How to Migrate AD Objects from One Domain to Another – A Quick Guide
Whenever admins start searching for questions like "what is Active Directory migration", it is not long before they also want a method for it. In other words, they wish to learn how to migrate AD objects from one domain to another for an upcoming business requirement. This requirement may come up all of a sudden or build up after months of prior planning.
The problem, however, is that Microsoft's traditional method falls short of what organizations require. Not to worry: in this tutorial admins will find everything there is to know about an AD domain change, including what to do when the native method fails to deliver. Let's start by looking at the scenarios that trigger such an event in the first place.
Why Migrate Active Directory to New Domain at All?
Admins should not confuse an AD DS functional level shift with a migration, as the latter almost always involves restructuring. Admins look to migrate whenever they want to make AD management simpler, usually by combining multiple domains into one. Other than that, organizations get to this question any time they face one of the following scenarios.
- Part of a recent merger or acquisition – If you have joined forces with another organization or bought out a competitor, then there is a chance that you have to move Active Directory from one domain to another.
- Splitting a department into a separate entity – Sometimes organizations have to undergo a divestiture. After that, it is the admin's responsibility to transfer the users and computers into a separate forest.
- The organization decides on a makeover – There have been cases where companies renamed themselves to better represent themselves. After this formality admins have to carry out the background tasks to reflect the change on the official AD DS forest.
- Get rid of an old Active Directory Domain Services forest – The highly robust nature of AD has meant many organizations continued with the same setup for longer than they were supposed to. As the aging configuration no longer works as it used to, admins have no choice but to get rid of imperfectly documented delegations. This also opens up a path to a completely new AD setup from scratch.
- Move away from an unsecured AD – Another, more concerning reason is when an AD gets compromised. In that case the organization must schedule a transfer as soon as possible to avoid any data loss.
Now we are ready to set our sights on a summarised version of what an admin needs to do.
Overview of How to Migrate AD Objects from One Domain to Another Manually
It is time to start with the first part of our task.
Plan & Prep:
- See what your organization hopes to get out of moving to a new AD.
- Scan through the current system and do a health check.
- Be sure that all hardware additions are done and VMs are functional.
Setup a New AD:
- Install the Windows Server version (we recommend 2022) you are looking to upgrade to.
- Ensure that the new security patches are downloaded on the machine.
- Put a new network address on each machine.
- Install AD.
Send the Data:
- Start with the apps and domain roles.
- Then migrate FSMO roles to the new machines.
- Monitor the process and set up a disaster recovery protocol.
Wrap up:
- Retire the source.
- Raise domain level if applicable.
Stage 1: Pre-Migration Processes to Transfer AD
Here is a list of things that admins need to complete before they deploy either ADMT or PowerShell commands.
- Build a Conditional Forwarder for targetdomain.com inside the source domain's DNS.
- Direct name-resolution requests aimed at the source domain to its own DNS, and do the same for the target domain. Use nslookup to confirm the connection doesn't drop during migration.
- Add a SQL instance for ADMT if not done previously.
- Build a new trust between the domains.
For PowerShell, some prerequisites vary:
- Work in the Active Directory PowerShell module, not plain Windows PowerShell.
- Log in to the domain member with domain admin permissions or above.
- Start a PowerShell instance and enter: Add-WindowsFeature RSAT-AD-PowerShell
- After the modules are on your workstation, go and complete the user CSV list.
- Use this time to find disabled computers in Active Directory and delete them.
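The following pre-migration check script is an added example and is not part of the original post. It verifies the three Stage 1 items above that can be checked from a console (DC name resolution through the Conditional Forwarder, the inter-domain trust, and disabled computers) and assumes the RSAT AD module is installed; the domain names and the output path are placeholders.

```powershell
# Added pre-migration checks (not from the original post). Domain names and
# the CSV path are placeholders; replace them with your own values.
Import-Module ActiveDirectory

$SourceDomain = 'source.example'   # placeholder: your source domain DNS name
$TargetDomain = 'target.example'   # placeholder: your target domain DNS name

# 1. Name resolution: the Conditional Forwarder must make the other domain's
#    domain controllers resolvable. The DC locator SRV record is the real test,
#    not just a ping of the domain name.
foreach ($d in $SourceDomain, $TargetDomain) {
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$d" -Type SRV -ErrorAction Stop
        $count = @($srv | Where-Object Type -eq 'SRV').Count
        Write-Host ("[OK]   {0}: {1} DC SRV record(s) found" -f $d, $count)
    } catch {
        Write-Warning ("[FAIL] {0}: DC SRV lookup failed - check the Conditional Forwarder" -f $d)
    }
}

# 2. Trust: the trust created in Stage 1 must exist and point at the target.
$trust = Get-ADTrust -Filter "Target -eq '$TargetDomain'" -ErrorAction SilentlyContinue
if ($trust) {
    Write-Host ("[OK]   Trust to {0}: direction={1}, forest transitive={2}" -f
        $trust.Target, $trust.Direction, $trust.ForestTransitive)
} else {
    Write-Warning "[FAIL] No trust object found for $TargetDomain"
}

# 3. Stale objects: list disabled computers, export the list for review, and
#    only simulate the deletion (-WhatIf) so nothing is removed by accident.
$disabled = Get-ADComputer -Filter 'Enabled -eq $false' -Properties LastLogonDate |
    Sort-Object LastLogonDate
$disabled | Select-Object Name, LastLogonDate, DistinguishedName | Format-Table -AutoSize
$disabled | Export-Csv -Path 'C:\scripts\disabled-computers.csv' -NoTypeInformation  # placeholder path
$disabled | Remove-ADComputer -WhatIf
```

Drop the -WhatIf on the last line only after the exported list has been reviewed.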
Stage 2: Migration of Active Directory Via Manual Means
- Step 1. Install the ADMT and proceed by typing in the admin credentials.
- Step 2. Press Action, choose User Account Migration Wizard, and hit Next.
- Step 3. Pick source and target Active Directory domains, then click Next.
- Step 4. Mark “Select Users” from the Domain.
- Step 5. Add and pick the users to be migrated, and click OK.
- Step 6. Mark chosen user accounts and press Next.
- Step 7. Pick the destination Organizational Unit (OU) and proceed.
- Step 8. Check details and press Finish. Let the migration complete on its own.
- Step 9. Go to the destination domain and manually perform the checks.
PowerShell Script
# Import new user data from the pre-made CSV file
$importedUserData = Import-Csv "C:\scripts\ad-users-new.csv"

foreach ($userData in $importedUserData) {
    # Get all user properties from the CSV row
    $userName              = $userData.userName
    $userPassword          = $userData.password
    $userFirstName         = $userData.firstName
    $userLastName          = $userData.lastName
    $userDepartment        = $userData.department
    $userOU                = $userData.ou
    $userSid               = $userData.sid
    $userPrincipalName     = $userData.userPrincipalName
    $userDistinguishedName = $userData.distinguishedName

    # See if there is an existing user in Active Directory
    if (Get-ADUser -Filter "SamAccountName -eq '$userName'") {
        # Warn if user already exists
        Write-Warning "A user account '$userName' already exists in Active Directory."
    } else {
        # Build new user account. New-ADUser has no -DistinguishedName or -SID
        # parameter: the DN is derived from -Name and -Path, and the SID is
        # assigned by the target domain. The source SID can only be carried over
        # as sIDHistory (which ADMT handles), so $userSid and
        # $userDistinguishedName are kept for reference and logging only.
        New-ADUser `
            -SamAccountName $userName `
            -UserPrincipalName $userPrincipalName `
            -Name "$userFirstName $userLastName" `
            -GivenName $userFirstName `
            -Surname $userLastName `
            -Enabled $true `
            -ChangePasswordAtLogon $true `
            -DisplayName "$userLastName, $userFirstName" `
            -Department $userDepartment `
            -Path $userOU `
            -AccountPassword (ConvertTo-SecureString $userPassword -AsPlainText -Force)
    }
}
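Before running the bulk script above it pays to validate the CSV, since a missing column or a non-existent OU only surfaces as a cryptic New-ADUser error halfway through the list. The pre-flight check below is an added example, not code from the original post; it assumes the same column names as the script and uses placeholder values for the CSV path and the target UPN suffix.

```powershell
# Added CSV pre-flight validation (not from the original post). Path and UPN
# suffix are placeholders. Note that this CSV carries plaintext initial
# passwords: keep it on an ACL-restricted path and delete it after use.
Import-Module ActiveDirectory

$CsvPath         = 'C:\scripts\ad-users-new.csv'   # placeholder path
$TargetUpnSuffix = 'target.example'                 # placeholder UPN suffix
$Required        = 'userName','password','firstName','lastName','department','ou','userPrincipalName'

$rows     = @(Import-Csv -Path $CsvPath)
$problems = New-Object System.Collections.Generic.List[string]

# Column check: a missing column silently yields empty values in the bulk script.
$missing = $Required | Where-Object { $_ -notin $rows[0].PSObject.Properties.Name }
if ($missing) { $problems.Add("Missing column(s): $($missing -join ', ')") }

# Duplicate SamAccountNames inside the CSV itself.
$rows | Group-Object userName | Where-Object Count -gt 1 |
    ForEach-Object { $problems.Add("Duplicate userName in CSV: $($_.Name)") }

$ouCache = @{}
foreach ($r in $rows) {
    # sAMAccountName must be non-empty and at most 20 characters.
    if (-not $r.userName -or $r.userName.Length -gt 20) {
        $problems.Add("Bad userName '$($r.userName)' (empty or longer than 20 chars)")
    }
    # The UPN suffix must be one the target domain actually owns.
    if ($r.userPrincipalName -notlike "*@$TargetUpnSuffix") {
        $problems.Add("UPN '$($r.userPrincipalName)' does not end in @$TargetUpnSuffix")
    }
    # The destination OU must exist before New-ADUser -Path can use it.
    if (-not $ouCache.ContainsKey($r.ou)) {
        try   { Get-ADOrganizationalUnit -Identity $r.ou -ErrorAction Stop | Out-Null; $ouCache[$r.ou] = $true }
        catch { $ouCache[$r.ou] = $false }
    }
    if (-not $ouCache[$r.ou]) { $problems.Add("OU not found: $($r.ou)") }
    # Accounts already in the target will be skipped by the bulk script; flag them now.
    if (Get-ADUser -Filter "SamAccountName -eq '$($r.userName)'") {
        $problems.Add("Already exists in target: $($r.userName)")
    }
}

if ($problems.Count) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Host "CSV failed validation with $($problems.Count) issue(s); fix them before running the bulk script."
} else {
    Write-Host "CSV passed validation: $($rows.Count) user(s) ready to create."
}
```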
Seeing this multi-stage process, admins might wonder whether there is an easier alternative. The good news is that there is; let's see what it is.
Bypass Manual Migration Migraines with A Professional Utility
For administrators and their organizations, the best option is to choose the SysTools Active Directory Migration Tool as their solution. With its latest version, admins get access to new features in password management and device readiness.
Other than that, the GUI-based dashboard of this tool makes it a lot easier for newly appointed admins to carry out this AD migration.
Go through the instructions outlined here to use the tool yourself.
How to Migrate AD Objects from One Domain to Another Step by Step?
Step 1. Launch the tool on your workstation and get to the dashboard by typing "administrator" in the username and password fields.
Step 2. Click the "REGISTER DOMAIN CONTROLLER" button if you are adding a domain for the first time; next time, use the icon at the top right. On the next screen, register the source and target domain controllers.
Step 3. Type the Domain Friendly Name and the IP address in the Popup window and press Save & Continue.
Step 4. Click on the domain you registered to go to the domain details page. Under the Info section, fill in admin-level credentials. Then press Save & continue.
Step 5. Toggle the Active Directory tab and fetch all objects residing in the source AD.
Step 6. Repeat the tasks done from Step 2 – Step 5 for the other (target) Active Directory domain.
Step 7. Open the Migration screen and click "create migration scenario". Set a name for this migration and put the registered domains as the appropriate endpoints.
Step 8. Next, go to the Task subsection and hit the Create Task button. Pick the items you want for the destination from here.
Step 9. After completing the selections, hit the Create button and move AD from the old to a new domain.
Step 10. Start the mapping when objects are viewable, hit the start task button, and confirm on the popup window by hitting Start.
Why use the Tool to Migrate the Active Directory to a New domain?
Here is a list of reasons why this tool is the ADMT alternative to choose:
- Shift all users, computers, groups, printers, shared folders, and OUs from one AD to the next.
- Keep user profile data as it is when you move them across computers.
- Use premade CSV templates to map users between source and target accurately.
- The CSV file mapping method to link AD endpoints is available in the tool.
- Get the option to create new accounts or merge the ones already present.
- Maintain properties of AD users and Computers during the migration.
- Maintain SID history even after the migration which allows domain co-existence.
- Multiple options to manage user-level passwords while migrating AD objects from one domain to another, including:
  - Set Default Password: Choose a temporary default password.
  - Bidirectional Password Sync: Link passwords between the endpoints.
  - Set Existing Password: Keep all passwords intact.
  - Password Sync: Put custom passwords in the destination.
  - No Password Handling: Ignore the passwords altogether.
- Apply VPN for conducting network connectivity checks and do away with manual computer migration.
- Enjoy near-native compatibility across operating systems, from Windows 10 and 11 to every Windows Server domain edition from 2012 R2 onwards.
- Provision to restart the computers right after migration is done.
Conclusion
In this blog post, users got a sure-shot way of learning how to migrate AD objects from one domain to another with minimum disruption. We started by highlighting the instances that trigger the movement of AD, then covered the traditional approach and the problems it poses. All our findings culminated in a single point: it is in the best interest of admins to select the professional alternative for migrating Active Directory to a new domain.