How to manage Active Directory Migration Tools: A Comprehensive Guide

In this article, we will discuss some of the best tips and advice on how you can manage migration tools. We will begin with an introduction to what these tools are, as well as what makes for a successful migration.

What Are Active Directory Migration Tools?

The Active Directory Migration Tool (often shortened to ADMT) is a free utility that facilitates the migration process. This involves migrating users, computers and groups between two Active Directory domains (known as AD domains). This is irrespective of whether they are in the same or different AD forests.

What is an AD forest?

We’re not talking about trees here, believe it or not! An AD forest is the highest-level logical container in an Active Directory configuration that contains users, computers, domains, and group policies. There are three main types of AD forests, and these will be discussed in further detail below.

Organisational Forest Model

This provides autonomy to users and resources in the forest. It isolates services and data from anyone outside the forest. Additionally, trust relationships between forests can allow access to some resources that live in outside forests.

Resource Forest Model

Users live in the organisational forest, but resources live in one (or more) additional forests. Only alternative administrative user accounts live in the resource forests. Trusts enable resource sharing with the users.

A key difference between the organisational forest model and the resource forest model is that the resource forest model provides service isolation: if one forest goes down, the other forests continue to operate.

Restricted Access Forest Model

As the name suggests, no trust exists to other forests, so users in other forests are unable to access its resources.

If users wish to access the resources, they will need a second computer to access the restricted forest. This can be held on a completely separate network if necessary.

Before You Install the ADMT

There are a few requirements which are worth knowing about before you install the ADMT. First of all, it will need to be installed on a computer running Windows Server 2008 or later.

It is also worth noting that it does not work on read-only domain controllers, and that both source and target domains need to be running supported Windows Server versions. It also requires a SQL Server instance to store its migration data.

Downloading the ADMT

The next step is arguably the most important one: downloading the ADMT. You will need to download the installer from Microsoft.

Once the installer has downloaded, run it, click Next, and accept the Terms and Conditions.

Click Next again, enter the SQL Server instance that you are going to use for the Active Directory migration tools when prompted, and finally click Finish. It really is that simple!

Pre-Migration Checklist

Before you begin a migration project, there are plenty of things to consider. This is similar to the pre-installation checklist for the ADMT, and needs to be taken seriously before a migration is started.

Step 1: Create a Spreadsheet of the Migration

Making sure that everything is recorded is critical to a successful migration of objects. Creating a spreadsheet (either on Google Sheets or Microsoft Excel) is a good way to do this.

The objective of this spreadsheet is to track the source objects and their target locations.
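One way to build that tracking spreadsheet is to export the source objects directly from the domain rather than typing them in. The following PowerShell script is an added example, not code from the original article or from the ADMT; the domain name, OU and output path are placeholders for your own environment, and it assumes the ActiveDirectory module is installed. It exports users and groups with their source SIDs and empty target columns to fill in as the migration progresses.

```powershell
# Added example: build the migration tracking spreadsheet (CSV) from the source domain.
# Assumptions: ActiveDirectory module available; names below are placeholders.
Import-Module ActiveDirectory

$SourceDomain = 'source.example.local'                        # placeholder
$SourceOu     = 'OU=Staff,DC=source,DC=example,DC=local'      # placeholder
$OutFile      = 'C:\Migration\migration-inventory.csv'        # placeholder

# Users: record the attributes you will want to verify again after migration.
$users = Get-ADUser -Server $SourceDomain -SearchBase $SourceOu -Filter * `
    -Properties memberOf, LastLogonDate |
  ForEach-Object {
    [pscustomobject]@{
        ObjectType     = 'User'
        SamAccountName = $_.SamAccountName
        SourceDN       = $_.DistinguishedName
        SourceSID      = $_.SID.Value          # needed later to check sIDHistory
        Enabled        = $_.Enabled
        LastLogonDate  = $_.LastLogonDate
        MemberCount    = @($_.memberOf).Count  # number of groups the user is in
        TargetOU       = ''                    # fill in before the migration job
        Wave           = ''                    # phased migration batch, e.g. 'IT'
        MigratedOn     = ''
        Verified       = ''
    }
  }

# Groups: same columns so both object types fit in one sheet.
$groups = Get-ADGroup -Server $SourceDomain -SearchBase $SourceOu -Filter * `
    -Properties member |
  ForEach-Object {
    [pscustomobject]@{
        ObjectType     = 'Group'
        SamAccountName = $_.SamAccountName
        SourceDN       = $_.DistinguishedName
        SourceSID      = $_.SID.Value
        Enabled        = $null
        LastLogonDate  = $null
        MemberCount    = @($_.member).Count    # number of members of the group
        TargetOU       = ''
        Wave           = ''
        MigratedOn     = ''
        Verified       = ''
    }
  }

@($users) + @($groups) | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

The CSV opens directly in Excel or Google Sheets, and keeping the source SID in the sheet makes the post-migration SID history check straightforward.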

Step 2: Test, Test, Test!

As with any successful experiment, you should always test before committing to any migration operations.

This is where you can see if anything will go wrong, and can rectify any outstanding issues before the migration is undertaken.

Step 3: Inform User Groups of Impending Changes

Follow the change management process, and most importantly, keep people in the loop. Let them know what is going to happen, and any changes that will happen that they need to be made aware of.

AD Security

Another important element to focus on when working with Active Directory migration tools is AD security – it simply has to be a top priority.

Firstly, you should analyse the state of your current environment in order to identify any gaps in security. Examples of such gaps include unsecured systems and weak passwords.

Active Directory is not secure by default, so it is a good idea to design the destination environment with security best practices in mind.

Some examples of this include configuring firewalls and intrusion detection systems, as well as implementing secure password policies.
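A concrete gap check of the kind described above, as an added example that is not part of the original article: it compares the domain's default password policy with a minimum baseline and lists enabled accounts that are exempt from that policy. The baseline values and the domain name are assumptions to replace with your own standard; run it against both the source and the target domain.

```powershell
# Added example: password-policy gap check before designing the destination forest.
# Assumptions: ActiveDirectory module available; baseline numbers and domain are placeholders.
Import-Module ActiveDirectory

$Domain   = 'source.example.local'   # placeholder: run once per domain (source and target)
$Baseline = @{
    MinPasswordLength    = 14
    ComplexityEnabled    = $true
    PasswordHistoryCount = 24
    LockoutThreshold     = 10        # 0 means lockout is disabled entirely
}

function Test-DomainPasswordPolicy {
    # Returns one line per setting that is weaker than the baseline.
    param([string]$Server, [hashtable]$Baseline)
    $p = Get-ADDefaultDomainPasswordPolicy -Server $Server
    $findings = @()
    if ($p.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "MinPasswordLength is $($p.MinPasswordLength), baseline $($Baseline.MinPasswordLength)"
    }
    if ($Baseline.ComplexityEnabled -and -not $p.ComplexityEnabled) {
        $findings += 'Password complexity is disabled'
    }
    if ($p.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings += "PasswordHistoryCount is $($p.PasswordHistoryCount), baseline $($Baseline.PasswordHistoryCount)"
    }
    if ($p.LockoutThreshold -eq 0 -or $p.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings += "LockoutThreshold is $($p.LockoutThreshold), baseline $($Baseline.LockoutThreshold) or lower"
    }
    $findings
}

function Get-PolicyExemptAccounts {
    # Enabled accounts flagged so that the password policy does not fully apply to them.
    param([string]$Server)
    Get-ADUser -Server $Server `
        -Filter { PasswordNotRequired -eq $true -or PasswordNeverExpires -eq $true } `
        -Properties PasswordNotRequired, PasswordNeverExpires |
      Where-Object Enabled |
      Select-Object SamAccountName, PasswordNotRequired, PasswordNeverExpires
}

"Policy gaps for ${Domain}:"
Test-DomainPasswordPolicy -Server $Domain -Baseline $Baseline
"Enabled accounts exempt from the policy:"
Get-PolicyExemptAccounts -Server $Domain | Format-Table -AutoSize
```

Fine-grained password policies can override the default for specific groups, so treat the default-policy check as the starting point rather than the whole picture.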

Migrate Users and Groups Together

A migration which has been a success can often be put down to a couple of factors – one of which is a complete migration of users and groups.

Rather than separating the two, it is more beneficial to migrate active users and groups together. This is because it causes as little disruption as possible, which we all want, right?

However, this process is not just as easy as “copy and paste”. Preserving all permissions and access rights during the migration process is essential to a successful migration.

As part of this process, you will need to add the user and group SIDs (security identifiers) from the source forest users and groups into the SID history attribute of the new, migrated object in the destination AD forest.

This way, the new users and groups can still access the original resources in the source forest, because they carry the SIDs of the original objects.

However, if this is not a feasible option, do not worry! You can always add new Access Control Entries (ACEs) for the new users and groups to the original resources.
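The following PowerShell script is an added example and not code from the original article or the ADMT. It checks, for each user in the tracking spreadsheet, that the source SID now appears in the migrated account's sIDHistory attribute, and for any account where it does not, it applies the fallback described above by adding an ACE for the new account to a share. The domain names, the CSV path, the share path and the target NetBIOS name are placeholders; the ACE is added with -WhatIf unless you opt in.

```powershell
# Added example: verify sIDHistory after an ADMT job and add fallback ACEs where it is missing.
# Assumptions: ActiveDirectory module available; names and paths below are placeholders.
Import-Module ActiveDirectory

$SourceDomain  = 'source.example.local'                        # placeholder
$TargetDomain  = 'target.example.local'                        # placeholder
$TargetNetbios = 'TARGET'                                      # placeholder
$Inventory     = Import-Csv 'C:\Migration\migration-inventory.csv'   # the tracking sheet
$SharePath     = '\\fileserver.source.example.local\Projects'  # placeholder resource

function Test-SidHistory {
    # Compares the source account's SID with the sIDHistory values on the target account.
    param([string]$Sam)
    $src = Get-ADUser -Identity $Sam -Server $SourceDomain
    $dst = Get-ADUser -Identity $Sam -Server $TargetDomain -Properties sIDHistory
    $history = @($dst.sIDHistory | ForEach-Object { $_.Value })
    [pscustomobject]@{
        SamAccountName = $Sam
        SourceSID      = $src.SID.Value
        TargetSID      = $dst.SID.Value
        HasSidHistory  = ($history -contains $src.SID.Value)
    }
}

function Add-FallbackAce {
    # Grants the new account Modify on the resource; use -Apply to actually write the ACL.
    param([string]$Path, [string]$Identity, [switch]$Apply)
    $acl      = Get-Acl -Path $Path
    $ruleArgs = @($Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $rule     = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl -WhatIf:(-not $Apply)
}

$results = $Inventory |
  Where-Object ObjectType -eq 'User' |
  ForEach-Object { Test-SidHistory -Sam $_.SamAccountName }

$results | Format-Table -AutoSize

# Only accounts without SID history need the fallback ACE.
foreach ($r in ($results | Where-Object { -not $_.HasSidHistory })) {
    Add-FallbackAce -Path $SharePath -Identity "$TargetNetbios\$($r.SamAccountName)"
}
```

Run the check before cutting users over: an account that shows HasSidHistory as False is exactly the one that will lose access the moment it stops authenticating against the source forest.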

What is Involved in an AD Migration Project?

A question that may have come into your mind a few times is what is actually involved in an AD migration project? We will break it down into a few simple steps below.

Step 1: Careful Planning

To really break it down into the simplest of terms, we can literally go from point A to point B. Point A is your current environment, and point B is your desired environment.

You need to know exactly what both points A and B look like, before laying out the processes to migrate from point A to point B.

Next, as mentioned earlier, test your plan in great detail (and test again, and again if necessary) so that you can figure out any issues or anything that you might have missed.

Identifying any issues at this stage in the migration process can save you a lot of time and trouble later on in the project, which is why careful planning and rigorous testing are so important at this stage.

Step 2: Clean Up Your Active Directory

Cleaning up your current AD as best as you possibly can is another crucial step which cannot be ignored.

We will discuss the ways you can do this in greater detail further on in the article.

Step 3: Backup

Making sure that everything can be backed up is another key element of an AD migration project.

Establishing that you have a recovery plan is also essential, just in case the worst happens. After all, to fail to prepare is to prepare to fail.

Step 4: Run Migration Jobs

Only once you have completed all of the above steps should you start running any migration jobs.

Because migration jobs can take a lot of time, it is essential to plan them by order of priorities. This means ensuring that you have a coexistence strategy in place which enables users to stay productive, regardless of which accounts and resources have been migrated, and which ones have not yet been migrated.

Tips for Cleaning Up Your Active Directory

As was mentioned in the previous section, cleaning up is an essential part of any Active Directory migration.

There are many ways in which you can do this, and a few tips will be listed below.

Delete Unused Accounts

Neglected and unused accounts are literally a waste of space and time, because they not only slow down your Active Directory system, but also put your company, business or organisation at risk of data breaches.

Admins who are responsible for cleaning up the AD can run scripts to search for accounts with either no logins, or with logins that have been unused for a long period. Many of these will be duplicate accounts which users have made and simply forgotten about, so can be safely removed without the risk of a user losing any data.

Manage Accounts With Expired Passwords

Similarly to unused accounts, accounts with passwords which are no longer valid because they have expired are also at risk of causing a data breach, and must be dealt with.

An expired password is often an indicator of an inactive account, but this is not always the case.

Sometimes, passwords expire without the administrators being notified, so these accounts then need to be cleaned up as a result.

However, it is important to note that inactive accounts and those with passwords that have expired are different. It is very possible that the account with the expired password might still be in use, so greater care needs to be taken around this before deleting the account.

Admins should run separate checks to ensure that accounts with expired passwords have not been in use before deleting. It is also worth backing up any data before deleting an account, just to play it safe.

Remove Disabled Accounts

It is imperative for administrators to keep on top of disabled accounts, and not just during an Active Directory migration project.

Accounts are generally disabled by company admins when an employee goes on a period of extended leave, such as maternity leave, or when they completely leave the organisation. Obviously depending on the nature of their leave, and whether or not the employee will be making a return, administrators sometimes choose to keep their credentials and information on file for a certain period of time.

The reason that it is so important to keep on top of disabled accounts is because hackers can easily exploit the employee’s credentials, send phishing requests to the IT department, and even create a security breach, which can not only be dangerous, but incredibly costly to resolve, too.

Similarly to unused accounts, disabled accounts can also slow down the Active Directory migration process, as well as causing compliance problems, because they can still show up on audit reports.

A good way to resolve any issues around disabled accounts is for administrators to grant a grace period in order to accommodate any employees who are on a period of extended leave. After the grace period comes to an end, the firm date – which has been outlined to the employee and organisation – will see the deletion of the account.

Once again though, administrators should carefully back up any organisational information which may be of use in the future before completely deleting the account.

Find and Remove Inactive Accounts

Similarly to unused accounts, inactive accounts can also pose a security risk, as well as slowing down any AD migration jobs.

As a general rule, an inactive account is an account which has not attempted to access any data in 90 days or longer. However, this is at the discretion of the company or organisation: some companies will have a short policy, for others it could go up to six months, a year, or even longer.

Either way, after this period of inactivity, however short or long it might be, the account will be classed as inactive.

The simplest way to discover whether an account is inactive is to filter accounts by their last login date. Administrators can also check how much time has passed since a user last attempted to access any data or information through their account.

Because some accounts could still be in use, rather than unused, it is important to take care when removing inactive accounts. Admins should never remove inactive accounts in bulk, in case the user still uses the account, just not as often as they did previously. Instead, if they are uncertain, admins should move the accounts they have identified as inactive to a separate OU (organisational unit). That way, the accounts can be easily recovered if necessary.
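The four clean-up categories above (unused, expired password, disabled, inactive) can be classified in one pass. The script below is an added example, not code from the original article; it uses the 90-day threshold given above, keeps expired-password accounts that have logged on recently separate from inactive ones, and stages candidates into a quarantine OU with -WhatIf instead of deleting anything in bulk. The OU, report path and threshold are placeholders.

```powershell
# Added example: classify stale accounts and stage them in a quarantine OU (no deletion).
# Assumptions: ActiveDirectory module available; OU and report path are placeholders.
Import-Module ActiveDirectory

$InactiveDays = 90                                      # threshold used in the article
$QuarantineOu = 'OU=Quarantine,DC=example,DC=local'     # placeholder
$ReportPath   = 'C:\Migration\account-cleanup.csv'      # placeholder

# Note: LastLogonDate comes from lastLogonTimestamp, which replicates only every
# 9 to 14 days, so "inactive" is approximate and is a reason to quarantine, not delete.
$inactive = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly
$expired  = Search-ADAccount -PasswordExpired -UsersOnly
$disabled = Search-ADAccount -AccountDisabled -UsersOnly

$inactiveDns = @($inactive | ForEach-Object DistinguishedName)
$expiredDns  = @($expired  | ForEach-Object DistinguishedName)
$disabledDns = @($disabled | ForEach-Object DistinguishedName)

# Union of all three result sets, one row per account.
$all = @($inactive) + @($expired) + @($disabled) | Sort-Object DistinguishedName -Unique

$report = foreach ($a in $all) {
    $isInactive = $inactiveDns -contains $a.DistinguishedName
    $isExpired  = $expiredDns  -contains $a.DistinguishedName
    $isDisabled = $disabledDns -contains $a.DistinguishedName

    # Order matters: disabled accounts get the grace-period treatment; an expired
    # password on a recently used account is NOT a reason to remove it.
    $action = if ($isDisabled) {
        'Confirm leave/leaver status; quarantine after grace period'
    } elseif ($isExpired -and -not $isInactive) {
        'Keep: password expired but account used recently; contact user'
    } elseif ($isInactive) {
        'Quarantine: move to OU, back up data, do not delete yet'
    } else {
        'Review manually'
    }

    [pscustomobject]@{
        SamAccountName    = $a.SamAccountName
        DistinguishedName = $a.DistinguishedName
        Enabled           = $a.Enabled
        LastLogonDate     = $a.LastLogonDate
        Inactive          = $isInactive
        PasswordExpired   = $isExpired
        Disabled          = $isDisabled
        Action            = $action
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
$report | Format-Table SamAccountName, LastLogonDate, Inactive, PasswordExpired, Disabled, Action -AutoSize

# Stage the quarantine moves; remove -WhatIf only after the report has been reviewed.
$report | Where-Object { $_.Action -like 'Quarantine*' } | ForEach-Object {
    Move-ADObject -Identity $_.DistinguishedName -TargetPath $QuarantineOu -WhatIf
}
```

Because the report is written before any move is attempted, it doubles as the backup of "which account was where" that the article recommends keeping before touching anything.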

Why Perform a Phased Migration

Although we discussed migrating users and groups together earlier, should you migrate everything at once, or perform a phased migration, bit by bit?

Clearly, there are advantages and disadvantages to both, but performing a phased migration is usually the safest method to take, as there are fewer risks associated with it.

For instance, even with thorough testing, pilot tests, planning and more, there is still an enormous risk if moving everything over at once, even from a productivity point of view.
This is because the employees involved in this can also be under a huge amount of pressure and stress by working to a tight deadline, and people cannot perform at their very best under these circumstances.

Aside from that, the migration may still be incomplete before the next business day, meaning that people cannot work, business cannot be conducted, and the organisation loses money rapidly as a result.

Unless you are performing the smallest of Active Directory migrations, a phased migration is a much better and safer option to perform.

The best practices to adopt are (thankfully) quite logical – for instance, moving groups of workloads, devices and users in logical chunks – such as moving the entire IT department over together, or the marketing department and so on.

The reason behind this is so that the migration team can dedicate their full time and support to smaller, more manageable chunks of people. In turn, this means fewer support tickets, and less stress for those involved.

Final Thoughts

While Active Directory migration tools might seem daunting at first, the tasks can easily be split up into much more workable and manageable chunks.

By taking a few steps prior to undertaking an AD migration, including successful planning, testing and more, you can simplify the process and make it much smoother for all involved.
It is also worth being careful about unused, disabled and inactive accounts, and removing these properly can not only increase your security, but also lead to a much quicker migration, meaning people can be back at work and ready to go again straight away.

Hopefully, by following some of the tips and advice in this article, you will be able to perform a successful AD migration and be ready and renewed to undertake business again as soon as possible.