An Active Directory migration is a major undertaking, regardless of an organization’s size and structure.
In the state of Missouri, we consolidated 14 agencies into a single forest, migrating approximately 38,000 accounts and 45,000 systems in 18 months. Based on that experience, here are four tips for a successful migration:
1. Think twice about a multidomain forest.
There are few benefits or technical reasons for configuring a multidomain forest. The potential problems far outweigh any benefits. The biggest issue, though not the only concern, is the complexity that is added to the Domain Name System in this type of forest structure.
2. Keep the trust.
The trust needed for migration from one forest to another must remain in place until the old forest is shut down, and the names of the old and new forests must be different for the trust to work.
It’s important to determine if users need access to resources in the old forest before migrating their accounts. If they do, the trust will need to be created to allow Security Identifiers (SIDS, a unique value of variable length used by Microsoft to identify a security principal or group) to transverse the trust.
Ensuring unique user IDs, computers or groups between forests will also save time and headaches.
3. Turn to time-savers.
Create a Group Policy Object to turn off Windows Firewall during migrations, because leaving it on can lead to troubleshooting difficulties. Create the GPO in the Organizational Unit where the systems reside in both forests. It can be removed once Active Directory migrations are complete.
Consider investing in a third-party remote-control tool other than Remote Desktop Protocol. RDP will sometimes fail during migrations because of the state of a machine, making it difficult to fix issues. One possibility is a freeware tool called PsExec.
4. Be aware of a few other issues.
If you migrate over slow backbone links, start the Active Directory Migration Tool pre-check several hours before the scheduled migration times for your systems. This will ensure the ADMT agent goes out in advance and doesn’t delay migration efforts. We also suggest:
- developing a migration schedule;
- writing scripts to run on the machines being migrated in advance of the scheduled migration to ensure each machine can be pinged;
- ensuring the ADMIN$ share is enabled and a common administrator user ID and password is present on each machine;
- cleaning up old user profiles and deleting temp and history files from the machines being migrated.
After all machines have migrated, depending on network structures and speeds, you may experience problems with group policies and Kerberos. If so, check to ensure firewall ports are open (if present) and that virtual private network tunnels aren’t blocking large Internet Control Message Protocol traffic.
Look at these Windows registry keys for Group Policy issues:
There are many items to review before migrating between Active Directory forests. Those listed here are only a few of the tips and tricks we picked up along the way to speed our efforts and resolve problems.