Migrate Users and Computers From One Forest to Another In 3 Separate Ways
Active Directory is a core service that organizations all over the world rely on daily, so a situation where we have to migrate users and computers from one forest to another cannot be taken lightly, especially given the roles and responsibilities tied to AD. It not only houses the majority of the objects on the network but is also a key player in security management. To make sure this complicated architecture is replicated faithfully at the destination, users need a guided tutorial. To fulfill that need we prepared this writeup, which contains three separate methods along with the Active Directory migration considerations. Before we discuss the methods, however, it is worth analyzing why AD migration is so difficult. Most of the difficulty comes from the structure; let’s find out how.
Why Does the AD Structure Become a Hurdle in Migration?
- AD is not a single service but a web of interdependent objects, each with its own specific role.
- Of all the data points, users and computers stand apart, because they are the ones used daily by many people. One problem that is highly likely to occur is therefore the sheer number of components that have to be migrated.
- AD structures can quickly swell up and become unmanageable by a single admin; to combat this, organizations appoint many admins in charge of specific domains. During a migration these admins must coordinate with each other to make sure all systems are aligned toward a single task.
- This large structure makes the migration slow and error-prone. One way to avoid that is to use an automated utility; otherwise there is a chance that the migration fails in its entirety.
- Some organizations fail to keep their AD at par with current standards. Moreover, as the manual migration methods are optimized for the latest version, their use might be out of contention.
- Data itself does not contribute to the complexity; the attributes, permissions, passwords, and other metadata are the real reason for the difficulty.
Active Directory Migration Considerations And Scenarios
While planning an AD migration of users and computers, make sure the following are not missed:
- Make an AD migration checklist to tally all the items you are about to move.
- Have a clear idea of the domain structure in your particular case (in an inter-forest migration the domains are likely to differ).
- Check that the AD and Windows Server versions do not mismatch. Although both are Microsoft products, they still need to be in working condition together.
- During migration we have to shut down the firewall and antivirus, so make sure the migration environment is quarantined: isolate it from external threats via an air gap or other physical data security means.
- When organizations decide to migrate users and computers from one forest to another, they need to make sure that no unnecessary data is included. In other words, they need to perform a data cleanup prior to the migration.
- Starting the migration straight away might lead to issues. One approach is to first run a preliminary test migration, followed by the full and final one.
- Every stakeholder needs to be informed about the migration timeline to prevent any issues.
Now that all the major AD migration considerations are covered, we can start with the data transfer methods.
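The checklist, data cleanup and version check above can be produced from the source domain with a short script. The following is an added example, not code from the original article or any vendor tool; it assumes the RSAT ActiveDirectory module is installed and that $SourceDC, $OutDir and $StaleAfterDays are placeholders you replace. It exports users and computers to CSV, flags accounts with no recent logon as cleanup candidates, records the domain and forest functional levels for the version comparison, and tallies objects per OU so each domain admin can sign off on their own slice.

```powershell
# Added example (not part of the original article): build the pre-migration checklist
# for one source domain. Requires the RSAT ActiveDirectory module.
param(
    [Parameter(Mandatory)][string]$SourceDC,                          # FQDN of a source domain controller
    [string]$OutDir = (Join-Path $env:TEMP 'ad-migration-checklist'),  # where the CSV files go
    [int]$StaleAfterDays = 90                                           # no logon for this long = cleanup candidate
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$cutoff = (Get-Date).AddDays(-$StaleAfterDays)

# Functional levels: compare these with the target forest before creating the trust
$domain = Get-ADDomain -Server $SourceDC
$forest = Get-ADForest -Server $SourceDC
[pscustomobject]@{
    Domain     = $domain.DNSRoot
    DomainMode = $domain.DomainMode
    ForestMode = $forest.ForestMode
    RIDMaster  = $domain.RIDMaster   # cross-domain Move-ADObject must be pointed at this DC
} | Export-Csv -Path (Join-Path $OutDir 'functional-levels.csv') -NoTypeInformation

# Stale = disabled, never logged on, or last logon older than the cutoff
$staleTest = { -not $_.Enabled -or -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff }

# Users: one row per account with the attributes that decide whether it is migrated
$users = @(Get-ADUser -Server $SourceDC -Filter * -Properties LastLogonDate, PasswordLastSet, whenCreated |
    Select-Object SamAccountName, DistinguishedName, Enabled, LastLogonDate, PasswordLastSet, whenCreated,
        @{ n = 'Stale'; e = $staleTest })
$users | Export-Csv -Path (Join-Path $OutDir 'users.csv') -NoTypeInformation

# Computers: the operating system matters because the migration tools support specific versions
$computers = @(Get-ADComputer -Server $SourceDC -Filter * -Properties LastLogonDate, OperatingSystem |
    Select-Object SamAccountName, DistinguishedName, Enabled, LastLogonDate, OperatingSystem,
        @{ n = 'Stale'; e = $staleTest })
$computers | Export-Csv -Path (Join-Path $OutDir 'computers.csv') -NoTypeInformation

# Tally per parent OU (everything after the first RDN of the distinguished name)
$byOu = $users + $computers |
    Group-Object { ($_.DistinguishedName -split ',', 2)[1] } |
    ForEach-Object {
        [pscustomobject]@{
            OU      = $_.Name
            Objects = $_.Count
            Stale   = @($_.Group | Where-Object Stale).Count
        }
    } | Sort-Object Objects -Descending
$byOu | Export-Csv -Path (Join-Path $OutDir 'tally-by-ou.csv') -NoTypeInformation

Write-Host ("{0} users ({1} stale), {2} computers ({3} stale) inventoried from {4}" -f
    $users.Count, @($users | Where-Object Stale).Count,
    $computers.Count, @($computers | Where-Object Stale).Count, $domain.DNSRoot)
$byOu | Format-Table -AutoSize
```

Run it once against the source domain before the test migration and again before the final one; the difference between the two sets of CSV files shows what changed in between. The Stale column is a hint for the cleanup step, not a verdict: service accounts and rarely used machines can legitimately show no recent logon, so review the flagged rows with the admin who owns that OU before excluding them.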
Using PowerShell to Migrate Users/Computers from One Domain to Another
Prerequisites
Stage 1: Obtain the AD PowerShell module
- Log in to the member server with a domain admin account.
- Open a new PowerShell console.
- Enter the following command:
Add-WindowsFeature RSAT-AD-PowerShell
- Hit Enter and let the module installation finish.
Stage 2: Verify Trust with the New Domain
As the new domain belongs to another forest, the default domain trust is absent and you have to establish the trust manually. Use the following command (the bracketed parts are optional and supply the credentials for each side):
netdom trust <DNSNameofForest-1> /Domain:<DNSNameofForest-2> /Twoway /Transitive /ADD [/UserD:<AdminUserofForest-1> /PasswordD:*] [/UserO:<AdminUserofForest-2> /PasswordO:*]
Stage 3: Document Permissions and Accounts linked to the Computer
Collect information on the present settings to ease verification in the new domain. The command for this is:
Get-ADComputerServiceAccount -Identity UsrCmptrAcc1
Stage 4: Create a Backup of Current Settings
PowerShell has a command to make a backup; it is given below.
Checkpoint-Computer -Description "ForestDomainChange" -RestorePointType MODIFY_SETTINGS
Method
Next, we move on to migrating users and computers from one domain to another via PowerShell.
You must have the domains of both endpoints ready with a pre-established trust. Moreover, the domain controller you address on each side must hold the RID Master FSMO role. Once all is done, use the command below:
Get-ADComputer -Identity UserPC |
    Move-ADObject -TargetPath "OU=<TargetOU>,DC=TargetDomain,DC=tld" `
        -TargetServer "TargetDomCtrl.TargetDomain.tld" `
        -Server "SourceDomCtrl.SourceDomain.tld"
Replace <TargetOU> with the destination OU that will hold the migrated users and computers; the distinguished name must be written without spaces after the commas.
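The stages above are easy to skip when the move is typed by hand, and a Move-ADObject issued against a DC that is not the RID master, or across a missing trust, fails only after the fact. The following script is an added example, not code from the original article or any vendor tool; it wraps the same Move-ADObject call with the checks from Stages 2 to 4 and verifies the result. It assumes the RSAT ActiveDirectory module, the two-way trust from Stage 2, and that the calling account has rights in both domains; $ComputerName, $SourceDC, $TargetDC, $TargetOU and $BackupDir are placeholders, and a JSON export of the object stands in for the Checkpoint-Computer restore point.

```powershell
# Added example (not part of the original article): check-then-move of one computer
# object between two trusted forests, with verification. Requires the RSAT AD module.
param(
    [Parameter(Mandatory)][string]$ComputerName,   # sAMAccountName without the trailing $
    [Parameter(Mandatory)][string]$SourceDC,       # FQDN; must hold the source RID Master role
    [Parameter(Mandatory)][string]$TargetDC,       # FQDN; must hold the target RID Master role
    [Parameter(Mandatory)][string]$TargetOU,       # e.g. "OU=Workstations,DC=TargetDomain,DC=tld"
    [string]$BackupDir = (Join-Path $env:TEMP 'ad-migration-backup'),
    [switch]$DryRun                                # only pass -WhatIf to Move-ADObject
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# Stage 2 check: a two-way trust to the target forest must already exist
$sourceDomain = Get-ADDomain -Server $SourceDC
$targetDomain = Get-ADDomain -Server $TargetDC
$trust = Get-ADTrust -Server $SourceDC -Filter "Name -eq '$($targetDomain.DNSRoot)'"
if (-not $trust -or $trust.Direction -ne 'BiDirectional') {
    throw "No two-way trust from $($sourceDomain.DNSRoot) to $($targetDomain.DNSRoot); run netdom trust first."
}

# Cross-domain moves are only accepted by the RID master of each domain
if ($sourceDomain.RIDMaster -ne $SourceDC) { throw "$SourceDC is not the source RID master ($($sourceDomain.RIDMaster))." }
if ($targetDomain.RIDMaster -ne $TargetDC) { throw "$TargetDC is not the target RID master ($($targetDomain.RIDMaster))." }

# Stages 3 and 4: record the object as it is today before anything changes
$computer = Get-ADComputer -Identity $ComputerName -Server $SourceDC -Properties *
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backupFile = Join-Path $BackupDir ("{0}-{1}.json" -f $ComputerName, (Get-Date -Format 'yyyyMMddHHmmss'))
[ordered]@{
    DistinguishedName     = $computer.DistinguishedName
    SID                   = $computer.SID.Value
    DNSHostName           = $computer.DNSHostName
    OperatingSystem       = $computer.OperatingSystem
    ServicePrincipalNames = @($computer.ServicePrincipalNames)
    MemberOf              = @($computer.MemberOf)
    ServiceAccounts       = @(Get-ADComputerServiceAccount -Identity $ComputerName -Server $SourceDC | ForEach-Object Name)
} | ConvertTo-Json -Depth 4 | Set-Content -Path $backupFile
Write-Host "Pre-move state saved to $backupFile"

# The move itself; with -DryRun, -WhatIf reports what would happen without touching either domain
Move-ADObject -Identity $computer.DistinguishedName -TargetPath $TargetOU `
    -Server $SourceDC -TargetServer $TargetDC -WhatIf:$DryRun
if ($DryRun) { return }

# Verify: present on the target DC, gone from the source DC
$moved = Get-ADComputer -Identity $ComputerName -Server $TargetDC -Properties SIDHistory
$left  = Get-ADComputer -Server $SourceDC -LDAPFilter "(sAMAccountName=$ComputerName`$)"
if ($left) { throw "$ComputerName still exists on $SourceDC after the move." }
[pscustomobject]@{
    Computer   = $ComputerName
    NewDN      = $moved.DistinguishedName
    OldSID     = $computer.SID.Value
    NewSID     = $moved.SID.Value
    SIDHistory = @($moved.SIDHistory | ForEach-Object Value) -join ';'
}
```

Run it first with -DryRun to confirm the trust and RID master checks pass and to see the WhatIf output, then without it. The final object shows the old and new SIDs side by side: the machine receives a new SID in the target domain, so anything that granted access to the old SID (file shares, group memberships recorded in the JSON backup) has to be checked against the SIDHistory column or re-granted.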
Limitations
While using PowerShell admins may encounter the following difficulties:
- Slower performance compared to compiled languages.
- Complex syntax and learning curve.
- Incomplete ecosystem for some tasks.
- Security risks if not properly secured.
- Version compatibility issues.
- Limited GUI development capabilities.
- Error handling challenges.
- Resource-intensive for large datasets.
- Loosely typed, leading to unexpected behavior.
How to Use ADMT and Perform the Active Directory Domain Migration Steps
Prerequisites
- On the target domain (“target-domain.com”) create a conditional forwarder that is integrated with AD itself.
- Make sure any queries for the source domain are redirected to the DNS of the source.
- Likewise, the same is true for the target domain while the migration is being performed.
- Make sure that nslookup gives a green signal for connectivity.
- Don’t forget to establish trust between the domains (as they are in different forests).
Method
- Launch the tool with admin credentials.
- Click Action, then User Account Migration Wizard, and hit Next.
- Select the source and target domains and press Next.
- Choose “Select Users from the Domain”.
- In the window that appears click Add, choose the users to be migrated, then hit OK.
- Once the users are listed on the main screen, click Next.
- Pick the destination and click Next.
- Make one final check of all the selections and, once confirmed, hit Finish.
Limitations
- No support during installation or migration.
- Cannot function without a trust.
- Fails if read-only permission is not removed.
- Endpoints must exist on the supported Windows server version.
- SID history needs to be exposed.
- Requires the installation of an SQL Server instance.
- Can’t provide real-time updates in GUI.
- Needs native permission delegation to function properly.
- Might get trapped in the “Unable to establish a session with the password export server. Access Denied” error.
Prerequisites for Automated Solution of AD User Migration
The only way to overcome the complexity of manual methods is to use a professional utility like the SysTools Active Directory Migration Software. It has groundbreaking functionality and an easy-to-navigate interface. To top all that it is available in a single package with no hidden charges.
Before installing the tool on your system, make sure the following check out:
- Get the Microsoft .Net framework v4.6.1 or above on your machine.
- Update the DNS settings on every domain controller.
- Establish a Trust relationship between endpoints.
- Build the Search list for all DNS suffixes as well.
- Join the admin account with the corresponding administrator group.
- Make sure that AD and the server are on the same network.
- Replicate the source structure (i.e. classes: custom, standard and built-in) as it is.
- The source user must have unrestricted availability in AD throughout the transfer.
- Temporarily switch off the firewall and disable the antivirus during migration.
Once the above conditions are fulfilled, follow the steps ahead.
Automated Steps for an Error-Free AD Migration
Step 1. Download and Launch the Tool.
Step 2. On the login screen type the User ID and Password.
Step 3. After logging in you will find a Register Domain Controller option; press it.
Step 4. In the window that pops up fill in the source “Domain Friendly Name, IP Address”, then press “Save & Continue”.
Step 5. Repeat the previous step for the Destination Domain.
Step 6. Click the source domain and, within the “Info” subsection, type the appropriate credentials, then hit “Save & Continue”.
Step 7. Navigate towards the AD subsection and press the Fetch Active Directory Objects button to bring all users and computers for migration.
Step 8. On the Destination Domain page repeat the procedure done for the source domain.
Step 9. Visit the AD tab; there you have to hit Fetch Active Directory Objects, and only then will you find the object list to choose from.
Step 10. Hop on to the Migration section and hit Create Migration Scenario to move users from one domain to another domain in a different forest.
Step 11. Fill in the name, then pick both the source and the destination domain from the drop-down list. Then hit Save & Continue.
Step 12. At the time of task creation choose only to migrate users and computers from one forest to another and mark the box next to them.
Step 13. Here you will find the various AD objects currently present at the source. Click the three dots in front of Users and Computers to begin their mappings.
Step 14. Pick either Merge (if a pre-existing destination is already created) or Create (to build an entirely new space for the data), then hit “Select”.
Step 15. Hit “Start” and let the tool handle the rest of the Active Directory migration considerations.
Next, we have the reasons for opting for the tool for the migration.
Reasons to Choose the Professional’s Way to Move AD Users from One Server to Another
The following features are the reasons that experts recommend this tool in all AD migration scenarios:
- Simple and simultaneous migration of data from one AD to another.
- Move Shared folders and entire OUs among different AD domains.
- Inter-domain AD transfer of all user profiles with their computers.
- The CSV file mapping method to link AD endpoints is available in the tool.
- Either merge existing accounts or create brand new ones with just a click.
- Include newly added properties of AD users and computers within the migration.
- Provide support for co-existing source and destination domains.
- Facilitate the migration of access controls, including SID history.
- Automated computer linking at the destination AD domain.
- There is no need to change passwords post-migration as the tool moves them with the users.
- Eliminate manual computer migration using VPN for network connectivity checks.
- Next-level compatibility with Windows Server 2012 R2 to 2019 versions.
Conclusion
In this article we gave users a complete tutorial on how to migrate users and computers from one forest to another. We also covered the most important Active Directory migration considerations in detail. Moreover, we saw that the only way to avoid the highly complicated and confusing manual methods is to use the automated utility instead. Follow the guidelines mentioned here and bring all the AD data to the new domain in an error-free manner.