Active Directory Cross Forest Migration Made Easy & Error-Free
Active Directory cross forest migration is one of the most important tasks in the AD lifecycle. Anytime there is a restructuring, be it mergers, acquisitions, or divestitures, this is a task that cannot be skipped. Moreover, AD is at the forefront of maintaining the interrelationships between domains, users, computers, and their data. Therefore, attempting a migration without prior knowledge is not recommended.
That’s why we have made this guide for everyone who needs it, no matter whether you are an IT veteran or a new admin handling your first migration project. First, we have an overview of the migration procedure itself.
Overview of Cross Forest Migration in Active Directory
Here we discuss the user requirements and the procedure to follow. Like any major project, AD data transfer between forests is a nuanced subject with many variables. The administrator appointed for the task must have a proper plan in place. Not following the procedure can lead to disastrous consequences, including data loss, inaccessible domains, etc.
Moreover, AD migration between two different domains needs thorough preparation from users and administrators. So here are some best practices to keep in mind, regardless of the procedure you opt for.
- First and foremost, prepare an AD migration checklist for your organization.
- Inventory your entire data set to identify redundant data; trimming it conserves critical migration resources.
- Inform the key stakeholders about the changes and make sure no protocols are broken during Active Directory cross forest migration (like accessing the source during migration). Also, see that compliance requirements are met.
- Perform a trial migration first to identify any underlying issues. Resolve them, and then proceed with the actual migration.
- Don’t attempt to migrate all the data at once. Break the migration down into phases to reduce the chances of errors.
Prerequisites for Active Directory Cross Forest Migration
ADMT
- Go to “target-domain.com” and create a Conditional Forwarder within AD itself.
- Redirect requests for the target zone on the source domain to the target's DNS, and repeat the same on the target domain for the source zone.
- nslookup must succeed against the other domain's DNS from both sides to confirm connectivity.
- Install SQL Server, which ADMT uses to store its migration database.
- Don’t forget to establish trust between the domains (as they are in different forests).
PowerShell
- Get the AD PowerShell module:
- Sign in to the member server using a domain admin (or higher) account.
- Launch a new PowerShell console.
- Type the following command:
Add-WindowsFeature RSAT-AD-PowerShell
- Press Enter and wait till the module installs.
- Create a user CSV file with the columns the migration script reads (username, password, firstname, lastname, department, ou, sid, UserPrincipalName, DistinguishedName).
Automated Utility
- Install Microsoft .Net framework v4.6.1 or above on your machine.
- Realign the DNS settings on your domain controllers.
- Create a Trust relationship between endpoints.
- Make a DNS suffix search list.
- Join the admin account with the corresponding administrator group.
- Make sure that AD and the Server are on the same network.
- Replicate the source structure (i.e. classes, custom/standard and built-in) as it is.
- The source user must have unrestricted availability in AD throughout the transfer.
- Temporarily switch off the firewall and disable the antivirus during migration, and re-enable both as soon as it completes.
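The ADMT prerequisites above (conditional forwarder, name resolution, trust) and the automated-utility prerequisites (DNS realignment, trust, network reachability, firewall) can be checked from the target side with one pre-flight script. This is an added example, not code from the article or from either tool; the domain names, DC names and the source DNS IP are constructed placeholders, and it assumes the RSAT AD and DNS Server modules are installed.

```powershell
# Added pre-flight check for a cross-forest migration (not the article's code).
# Assumptions (constructed values): source/target forest names, one DC in each,
# and the IP of the source DNS server used for the conditional forwarder.
Import-Module ActiveDirectory
Import-Module DnsServer      # RSAT DNS Server tools, needed for the forwarder step

$SourceDomain = 'source.example'
$TargetDomain = 'target.example'
$SourceDC     = 'dc1.source.example'
$TargetDC     = 'dc1.target.example'
$SourceDnsIp  = '10.10.0.10'    # constructed

# 1. Conditional forwarder for the source zone on the target's DNS server.
#    Run the mirror image of this on the source side for the target zone.
if (-not (Get-DnsServerZone -Name $SourceDomain -ComputerName $TargetDC -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $SourceDomain -MasterServers $SourceDnsIp `
        -ReplicationScope 'Forest' -ComputerName $TargetDC
}

# 2. Name resolution in both directions. The DC locator SRV record is what an
#    nslookup-based connectivity check is really testing.
$dnsResults = @(foreach ($domain in $SourceDomain, $TargetDomain) {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check = "DC locator record for $domain"; Ok = [bool]$srv }
})

# 3. Ports the migration traffic needs, tested from this host to the source DC.
#    Add scoped firewall exceptions only for the ones that fail here instead of
#    switching the firewall off. (RPC also uses the dynamic range 49152-65535.)
$Ports = [ordered]@{ DNS = 53; Kerberos = 88; 'RPC mapper' = 135; LDAP = 389; SMB = 445; 'LDAP GC' = 3268 }
$portResults = @(foreach ($p in $Ports.GetEnumerator()) {
    $t = Test-NetConnection -ComputerName $SourceDC -Port $p.Value -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = "$($p.Key) ($($p.Value)/tcp) to $SourceDC"; Ok = $t.TcpTestSucceeded }
})

# 4. A forest trust to the source domain exists and is transitive.
#    sIDHistory is honoured across the trust only after it is allowed with
#    "netdom trust <target> /domain:<source> /enablesidhistory:yes"; running the
#    same command without ":yes" prints the current setting.
$trust = Get-ADTrust -Server $TargetDC -Filter "Name -eq '$SourceDomain'" -ErrorAction SilentlyContinue
$trustResults = @(
    [pscustomobject]@{ Check = "Trust to $SourceDomain exists on $TargetDC"; Ok = [bool]$trust }
    [pscustomobject]@{ Check = 'Trust is forest-transitive';                 Ok = [bool]$trust.ForestTransitive }
    [pscustomobject]@{ Check = "Trust direction is BiDirectional";           Ok = ("$($trust.Direction)" -eq 'BiDirectional') }
)

$dnsResults + $portResults + $trustResults | Format-Table -AutoSize
```

Every row that prints `Ok = False` maps to one prerequisite in the lists above, so the output doubles as the connectivity section of the migration checklist. Run it again after the firewall exceptions are in place and before the trial migration.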
Manual Steps for Active Directory Cross Forest Migration
There are two approaches that administrators can follow according to their level of expertise. Let’s start with the GUI-based one:
ADMT
It’s Microsoft’s own tool for the task.
- Step 1. Install the ADMT and proceed by typing in the admin credentials.
- Step 2. Press Action, choose User Account Migration Wizard and hit Next.
- Step 3. Pick source and target Active Directory domains, then click Next.
- Step 4. Mark “Select Users” from the Domain.
- Step 5. Add and pick the users to be migrated, and click OK.
- Step 6. Mark chosen user accounts and press Next.
- Step 7. Pick the destination Organizational Unit (OU) and proceed.
- Step 8. Check details and press Finish. Let the migration complete on its own.
- Step 9. Go to the destination domain and manually perform the checks.
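Step 9 leaves the post-migration checks to the administrator. The following is an added example of automating them, not part of the article or of ADMT; it assumes a DC in each forest, admin rights on both, and a constructed list of the sAMAccountNames that were migrated. It compares core attributes, confirms the source SID landed in sIDHistory (which is what keeps existing ACLs resolving), and checks group membership by group name.

```powershell
# Added post-migration verification (not the article's or ADMT's code).
# Assumptions (constructed): DC names and the list of migrated accounts.
Import-Module ActiveDirectory
$SourceDC = 'dc1.source.example'
$TargetDC = 'dc1.target.example'
$Migrated = @('jdoe', 'asmith')   # constructed sample of migrated sAMAccountNames

$Props  = 'GivenName','Surname','UserPrincipalName','Department','Enabled','SIDHistory','MemberOf'
$report = foreach ($sam in $Migrated) {
    $src = Get-ADUser -Server $SourceDC -Filter "SamAccountName -eq '$sam'" -Properties $Props
    $dst = Get-ADUser -Server $TargetDC -Filter "SamAccountName -eq '$sam'" -Properties $Props
    $issues = @()

    if (-not $dst) {
        $issues += 'missing in target'
    }
    else {
        if (-not $src) {
            $issues += 'not found in source'
        }
        else {
            # Attributes that ADMT copies verbatim must match exactly
            foreach ($attr in 'GivenName', 'Surname', 'Department') {
                if ($src.$attr -ne $dst.$attr) { $issues += "$attr differs ('$($src.$attr)' vs '$($dst.$attr)')" }
            }
            # The source SID must be present in the target's sIDHistory
            $history = @($dst.SIDHistory | ForEach-Object { $_.Value })
            if ($history -notcontains $src.SID.Value) { $issues += 'source SID not in sIDHistory' }
            # Groups are migrated by name: compare the CN part of each group DN
            $srcGroups = @($src.MemberOf | ForEach-Object { ($_ -split ',')[0] })
            $dstGroups = @($dst.MemberOf | ForEach-Object { ($_ -split ',')[0] })
            $missingGroups = $srcGroups | Where-Object { $_ -notin $dstGroups }
            if ($missingGroups) { $issues += "groups missing in target: $($missingGroups -join '; ')" }
        }
        if ($dst.Enabled -ne $true) { $issues += 'account disabled in target' }
    }

    $status = if ($issues) { $issues -join '; ' } else { 'OK' }
    [pscustomobject]@{ User = $sam; Status = $status }
}

$report | Format-Table -AutoSize
```

Accounts reported as `OK` have matching identity attributes, carry the source SID in sIDHistory and belong to the same groups by name; anything else is listed per account so it can be fixed before the next batch, which fits the phased approach recommended earlier.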
PowerShell
The following is the PowerShell script for the cross forest migration of AD users:
# Import new user data via the source path of the premade CSV file
Import-Module ActiveDirectory
$NewADUsers = Import-Csv -Path C:\scripts\newadusers.csv

foreach ($User in $NewADUsers) {
    $NewUsername          = $User.username
    $NewPassword          = $User.password
    $NewFirstname         = $User.firstname
    $NewLastname          = $User.lastname
    $NewDepartment        = $User.department
    $NewOU                = $User.ou
    $NewUserPrincipalName = $User.UserPrincipalName
    # The sid and DistinguishedName columns are read for reference only: New-ADUser has no
    # -SID or -DistinguishedName parameter. The DN is built from -Name and -Path, and a
    # source SID can only be carried over as sIDHistory (ADMT does this; New-ADUser cannot).
    $Newsid               = $User.sid
    $NewDistinguishedName = $User.DistinguishedName

    # Scan the AD for pre-existing users
    if (Get-ADUser -Filter "SamAccountName -eq '$NewUsername'") {
        # In case a user is present
        Write-Warning "A user account $NewUsername already exists in Active Directory."
    }
    else {
        # For all new users, you have to create an account before proceeding.
        # The account is created in the OU listed in the ou column of the CSV file;
        # ensure the UserPrincipalName column uses the target domain name.
        New-ADUser -SamAccountName $NewUsername `
            -UserPrincipalName $NewUserPrincipalName `
            -Name "$NewFirstname $NewLastname" `
            -GivenName $NewFirstname `
            -Surname $NewLastname `
            -DisplayName "$NewLastname, $NewFirstname" `
            -Department $NewDepartment `
            -Path $NewOU `
            -AccountPassword (ConvertTo-SecureString $NewPassword -AsPlainText -Force) `
            -Enabled $True `
            -ChangePasswordAtLogon $True
    }
}
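Because the script above creates accounts straight from the CSV, a bad row only surfaces as a failed `New-ADUser` call halfway through the batch. The following added example (not the article's script) validates the CSV against the target forest first: required columns, sAMAccountName length, UPN suffix accepted by the target forest, existence of each target OU, SID format, duplicates, and collisions with existing accounts. It assumes a target DC name, and the two sample rows are constructed (the second is written to fail several checks). The file is written to the temp folder for the demonstration; the article uses C:\scripts\newadusers.csv.

```powershell
# Added dry-run validation of the user CSV (not the article's code).
# Assumptions (constructed): target DC name and the two sample rows below.
Import-Module ActiveDirectory
$TargetDC = 'dc1.target.example'
$CsvPath  = Join-Path $env:TEMP 'newadusers.csv'   # article path: C:\scripts\newadusers.csv

# Constructed sample input using the columns the migration script reads
@'
username,password,firstname,lastname,department,ou,sid,UserPrincipalName,DistinguishedName
jdoe,Temp-Pass-2024!,John,Doe,Finance,"OU=Migrated,DC=target,DC=example",S-1-5-21-1111-2222-3333-1105,jdoe@target.example,"CN=John Doe,OU=Migrated,DC=target,DC=example"
asmith,short,Ann,Smith,HR,"OU=Nowhere,DC=target,DC=example",S-1-5-21-1111-2222-3333-1106,asmith@source.example,"CN=Ann Smith,OU=Nowhere,DC=target,DC=example"
'@ | Set-Content -Path $CsvPath

$Required = 'username','password','firstname','lastname','department','ou','sid','UserPrincipalName','DistinguishedName'
$Users = @(Import-Csv -Path $CsvPath)
$missingCols = $Required | Where-Object { $_ -notin $Users[0].PSObject.Properties.Name }
if ($missingCols) { throw "CSV is missing columns: $($missingCols -join ', ')" }

# UPN suffixes the target forest accepts: its domain names plus any added suffixes
$targetForest = Get-ADForest -Server $TargetDC
$UpnSuffixes  = @($targetForest.Domains) + @($targetForest.UPNSuffixes)

$ouExists = @{}   # cache so each OU is looked up once
$problems = @(foreach ($u in $Users) {
    $why = @()
    if ([string]::IsNullOrWhiteSpace($u.username)) { $why += 'empty username' }
    elseif ($u.username.Length -gt 20)               { $why += 'sAMAccountName longer than 20 characters' }
    if ($u.password.Length -lt 14) { $why += 'password shorter than 14 characters' }   # hypothetical policy threshold
    $suffix = ($u.UserPrincipalName -split '@')[-1]
    if ($suffix -notin $UpnSuffixes) { $why += "UPN suffix '$suffix' is not valid in the target forest" }
    if (-not $ouExists.ContainsKey($u.ou)) {
        try   { $null = Get-ADOrganizationalUnit -Server $TargetDC -Identity $u.ou -ErrorAction Stop; $ouExists[$u.ou] = $true }
        catch { $ouExists[$u.ou] = $false }
    }
    if (-not $ouExists[$u.ou]) { $why += "target OU '$($u.ou)' does not exist" }
    if ($u.sid -notmatch '^S-1-5-21(-\d+){4}$') { $why += 'sid is not a domain account SID' }
    if (Get-ADUser -Server $TargetDC -Filter "SamAccountName -eq '$($u.username)'") { $why += 'already exists in target' }
    if ($why) { [pscustomobject]@{ User = $u.username; Problems = $why -join '; ' } }
})

$dupes = $Users | Group-Object -Property username | Where-Object Count -gt 1 | ForEach-Object Name
if ($dupes) { $problems += [pscustomobject]@{ User = ($dupes -join ','); Problems = 'duplicate username rows' } }

if ($problems) {
    $problems | Format-Table -AutoSize -Wrap
    throw 'Fix the CSV before running the migration script.'
}
'CSV passed validation'
```

With the sample rows, `jdoe` passes (given that the OU exists in the target forest) and `asmith` is reported for the short password, the source-domain UPN suffix and the missing OU. Running this as the trial step keeps the `New-ADUser` loop from stopping part-way through a batch.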
Automated Tool for AD Migration in A Step by Step Manner
The professional AD migration software introduced here has best-in-class features and an interactive interface that make the migration as easy as possible. With a robust set of filters to trim down the data at the source itself, the tool helps administrators cut down on migration time. It also eliminates the need to memorize scripts and protocols, thereby reducing the technical proficiency required. This is the best tool to migrate users and computers from one forest to another in a few steps.
Steps to use the tool for Active Directory cross forest migration are given below:
Step 1. Open the tool by typing default credentials (administrator) in place of username and password.
Step 2. On the next screen, register the source and target domain controllers.
Step 3. Click the source domain, go to “Info” and type the admin credentials for validation.
Step 4. Then go to the Active Directory section and fetch all source objects.
Step 5. Perform the same steps for the target domain as well.
Step 6. In the Migration section, hit “create migration scenario,” type the migration name, and select the endpoints from the dropdown list.
Step 7. In the “Task” section, click on the “Create Task” option. Select the options you want at the destination domain.
Step 8. Once object selection is complete, select the create option and proceed with the Active Directory cross forest migration.
Step 9. When objects appear on the preview dashboard, map them and click Start Task; on the window that pops up, hit Start.
Conclusion
After the discussion of all available Active Directory cross forest migration methods, there is no doubt that selecting the tool is the best option. Compared to its counterparts, like ADMT or PowerShell, it clearly outperforms them in all parameters, whether we talk about migration speed, effort required from the user end, or minimizing errors. Therefore, it is in the best interest of the admin to go for the automated solution in any scenario.
FAQs
Q. What is cross forest migration in AD?
Active Directory, at its core, has a forest-like structure in which different objects like users, computers, groups, folders, etc. exist. Every forest has its own unique domain. Whenever there are mergers, acquisitions, or restructuring, companies have to migrate their data from one domain to another. When this involves all items of an AD, it is termed a cross forest migration.
Q. What are the minimum requirements for a system to run the ADMT?
If an admin wants to access the ADMT, they must be working on a machine with Windows Server 2008 or higher. They also need to ensure that the server is not in read-only mode.
Q. A recent batch of new mailbox data arrived during the migration; is there a way to move it without restarting the migration?
Yes, the automated tool has a delta migration feature designed solely for these scenarios. Using it, the tool identifies which data has already been moved and moves only the data that is new.