In a Windows environment, it can safely be said that virtually everything relies on your Active Directory (AD). Every server is a member of AD. Every user's identity and credentials are stored in AD. Nearly every group you create makes its home in your AD database. It is this near-universal reliance on AD that makes it so critical to your Windows environment, and it is this near-universal presence that makes merging and restructuring it such a pain in the neck.
The problem with AD's native resistance to major change is that businesses are dynamic. They grow, add divisions, merge with other businesses, and reorganize themselves time and again to keep up with customer demand. As a result, many organizations find themselves merging and/or restructuring their AD infrastructures to follow the business. Microsoft provides a toolset that can handle some of these needs called the Active
The ADMT arrives as a set of scripts and installed code that manages the migration of objects from one domain or forest to another. Microsoft's ADMT toolkit can migrate user accounts, groups, and computers from a source to a trusted target domain. More complex objects such as Exchange attributes and mailboxes, clusters, application settings, and Group Policies cannot be migrated using this tool and must be copied over manually during the migration project.
To begin using the ADMT, download the tool and install it on a computer, which becomes the host point for the migration. It is from this computer that all migration activities using the tool take place. Either a two-way trust between both domains or a one-way trust from source to target domain must be created to provide the necessary authentication between the two domains.
Depending on the size of your domain, using the ADMT can take an extended period of time. Microsoft recommends that no more than 100 accounts are migrated at one time to keep the migration process manageable with this tool. To ensure that accounts can access resources in both domains (both those that have been migrated and those that have not yet been), Microsoft's tool maintains historical security identifier (SID history) information about each account throughout the course of the migration process.
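Because SID history is what keeps access working across both domains during the move, it is also the attribute worth auditing once the move is done. The following PowerShell is an added example (not part of the original text or of the ADMT toolkit) that lists every object in the target domain still carrying SID history and checks that each entry traces back to the expected source domain; the domain names are placeholders you replace with your own.

```powershell
# Added example: post-migration audit of sIDHistory in the target domain.
# Assumes the RSAT ActiveDirectory module and read access to both domains.
Import-Module ActiveDirectory

$SourceDomain = 'source.example.com'   # placeholder: domain migrated FROM
$TargetDomain = 'target.example.com'   # placeholder: domain migrated INTO

# Domain SID of the legitimate source domain. Every sIDHistory entry written
# by the migration should carry this domain prefix and nothing else.
$expectedDomainSid = (Get-ADDomain -Identity $SourceDomain).DomainSID.Value

# RIDs of built-in privileged principals (Administrator, Domain Admins,
# Schema Admins, Enterprise Admins). Such SIDs in history deserve review.
$privilegedRids = @(500, 512, 518, 519)

function Get-SidHistoryAudit {
    Get-ADObject -Server $TargetDomain -LDAPFilter '(sIDHistory=*)' `
                 -Properties sIDHistory, objectClass |
    ForEach-Object {
        $obj = $_
        foreach ($entry in $obj.sIDHistory) {
            $sid = [System.Security.Principal.SecurityIdentifier]$entry
            # AccountDomainSid is $null for well-known (non-domain) SIDs
            $domainPart = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { '' }
            $rid = [int]($sid.Value -split '-')[-1]
            [pscustomobject]@{
                Name               = $obj.Name
                ObjectClass        = $obj.ObjectClass
                HistorySid         = $sid.Value
                FromExpectedSource = ($domainPart -eq $expectedDomainSid)
                PrivilegedRid      = ($privilegedRids -contains $rid)
            }
        }
    }
}

$audit = Get-SidHistoryAudit
$audit | Format-Table -AutoSize

# Entries that should not exist after a clean ADMT migration
$audit | Where-Object { -not $_.FromExpectedSource -or $_.PrivilegedRid } |
    Format-Table Name, HistorySid, FromExpectedSource, PrivilegedRid -AutoSize
```

Once all resources have been re-ACLed in the target domain, the remaining SID history entries can be removed so that access no longer depends on identifiers from the old domain.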
Any domain merge or restructuring process will generally follow this list of steps:
admt key /option:create /sourcedomain:<SourceDomain> /keyfile:<KeyFilePath> /keypassword:{<password>|*}
As you can see, Microsoft's ADMT solution provides a rudimentary mechanism for transferring many types of objects out of one domain and into another for a merge or restructuring activity. It can successfully transfer user and computer accounts as well as their privilege information between those domains.
Yet there are a number of problems inherent to the structure of the ADMT solution. It is designed to be a one‐time solution for a one‐time problem, enabling the migration of a source domain to a target domain. Merging or restructuring multiple domains requires multiple migration workspaces. If your organization is constantly restructuring itself due to acquisitions and mergers, there is no process for quickly completing the necessary activities. Each migration is a major project in and of itself, with little or no reuse of the effort from the previous project.
Making projects like these even more challenging is their potential for impact on your users. Each migration also brings the virtual assurance that users will experience downtime associated with the move. During the migration, users can lose access to unmigrated resources, or even the use of their accounts entirely.
It is for these reasons and others that organizations considering complex migrations should look to outside tools for an added assurance of success. These tools exist to improve the process of completing large‐scale actions such as domain merges and restructures, in many of the following ways:
Most importantly, organizations must remain up and operational even while large-scale activities such as these are occurring in the background. As such, smart organizations demand tools that are seamless to the user and ensure a zero-impact result for their users and their business.