Active Directory Migration

We asked our Active Directory (AD) migration customers to share what they learned through their own migration experiences. Here are the top seven lessons learned that might help you as you plan your own AD migration.

LESSON 1. "Know your data prior to starting the migration."

Many AD infrastructures are 10–15 years old and have grown significantly over time. As a result, there's a good chance you don't know exactly what data you have, or what you do and don't want to migrate. By cleaning up and consolidating your source environment before you start your AD migration, you can make the project faster and less complex, and also reduce the security and compliance risks.

In fact, proper planning and preparation are worth every minute they take. Identify what resources you have, decide which ones to migrate and which to leave behind, and determine the ideal configuration settings for your particular migration. As tedious as this assessment task might seem, you'll be happy you did it. Waiting to uncover issues during your migration could add months to the project and cause problems for the business along the way; discovering and resolving them ahead of time will save you time and headaches down the road.

Fortunately, there are Active Directory migration tools that automate and streamline both the pre-migration and post-migration analysis tasks. They will help you understand the current state of your environment, identify and address potential conflicts prior to the migration, and better manage and secure the environment after the migration is complete. As a result, you can create a sound Active Directory migration project plan, ensure your project proceeds smoothly on schedule and verify that it was completed as planned.

LESSON 2. "Test, test, test…"

There's no room for error in an Active Directory migration. You can't afford to have people locked out of their accounts because it would hurt productivity and slow your organization down. Therefore, it's essential to test your AD migration thoroughly before you start any live migrations.

You can mirror your AD production environment to a test environment to test the impact of your manual and automated migration processes. If the test migration is a success, then you know the live ones will be successful also. If you encounter problems during testing, you can develop a process to work around them or recover from them should they occur during the real migration.

Testing can also provide insight into how long your AD migration might take, providing a reality check about whether it's a 6-month project or a 16-month project. Be sure to also test your contingency or recovery plan to ensure that it works and will provide the expected outcome.

An Active Directory migration tool with a flexible test mode can help you conduct effective, comprehensive testing with far less effort, increasing the security and reliability of your project while saving valuable IT time.

LESSON 3. "Legacy applications require significant time and planning to be moved across ADs."

Moving commercial applications such as Microsoft Exchange to a new forest is more complex than it might seem. In particular, to ensure that users don't lose access to the resources they need to be productive or gain access to resources they shouldn't use, you need to examine the permissions and other settings currently in place and ensure they are replicated to the target forest.

Migrating home-grown applications presents even more challenges. The first task is to identify all of the custom applications in your environment. Tools that monitor the authentication requests in Active Directory can help find those applications that are AD dependent. Once you have a comprehensive list, you need to develop a mitigation plan for each application. For example, if the application is hard-coded for your current domain, then a code change will be needed; if not, then it may be that you only need to update permissions for the application.
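One way to build that list without a dedicated product is to summarise the authentication events the domain controllers already log. The script below is an added example, not part of the original article or any vendor tool. It assumes auditing for Kerberos service tickets (event 4769) and NTLM credential validation (event 4776) is enabled, and the seven-day window and output file name are placeholders.

```powershell
# Added example: inventory which hosts and accounts authenticate to which
# services, as a starting list of AD-dependent applications.
# Run elevated on a domain controller and repeat per DC.
$since = (Get-Date).AddDays(-7)   # assumed observation window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4769, 4776
    StartTime = $since
} -ErrorAction SilentlyContinue    # no matching events is not an error here

$rows = foreach ($e in $events) {
    # Flatten the named EventData fields of the event into a hashtable.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) {
        $d[$n.Name] = $n.'#text'
    }

    if ($e.Id -eq 4769) {
        # Kerberos service ticket request: skip requests for krbtgt itself.
        if ($d.ServiceName -eq 'krbtgt') { continue }
        $protocol = 'Kerberos'
        $target   = $d.ServiceName
        $source   = $d.IpAddress -replace '^::ffff:', ''
    }
    else {
        # NTLM credential validation: only the calling workstation is logged.
        $protocol = 'NTLM'
        $target   = '(validated by DC)'
        $source   = $d.Workstation
    }

    [pscustomobject]@{
        Protocol = $protocol
        Target   = $target
        Source   = $source
        Account  = $d.TargetUserName
    }
}

# One line per protocol/target/source/account combination, busiest first.
$rows | Group-Object Protocol, Target, Source, Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Export-Csv -Path .\ad-auth-inventory.csv -NoTypeInformation
```

Service accounts and application servers that appear here but not in your application list are the ones to trace back to an owner before the cutover.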

Taking the time to plan your application migration carefully will pay off handsomely. Users will be able to be productive immediately in the new domain so they'll consider the project a success, and preserving proper access rights will maintain security.

LESSON 4. "Always be ready for the unexpected."

An Active Directory migration is complicated. Even for those who have done it before, it doesn't take much for things to go wrong. For example, you might have overlooked critical resources that need to be migrated, moved a group of users before they are ready, or missed an important dependency during your planning and testing.

Therefore, you want to be sure you are armed with the right AD migration tools to recover and get back on track in case something goes wrong. Look for an AD migration tool with a robust project management interface, numerous reporting options, granular undo functionality, full rollback, and automatic permissions updating, so you can respond quickly and effectively to the unexpected.

LESSON 5. "It is key to keep users productive all the time."

Migrations take time — often weeks or months. Therefore, every user migration comes with the risk of disrupting the productivity of the people whose accounts are being migrated. If users can't access the resources they need to do their jobs, schedule or reschedule meetings, or view an accurate directory, the resulting disruption can hurt your business and result in an onslaught of calls to the help desk.

Ideally, you want employees to not even be aware there was a migration until they receive an email from the IT team letting them know it happened. To achieve this goal, you need to ensure proper coexistence of the source and target environment throughout the migration process. Coexistence ensures users maintain seamless access to servers, printers and other network resources — the things that keep people productive but everyone takes for granted — regardless of the user's migration status.

Software solutions can keep the source and target directories in sync throughout the migration project by maintaining things like security identifier (SID) history for user accounts and updating access control lists (ACLs) on file resources. As a result, users will be able to access the resources they need throughout the project, and may not even know they are being migrated.
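Because SID history grants access by carrying source-domain SIDs on the migrated account, it is worth tracking which objects still hold it so ACLs can be re-permissioned and the history removed once coexistence ends. The following is an added example, not from the original article. It assumes the RSAT ActiveDirectory module and read access to the target domain, and the output file name is a placeholder.

```powershell
# Added example: report every object in the target domain that still carries
# SID history, and flag historic SIDs that map to built-in or default
# privileged principals in the source domain.
Import-Module ActiveDirectory

$migrated = Get-ADObject -LDAPFilter '(sIDHistory=*)' `
    -Properties sIDHistory, whenChanged

$report = foreach ($o in $migrated) {
    foreach ($sid in $o.sIDHistory) {
        $value = "$sid"                          # e.g. S-1-5-21-...-1105
        $rid   = [long]($value -split '-')[-1]   # last sub-authority

        [pscustomobject]@{
            Name         = $o.Name
            Class        = $o.ObjectClass
            HistoricSid  = $value
            # Domain part of the SID identifies the source domain.
            SourceDomain = ($value -split '-')[0..6] -join '-'
            # RIDs below 1000 are reserved for default accounts and groups
            # (for example 512, Domain Admins), so they deserve review.
            ReviewFirst  = ($rid -lt 1000)
            LastChanged  = $o.whenChanged
        }
    }
}

# Per-source-domain totals show how much access still depends on SID history.
$report | Group-Object SourceDomain |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Full detail for re-permissioning and cleanup planning, review items first.
$report | Sort-Object ReviewFirst -Descending |
    Export-Csv -Path .\sid-history-report.csv -NoTypeInformation
```

Rerunning this after each migration wave shows whether the count is shrinking as file and application ACLs are updated to the new SIDs.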

LESSON 6. "Security."

Managing security across multiple separate AD forest environments is an IT nightmare. In fact, a primary goal of an AD consolidation project is often to bring all users into one centralized domain so IT can establish and maintain one set of security policies for the entire organization. That enables stronger protection of sensitive data, and also addresses important systems management and compliance challenges.

In addition to ensuring security after the migration, you need to worry about security during the migration. As noted earlier, careful testing will help you verify the accuracy and security of your migration processes. It's also wise to consider a tool that can audit your Active Directory environment, spot any configuration changes made during the migration, and report all the critical who, what, where and when details you need to quickly investigate each event and remediate any improper changes.

LESSON 7. "It is worth it to pay for dedicated tools!"

A migration is a complex process that typically takes weeks or months. Moreover, migrations are relatively rare in the course of an IT pro's career, so your team likely has little experience with them. But the stakes are very high, since AD migrations affect critical business resources and can dramatically impact user productivity.

Therefore, it's wise to carefully consider which tools you'll use for your AD migration or consolidation project. While native tools are free, they have limited functionality and simply can't scale to the size and complexity of most AD migrations. Moreover, they don't come with access to experts who have performed thousands of migrations, so you and your inexperienced team could very well find yourselves on your own in the middle of a complex migration — putting security, compliance and productivity across the organization at risk. Just see what some of your peers have had to say about their experience using native tools for AD migration.

Look for a tool specifically designed for migrations, backed by a support team with a strong track record of success. Be sure it delivers the functionality you need through all stages of the migration project: comprehensive source environment inventory and cleanup, migration planning, thorough testing, seamless coexistence, flexible project management, easy rollback, automated permissions updates, and secure execution.

Remember, in migration as in other areas, the right tool often pays for itself in the end.