5 tips for a cheaper, leaner Active Directory environment

Consolidating Active Directory domains saves money, time, and labor, but migration can require costly tools -- unless you follow this approach using ADMT

Chances are that your Active Directory implementation is a good decade old, done with a long-ago version of Active Directory with limitations that typically resulted in creating more domains than you would with today's version. Back then, you had to construct a forest, while today you would need only a few -- or even just one -- "tree."

It makes sense to revisit your existing Active Directory structure and decide, "Hey, I really need to consolidate domains to save time, money, and precious IT staff hours for management and support." Though doing so probably means a serious migration effort of users, groups, computers, profiles, and more, the effort is worthwhile, and I've developed five tips to help ease it.


Recently, a very large organization (more than 50,000 users) asked me about the possibility of making such a move. The first question: Is this going to be an intraforest or an interforest move? The difference is significant because intra means within an existing forest, where you might be consolidating domains. Doing it interforest means establishing a brand-new forest, then moving accounts and such from the old one to the new one. An interforest migration is much more complex, but overall, it results in a cleaner final product because you are starting from scratch. Thus, I advised the client to do an interforest migration.

Then the question was how. My first response: Go with Quest migration tools. Often, when considering a migration (be it for Active Directory or Exchange), my first thought was Quest, especially for large and complex environments. Sure, with a small environment, you might try the free tools, but beyond a certain number of users or domains, you should start looking at third-party products, and Quest happens to be my personal go-to app for migrations. Unfortunately, Quest's tools are pricey (though worth the money, in my opinion), and this client's budget for third-party tools was zero dollars.

So I pulled in another Active Directory expert, Greg Shields, an MVP and co-founder of ConcentratedTech.com, for his opinion. His first words were "Go with Quest!" When I informed him of the nonexistent tools budget and, thus, my hope of being able to use Microsoft's free Active Directory Migration Tool, I was met with a groan.

Let me give you some history on the Active Directory Migration Tool (ADMT): It has been less than reliable. I've never seen it work perfectly. But the latest version (3.1) looked promising, so I thought we might at least give it a try. It took a few days of testing and adjusting (and more testing), but it worked. I was able to take two separate forests and migrate user accounts (with SIDs and passwords), group accounts (with memberships retained), local profiles (my test, but it could have been roaming too), and computer accounts (systems rebooted and joined the domain with no issue). Users were able to log in as if nothing had changed other than their domain name.

You must be asking yourself, "Did it really work right out of the box?" Absolutely not. At every step of the way, we encountered errors, and the documentation (a 232-page nightmare called "Active Directory Management Tool v3.1 Guide: Migrating and Restructuring Active Directory Domains") was one of the most difficult documents I've ever encountered. About a dozen administrators in a room all day couldn't make heads or tails of it. We had to plow through each step and kept flipping back and forth through the monolithic beast.

But it does work, and now that I've had to figure out how to make it work, let me share five key reminders and tricks to help you along the way. Don't be afraid to email me with questions or war stories about the Active Directory Management Tool. I believe I've become an expert on it over the past week.

Page 1 of 2