Jul 07 2009

Active Directory Migration

Try these tricks for clear-cutting forests to support e-mail consolidation.

Undertaking an Active Directory migration is a big task, regardless of an organization’s size and structure. In the state of Missouri, we consolidated 14 agencies into a single forest, migrating approximately 38,000 accounts and 45,000 workstations in 18 months. Based on our experience, here are four tips for a successful migration.

1. Think Twice About a Multidomain Forest

There are few benefits or technical reasons for configuring a multidomain forest. In fact, the potential problems far outweigh any benefits. The biggest issue, though not the only concern, is the complexity that this forest structure adds to the Domain Name System (DNS).

2. Keep the Trust

The trust needed for migration from one forest to another must remain in place until the old forest is shut down, and the names of the old and new forests must be different for the trust to work.

It’s important to determine whether users need access to resources in the old forest before migrating their accounts. If they do, the trust will need to be created so that Security Identifiers (SIDs, a unique value of variable length used by Microsoft to identify a security principal or group) can traverse the trust.

Ensuring that user IDs, computer names and group names are unique across the two forests will also save time and headaches.

3. Turn to Time-Savers

Create a Group Policy Object to turn off Windows Firewall during migrations, because leaving it on can lead to troubleshooting difficulties. Create the GPO in the Organizational Unit where the workstations reside in both forests. It can be removed once Active Directory migrations are complete.

Consider investing in a third-party remote-control tool other than Remote Desktop Protocol. RDP will sometimes fail during migrations because of the state of the machine, making it difficult to fix issues. We also utilized a freeware tool called PsExec, which proved invaluable to our success.

4. Be Aware of These Issues

If you migrate over slow wide-area network links, start the Active Directory Migration Tool (ADMT) pre-check several hours before the scheduled migration times for workstations. This will allow the ADMT agent to be pushed in advance and not delay migration efforts. We also suggest:

  • Developing a migration schedule;
  • Writing scripts to run on the machines being migrated in advance of the scheduled migration to ensure the machine can be pinged;
  • Ensuring the ADMIN$ share is enabled and a common administrator user ID and password are present on each machine; and
  • Cleaning up old user profiles and deleting temp and history files from the machines being migrated.
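The pre-migration checks above can be scripted and run against the whole schedule the night before. The following PowerShell script is an added example, not from the original article or the ADMT tooling; it assumes the account running it already holds local administrator rights on each target, that the hostnames are listed one per line in workstations.txt, and that `migadmin` is the common local administrator ID (a hypothetical name; substitute your own).

```powershell
# Added example (not from the original article): pre-migration readiness
# check for the workstations on a migration schedule. Assumes the account
# running it already holds local administrator rights on every target, and
# that $AdminAccount is the common local administrator ID the article
# recommends (hypothetical name chosen here; substitute your own).
param(
    [string]$InputFile    = ".\workstations.txt",      # one hostname per line
    [string]$ReportFile   = ".\precheck-report.csv",
    [string]$AdminAccount = "migadmin"                 # hypothetical name
)

function Test-MigrationReadiness {
    param([string]$ComputerName)

    $r = [ordered]@{
        Computer     = $ComputerName
        Pingable     = $false
        AdminShare   = $false
        AdminAccount = $false
        Checked      = (Get-Date).ToString("s")
    }

    # 1. Reachability: two echo requests; -Quiet yields $true/$false.
    $r.Pingable = Test-Connection -ComputerName $ComputerName -Count 2 -Quiet
    if (-not $r.Pingable) { return [pscustomobject]$r }

    # 2. ADMIN$ share: ADMT and PsExec both push their agent through it.
    $r.AdminShare = Test-Path -Path "\\$ComputerName\ADMIN$"

    # 3. Common local administrator account present (existence only;
    #    the password is exercised by the agent push itself, never here).
    $acct = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
        -Filter "LocalAccount=True AND Name='$AdminAccount'" -ErrorAction SilentlyContinue
    $r.AdminAccount = [bool]$acct

    return [pscustomobject]$r
}

$results = Get-Content $InputFile |
    Where-Object { $_.Trim() -ne "" } |
    ForEach-Object { Test-MigrationReadiness -ComputerName $_.Trim() }

# Full report for the migration schedule, then the machines that need
# remediation before their slot.
$results | Export-Csv -Path $ReportFile -NoTypeInformation
$results |
    Where-Object { -not ($_.Pingable -and $_.AdminShare -and $_.AdminAccount) } |
    Format-Table -AutoSize
```

A workstation that fails any of the three checks is the one most likely to stall the ADMT agent push, so fixing it before the scheduled slot is cheaper than troubleshooting it during the migration window.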

After the machines have migrated, depending on network structures and speeds, you may experience problems with group policies and Kerberos. If so, check to ensure firewall ports are open (if present) and that virtual private network tunnels aren’t blocking large Internet Control Message Protocol traffic. Look at these Windows registry keys for Group Policy issues:

There are many issues to consider before migrating between Active Directory forests. Those listed above are only a few of the tips and tricks we picked up along the way to speed efforts or solve problems we encountered. Our migration won Missouri national recognition and has provided a foundation for future projects for years to come.