
Wednesday, February 22, 2012

Comparative Review: AD Migration Tools


NetIQ Domain Migration Administrator vs. Quest Migration Manager for Active Directory

For anything but the smallest of networks, migrating to a new Active Directory (AD) domain can be a complex affair. You need to move users and network resources and modify desktop profiles to work with the new domain while simultaneously ensuring that users have seamless access to resources in both the old and new domains. Although it's possible to use Microsoft's free Active Directory Migration Tool (ADMT) to carry out complex migration projects, you'll find that for all but the simplest scenarios, it lacks some important features, such as the ability to migrate Security Descriptors (SDs) on organizational units (OUs), and has limited rollback capabilities. When undertaking an AD migration, it's all about planning and trying to minimize risk.

Once you get to the point where there are so many objects to migrate that it's not possible to move everything in one operation, having source and target domains co-exist for a period of time allows for a phased migration. Migrating users based on how they work with each other and migrating resources based on how they're used often makes more sense than planning a migration around the physical location of objects. For these complex migration projects, you might consider using an AD migration tool, such as NetIQ Domain Migration Administrator or Quest Migration Manager for Active Directory. I recently evaluated these two products on the basis of how easy they are to install and use, their features, and their documentation.

NetIQ Domain Migration Administrator

NetIQ Domain Migration Administrator is easy to install, although a SQL Server 2008 Enterprise, Standard, or Express database must be installed separately. You can install Domain Migration Administrator on any Windows server or client OS starting with Windows 2000 (Win2K) SP1. Agents can be deployed to any version of Windows starting with Win2K.

Figure 1 shows Domain Migration Administrator's GUI. Like ADMT, Domain Migration Administrator requires that you meet various prerequisites before an AD migration, such as creating secondary DNS zones so that source and target domains can be discovered, creating a trust between the two domains, and establishing the necessary cross-domain administrator permissions. Domain Migration Administrator doesn't walk you through these steps, but all the necessary information can be found in the documentation. Failure to meet the prerequisites results in basic operations failing, with cryptic, unhelpful error messages. Assuming the basic requirements have been met, Domain Migration Administrator offers to complete some other necessities on your behalf, such as creating AD$$$ groups and configuring auditing in each domain.

Figure 1: Domain Migration Administrator GUI

AD objects can be renamed in the target domain if required, and you can specify how Domain Migration Administrator should deal with naming conflicts. Objects in the source domain can also be set to auto-expire. After the user accounts are migrated, Domain Migration Administrator can either create new passwords or copy users' existing passwords to a password server in the target domain.

Domain Migration Administrator includes database modeling, which lets you perform a trial migration to see what the potential results will be in the target domain. You'll be able to see what problems there might be and eliminate them from the actual migration. You can also use the database to clean up object information before importing it into the target domain, as Domain Migration Administrator pulls data from the source domain and uses the database as a temporary repository. Agents are dispatched to workstations to deal with migrating desktop profiles to work with the source domain.

 

NetIQ Domain Migration Administrator
PROS: Easy to set up; includes database modeling
CONS: Support for migrating application servers must be purchased separately; one-way directory synchronization
RATING: 4 out of 5
PRICE: $1,000 per 100-user license pack
RECOMMENDATION: A good choice for projects in which the requirements are clear and AD data needs to be cleaned up before migrating to a new domain.
CONTACT: NetIQ • 888-323-6768 or 713-548-1700 • www.webactivedirectory.com

 

Quest Migration Manager for Active Directory

Quest Migration Manager for Active Directory has a slightly different architecture than Domain Migration Administrator. Migration Manager uses Active Directory Application Mode (ADAM) to store migration information, which enables directory synchronization between the source and target domains. The Migration Manager installer package automatically installs ADAM if you choose the express install. The express install will also install SQL Server 2005 Express, which is needed if you intend to migrate Microsoft Exchange objects. However, there is one caveat: Even if you don't intend to migrate Microsoft Exchange objects, the installation will fail if the Microsoft Exchange Server Messaging API (MAPI) client and Collaboration Data Objects (CDO) 1.2.1 aren't present. Migration Manager requires that source and target domains be Win2K SP2 or higher. Agents can be deployed to Windows Server or client OSs starting with Win2K.


  © 2012 Penton Media, Inc.