Mastering Active Directory Migrations


Mastering Active Directory Migrations
Written by Derek Melber, MCSE, MVP, President, BrainCore.Net AZ, Inc.
WHITE PAPER

© 2011 Quest Software, Inc. All rights reserved.

Contents

Abstract ... 3
Introduction ... 4
Assessing the Source Environment ... 5
Managing the Migration ... 6
  Active Directory Migration Requirements ... 6
  Re-permissioning of Resources ... 6
  SIDHistory Migration ... 6
  Co-existence ... 6
  Reporting ... 6
  Cleanup ... 6
  Rollback ... 7
  Choosing the Right Tool ... 7
Active Directory Migration Scenarios ... 8
  Intra-forest Migration ... 8
  Inter-forest Migration ... 8
  Site Topology Migration ... 8
  Non-trusted Domain Migration ... 8
  Advanced User and Group Object Property Migration ... 9
  Migrated Object Property Customization ... 9
  Active Directory Delegation Migration ... 9
Resource Migration ... 10
  Resource Permissions ... 10
  Service Accounts ... 10
  Desktops ... 10
  Laptops ... 10
  Servers ... 11
  Cleanup ... 11
Conclusion ... 12
About the Author ... 13

Abstract

This white paper details the major challenges of Active Directory migrations and explains how choosing the right migration tools can help speed your migration and help ensure its success.

Introduction

An Active Directory migration can be complex and difficult. The goal for most organizations is to provide seamless access to data and services for all users during and after the migration and minimize the impact of the migration on the production environment.

To begin your migration, you need to understand your source environment at both the domain level and the object level so you can make good decisions about your migration process and minimize the data you have to migrate. Then you need to migrate your servers, resources, and permissions from the source domain to the target domain. This process usually takes weeks or months, during which you must keep the source and target environments in sync. Some migration scenarios—such as migrating multiple domains into a single domain, migrating complex site topology structures, or migrating domains that can’t have trusts established—add even more complexity to the migration project.

This white paper details the major challenges of Active Directory migrations, including complex migration scenarios, and explains how choosing the right migration tools can help speed your migration and help ensure its success.

Assessing the Source Environment

The first step in a migration is assessing the current environment to determine the scope of your project and properly plan for resources required in the target environment. Most organizations will want to gather the following information:

- Accounts that have never logged on and inactive accounts – These accounts may not need to be migrated.
- Computer account status – Organizations often discover "dead" computer accounts that do not need to be migrated.
- Duplicate users and groups – If you identify duplicate users between domains, you might want to merge or rename some of these objects during the migration.
- File shares by computer – Some shared file resources might require a permissions update as part of the migration process.
- Account policies, audit policies, and password policies – You should assess the level of consistency between the source and target environments for each type of policy. Assessing password policies for domains, for instance, is important because when user accounts with weak passwords are migrated into a domain with a stronger password policy, those user accounts are automatically disabled by the operating system and the "must change password at next logon" flag is set.

Unfortunately, collecting this information and developing appropriate reports manually can be difficult and is prone to error. Many organizations find they do not have the time to assess their source environment properly, and they often face migration issues later that could have been avoided. Consider investing in a third-party tool, such as Reporter from Quest Software, to automate the assessment process and help ensure you have a complete and accurate picture of your source environment.
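The inventory described above can be scripted. The following PowerShell is an added example, not code from this white paper or from Quest Reporter: it classifies the source domain's user and computer accounts as disabled, never logged on, inactive, or active, and flags sAMAccountName collisions with the target domain. It assumes the RSAT ActiveDirectory module and read access to both domains; the domain names, the 90-day threshold and the report path are placeholders of this example.

```powershell
# Added example (not from the white paper or Quest Reporter): inventory the source
# domain for accounts that may not need to be migrated. Assumes the ActiveDirectory
# module; domain names, threshold and report path are placeholders.
param(
    [string]$SourceDomain = 'source.example',      # placeholder: source domain DNS name
    [string]$TargetDomain = '',                    # optional placeholder: target domain for the duplicate check
    [int]$InactiveDays = 90,                       # arbitrary threshold for "inactive"
    [string]$ReportPath = '.\source-assessment.csv'
)
Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# LastLogonDate is the module's DateTime view of lastLogonTimestamp, which is replicated
# (accurate to roughly 14 days) and therefore good enough for a migration-scoping inventory.
$users     = Get-ADUser     -Server $SourceDomain -Filter * -Properties LastLogonDate, Enabled, PasswordLastSet
$computers = Get-ADComputer -Server $SourceDomain -Filter * -Properties LastLogonDate, Enabled, PasswordLastSet

function Classify {
    param($Account, [string]$Kind)
    $state = if (-not $Account.Enabled)                   { 'Disabled' }
             elseif (-not $Account.LastLogonDate)         { 'NeverLoggedOn' }
             elseif ($Account.LastLogonDate -lt $cutoff)  { 'Inactive' }
             else                                         { 'Active' }
    [pscustomobject]@{
        Kind              = $Kind
        Name              = $Account.SamAccountName
        DistinguishedName = $Account.DistinguishedName
        LastLogon         = $Account.LastLogonDate
        PasswordLastSet   = $Account.PasswordLastSet
        State             = $state
    }
}

$report = @($users     | ForEach-Object { Classify $_ 'User' }) +
          @($computers | ForEach-Object { Classify $_ 'Computer' })
$report | Export-Csv -NoTypeInformation -Path $ReportPath

# The per-state counts are what decide how much of the source domain actually moves
$report | Group-Object Kind, State | Sort-Object Name | Select-Object Name, Count | Format-Table -AutoSize

# Duplicate sAMAccountNames between domains must be merged or renamed before migration
if ($TargetDomain) {
    $targetNames = Get-ADUser -Server $TargetDomain -Filter * | Select-Object -ExpandProperty SamAccountName
    $dupes = @($users | Where-Object { $_.SamAccountName -in $targetNames })
    "Users whose sAMAccountName already exists in ${TargetDomain}: $($dupes.Count)"
    $dupes | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
}
```

Accounts reported as Disabled or NeverLoggedOn are candidates for exclusion; the PasswordLastSet column helps spot users whose passwords predate the target domain's password policy and will therefore be disabled on arrival, as the section above explains.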

Managing the Migration

Active Directory Migration Requirements

Most organizations have two important requirements for their Active Directory migration projects. The first is to minimize disruption for users, both during and after the migration, and the second is to minimize the impact to the production environment, also both during and after the migration. Although we all want the migration process to take a day, most migrations take weeks or even months to complete. During this time, users must be able to access the data and applications they need; servers must be available; and domain membership and resource permissions must be correct. If any of these fail during the migration, the ramifications can be staggering. Millions of dollars can be lost with a single resource or server failing to migrate successfully.

Therefore, organizations need a management system that can track each migration step, ensure that nothing is missed, and provide a way to recover back to the original environment if a serious issue arises. The following aspects of migration require particular attention:

Re-permissioning of Resources

Re-permissioning of resources needs to be tracked and verified during the migration process. Re-permissioning must take into consideration the domain structure of all domains being migrated. Old user and group accounts and new user and group accounts need to be rationalized.

SIDHistory Migration

SIDHistory for migrated users needs to be understood, managed, and tracked to ensure seamless access to resources during and after the migration.

Co-existence

Most migrations are done in waves or phases; this is called a rolling migration. Ensuring that everything is kept in sync during these phases is critical to keeping business operations up and running.
Some of the key synchronization efforts include:

- Continuous synching of user passwords from the originating domain and the target domain
- Continuous updating of group membership from the original domain to the target domain
- Ensuring proper access to resources in both the original domain and the target domain

Reporting

Administrators need regular statistics and reports so they can always know the status of the migration. Reports should indicate the percentage of the migration completed and detailed statistics on the number of successful and failed migrations of users, groups, servers, resources, permissions, etc.

Cleanup

After migration, you need to update permissions and resources, including Active Directory, SharePoint, Exchange, IIS, File and Print, SQL Server, cluster servers, Microsoft System Management Center (SMS), and Microsoft System Center Configuration Manager.

Rollback

A final key aspect of any migration is dealing with errors and failures. Rollback in case of error is complex and confusing because so many aspects of the environment need to be considered. Attempting to perform a rollback manually is just begging for something to go wrong.

Choosing the Right Tool

Managing a migration manually is usually not practical, and it introduces considerable risk of mistakes and omissions. Investing in a migration management tool can save you time and money and reduce the risk of a failed migration. Look for a tool that:

- Enables you to control all migration processes from a single management console.
- Automates the migration of servers and resources.
- Provides up-to-the-minute statistics to ensure you always know the current status of the migration project.
- Ensures true coexistence between migrated and unmigrated users, so users can continue working totally unaware of the migration project. The tool should be able to synchronize all changes made during the coexistence period in both directions (from source to target and from target to source), including changes to passwords, group membership, and resource permissions.
- Automatically updates permissions and resources after migration.
- Detects errors during migration and provides automated rollback. The tool should be able to pinpoint which users are causing the issues and roll back only those users.

Active Directory Migration Scenarios

If your migration involves migrating only users, groups, and computers from one domain to another, the process will not be that complicated. However, most Active Directory migrations are complex, and having the right tools to manage the migration is critical. If your migration involves scenarios like the following, consider investing in a quality migration management tool such as Quest Migration Manager for Active Directory.

Intra-forest Migration

An intra-forest migration is typically done to reduce the number of domains. This can help relieve the stress of managing the overall Active Directory environment and deliver cost savings, since you’ll need fewer operating system server licenses and less hardware. The biggest stumbling block with an intra-forest migration is ensuring that the users have continuous access to their resources; users will want daily network activity to function as normal.

Inter-forest Migration

An inter-forest migration is typical when one company purchases another and wants a centralized Active Directory environment rather than forest trusts. In an inter-forest migration, permissions are a key concern. First, the existing forest domain administrators must have permission to migrate the users, groups, and computers from the external domain. Second, users being migrated to the new domain will likely need access to resources in their old external domain for some period of time, and this requires that the external domain provide appropriate permissions.

Managing this access manually is time-consuming and prone to error. A migration tool like Migration Manager for Active Directory can help ensure that all required access is available throughout the migration.

Site Topology Migration

Migrations that involve migrating and collapsing Active Directory domains and forests into one another are also complex. At the top level, considerations for network IP ranges will need to be solved, including any VLAN configurations.
Next, the site topology for replication will need to be analyzed and potentially updated. If one of the domains currently fits into a hub-spoke site topology and the other domain fits into a complete mesh, the migration of the one domain into the other will need some attention to ensure that the domain controllers, DNS servers, DFS servers and resources, and desktops are migrated from one environment to another.

A tool such as Migration Manager for Active Directory will help you successfully execute a site topology migration by providing the detailed information you need.

Non-trusted Domain Migration

When an external domain must be migrated into an existing domain in an Active Directory forest, trust relationships are normally established to facilitate the migration. In some instances, however, security restrictions prevent creation of this trust relationship, making the migration more difficult.

Some third-party tools, including Migration Manager for Active Directory, can handle this migration scenario, allowing all of the objects from the external domain to be migrated into the Active Directory domain without the establishment of a trust.

Advanced User and Group Object Property Migration

You can simplify and speed up your migration—and ensure a cleaner target environment—by migrating only the accounts that are needed in the target domain. A tool like Migration Manager for Active Directory can identify expired, disabled, and system accounts and omit those accounts from the migration. You will have more time to verify that the accounts you need were properly migrated because you won’t be wasting time trying to clean up accounts that were unnecessarily migrated from the source domain.

Migrated Object Property Customization

In most migration scenarios, the source domain and target domain have different philosophies, management styles, user property requirements, and databases that help manage user account properties. Manually updating the migrated user properties would take more time than the migration itself, so having a tool to automate the process is invaluable.

If the source domain does not have the same user properties as the target domain, but there is an external database or configuration file that lists the desired properties, Migration Manager for Active Directory can import these additional user properties into the migrated user property details during the migration, saving you considerable time and effort.

Active Directory Delegation Migration

Powerful delegations can be granted in Active Directory in order for different users or administrators to control different AD accounts. Delegation typically occurs at an organizational unit (OU) level, which grants control over the objects contained within the OU. In most cases, groups are granted delegated control of functions such as resetting passwords, user management, group membership management, and overall group management.
Since these delegations occur at the OU level and are configured for groups, these delegations must be documented, tracked, and validated during and after the migration. Trying to manage the migration of delegation manually is a daunting task. Instead, consider using a tool such as Migration Manager for Active Directory, which provides seamless control and management of this level of detail to help you successfully migrate the delegation of control over accounts in OUs.

Resource Migration

The migration of resources from one domain to another, or from multiple domains into a single domain, presents some of the most challenging issues in a migration, including migration of the following:

Resource Permissions

In Active Directory, permissions are assigned to users via Access Control Lists (ACLs). Each list contains references to security identifiers (SIDs) of the accounts to which the permissions are granted. To ensure that all resources are still available after the migration, these ACLs need to be updated with the new SIDs for the target domain. This is not an easy task, considering the volume of users and groups that need to access a single resource in one domain, with potentially hundreds of groups listed on a single ACL, containing potentially tens of thousands of users. A tool like Migration Manager for Active Directory automatically provides these updates.

Service Accounts

Service accounts and the accounts used to run scheduled tasks must also be migrated to the corresponding target accounts to ensure that services and scheduled tasks will run correctly after their corresponding service accounts have been migrated. A tool such as Migration Manager for Active Directory can automatically update service accounts.

Desktops

Migrating desktops from one domain to another has always been a pain point because of the work that must be done to each desktop. The migration of the computer account in Active Directory is relatively easy; the difficult part is changing the domain membership on the desktop itself so that the user can log on as a user in the target domain. This has historically required configuring the desktop to change the domain membership and then rebooting the desktop.

The right tool can greatly simplify desktop migration. With Migration Manager for Active Directory, for instance, users need only to log off and then log back on to see the new domain and log on with their newly migrated user accounts.
Migration Manager handles all of the domain configurations on the desktop, including the new domain being listed on the logon prompt for the user.

Laptops

Laptops are a stumbling block in most migrations because they are not normally connected to the corporate network. In most cases, the laptop is not migrated until it can successfully connect back to the physical network, which might be months for some mobile users and their laptops.

Migration Manager for Active Directory addresses this issue by providing logon scripts that alter the laptop domain configuration to make the user—even when he or she is still remote—part of the target domain and no longer associated with the source domain.
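The ACL update described under Resource Permissions above, as an added example that is not code from this white paper or from Migration Manager: it walks a folder tree and, for every explicit ACE whose principal is in a source-SID to target-SID map, adds an equivalent ACE for the target-domain principal. It reports by default and only writes ACLs with -Apply; the SID values in the default map are constructed placeholders, and the real map would come from your own migration log (source objectSid to target objectSid).

```powershell
# Added example (not from the white paper or Migration Manager): re-ACL a folder tree
# from a source-SID -> target-SID map. Report mode unless -Apply is given.
param(
    [Parameter(Mandatory)][string]$Root,
    [hashtable]$SidMap = @{
        # constructed placeholder SIDs; replace with the map from your migration log
        'S-1-5-21-1111111111-2222222222-3333333333-1105' = 'S-1-5-21-4444444444-5555555555-6666666666-2201'
        'S-1-5-21-1111111111-2222222222-3333333333-1120' = 'S-1-5-21-4444444444-5555555555-6666666666-2215'
    },
    [switch]$Apply,
    [switch]$RemoveSourceAce   # keep both ACEs during coexistence; remove the old one only at cleanup
)

function Get-AceSid($Ace) {
    # IdentityReference is an NTAccount for resolvable principals and already a SID for
    # orphaned entries; Translate handles both. Unresolvable names are reported, not touched.
    try { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }
}

function Update-FolderAcl([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path
    $changed = $false
    # Only explicit ACEs are edited; inherited ones follow once their parent is fixed
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $sid = Get-AceSid $ace
        if (-not $sid) { Write-Warning "$Path : cannot resolve '$($ace.IdentityReference)'"; continue }
        if (-not $SidMap.ContainsKey($sid)) { continue }

        $target = [System.Security.Principal.SecurityIdentifier]$SidMap[$sid]
        # Clone the ACE for the target principal: same rights, inheritance flags and allow/deny type
        $newAce = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $target, $ace.FileSystemRights, $ace.InheritanceFlags, $ace.PropagationFlags, $ace.AccessControlType)
        "$Path : $($ace.AccessControlType) $($ace.FileSystemRights) for $sid -> $($target.Value)"
        $acl.AddAccessRule($newAce)
        if ($RemoveSourceAce) { [void]$acl.RemoveAccessRule($ace) }
        $changed = $true
    }
    if ($changed -and $Apply) { Set-Acl -LiteralPath $Path -AclObject $acl }
    return $changed
}

$folders = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Directory)
$count = 0
foreach ($f in $folders) { if (Update-FolderAcl $f.FullName) { $count++ } }
"$count folder(s) $(if ($Apply) { 'updated' } else { 'would be updated (re-run with -Apply)' })"
```

Files carrying their own explicit ACEs are not covered here; extend the enumeration with -File if your shares have them. Deny ACEs are cloned as deny, so the target principal loses exactly what the source principal lost.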

Servers

In addition to desktops and laptops, servers also need to be migrated. This includes not just resource servers, which were addressed above, but servers running Windows services that are Active Directory domain aware and specific. Services like Exchange, SQL, SharePoint, IIS, SMS, SCCM, and even NAS/SAN devices need to be updated to be migrated to the new domain. Migration Manager for Active Directory automates all of these processes to simplify your migration.

Cleanup

As part of the post-migration cleanup, the source domain SID (which became the SIDHistory on the target domain user account) needs to be deleted. Although this is not a highly complex task, it is necessary in order to ensure the security of the new domain. A tool like Migration Manager for Active Directory can automatically clean up this property for all migrated users, eliminating human errors that could introduce security risks.
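The SIDHistory cleanup described above, as an added example that is not code from this white paper or from Migration Manager: it lists every user in the target domain that still carries sIDHistory and, only with -Apply, clears the attribute. It assumes the ActiveDirectory module and an account allowed to modify sIDHistory; the target domain name and the optional OU are placeholders.

```powershell
# Added example (not from the white paper or Migration Manager): report, then with
# -Apply clear, sIDHistory on migrated users. Assumes the ActiveDirectory module.
param(
    [string]$TargetDomain = 'target.example',   # placeholder: target domain DNS name
    [string]$SearchBase = '',                   # optional placeholder: OU holding the migrated users
    [switch]$Apply
)
Import-Module ActiveDirectory

$query = @{ Server = $TargetDomain; Filter = 'sIDHistory -like "*"'; Properties = 'sIDHistory' }
if ($SearchBase) { $query.SearchBase = $SearchBase }
$users = @(Get-ADUser @query)

"$($users.Count) user(s) in $TargetDomain still carry sIDHistory"
foreach ($u in $users) {
    # One account can hold several historical SIDs after multi-hop migrations
    $old = @($u.sIDHistory | ForEach-Object { $_.Value })
    "$($u.SamAccountName): $($old -join ', ')"
    if ($Apply) {
        # After this, only the target-domain SID grants access, so run it only once the
        # resource ACLs have been re-permissioned to the new SIDs (see Resource Permissions).
        Set-ADUser -Server $TargetDomain -Identity $u -Remove @{ sIDHistory = $old }
    }
}
if (-not $Apply) { 'Report only; re-run with -Apply to clear the values.' }
```

Keep the report output: it is the last record of which source SIDs each account once held, which is useful when a user reports lost access after cleanup.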

Conclusion

Active Directory migrations can be challenging, complex, and time-consuming, but having the right tools can speed your migration and help ensure its success. Begin your migration with a careful inventory of your current environment. Collecting this information and developing appropriate reports manually can be difficult and is prone to error, so consider using a third-party tool such as Quest Reporter to automate the process and ensure you have an accurate picture of your source environment.

Once the migration begins, there are many moving parts that need to be managed in order to minimize interruption to business operations. All migrated accounts should constantly be updated and verified so that access is not restricted or denied during the migration; this means that all servers, resources, and permissions need to be fully tracked and migrated. Every file and folder must be examined, and the groups associated with the old ACL must be updated to represent the new groups that exist in the target domain. In addition, all of the servers that run Exchange, SharePoint, IIS, SMS, SCCM, etc. must also be migrated from the source domain to the target domain in order to ensure seamless access to resources. Migration is even more complex if you are migrating multiple domains into a single domain, migrating complex site topology structures, or migrating domains that can’t have trusts established.

Investing in tools like Quest Reporter and Quest Migration Manager for Active Directory can save you time and money and reduce migration risk by automating migration tasks and providing detailed migration reporting and centralized management.

About the Author

Derek Melber, MCSE and MVP, is president of BrainCore.Net AZ, Inc., an independent consultant and speaker, as well as author of many IT books. Derek educates and evangelizes Microsoft technology, focusing on Active Directory, Group Policy, security, and desktop management. As one of only eight MVPs in the world on Group Policy, Derek’s company is often called upon to develop end-to-end solutions regarding Group Policy for companies. Derek is the author of "The Windows Group Policy Resource Kit" by Microsoft Press, which is the authoritative book on the subject. Derek is also author of the "Group Policy Video Mentor" (Pearson), the perfect resource for learning Group Policy basics. You can hire Derek to perform Windows security audits and also train your team on the finer points of Windows security. You can reach Derek at derekm@braincore.net.

About Quest Software, Inc.

Quest Software (Nasdaq: QSFT) simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. For more information about Quest solutions for application management, database management, Windows management, virtualization management and IT management, go to www.quest.com.