The five key tips:
- Active Directory Migration Tool (ADMT) v3.1 installs on Windows Server 2008 -- but not on Windows Server 2008 R2. You can run it on a Windows Server 2008 member server in a domain whose domain controllers are Windows Server 2008 R2, but don't try installing it on an R2 server: the installer simply tells you that ADMT must be installed on Windows Server 2008. Microsoft is working on a fix in v3.2.
- You must create a trust relationship between the forests. A two-way trust works best, although a one-way trust is supported. If you're going to keep SIDs (sIDHistory) through the migration, you must also turn off SID filtering on the trust, which is easier said than done. The two commands
    netdom trust <trusting domain> /domain:<trusted domain> /quarantine:no
    netdom trust <trusting domain> /domain:<trusted domain> /enablesidhistory:yes
need to be run by an account with the right permissions on both sides of the trust. Mind the argument order: the first name is the trusting (target) domain and /domain: is the trusted (source) domain. The /quarantine switch applies to external trusts and /enablesidhistory to forest trusts, so use the one that matches the trust you created. Disabling SID filtering means the target forest will honor SIDs injected from the source forest, so turn it back on as soon as the migration is complete.
- Getting the right permissions to perform every migration task isn't easy. Create a single ADMT admin account (call it what you like) with the highest level of permissions (Domain Admins and Enterprise Admins), and add that account to the built-in Administrators group of both the source and target domains. It may look like overkill, but give that account as much permission as possible so it can do everything: a cross-forest migration is riddled with failures caused by permissions that don't match up on one side or the other. Because this account is effectively a tier-0 administrator in two forests at once, treat it accordingly: give it a long, unique password, use it only for migration work, and disable or delete it as soon as the migration is finished.
- If you want users to keep their passwords through the migration, download Password Export Server (PES) v3.1 and install it on a domain controller in the source domain. PES is not required to migrate users; the wizard can generate new random passwords as it moves them. If you do use PES to preserve passwords, note this undocumented requirement: you have to create the .pes encryption key file on the target domain (the admt key command on the ADMT server does this), then import that .pes file on the target as well. It seems redundant, but it is a necessary step to getting PES to work. That key protects every migrated password hash in transit, so store the .pes file as carefully as you would a domain backup and delete it once the migration is done.
- To move the workstations, the ADMT admin account (or whatever you called it) also needs administrative rights on each workstation. You may want to temporarily disable the Windows Firewall so the ADMT agent can install and flip the workstation into the new domain; a narrower fix is to leave the firewall on and allow the File and Printer Sharing (SMB) and RPC rules the agent relies on, which avoids leaving machines fully exposed while the migration runs.
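The trust, SID-filtering and PES-key steps from the tips above, as a pre-flight script you would run on the ADMT server in the target forest. This is an added example and not code from the original column or from Microsoft; the domain names, the key path and the admin account name are placeholders, and the script only reports the trust state it reads back rather than guessing at the meaning of every attribute.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell on the
# ADMT server in the target forest, as the ADMT admin account.
# Assumptions: the ActiveDirectory module is installed, and these names are placeholders.
Import-Module ActiveDirectory

$SourceDomain = 'source.example.com'   # assumption: the forest being migrated away from
$TargetDomain = 'target.example.com'   # assumption: the forest ADMT is installed in
$AdmtAdmin    = 'admtadmin'            # assumption: the single migration account (tip 3)
$KeyFile      = 'C:\ADMT\source.pes'   # assumption: where the PES key file is written

function Show-TrustState {
    param([Microsoft.ActiveDirectory.Management.ADTrust]$Trust, [string]$Label)
    Write-Host "--- $Label ---"
    Write-Host "Direction               : $($Trust.Direction)"        # BiDirectional is what the article recommends
    Write-Host "ForestTransitive        : $($Trust.ForestTransitive)" # True = forest trust, False = external trust
    Write-Host "SIDFilteringQuarantined : $($Trust.SIDFilteringQuarantined)"
    Write-Host "SIDFilteringForestAware : $($Trust.SIDFilteringForestAware)"
}

# 1. Confirm the trust exists and record its state before changing anything (tip 2).
$trust = Get-ADTrust -Filter "Name -eq '$SourceDomain'" -Server $TargetDomain
if (-not $trust) {
    throw "No trust from $TargetDomain to $SourceDomain. Create the trust first."
}
Show-TrustState -Trust $trust -Label 'Before'

# 2. Turn off SID filtering on the trusting (target) side, choosing the netdom switch
#    that matches the trust type. netdom's first argument is the trusting domain and
#    /domain: is the trusted domain, the opposite of how it is often written.
if ($trust.ForestTransitive) {
    netdom trust $TargetDomain /domain:$SourceDomain /enablesidhistory:yes
} else {
    netdom trust $TargetDomain /domain:$SourceDomain /quarantine:no
}
if ($LASTEXITCODE -ne 0) { throw "netdom failed with exit code $LASTEXITCODE" }

# 3. Re-read the trust object so the change is verified from AD, not from netdom's output.
$trust = Get-ADTrust -Filter "Name -eq '$SourceDomain'" -Server $TargetDomain
Show-TrustState -Trust $trust -Label 'After'
if (-not $trust.ForestTransitive -and $trust.SIDFilteringQuarantined) {
    throw 'External trust is still quarantined; sIDHistory will not be honored across it.'
}

# 4. Check the migration account's group membership in the target domain (tip 3).
#    The same check must be repeated in the source domain with source credentials.
$groups = Get-ADPrincipalGroupMembership -Identity $AdmtAdmin -Server $TargetDomain |
          Select-Object -ExpandProperty Name
foreach ($required in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    if ($groups -notcontains $required) {
        Write-Warning "$AdmtAdmin is not a member of '$required' in $TargetDomain"
    }
}

# 5. Create the PES encryption key on the target side (tip 4). The same .pes file is
#    supplied when Password Export Server is installed on a source-domain DC, so copy it
#    there over a protected channel and delete every copy when the migration is finished.
admt key /option:create /sourcedomain:$SourceDomain /keyfile:$KeyFile /keypassword:*
if ($LASTEXITCODE -ne 0) { throw "admt key failed with exit code $LASTEXITCODE" }
Write-Host "PES key written to $KeyFile"
```

Run it once before the first test migration and keep the "Before" and "After" output with your migration notes; when the migration is over, reverse step 2 with /quarantine:yes or /enablesidhistory:no so the trust is filtered again.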
The biggest key of all to getting this to work right -- c'mon, you all know this -- is practice, document, and test: PDT. Perform your tasks in a lab environment that mimics your real-world environment. Document every single failure, then fix it and develop a step-by-step process that works for your organization specifically. Test every kind of move you require, not only in the lab but -- this is critical -- in your real environment.
You can set up ADMT and -- especially -- test every kind of move before you begin. One of the positive things about this tool is that you can run both forests in tandem until you are ready to make the final move, so take all the time you need to test, and test again, before diving in and migrating.
Do I give the Active Directory Migration Tool a thumbs-up? I do. It works, it's free, and once you get past the nasty documentation and see it all come together, you'll be pleased with the results and the savings.
I suggest that Microsoft's ADMT team take a look at the newly released Exchange Deployment Assistant. It's an awesome online tool that asks a few questions about what you are looking to do and provides just those steps, in order, that you should perform. It makes deployments so much easier. ADMT could use that kind of assistant.
What's your experience with migrations? Have you worked with third-party tools, or are you an ADMT veteran? If so, share your war stories and victories in the comments section below.
By the way, both Greg Shields and myself will be speaking at Techmentor next week in sunny Orlando, Fla. If you haven't had a chance to see me speak and desire warmer weather, my primary topics will relate to Exchange 2007/2010, virtualization, Windows 7 VDI, and SharePoint backup/recovery -- all the fun stuff I talk about in my columns here on InfoWorld.com.
This article, "5 tips for a cheaper, leaner Active Directory environment," was originally published at InfoWorld.com. Read more of J. Peter Bruzzese's Enterprise Windows blog and follow the latest developments in Windows at InfoWorld.com.