Tactical Advice

Managing Active Directory Migration

Try these tips for clear-cutting forests to support e-mail consolidation.
This story appears in the December 2009 issue of BizTech Magazine.

Undertaking an Active Directory migration is a big task, regardless of an organization’s size and structure. Here are four suggestions for a successful migration:

Carefully Consider a Multidomain Forest

There are few benefits or technical reasons for configuring a multidomain forest. In fact, the potential problems far outweigh any benefits. The biggest issue, though not the only concern, is the complexity that this type of forest structure adds to the Domain Name System (DNS).

Keep the Trust

The trust needed for migration from one forest to another must remain in place until the old forest is shut down, and the names of the old and new forests must be different for the trust to work.

It’s important to determine if users need access to resources in the old forest before migrating their accounts. If they do, the trust will need to be created to allow Security Identifiers (SIDs, unique values of variable length used by Microsoft to identify a security principal or group) to traverse the trust. Ensuring that no user IDs, computers or groups are duplicated between the forests will also save time and headaches.

Turn to Time-Savers

Create a Group Policy Object to turn off Windows Firewall during migrations, because leaving it on can lead to troubleshooting difficulties. Create the GPO in the Organizational Unit where the workstations reside in both forests. It can be removed once migrations are complete.
Consider investing in a third-party remote-control tool outside of Remote Desktop Protocol. RDP will sometimes fail during migrations because of the state of the machine, making it difficult to fix issues. We also utilized a freeware tool called PsExec, which proved invaluable to our success.

Be Aware of These Issues

If you migrate over slow wide-area network links, start the Active Directory Migration Tool pre-check several hours before the scheduled migration times for workstations. This will allow the ADMT agent to be pushed in advance and not delay migration efforts. 

  • Develop a migration schedule;
  • Write scripts to run on the machines being migrated in advance of the scheduled migration to ensure the machine can be pinged;
  • Ensure the ADMIN$ share is enabled and a common administrator user ID and password is present on each machine; and
  • Clean up old user profiles and delete temp and history files from the machines being migrated.
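
One way to script the ping and ADMIN$ checks from the list above is shown here as an added example, not code from the original article. The host names, the report path and the function name are hypothetical, and the script assumes it runs under the common administrator account.

```powershell
# Added example: pre-migration readiness check, run from the admin workstation
# while logged on as the common administrator account the article calls for.
param(
    # Constructed sample host names; replace with the scheduled batch.
    [string[]]$Computers = @('WS-EXAMPLE-01', 'WS-EXAMPLE-02'),
    # Hypothetical report location.
    [string]$ReportPath  = '.\admt-readiness.csv'
)

function Test-MigrationReadiness {
    param([Parameter(Mandatory)][string]$ComputerName)

    $row = [ordered]@{
        ComputerName = $ComputerName
        Pingable     = $false
        AdminShare   = $false
        Note         = ''
    }

    # Check 1: the machine answers ping.
    $row.Pingable = [bool](Test-Connection -ComputerName $ComputerName -Count 2 -Quiet)

    if (-not $row.Pingable) {
        $row.Note = 'No ping reply'
    }
    else {
        # Check 2: ADMIN$ is shared and the current account can open it.
        try {
            $share = '\\{0}\ADMIN$' -f $ComputerName
            $row.AdminShare = Test-Path -Path $share -ErrorAction Stop
            if (-not $row.AdminShare) { $row.Note = 'ADMIN$ missing or not reachable' }
        }
        catch {
            $row.Note = 'ADMIN$ error: {0}' -f $_.Exception.Message
        }
    }

    $row.Ready = $row.Pingable -and $row.AdminShare
    [pscustomobject]$row
}

$report = foreach ($name in $Computers) { Test-MigrationReadiness -ComputerName $name }
$report | Export-Csv -Path $ReportPath -NoTypeInformation
# Show only the machines that need attention before the migration window.
$report | Where-Object { -not $_.Ready } | Format-Table -AutoSize
```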

After the machines have migrated, depending on network structures and speeds, you may experience problems with Group Policy and Kerberos. If so, check to ensure firewall ports are open (if present) and that virtual private network tunnels aren’t blocking large Internet Control Message Protocol (ICMP) traffic. Look at these Windows registry keys for Group Policy issues:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"GroupPolicyMinTransferRate"=dword:00000000

and

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"GroupPolicyMinTransferRate"=dword:00000000
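
The two registry values above, together with the Windows Firewall state once the temporary GPO from "Turn to Time-Savers" has been removed, can be checked on a migrated workstation as follows. This is an added example, not code from the original article; the function names are hypothetical and Get-NetFirewallProfile assumes Windows 8 / Server 2012 or later.

```powershell
# Added example: post-migration check, run locally on a migrated workstation.
# Assumes Windows 8 / Server 2012 or later for Get-NetFirewallProfile.
$policySubKey = 'Software\Policies\Microsoft\Windows\System'
$valueName    = 'GroupPolicyMinTransferRate'

function Get-MinTransferRate {
    param([Parameter(Mandatory)][ValidateSet('HKLM', 'HKCU')][string]$Hive)

    $path = '{0}:\{1}' -f $Hive, $policySubKey
    $item = Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check = "$Hive $valueName"
        Value = if ($null -eq $item) { 'not set' } else { $item.$valueName }
        # 0 is the value shown in the article; it turns off slow-link detection.
        OK    = ($null -ne $item) -and ($item.$valueName -eq 0)
    }
}

function Get-FirewallState {
    # Effective (local plus GPO) firewall state for each profile.
    Get-NetFirewallProfile -PolicyStore ActiveStore | ForEach-Object {
        [pscustomobject]@{
            Check = "Firewall profile $($_.Name)"
            Value = [string]$_.Enabled
            # Expected to be True again once the temporary migration GPO is removed.
            OK    = [string]$_.Enabled -eq 'True'
        }
    }
}

@(
    Get-MinTransferRate -Hive HKLM
    Get-MinTransferRate -Hive HKCU
    Get-FirewallState
) | Format-Table -AutoSize
```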

There are many issues to consider before migrating between Active Directory forests. Those listed above are only a few of the tips and tricks we picked up along the way to speed efforts or solve problems we encountered. Our migration won my group national recognition and is the foundation of future projects for years to come.

Dee Lueckenotte is project manager on the state of Missouri’s Active Directory and Exchange team.