EnterpriseArchitect asked GaryReynolds edited

Best practices and pitfalls to avoid when consolidating and migrating multiple AD domains into a single-forest, single-domain AD?

People,

ParentCompany.com has recently bought Child1.co.uk, Child2.net, Child3.org, etc...

I need to perform Multiple AD Domain object migrations from multiple separate non-trusted AD domains to ParentCompany.com AD Domain.

 Group Policy Object
 Computers
 Users
 Groups

What are the steps/procedure to migrate and the pitfalls when migrating those objects into a single AD Domain?

The Software I will be using is: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/support-for-admt-and-pes

I assume each server will be rebooted twice: once to leave the old AD domain and once to join the new AD domain.


Hi @EnterpriseArchitect

Since this question is related to Active Directory, I have removed the tag “office-exchange-hybrid-itpro”.
Thanks for your understanding.

GaryReynolds answered GaryReynolds edited

The ADMT docs provide some of the details on the migration approach, but there is plenty of other content, including videos, on ADMT. For large migrations I've always used Quest tools. I would recommend not using SIDHistory, as most projects fail to remove it once the migration is complete, and it can lead to problems years after the migration, i.e. token bloat. Use dual-permissioned workstations and servers before moving domains.

Gary.


Hi @GaryReynolds, regarding "dual permission": how do you create that dual-permissioned object?

GaryReynolds replied to EnterpriseArchitect:

I was referring to permissions on the member servers, i.e. file shares, etc. This will allow the user accounts in both the source and target domains to access the resources. I think the default method with ADMT is to use SIDHistory, but you might be able to do migrations without SID history; without SID history, you will need to dual-permission resources.

Whether it is necessary to add dual permissions to AD objects will depend on what services are connecting to AD and on the migration approach. I would always try to keep management\access to AD objects using target credentials, as it limits what permissions you need to add.

Gary.

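One way to do the "dual permission" step Gary describes on a file share, as an added example that is not code from the thread: for every explicit NTFS ACE granted to a source-domain principal, add a matching ACE for the same-named principal in the target domain, so access keeps working before and after cutover without relying on SIDHistory. It assumes a trust exists so the member server can resolve target-domain names, that ADMT has already created the target accounts/groups with the same sAMAccountName, and the share path and domain names below are placeholders.

```powershell
# Added example: mirror explicit NTFS ACEs from source-domain principals onto the
# same-named target-domain principals ("dual permissioning" a share).
# Assumptions: a trust lets this server resolve TARGET\name, and ADMT has already
# created each target principal with the same sAMAccountName as the source one.
function Add-DualDomainAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,          # e.g. \\fs01\Finance (placeholder)
        [Parameter(Mandatory)] [string] $SourceDomain,  # NetBIOS name, e.g. CHILD1 (placeholder)
        [Parameter(Mandatory)] [string] $TargetDomain   # NetBIOS name, e.g. PARENTCOMPANY (placeholder)
    )
    $acl   = Get-Acl -Path $Path
    $added = 0
    # Snapshot the ACE list: we add rules to $acl while iterating.
    foreach ($ace in @($acl.Access)) {
        if ($ace.IsInherited) { continue }               # inherited ACEs are fixed at the parent
        $id = $ace.IdentityReference.Value               # e.g. CHILD1\Finance-RW
        if ($id -notlike "$SourceDomain\*") { continue } # only source-domain principals
        $account  = $id.Split('\')[1]
        $targetId = "$TargetDomain\$account"
        # Idempotent: skip if an equivalent target-domain ACE is already present.
        $dup = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $targetId -and
            $_.FileSystemRights       -eq $ace.FileSystemRights -and
            $_.AccessControlType      -eq $ace.AccessControlType
        }
        if ($dup) { continue }
        # Resolve the target principal first; an unresolvable name means ADMT has
        # not migrated it yet, so report it rather than writing a dangling ACE.
        $ntAccount = [System.Security.Principal.NTAccount]::new($targetId)
        try { $null = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { Write-Warning "Target principal $targetId does not resolve; skipping"; continue }
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $ntAccount, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.AddAccessRule($rule)
        $added++
    }
    if ($added -gt 0 -and $PSCmdlet.ShouldProcess($Path, "add $added target-domain ACE(s)")) {
        Set-Acl -Path $Path -AclObject $acl
    }
    return $added   # number of mirrored ACEs (also counted under -WhatIf)
}

# Dry run first, then apply:
# Add-DualDomainAccess -Path '\\fs01\Finance' -SourceDomain 'CHILD1' -TargetDomain 'PARENTCOMPANY' -WhatIf
```

For Gary's other point, `Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory` lists the objects still carrying SIDHistory after cutover, which is the attribute that needs clearing once dual permissions are in place.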
LimitlessTechnology-2700 answered

Hi there,

I would recommend that you set up a trust between the forests and use the Active Directory Migration Tool (ADMT) to migrate users (including service accounts), groups, and computers (including member servers). To copy the organizational unit structure you can use PowerShell or LDIFDE.

We can use ADMT and FSMT for the migration to the parent domain. I recommend that you test-migrate a few users with ADMT and check the result.

Some useful articles that might give you some insight are listed below.
Consolidating 7 different AD forests to single forest with multiple AD trees https://techcommunity.microsoft.com/t5/windows-server-for-it-pro/consolidating-7-different-ad-forests-to-single-forest-with/m-p/281737

Deployment and operation of Active Directory domains that are configured by using single-label DNS names https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/deployment-operation-ad-domains

Moving all objects in AD across domains in separate forests https://social.technet.microsoft.com/Forums/en-US/b3d163d0-7a1c-4e44-b2f1-43a311559b46/moving-all-objects-in-ad-across-domains-in-separate-forests?forum=winserverDS


-- If the reply is helpful, please upvote and accept it as an answer --
