history. After choosing how to handle naming conflicts in the target domain, such as don't migrate or migrate and merge, the migration can proceed.

Best practices for migrating Active Directory

Back up and test the restore before a migration. Many organizations either do not back up at all or back up without ever testing a restore. Before a migration of this magnitude, it is imperative to have a fresh, restorable copy of a known good directory in case things go wrong and you have to roll the system back.

Prestage the migration with test users and memberships. Once the backup is complete, create a test user and add it to a few groups. Kick off a migration batch containing only the test user and its groups, and let it complete and report success. Then, in the target domain, verify that the test user came across and that its group memberships are intact; group memberships are the part most likely to go wrong.
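The check described above, as an added example that is not code from the original article: after the test batch, it confirms that the test user exists in the target domain, that the source SID landed in sIDHistory, and that the group memberships match the source. The domain names (corp.source.example, corp.target.example) and the test account name (admt-test01) are assumptions; the script needs the ActiveDirectory PowerShell module (RSAT) and read access to both domains.

```powershell
# Added example, not code from the original article: after the test batch,
# check that the test user exists in the target domain, that its source SID
# landed in sIDHistory and that its group memberships match the source.
# Assumed names: source domain corp.source.example, target domain
# corp.target.example, test account admt-test01. Needs the ActiveDirectory
# module (RSAT) and read access to both domains.
Import-Module ActiveDirectory

$SourceDomain = 'corp.source.example'
$TargetDomain = 'corp.target.example'
$TestUser     = 'admt-test01'

# Pin each query to one DC so replication lag does not confuse the comparison.
$SourceDC = (Get-ADDomainController -DomainName $SourceDomain -Discover).HostName[0]
$TargetDC = (Get-ADDomainController -DomainName $TargetDomain -Discover).HostName[0]

$src = Get-ADUser -Identity $TestUser -Server $SourceDC -Properties MemberOf, ObjectSID
$dst = Get-ADUser -Identity $TestUser -Server $TargetDC -Properties MemberOf, ObjectSID, SIDHistory

# 1. SID history: resources still ACLed with the old SID only keep working
#    if the source SID is present on the target object.
$sidHistory   = @($dst.SIDHistory | Where-Object { $_ } | ForEach-Object { [string]$_ })
$sidHistoryOk = $sidHistory -contains [string]$src.ObjectSID

# 2. Group memberships: compare by sAMAccountName, since DNs differ per domain.
#    The primary group (usually Domain Users) is not in MemberOf on either side,
#    and groups from other domains in a forest would need a global catalog query.
function Get-GroupSamNames {
    param([string[]]$GroupDNs, [string]$Server)
    foreach ($dn in $GroupDNs) {
        (Get-ADGroup -Identity $dn -Server $Server).SamAccountName
    }
}
$srcGroups = @(Get-GroupSamNames -GroupDNs $src.MemberOf -Server $SourceDC | Sort-Object)
$dstGroups = @(Get-GroupSamNames -GroupDNs $dst.MemberOf -Server $TargetDC | Sort-Object)

$missingInTarget = @(Compare-Object -ReferenceObject $srcGroups -DifferenceObject $dstGroups |
    Where-Object { $_.SideIndicator -eq '<=' } |
    ForEach-Object { $_.InputObject })

[pscustomobject]@{
    User            = $TestUser
    TargetEnabled   = $dst.Enabled
    SidHistoryOk    = $sidHistoryOk
    SourceGroups    = $srcGroups.Count
    TargetGroups    = $dstGroups.Count
    MissingInTarget = ($missingInTarget -join ', ')
    ReadyForBatches = $sidHistoryOk -and ($missingInTarget.Count -eq 0)
}
```

Only proceed to production batches when SidHistoryOk is true and MissingInTarget is empty; a missing group here usually means the group itself was not migrated first, which is exactly what the test batch exists to catch.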

Use a measured approach. For the best results, migrate in batches of no more than 100 to 200 users. If the network connection dropped mid-migration with 3,200 users in flight, you would be left with accounts backed out or migrated in a half-finished state. Migrating in batches makes it simple to roll back a handful of users when errors occur, and it lets staff take breaks and make configuration changes between batches, which makes the procedure less stressful.
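One way to prepare the batches, as an added example rather than code from the original article: the script splits the source domain's enabled user accounts into ADMT include files of at most 150 names each, so every batch can be migrated, verified and, if needed, rolled back on its own. The source domain, search OU and output folder are assumptions. The include-file layout (a SourceName header line followed by one sAMAccountName per line) follows the ADMT 3.2 documentation; confirm it against the documentation for your version.

```powershell
# Added example, not code from the original article: split the source
# domain's enabled user accounts into ADMT include files of at most 150
# names, so each batch can be migrated, verified and rolled back on its own.
# Assumptions: source domain corp.source.example, users under
# OU=Staff,DC=corp,DC=source,DC=example, output folder C:\ADMT\Batches.
# Include-file layout (a SourceName header, then one sAMAccountName per line)
# follows the ADMT 3.2 documentation; confirm it against your version.
Import-Module ActiveDirectory

$SourceDC  = (Get-ADDomainController -DomainName 'corp.source.example' -Discover).HostName[0]
$SearchOU  = 'OU=Staff,DC=corp,DC=source,DC=example'
$BatchSize = 150
$OutDir    = 'C:\ADMT\Batches'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Enabled human accounts only; service and disabled accounts get their own plan.
$users = @(Get-ADUser -Server $SourceDC -SearchBase $SearchOU -Filter { Enabled -eq $true } |
           Sort-Object SamAccountName)

$batch = 0
for ($i = 0; $i -lt $users.Count; $i += $BatchSize) {
    $batch++
    $end   = [Math]::Min($i + $BatchSize, $users.Count) - 1
    $slice = @($users[$i..$end])
    $file  = Join-Path $OutDir ('batch{0:D3}.txt' -f $batch)

    # Header line plus one name per line, written as plain ASCII for ADMT.
    @('SourceName') + @($slice | ForEach-Object { $_.SamAccountName }) |
        Set-Content -Path $file -Encoding Ascii

    '{0}: {1} users ({2} .. {3})' -f $file, $slice.Count,
        $slice[0].SamAccountName, $slice[-1].SamAccountName
}
```

Feed one file at a time to the User Account Migration Wizard through its option to read objects from an include file, verify the batch in the target domain, and only then start the next file. Keeping the files after the migration also gives you an exact record of which accounts moved in which batch, which is what a rollback of a single batch needs.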

Decrypt files protected by the Encrypting File System. Most enterprises that use Encrypting File System (EFS) rely on a data recovery agent in the source domain as insurance against lost user keys. ADMT does not migrate EFS certificates and private keys to the target domain, so EFS-encrypted files may become unrecoverable once the source domain is decommissioned. Decrypt those files beforehand, and re-encrypt them after the migration, once users hold EFS certificates and a recovery agent is configured in the target domain.
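An added example, not code from the original article, for the inventory and decryption step: it walks the paths that will move, records every file carrying the Encrypted attribute, and, when run with -Decrypt, decrypts them in place with cipher.exe and re-checks what is left. The paths (D:\Shares, \\fs01\home$) and the inventory file location are assumptions. Run it as a user who can open the files (the owner or a data recovery agent); files that remain encrypted after the pass need exactly such a user to decrypt them while the source domain still exists.

```powershell
# Added example, not code from the original article: find EFS-encrypted
# files under the shares that will move and, when -Decrypt is given,
# decrypt them in place with cipher.exe before the migration. Assumed
# paths: D:\Shares and \\fs01\home$. Run as the owner or a data recovery
# agent, since only they can decrypt.
param(
    [string[]]$Paths     = @('D:\Shares', '\\fs01\home$'),
    [string]$Inventory   = 'C:\ADMT\efs-inventory.csv',
    [switch]$Decrypt
)

function Get-EfsFile {
    param([string[]]$Path)
    foreach ($p in $Path) {
        Get-ChildItem -LiteralPath $p -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }
    }
}

$encrypted = @(Get-EfsFile -Path $Paths)
$encrypted | Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path $Inventory -NoTypeInformation
'{0} EFS-encrypted files found; inventory written to {1}' -f $encrypted.Count, $Inventory

if ($Decrypt) {
    foreach ($f in $encrypted) {
        # cipher /d decrypts the named file. It reports files the current user
        # cannot open on the console; the attribute re-check below catches them too.
        & cipher.exe /d "$($f.FullName)"
    }
    $stillEncrypted = @(Get-EfsFile -Path $Paths)
    '{0} files still encrypted' -f $stillEncrypted.Count
    $stillEncrypted | ForEach-Object { $_.FullName }
}
```

Run it once without -Decrypt to size the problem and hand the inventory to the data owners, then with -Decrypt from an account that holds the recovery agent certificate. Keep the inventory: it is also the list of files to re-encrypt once the target domain has its own EFS policy.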

Sync time. The source and target domains must be synced to an accurate, common time source. Kerberos tolerates only five minutes of clock skew by default, so skew between the domains causes authentication failures and complicates the migration.
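A pre-flight check for the time-sync requirement, added here as an example and not code from the original article: it measures the clock offset between the machine running ADMT and the PDC emulator of each domain with w32tm /stripchart and flags anything outside the default Kerberos tolerance. The domain names are assumptions; the regular expression matches the per-sample lines w32tm prints in /dataonly mode.

```powershell
# Added example, not code from the original article: measure the clock
# offset between this machine and the PDC emulator of the source and target
# domains, and flag anything outside Kerberos' default 5-minute tolerance.
# Assumed domains: corp.source.example and corp.target.example.
Import-Module ActiveDirectory

$MaxSkewSeconds = 300   # Kerberos default MaxClockSkew (5 minutes)

function Get-ClockOffsetSeconds {
    param([string]$Computer)
    # With /dataonly, w32tm prints one sample per line, e.g. "14:02:11, -00.0123456s".
    $out = & w32tm.exe /stripchart /computer:$Computer /samples:3 /dataonly 2>&1
    $offsets = @(foreach ($line in $out) {
        if ($line -match ',\s*([-+]?\d+\.\d+)s') { [double]$Matches[1] }
    })
    if ($offsets.Count -eq 0) {
        throw "No time samples from $Computer : $($out -join ' ')"
    }
    ($offsets | Measure-Object -Average).Average
}

foreach ($domain in 'corp.source.example', 'corp.target.example') {
    # The PDC emulator is the authoritative clock for its domain.
    $pdc    = (Get-ADDomain -Identity $domain).PDCEmulator
    $offset = Get-ClockOffsetSeconds -Computer $pdc
    [pscustomobject]@{
        Domain                  = $domain
        PDCEmulator             = $pdc
        OffsetSeconds           = [Math]::Round($offset, 3)
        WithinKerberosTolerance = [Math]::Abs($offset) -lt $MaxSkewSeconds
    }
}
```

Both rows should show offsets of a second or less. An offset that is within tolerance but drifting between runs is still worth fixing before the migration, because the ADMT console, the Password Export Server and both sets of domain controllers all authenticate to each other with Kerberos.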

ADMT is currently at version 3.2; Microsoft no longer supports earlier versions. The tool installs on Windows Server 2008 R2 and later, including Windows Server 2012 R2, and needs a SQL Server instance (SQL Server Express is sufficient) for its database. Source and target domain functional levels can be Windows Server 2003 or higher; however, you can't install it on read-only domain controllers or Server Core installations.

Understand how to handle changes in the source domain after migration begins. The easiest approach is to rerun the ADMT wizards against the changed objects and let the conflict management options (migrate and merge) carry the changes across to the target domain. This keeps the two directories in sync, and using ADMT consistently for every change avoids errors.

Use rules for group types and memberships. Keep the following rules in mind when planning the Active Directory migration and apply them to the directory in the new target domain. Put users in global groups. Put global groups in domain local groups. Assign permissions on resources such as file shares and printers to the domain local groups, never directly to users. That way, granting a set of users access to a resource means adding their global group to the resource's domain local group.

Ensure domain PCs restart after migrating Active Directory. Migrated computers need a restart to complete the switch of domain membership and to obtain a computer account password and Kerberos tickets from the target domain. Use the existing management software to reboot those machines. The migration is not final until every migrated machine has restarted; until then, machines remain tied to the old source domain.
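To confirm that step, here is an added example (not code from the original article) that queries each computer from a migration batch over WinRM and reports whether it now belongs to the target domain and has rebooted since the batch started. The target domain name, the batch start time and the hostnames are assumptions, and PowerShell 3.0 or later is assumed on both ends.

```powershell
# Added example, not code from the original article: after a computer
# migration batch, confirm each machine now reports the target domain and
# has rebooted since the batch started. Anything still reporting the source
# domain, or an old boot time, is not finished. Assumptions: target domain
# corp.target.example, a hostname list taken from the batch's include file,
# WinRM reachable on the clients, PowerShell 3.0 or later on both ends.
$TargetDomain = 'corp.target.example'
$BatchStart   = Get-Date '2016-01-15 18:00'       # when the batch was kicked off
$Computers    = 'ws-0101', 'ws-0102', 'ws-0103'   # from the batch include file

$seen = @(Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Domain   = (Get-CimInstance Win32_ComputerSystem).Domain
        LastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    }
})

$report = foreach ($c in $seen) {
    [pscustomobject]@{
        Computer = $c.Computer
        Domain   = $c.Domain
        LastBoot = $c.LastBoot
        Finished = ($c.Domain -eq $TargetDomain) -and ($c.LastBoot -gt $BatchStart)
    }
}
$report | Format-Table -AutoSize

# Machines that did not answer must be checked by hand or through the
# management tooling; they may be off, blocked by a firewall, or mid-rejoin.
$unreachable = @($Computers | Where-Object { $_ -notin $seen.Computer })
if ($unreachable.Count -gt 0) { 'No response from: ' + ($unreachable -join ', ') }

$pending = @($report | Where-Object { -not $_.Finished } | ForEach-Object Computer)
if ($pending.Count -gt 0) { 'Still need a restart or rejoin: ' + ($pending -join ', ') }
```

Machines in the pending list can be restarted from the same console with Restart-Computer -ComputerName $pending -Force if the usual management tooling is not available; the unreachable ones need a person or the tooling to look at them before the batch is declared done.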

Have a rollback plan. In an interforest migration, ADMT copies accounts, so the source objects remain in place, typically disabled. Rolling back means using the old source domain and essentially pretending that nothing has happened: first, re-enable any migrated user and group accounts that were disabled in the source domain and confirm that they work as expected, then roll back other resources by changing domain memberships back and restarting those machines. In an intraforest migration, however, ADMT moves objects rather than copying them, so roll back by migrating the objects in the reverse direction with the tool.
