What is Active Directory? Part 4: Active Directory Migration

So far in this “What is Active Directory?” series, we have explored what Active Directory is, the essential tasks in effective Active Directory management, and the key things to know about Active Directory security. You might be thinking, aren’t we done?

No such luck! As your business needs change, your Active Directory environment needs to keep up. Moreover, Microsoft regularly updates Active Directory with new features and enhancements that you will likely want to take advantage of. Therefore, we need to explore the ins and outs of Active Directory migration, consolidation and restructuring.

What is an Active Directory migration?

Often, an IT migration is essentially an upgrade — a move to a newer version of a product. For example, you might have upgraded your home PC from Windows 7 or 8 to Windows 10, or upgraded to a new release of your favorite applications to get the latest and greatest features.

Active Directory migrations are different, and more complex, for several reasons. First, Active Directory is not a standalone product. Rather, as we learned in the first blog post, its core service, AD DS, is included in the Windows Server operating system. Therefore, you don’t upgrade AD directly; rather, by upgrading your Windows servers, you’re migrating Active Directory.

Second, “Active Directory” refers not just to the code that Microsoft delivers as part of Windows Server, but also to the complex ecosystem that organizations have built using it. Often, they have created thousands or even hundreds of thousands of AD objects, each with a complex set of attributes. They have lovingly crafted and honed their Group Policy. They have established their forests, trees and domains, and set up AD security groups and OUs. As a result, an Active Directory migration is a complex undertaking with many moving parts.

So, why undertake an Active Directory migration at all? For some of the same reasons you upgrade your own operating system: to get new features and functionality, and because Microsoft eventually stops supporting older versions of its products, leaving organizations that use them at increased risk of downtime and security issues.

What are consolidation and restructuring?

As you recall from the post on Active Directory management, when you set up your Active Directory, you make some important decisions about its structure. Some of them, like what security groups and OUs to have, are fairly easy to change over time as your business requirements evolve, but others — such as what domains you have and what your directory schema looks like — are less easy to modify on the fly because they affect the very foundation of your directory. Instead, you need to plan those changes carefully and implement them as part of a consolidation or restructuring project.

Major changes to the business, such as a merger, acquisition or divestiture, are common drivers for an Active Directory consolidation or restructuring. Similarly, organic growth of the organization can require an Active Directory restructure or redesign. And sometimes, organizations simply find that their original AD design hasn’t worked out well, or that the environment has become disorganized and hard to manage over time.

How do migrations, consolidations and restructuring fit together?

While it’s possible to do any one of these projects without the others, the reality is that they’re all about taking your Active Directory from point A to point B. That’s a big job, so it makes sense to get the point B that you truly want by combining the Active Directory migration, consolidation and restructuring efforts into a single project. In other words, if you’re looking to get the new features and support offered by the AD on the latest version of Windows Server, it’s smart to seize the opportunity to also clean up, consolidate and restructure your AD while you’re at it. Similarly, if you’re putting in the effort to consolidate or restructure, you might as well migrate and get all the benefits that entails as well.

What’s involved in an Active Directory migration project?

Completing your Active Directory migration correctly and on schedule is essential for user productivity, business continuity and security, but migrations are notoriously complex and risky projects. The first step is careful planning: You need to know exactly what point A (your current environment) and point B (your desired environment) look like. Then you need to clean up your current AD as much as possible by right-sizing permissions, purging inactive accounts and so forth. You also need to tease out constraints about scheduling and priorities, and get buy-in from all stakeholders. And you should make sure you have a current backup, rollback capabilities and a recovery plan in case you run into serious problems.

Only then should you even think about running any actual migration jobs. If possible, start with a test environment that mirrors your production environment as closely as possible, and then move on to pilot tests in the production environment. Since migrations take time, be sure you have a coexistence strategy that enables users to remain productive no matter which accounts and resources have been migrated and which have not.
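The cleanup step described above (right-sizing permissions and purging inactive accounts before any migration job runs) can start from a read-only inventory of the source domain. The script below is an added example, not part of the original post or of any Quest product; it uses the Microsoft ActiveDirectory PowerShell module, and the 90-day threshold and output folder name are assumptions.

```powershell
# Added example: read-only pre-migration inventory of the source domain.
# Assumptions: RSAT ActiveDirectory module is installed; 90 days counts as
# "inactive"; reports go to .\premigration-report (hypothetical folder name).
Import-Module ActiveDirectory

$inactiveFor = New-TimeSpan -Days 90
$outDir      = Join-Path $PWD 'premigration-report'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Enabled users with no logon inside the threshold. Search-ADAccount relies on
# lastLogonTimestamp, which replicates with a delay of several days, so treat
# results near the threshold as candidates to review, not to delete.
$staleUsers = Search-ADAccount -AccountInactive -TimeSpan $inactiveFor -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, adminCount }

# Enabled computer accounts that have gone quiet (likely decommissioned hosts).
$staleComputers = Search-ADAccount -AccountInactive -TimeSpan $inactiveFor -ComputersOnly |
    Where-Object { $_.Enabled }

# Inactive accounts that are, or once were, in a protected group (adminCount = 1).
# Right-size these first instead of carrying dormant privilege into the target.
$stalePrivileged = $staleUsers | Where-Object { $_.adminCount -eq 1 }

# Objects already carrying sIDHistory from an earlier migration.
$withSidHistory = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory

# Groups with no member attribute. Groups used only as a primary group
# (for example Domain Users) also match, so review before removing.
$emptyGroups = Get-ADGroup -LDAPFilter '(!(member=*))'

$staleUsers | Select-Object SamAccountName, LastLogonDate, adminCount, DistinguishedName |
    Export-Csv -Path (Join-Path $outDir 'stale-users.csv') -NoTypeInformation
$staleComputers | Select-Object Name, LastLogonDate, DistinguishedName |
    Export-Csv -Path (Join-Path $outDir 'stale-computers.csv') -NoTypeInformation
$withSidHistory | Select-Object Name, ObjectClass, DistinguishedName |
    Export-Csv -Path (Join-Path $outDir 'sidhistory-objects.csv') -NoTypeInformation
$emptyGroups | Select-Object Name, GroupScope, DistinguishedName |
    Export-Csv -Path (Join-Path $outDir 'empty-groups.csv') -NoTypeInformation

# Summary for the migration plan: how much cleanup stands between point A and point B.
[pscustomobject]@{
    StaleUsers        = @($staleUsers).Count
    StalePrivileged   = @($stalePrivileged).Count
    StaleComputers    = @($staleComputers).Count
    SidHistoryObjects = @($withSidHistory).Count
    EmptyGroups       = @($emptyGroups).Count
}
```

The script changes nothing in the directory; disabling or deleting the accounts it lists is a separate, reviewed step that should happen only after the backup and rollback plan are in place.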

Where can I get the right tools to help?

Choosing the right Active Directory migration tools and an experienced partner can dramatically simplify the work and minimize the risk involved in Active Directory migration. With Migration Manager for Active Directory and Secure Copy, you can develop a comprehensive plan and execute a successful Active Directory migration, consolidation and restructuring project on time and on budget, while ensuring that users maintain secure access to workstations, resources and email throughout the entire project.

Migration Manager for Active Directory handles the heavy lifting of the Active Directory migration. You can develop a comprehensive plan and prepare by staging users, scheduling workstation moves, updating permissions, and mirroring your production environment to a test lab to work out any bugs in your processes. You can move all types of objects including users, groups, computers, volumes, printers, OUs, and permissions, and maintain seamless user access to all network resources throughout the project. You also get a robust project management interface, advanced delegation capabilities, numerous reporting options, granular undo functionality, full rollback and more.

While Migration Manager can change the domain membership of your file servers to the new AD domain in the new forest, it does not actually move the data on those servers. That’s where Secure Copy comes in: It enables you to easily copy files and folders, NTFS security, file shares, local users and groups, and compression settings, while keeping all security intact.

Moving on

That’s it for migration! Just one more post in this “What is Active Directory?” series:

Active Directory reporting underlies all the tasks we’ve discussed so far — management, security and migration — so you won’t want to miss this final post in the series!

About the Author

Jennifer LuPiba

Jennifer LuPiba is the Chair of the Quest Software Customer Advisory Board, engaging with and capturing the voice of the customer in such areas as cybersecurity, disaster recovery, management and the impact of mergers and acquisitions on Microsoft 365, Azure Active Directory and on-premises Active Directory. She also writes thought leadership articles and blogs aimed at the c-suite to evangelize the importance of these areas to their overall business. She chairs The Experts Conference, a yearly event focused on pure Active Directory and Office 365 training at the 300 and 400 level for the boots-on-the-ground Microsoft admins and managers.
