For anything but the smallest of networks, migrating to a new Active Directory (AD) domain can be a complex affair. You need to move users and network resources and modify desktop profiles to work with the new domain while simultaneously ensuring that users have seamless access to resources in both the old and new domains. Although it's possible to use Microsoft's free Active Directory Migration Tool (ADMT) to carry out complex migration projects, you'll find that for all but the simplest scenarios, it lacks some important features, such as the ability to migrate Security Descriptors (SDs) on organizational units (OUs), and has limited rollback capabilities. When undertaking an AD migration, it's all about planning and trying to minimize risk.

Once you get to the point where there are so many objects to migrate that it's not possible to move everything in one operation, having source and target domains co-exist for a period of time allows for a phased migration. Migrating users based on how they work with each other and migrating resources based on how they're used often makes more sense than planning a migration around the physical location of objects. For these complex migration projects, you might consider using an AD migration tool, such as NetIQ Domain Migration Administrator or Quest Migration Manager for Active Directory. I recently evaluated these two products on the basis of how easy they are to install and use, their features, and their documentation.

NetIQ Domain Migration Administrator

NetIQ Domain Migration Administrator is easy to install, although a SQL Server 2008 Enterprise, Standard, or Express database must be installed separately. You can install Domain Migration Administrator on any Windows server or client OS starting with Windows 2000 (Win2K) SP1. Agents can be deployed to any version of Windows starting with Win2K.

Figure 1 shows Domain Migration Administrator's GUI. Like ADMT, Domain Migration Administrator requires that you meet various prerequisites before an AD migration, such as creating secondary DNS zones so that source and target domains can be discovered, creating a trust between the two domains, and establishing the necessary cross-domain administrator permissions. Domain Migration Administrator doesn't walk you through these steps, but all the necessary information can be found in the documentation. Failure to meet the prerequisites results in basic operations failing, with cryptic, unhelpful error messages. Assuming the basic requirements have been met, Domain Migration Administrator offers to complete some other necessities on your behalf, such as creating AD$$$ groups and configuring auditing in each domain.

Figure 1: Domain Migration Administrator GUI

AD objects can be renamed in the target domain if required, and you can specify how Domain Migration Administrator should deal with naming conflicts. Objects in the source domain can also be set to auto-expire. After the user accounts are migrated, Domain Migration Administrator can either create new passwords or copy users' existing passwords to a password server in the target domain.

Domain Migration Administrator includes database modeling, which lets you perform a trial migration to see what the potential results will be in the target domain. You'll be able to see what problems there might be and eliminate them from the actual migration. You can also use the database to clean up object information before importing it into the target domain, as Domain Migration Administrator pulls data from the source domain and uses the database as a temporary repository. Agents are dispatched to workstations to deal with migrating desktop profiles to work with the source domain.


NetIQ Domain Migration Administrator
PROS: Easy to set up; includes database modeling
CONS: Support for migrating application servers must be purchased separately; one-way directory synchronization
RATING: 4 out of 5
PRICE: $1,000 per 100-user license pack
RECOMMENDATION: A good choice for projects in which the requirements are clear and AD data needs to be cleaned up before migrating to a new domain.
CONTACT: NetIQ • 888-323-6768 or 713-548-1700 • www.webactivedirectory.com


Quest Migration Manager for Active Directory

Quest Migration Manager for Active Directory has a slightly different architecture than Domain Migration Administrator. Migration Manager uses Active Directory Application Mode (ADAM) to store migration information, which enables directory synchronization between the source and target domains. The Migration Manager installer package automatically installs ADAM if you choose the express install. The express install will also install SQL Server 2005 Express, which is needed if you intend to migrate Microsoft Exchange objects. However, there is one caveat: Even if you don't intend to migrate Microsoft Exchange objects, the installation will fail if the Microsoft Exchange Server Messaging API (MAPI) client and Collaboration Data Objects (CDO) 1.2.1 aren't present. Migration Manager requires that source and target domains be Win2K SP2 or higher. Agents can be deployed to Windows Server or client OSs starting with Win2K.

I found Migration Manager's documentation to be comprehensive, although some topics weren't in a logical location. The Help files also include examples of commands that can be run to configure some of the prerequisites, such as disabling SID filtering and configuring the Windows Server firewall. Quest also includes a tips and tricks document, which is a vital read if you've never migrated AD to a new domain before. All the requirements are neatly listed, so it's clear exactly what's required before you start your migration project.
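As an added example (not code from the article, NetIQ, or Quest), the following PowerShell checks the prerequisites described above for both products: a trust with the partner domain, a DNS zone that lets the partner domain be discovered, and the SID filtering state on the trust, which the tools need relaxed while sidHistory is migrated and which should be restored afterwards. It assumes the ActiveDirectory and DnsServer RSAT modules and uses a hypothetical partner domain name.

```powershell
# Added example: verify AD migration prerequisites from the target side.
# Assumes the ActiveDirectory and DnsServer modules (RSAT) are available
# and the caller has rights to read trusts and DNS zones.
Import-Module ActiveDirectory
Import-Module DnsServer

function Test-MigrationPrereqs {
    param(
        [Parameter(Mandatory)] [string] $PartnerDomain,  # FQDN of the other domain in the pair
        [string] $DnsServer = 'localhost'                # DNS server to inspect
    )
    $findings = @()

    # 1. A trust to the partner domain must already exist; neither tool creates it.
    $trust = Get-ADTrust -Filter "Name -eq '$PartnerDomain'" -ErrorAction SilentlyContinue
    if (-not $trust) {
        $findings += "FAIL: no trust with $PartnerDomain"
    } else {
        $findings += "OK: trust with $PartnerDomain, direction $($trust.Direction)"
        # sidHistory migration requires SID filtering (quarantine) to be relaxed on
        # the trust. Record the state so it can be re-enabled once migration is done.
        if ($trust.SIDFilteringQuarantined) {
            $findings += "INFO: SID filtering enabled on trust; sidHistory from $PartnerDomain will be dropped"
        } else {
            $findings += "WARN: SID filtering disabled on trust; re-enable after the migration completes"
        }
    }

    # 2. Name resolution: a secondary, stub, or forwarder zone for the partner domain.
    $zone = Get-DnsServerZone -Name $PartnerDomain -ComputerName $DnsServer -ErrorAction SilentlyContinue
    if (-not $zone) {
        $findings += "FAIL: DNS server $DnsServer has no zone for $PartnerDomain"
    } elseif ($zone.ZoneType -in 'Secondary', 'Stub', 'Forwarder') {
        $findings += "OK: $($zone.ZoneType) zone for $PartnerDomain on $DnsServer"
    } else {
        $findings += "WARN: $DnsServer hosts a $($zone.ZoneType) zone for $PartnerDomain; expected secondary or forwarder"
    }
    return $findings
}

# Hypothetical partner domain name; replace with the real source domain FQDN.
Test-MigrationPrereqs -PartnerDomain 'olddomain.example'
```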

Migration Manager's GUI (see Figure 2) is more streamlined than that in Domain Migration Administrator. However, the Migration Manager GUI can be a little fussy in how it accepts certain information. For example, when trying to create a new domain migration pair, you have to enter the source domain information in a specific format before the wizard allows you to continue. The Browse buttons in the wizard don't work, forcing you to enter the information manually and in the correct format, which isn't very user friendly.

Figure 2: Migration Manager GUI

Although Migration Manager doesn't have a test database, there's a test mode in which no changes are made in the target domain. Instead, a report is generated to indicate whether the migration would be successful. While it's likely you'll only need to set up one migration project, multiple migration sessions can be configured to facilitate a phased migration. Migration sessions can't be copied in the GUI, but you can import or export objects for migration, which makes it much faster to create new migration sessions.

Migration Manager can migrate user passwords to the target domain. In addition, it can automatically synchronize AD objects, such as user accounts and groups. This greatly simplifies administration when source and target domains need to coexist for a period of time in order to migrate everything. Domain Migration Administrator also has sync capabilities, but they're one-way only.

Migration Manager has built-in support for migrating resources, including Microsoft System Center Configuration Manager (SCCM) and SQL Server. This functionality must be purchased separately with Domain Migration Administrator. Scheduled tasks can also be migrated, which isn't possible with Domain Migration Administrator.


Quest Migration Manager for Active Directory
PROS: Comprehensive resource support; feature rich
CONS: Not always user friendly
RATING: 4 out of 5
PRICE: $12 per migrated user (volume licensing available)
RECOMMENDATION: Quest has the edge over NetIQ, providing a more comprehensive feature set to cope with the most complex of scenarios.
CONTACT: Quest Software • 800-306-9329 or 949-754-8000 • www.quest.com


Editor's Choice

Both products take a project-based approach to AD migration and have comprehensive reporting. I preferred Migration Manager's simpler GUI and slightly easier setup. Plus, it has superior synchronization features that give more flexibility for larger migrations that require a long coexistence period.

Domain Migration Administrator has less support for migrating certain resources (e.g., SCCM), but it's a little more user friendly. For example, it has a friendly interface for tidying up objects and their associated attribute information before they're imported into the target domain. To achieve similar results in Migration Manager, you have to create text files with the necessary mapping information.

Although both products received the same rating, only one can be named as the Editor's Choice. I've chosen Migration Manager as the Editor's Choice because its comprehensive feature set will help administrators manage a wider range of migration scenarios. Although it's slightly more expensive than Domain Migration Administrator, with the exception of Exchange, there's basic support for migrating some common network applications built into the product.