Active Directory Migration Without a Trust

Although migrating Active Directory with a trust is ideal, there are times where this is not possible.  Trusts make it possible to resolve objects’ security identifiers (SIDs), which in turn helps to distinguish objects and check that everything is going right. Trusts also help provide co-existence of two environments, including uninterrupted access to the resources for both switched users and users not yet switched.

If trusts are not established between Domains the following restrictions apply:

  1. A single Administrative Account cannot be used for migration.
  2. A Net Use connection will need to be established between the Console Computer where Migration Manager is installed and all of the Exchange Servers where the Synchronization Agents are installed, unless these servers are in the same Domain as the Console.
  3. If Migration Manager is installed on a machine located in the Target Domain, then the net use command should be performed for each Source Exchange Server; if Project Manager is installed in the Source Domain, then net use command should be performed for each Target Exchange Server.
  4. You will have to switch Users and Resources at the same time or perform QMM RUM resource Updating so that target SIDs are reflected in the resources. No SIDHistory is possible in such scenario. This means that when a user starts using its Target Account (for example, a user's workstation is moved to the Target Domain), all resources must be updated, so that the Target User has the same access to the resources as the corresponding Source User.
  5. The computer on which Migration Manager is installed must be a member of the Domain in which Target Exchange Cluster Servers reside. If you have Cluster Servers in both the Source and Target Domains, trusts need to be established between the Domains.
  6. If you migrate Exchange first and set the Source User's Account to be the Associated External Account for the corresponding Exchange 2003 Mailbox, users will not be able to log on to the Target Mailboxes with the Source Accounts.  Users will have to specify the Target Security Account when they are switched to the Target Exchange Server as there are no trusts, so their Source Accounts will not have permissions for the Target Mailboxes.

For a successful migration, the computer on which Migration Manager is installed must belong to the target domain.

You can check out this documentation for what steps are required for configuring Migration Manager for AD to a trustless migration

About the Author
Hi, I'm Chris Holley and I am the Social Media and Communities Advisor for Migration Manager for Active Directory & Exchange.