Active Directory Forest Restructuring :: Part 2

Go to Part 1
Prepare source domain for migration

One of the first and most important tasks in an AD migration is preparing the source domain. Preparation means cleaning up the source domain so that no unwanted objects are carried over into the new forest, fixing any outstanding administrative or security-model issues, standing up a POC environment, and freezing changes on the source until the transition is complete.

The brief steps below are based on the pre-migration infrastructure analysis report.

  • Audit and clean up all inactive and unused user accounts and empty groups – It is always advisable to leave the bad behind when moving to a fresh environment. Clean up the source domain, or exclude the inactive and unused AD and network objects from the migration scope while planning it.
  • Clean up all inactive desktop and server computer accounts – The same applies to computer and network peripheral objects registered in the source forest.
  • Prepare a POC environment – Create a replica of the source forest, if possible with the sample applications and services targeted for migration along with user and computer objects. This proof-of-concept environment is maintained until the transition is complete; call it a test bed or POC as you prefer.
  • Select pilot user/computer accounts – These are the users and computer objects on which we pilot the migration and do extensive testing. Pick the samples from different segments, for example by location, department and criticality.
  • Identify known compatibility issues as part of addressing potential risk – Fix any application dependency on the target Active Directory version or on specific authentication requirements with the help of internal application support or the vendor (see the notes on changes in the authentication mechanism).
  • Resolve/mitigate compatibility issues for clients – Address any endpoint client compatibility issue, such as the minimum client version required before an endpoint can be moved to the new forest.
  • Freeze new additions and modifications – Identify and communicate a point from which any change or addition to the source infrastructure is frozen. It is better to have this agreed at an early stage of the forest transition.
  • Work on the HR-AD integration tool – One pain point for the organization during a forest transition is the employee onboarding system; in most organizations this is owned by the HR team, or by HR working with IT operations. In either case, everyone involved in onboarding must be aware of the change phases and handle onboarding diligently throughout the transition.
  • Service account creation for AD migration – Since we are using ADMT for the inter-forest migration, create all the service accounts ADMT requires in the source domain.
  • Delegated permission – Whichever account is used to migrate AD objects from the source domain to the target needs delegated permission on the user and group OUs, together with the "Migrate SID History" extended right (note that this extended right is set on the domain object itself, not on an OU).
  • Configure the source domain for security identifier (SID) history migration – Create an empty domain local group in the source domain named after the source domain's NetBIOS name followed by three dollar signs; for example, a group named "SourceDomain$$$" if the source domain NetBIOS name is "". ADMT checks for this group and refuses SID history migration if it has any members.
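The SID history preparation from the last bullet, as an added PowerShell example (this is not the original post's script). It assumes the RSAT ActiveDirectory module, an account allowed to create groups in the source domain, the placeholder source domain FQDN `source.example.com`, and WinRM access to the source PDC emulator for the final read-only registry check. That registry check (TcpipClientSupport on the source PDC emulator) is a general ADMT prerequisite that the post does not list; it is included here because ADMT will fail SID history migration without it.

```powershell
# Added example, not from the original post. Creates and verifies the
# <NetBIOSName>$$$ marker group ADMT needs for SID history migration.
Import-Module ActiveDirectory

# Placeholder source domain FQDN (assumption)
$sourceDomain = Get-ADDomain -Server 'source.example.com'
$pdc          = $sourceDomain.PDCEmulator
$groupName    = '{0}$$$' -f $sourceDomain.NetBIOSName      # e.g. SOURCE$$$

# ADMT looks for a domain-local security group named <NetBIOSName>$$$ in the
# source domain and requires it to have no members. Create it only if missing.
$group = Get-ADGroup -Server $pdc -LDAPFilter "(sAMAccountName=$groupName)"
if (-not $group) {
    $group = New-ADGroup -Server $pdc -Name $groupName -SamAccountName $groupName `
        -GroupScope DomainLocal -GroupCategory Security `
        -Path $sourceDomain.UsersContainer `
        -Description 'ADMT SID history marker group; must stay empty' -PassThru
}
elseif ($group.GroupScope -ne 'DomainLocal') {
    throw "$groupName exists but is $($group.GroupScope); ADMT expects a DomainLocal group."
}

# Fail loudly if someone has added members; ADMT will refuse SID history migration.
$members = @(Get-ADGroupMember -Server $pdc -Identity $group)
if ($members.Count -gt 0) {
    throw "$groupName must be empty but has $($members.Count) member(s): $($members.SamAccountName -join ', ')"
}

# General ADMT prerequisite (not stated in the post): the source PDC emulator needs
# TcpipClientSupport = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
# Read-only check over WinRM; the value is not changed here.
$tcpip = Invoke-Command -ComputerName $pdc -ScriptBlock {
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name TcpipClientSupport -ErrorAction SilentlyContinue).TcpipClientSupport
}
if ($tcpip -ne 1) {
    Write-Warning "TcpipClientSupport is '$tcpip' on $pdc; set it to 1 and restart the DC before migrating SID history."
}

"$groupName exists in $($sourceDomain.DNSRoot), is DomainLocal, and is empty."
```

Run it as the migration account against the source domain only; the group is created on the PDC emulator so that ADMT, which also targets the PDC emulator, sees it without waiting for replication.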

Most of these tasks can be achieved with PowerShell. I will share a few scripts that can be used for finding inactive user, group and computer accounts.
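An added example for the first two cleanup bullets (inactive users and computers, empty groups); it is my script, not one from the original post. It assumes the RSAT ActiveDirectory module, a placeholder source domain FQDN `source.example.com`, a placeholder output folder, and a 90-day inactivity threshold. It only reports; the reviewed CSVs are what you feed into the exclusion list or a later disable/quarantine step.

```powershell
# Added example, not from the original post. Audits stale users, stale computers
# and empty groups in the source domain before migration. Report only.
Import-Module ActiveDirectory

$server = 'source.example.com'       # placeholder source domain FQDN (assumption)
$days   = 90                          # inactivity threshold; adjust per policy
$cutoff = (Get-Date).AddDays(-$days)
$outDir = 'C:\ADMigration\Audit'     # placeholder output folder (assumption)
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# LastLogonDate is derived from lastLogonTimestamp, which replicates with roughly
# 9-14 day granularity: fine for "inactive for months", useless for exact times.
# Accounts that never logged on have no value, so they are judged by creation date.
$staleUsers = Get-ADUser -Server $server -Filter * `
    -Properties LastLogonDate, whenCreated, Enabled, PasswordLastSet |
    Where-Object {
        ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
        (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff)
    } |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet, whenCreated, DistinguishedName

$staleComputers = Get-ADComputer -Server $server -Filter * `
    -Properties LastLogonDate, whenCreated, OperatingSystem, Enabled |
    Where-Object {
        ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
        (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff)
    } |
    Select-Object Name, Enabled, OperatingSystem, LastLogonDate, whenCreated, DistinguishedName

# Empty groups: no direct members. Protected built-in groups are excluded via
# isCriticalSystemObject so they are never proposed for cleanup.
$emptyGroups = Get-ADGroup -Server $server -Filter * -Properties Members, isCriticalSystemObject |
    Where-Object { $_.Members.Count -eq 0 -and -not $_.isCriticalSystemObject } |
    Select-Object Name, GroupScope, GroupCategory, DistinguishedName

# Export for review. Nothing is disabled, moved or deleted by this script.
$staleUsers     | Export-Csv "$outDir\stale-users.csv"     -NoTypeInformation
$staleComputers | Export-Csv "$outDir\stale-computers.csv" -NoTypeInformation
$emptyGroups    | Export-Csv "$outDir\empty-groups.csv"    -NoTypeInformation

'{0} stale users, {1} stale computers, {2} empty groups (threshold {3} days)' -f `
    @($staleUsers).Count, @($staleComputers).Count, @($emptyGroups).Count, $days
```

Review the CSVs with the application and desktop teams before acting on them: service accounts that authenticate rarely, and machines that are powered off for long stretches, show up as stale even though they are still needed.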

Refer to the SID history migration known issues and fixes.

Refer to the application compatibility and known issues.
