Over 90% of the global Fortune 1000 use Microsoft Active Directory (AD) for environment organization and authentication. This makes AD migration success vital to keeping these organizations running daily.
SMEs and global enterprises have thousands of objects, policies, dependencies, devices, and applications in a constant state of change. The result is a major challenge in gaining an accurate picture of AD to ensure a successful migration. By understanding the process and challenges of active directory migration, organizations can see how infrastructure mapping plays a crucial role in the migration process. (For more information, see The Complete Guide to Application Mapping.)
AD is the gatekeeper for identity and access: it authenticates users and computers and authorizes their access to IT resources according to the permissions the administrator has defined. It does not route network traffic; what it governs is who can log on and what each identity is allowed to touch.
The Primary Reasons for Active Directory Migration
Organizations undergo AD migrations for a variety of reasons, including a domain rename or restructuring, merging two AD environments into one during an M&A process, or domain controller server upgrades. Any of these can stay on-premises or involve moving from an on-premises Active Directory environment toward Azure Active Directory (now Microsoft Entra ID), which is a cloud identity service with a different object model rather than a like-for-like replacement for AD DS. Organizations can undergo a migration for one of these scenarios or for several in combination.
The general process of AD migration seems simple on the surface with the right automated Active Directory migration tool. However, things get much more complex when factoring in the constantly changing devices, databases, applications, and user permissions. Shadow IT adds to the challenge: applications and devices introduced without IT's knowledge may still depend on AD for authentication, and in a remote-workforce or bring-your-own-device (BYOD) environment devices can go undiscovered or carry outdated permissions.
Since Active Directory migrations are critical to business operations, the migration process cannot introduce flaws. These could interrupt business operations and lead to major productivity and business process losses. But to understand why mapping is so important to a successful AD migration requires a review of Active Directory and its use across the organization.
The Importance of Active Directory Domain Services
The actual power of AD’s access and permissions lies in Active Directory Domain Services (AD DS). On-premises environments such as data centers run AD DS on their own domain controllers, whereas cloud-hosted Windows workloads can use Azure AD DS (now Microsoft Entra Domain Services), a Microsoft-managed domain that exposes the same LDAP, Kerberos and NTLM interfaces without the organization operating domain controllers itself. Organizations can use both in hybrid cloud environments.
AD DS and Azure AD DS provide a wealth of benefits that enable smooth business operations. The top benefits include a centralized location for the administration of security and resources, Kerberos-based single sign-on (SSO) to domain resources, and easy resource identification through the directory and the global catalog.
A Single Source of Environmental Control
AD DS stores and manages information about network resources and the identities that use them, and it plays the central security role by authenticating logons and controlling access to directory resources. It lets administrators arrange the objects on the network, such as computers, users and groups, into a hierarchy.
The unit of that hierarchy is the domain: a partition of the directory database that holds user, computer and group objects, with organizational units (OUs) inside it to group those objects for delegated administration and Group Policy. Domains that share a contiguous DNS namespace form a tree, and a forest holds one or more trees that share a common schema, configuration partition and global catalog. Trusts, which exist automatically between the domains of a forest and can be created between forests, are what allow an identity in one domain to be authenticated and authorized in another.
Important Domain Services
AD DS itself is the domain service that clients use to authenticate and to communicate with domain controllers. Active Directory Lightweight Directory Services (AD LDS) is a stand-alone LDAP directory for applications that need directory storage and authentication without the domain infrastructure: several instances can run on one server, it needs no domain controller, and because it speaks plain LDAP it serves applications on any platform. Non-Windows members such as Linux hosts normally join AD DS directly (for example via SSSD or Samba winbind) rather than through AD LDS.
Active Directory Federation Services (AD FS) provides claims-based single sign-on and federation to applications that do not use Kerberos directly, including web and SaaS applications outside the domain, along with the policies that control which claims and which users reach them. Active Directory Certificate Services (AD CS) is the in-house public key infrastructure: it issues and manages the digital certificates that users, computers, services and domain controllers use for smart-card logon, LDAPS, code signing and similar purposes.
Domain controllers, physical or virtual servers that host AD DS, process authentication and authorization requests. Changes made on any writable domain controller replicate to every other one (multi-master replication). Domain controllers that are also global catalog servers keep a partial copy of every object in the forest so that users and applications can locate objects in other domains; the first domain controller in a forest is a global catalog by default, and a production forest should have several. Five operations master (FSMO) roles, two per forest and three per domain, are each held by exactly one domain controller at a time and must be accounted for in any migration.
This overview of AD DS is the foundation of understanding Active Directory migration.
What Is Active Directory Migration?
As discussed earlier, there are many reasons for an Active Directory migration, such as moving from on-premises to cloud, M&A consolidation, server upgrades, or a domain rename or restructuring. Whatever the trigger, every migration is a form of consolidation or restructuring: objects are moved from one or more source domains into a target domain, whether that target is newly built or an existing domain that absorbs the others.
Moving users, computers and applications to a new domain is a complex process, because a production AD DS environment can hold thousands of objects with countless attributes and dependencies between them. Domain names and the directory schema are the foundation of the directory, so they are hard to change, and the references to the old domain name embedded in applications, scripts and connection strings are where migrations most often break.
Document the Organization’s Desired End State
Carefully plan the migration and define your use cases; identify which departments can best tolerate disruption, since they make suitable pilots for the first wave. The organization must start with a clear blueprint for its post-migration end state. Group policies, group policy objects, forest and domain-level configuration, and the applications and scripts connected to AD may require changes, so analysis of the current directory configuration is imperative. IT leaders may also need to consider other business and legal requirements that come into play in M&A.
Clean the Current AD Environment
Mapping of the current IT infrastructure and AD environment will inform the desired state of post-migration AD. This will reveal any areas that need cleanup or right-sizing such as permissions, inactive accounts, etc. It’s important to involve department heads in this process for granular insight that admins can merge into their view.
Have a Rollback and Recovery Plan
It’s imperative to develop a backup, rollback, and recovery plan to move past any problems that occur during the migration process. The process itself should start with a test environment if workable to mirror the production environment before the cutover.
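The following PowerShell is an added example of the safety net this section calls for, not code from the original article or from any migration product. It assumes the RSAT ActiveDirectory module, a forest root of corp.example.com and a backup volume E:, all of which are placeholders.

```powershell
# Added example, not from the original article: backup and rollback safety net before cutover.
# Assumptions: corp.example.com is the forest root and E: is the backup target (placeholders).
Import-Module ActiveDirectory

$forestRoot = 'corp.example.com'

# 1. Enable the AD Recycle Bin (forest-wide and irreversible) so that objects deleted
#    by a script or tool keep their attributes and group memberships and can be
#    restored in place instead of through an authoritative restore.
$recycleBin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $recycleBin.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forestRoot -Confirm:$false
}

# 2. System state backup of this domain controller (NTDS database, SYSVOL, registry).
#    The Recycle Bin covers object-level mistakes; only the system state backup
#    covers a corrupted or lost domain controller.
Install-WindowsFeature Windows-Server-Backup | Out-Null
wbadmin start systemstatebackup -backupTarget:E: -quiet

# 3. Rehearse the object-level rollback in the test environment: pick one tombstoned
#    object and show what a restore would do. Drop -WhatIf during a real incident.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent |
    Select-Object -First 1
if ($deleted) {
    Restore-ADObject -Identity $deleted.ObjectGUID -WhatIf
}
```

Run the system state backup on every domain controller that will be touched, not only the one holding the FSMO roles, and keep one backup from before the first object is moved so that an authoritative restore remains possible.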
Use an Active Directory Migration Tool
An Active Directory migration tool removes manual steps and the errors and security gaps that come with them while simplifying the process. Microsoft’s own Active Directory Migration Tool (ADMT) migrates users, groups and computers between domains and remains the baseline for on-premises work; Azure AD Connect (now Microsoft Entra Connect) is a synchronization tool that projects on-premises identities into Azure AD / Entra ID rather than a domain-to-domain migration tool, so it complements ADMT rather than replacing it.
Countless organizations use Quest Migration Manager for Active Directory along with BitTitan, AvePoint, CodeTwo, Transcend, SysTools, or Proventeq. Others include SkySync, Tervela, CloudM, SkyKick, Dell SecureCopy, Sys-Manage CopyRight2, NetIQ Domain Migration Administrator, and Binary Tree Migrator Pro. All available tools bring unique features, pros, and cons that depend on each organization’s needs.
Communication across the organization is key to a successful migration to gain support and input from end users and stakeholders. Like every migration, risk is always a factor, so organizations should look for ways to reduce that risk, such as via phased migrations. Skipping ahead to the post-migration phase, organizations will need to validate and clean up the new environment where needed to make sure all data and workloads are present and operating as expected.
Make Sure the Discovery Phase is Comprehensive
It’s vital to perform a thorough discovery that includes group policy reviews, device deployment, user/group changes, mailbox provisioning, HR onboarding and offboarding applications, and IT scripts for AD object cleanups. Also, check device registration and management parameters such as encryption settings and VPN certificates.
Organizations should check for SSO, identity access management (IAM), and multi-factor authentication for possible upgrade needs. They should also look for shadow IT and any non-Windows systems that may rely on AD.
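The structure described under Important Domain Services (forest, domains, domain controllers, global catalogs, FSMO roles, trusts) and the discovery items listed in this section can be enumerated from any domain-joined workstation with the RSAT tools. The following PowerShell is an added example, not code from the original article or from any migration product; the 90-day inactivity threshold and the output path are assumptions.

```powershell
# Added example, not from the original article: pre-migration AD discovery report.
# Requires the RSAT ActiveDirectory and GroupPolicy modules and read access to the directory.
# Assumptions: 90-day inactivity threshold and .\ad-discovery-*.csv output (placeholders).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$inactive = [TimeSpan]::FromDays(90)
$report   = [ordered]@{}

# Forest-wide facts: functional level, every domain, every global catalog
# and the two forest-wide FSMO role holders.
$forest = Get-ADForest
$report['Forest'] = [pscustomobject]@{
    Name               = $forest.Name
    ForestMode         = $forest.ForestMode
    Domains            = $forest.Domains -join ';'
    GlobalCatalogs     = $forest.GlobalCatalogs -join ';'   # normally several, never just one
    SchemaMaster       = $forest.SchemaMaster
    DomainNamingMaster = $forest.DomainNamingMaster
}

# Per-domain facts, including the three domain-wide FSMO role holders.
$report['Domains'] = foreach ($name in $forest.Domains) {
    $dom = Get-ADDomain -Identity $name
    [pscustomobject]@{
        Domain               = $dom.DNSRoot
        NetBIOSName          = $dom.NetBIOSName
        DomainMode           = $dom.DomainMode
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

# Domain controllers of the current domain: site, address, OS, GC and RODC flags.
# Repeat with -Server <dc> for each other domain in a multi-domain forest.
$report['DomainControllers'] = Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IPv4Address, OperatingSystem, IsGlobalCatalog, IsReadOnly

# Trusts: direction and transitivity decide what breaks when a domain is merged or retired.
$report['Trusts'] = Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, IntraForest, TrustType

# Stale users and computers: clean these up before objects are moved, not after.
$report['StaleUsers'] = Search-ADAccount -AccountInactive -UsersOnly -TimeSpan $inactive |
    Select-Object SamAccountName, LastLogonDate, Enabled
$report['StaleComputers'] = Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan $inactive |
    Select-Object Name, LastLogonDate, Enabled

# Non-Windows systems joined to the domain (Linux via SSSD/Samba, NAS, appliances)
# authenticate against AD too and are easy to miss; the operatingSystem attribute exposes them.
$report['NonWindows'] = Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem |
    Where-Object { $_.OperatingSystem -and $_.OperatingSystem -notmatch 'Windows' } |
    Select-Object Name, DNSHostName, OperatingSystem

# Every GPO in the domain; each must be re-created or re-linked in the target.
$report['GroupPolicy'] = Get-GPO -All |
    Select-Object DisplayName, Id, GpoStatus, ModificationTime

# One CSV per section; review the stale and non-Windows lists with department owners.
foreach ($section in $report.Keys) {
    @($report[$section]) | Export-Csv -NoTypeInformation -Path ".\ad-discovery-$section.csv"
}
```

The output answers the questions the checklist below depends on: where the FSMO roles and global catalogs live, which trusts the new structure must preserve, and which objects should be retired before anything is moved.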
Develop an Active Directory Checklist
As part of your Active Directory migration strategy, every organization should develop an AD migration checklist. This provides an ongoing guide to ensure that the organization doesn’t overlook any aspects of the process.
The following checklist, as recommended by Microsoft, is a good start when planning your Active Directory migration:
- List of requirements to migrate
- Existing AD health check
- Migration plan
- Check of all physical and virtual resources for the domain controller
- A supported Windows Server version (e.g., Windows Server 2022 Standard) installed on the new domain controllers
- Windows update patches applied
- Dedicated domain controller IP address
- AD DS role installed
- Application and server roles migrated from existing domain controllers
- FSMO roles migrated to new domain controllers
- New domain controllers added to monitoring system and DR solution
- All old domain controllers decommissioned
- Domain and forest functional levels raised once no down-level domain controllers remain
- Maintenance schedule for review of group policy, new features, and AD infra fixes
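The domain-controller items on the checklist (role install, health check, FSMO transfer, global catalog check, decommissioning, functional levels) map onto a short sequence of PowerShell commands. The following is an added example, not from the original article or from Microsoft; NEWDC01, OLDDC01, corp.example.com and the Default-First-Site-Name site are placeholders, and it must run as an Enterprise Admin.

```powershell
# Added example, not from the original article: domain-controller steps from the checklist.
# Placeholders: corp.example.com, NEWDC01, OLDDC01, Default-First-Site-Name.
Import-Module ActiveDirectory

$domain = 'corp.example.com'
$newDc  = "NEWDC01.$domain"
$oldDc  = "OLDDC01.$domain"

# --- Phase 1, on the patched server with its dedicated static IP: install the role and promote.
#     Promotion reboots the server, so phase 2 runs after the reboot. ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName $domain -InstallDns -SiteName 'Default-First-Site-Name' `
    -Credential (Get-Credential "$domain\Administrator") `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) -Force

# --- Phase 2: health check. No replication errors may exist before any role moves. ---
repadmin /replsummary
dcdiag /s:$newDc /q

# Transfer all five FSMO roles. A transfer needs the current holder online; -Force would
# seize the roles and is only for a holder that is gone for good (never bring it back afterwards).
Move-ADDirectoryServerOperationMasterRole -Identity $newDc -OperationMasterRole `
    SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

# Verify: every role must now answer with the new DC, and the new DC must be a global catalog.
$f = Get-ADForest
$d = Get-ADDomain -Identity $domain
$holders = @($f.SchemaMaster, $f.DomainNamingMaster, $d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster)
$wrong = $holders | Where-Object { $_ -ne $newDc }
if ($wrong) { throw "FSMO roles still held elsewhere: $($wrong -join ', ')" }
if (-not (Get-ADDomainController -Identity $newDc).IsGlobalCatalog) { throw "$newDc is not a global catalog" }

# Decommission the old DC. This command runs ON $oldDc itself, only after DNS and client
# settings no longer point at it and it has been removed from monitoring and DR jobs:
#   Uninstall-ADDSDomainController -LocalAdministratorPassword (Read-Host 'Local admin password' -AsSecureString) -Force

# Functional levels last: raising them is not reversible and requires every down-level DC to be gone.
Set-ADForestMode -Identity $domain -ForestMode Windows2016Forest -Confirm:$false
Set-ADDomainMode -Identity $domain -DomainMode Windows2016Domain -Confirm:$false
```

Run repadmin /replsummary again after the transfer and after the demotion; a role transfer that has not replicated to every remaining domain controller is the most common cause of the "RID pool exhausted" or "schema master unavailable" surprises that appear days after a cutover.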
This checklist is a reminder of each primary step in the Active Directory migration, which should be backed by detailed processes in the full plan and strategy. While each step in the checklist and the plan is crucial, their success and that of the overall migration hinges on the comprehensive discovery and mapping of the objects and dependencies in the IT infrastructure.
Why IT Infrastructure Mapping Is Important to Active Directory Migration
This post has summarized the AD migration process and the reasons an organization would undergo one. It has also shown that the complexity of discovery is a primary factor that can make or break the migration’s success. Enterprises undergoing M&A inherit a second environment they did not build, which multiplies the opportunities to miss devices, applications, workloads, and even databases.
The same holds true for domain renames and Windows Server upgrades. Many organizations find that the evolution of their AD environment has left it inefficient, unmanageable, and unresponsive for end users while being difficult for IT and admins to manage, update, and provision.
Active Directory Migration Tools Are Not Enough
Even the most comprehensive migration tool moves only what it is pointed at; it cannot discover every device, application and dependency in the environment on its own. Mapping the IT infrastructure with a dedicated automated discovery and mapping tool is therefore essential to success. Devices that still authenticate against an old or misconfigured domain controller may be invisible to the migration tool, but the right network mapping and IT infrastructure mapping tool can reveal them.
The evolution of business operations, devices, users, applications, and access permissions is an ongoing part of every organization. This makes having a standalone, cloud-based discovery and mapping solution necessary to help the organization and IT stay one step ahead of changes.
Lack of Visibility and Historical System Knowledge
Mapping the organization’s many AD DS forests is a must since the structure changes and there may be no one currently on staff with a complete understanding of that structure. That can mean not knowing where all domain controllers are located and not having a clear map of the forest and each domain. Mapping is an essential part of the pre-migration process, as it can provide direction on how the organization can optimize the structure of the new domain.
The right tool can inform service mapping and discovery to help with the most crucial parts of AD DS, which are SSO, IAM, and permissions. The goal is to make sure that applications dependent on security management from Active Directory are visible, accurate, and in place, so users have the right post-migration access.
Applications often run under service accounts: a SQL Server instance, for example, runs its database engine under one and registers Kerberos service principal names (SPNs) for it. Those accounts, their SPNs and any delegation settings must be recreated in the target domain and the applications pointed at them. Identity platforms such as Okta keep their own directory and link to Active Directory through an agent, so the integration may need to be reconfigured by hand to preserve access.
Having the right agentless IT infrastructure discovery and mapping solution such as Faddom can make sure that every device, object, and dependency is visible before Active Directory migrations. This sets the organization up for a smooth migration and ongoing visibility as it develops on-premises and in the cloud.
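The service-account dependencies described above can be inventoried directly from the directory, because every Kerberos-authenticated service is tied to an account through its SPNs. The following PowerShell is an added example, not code from the original article or from any product; it assumes the RSAT ActiveDirectory module, and old.corp.example.com is a placeholder for the source domain being migrated away from.

```powershell
# Added example, not from the original article: map the service accounts and Kerberos SPNs
# that applications (SQL Server, web apps, file services) depend on.
# Assumption: old.corp.example.com is the source domain's DNS suffix (placeholder).
Import-Module ActiveDirectory
$sourceSuffix = 'old.corp.example.com'

# Users and (group) managed service accounts that carry SPNs. Computer objects are
# excluded because every domain member registers HOST/ SPNs of its own.
$accounts = Get-ADObject -LDAPFilter '(&(servicePrincipalName=*)(!(objectCategory=computer)))' `
    -Properties servicePrincipalName, objectClass, userAccountControl, 'msDS-AllowedToDelegateTo'

$TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl bit for unconstrained delegation

$map = foreach ($acct in $accounts) {
    foreach ($spn in $acct.servicePrincipalName) {
        $service, $target = $spn -split '/', 2          # e.g. MSSQLSvc / sql01.old.corp.example.com:1433
        $spnHost = ($target -split ':')[0]
        [pscustomobject]@{
            Account                 = $acct.Name
            ObjectClass             = $acct.ObjectClass
            Service                 = $service          # MSSQLSvc, HTTP, CIFS, ...
            Host                    = $spnHost
            SPN                     = $spn
            # SPNs bound to the source DNS suffix must be re-registered after the move
            NeedsReregistration     = $spnHost -like "*.$sourceSuffix"
            # Unconstrained delegation on a migrated service account is a classic
            # privilege-escalation path; review it instead of carrying it over blindly.
            UnconstrainedDelegation = [bool]($acct.userAccountControl -band $TRUSTED_FOR_DELEGATION)
            ConstrainedDelegationTo = ($acct.'msDS-AllowedToDelegateTo' -join ';')
        }
    }
}

$map | Sort-Object Account, SPN | Export-Csv -NoTypeInformation -Path .\spn-dependencies.csv

# Duplicate SPNs anywhere in the forest break Kerberos for both owners;
# check before the migration and again after the accounts have been re-created.
setspn -X -F
```

Rows with NeedsReregistration set are the applications that will fall back to NTLM or fail outright after the cutover unless their SPNs are re-registered against the new account, and every row with UnconstrainedDelegation set deserves a conversation with the application owner before it is recreated in the target domain.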