Module 13: Designing Active Directory

Migrations in Windows Server 2008

Module Overview

• Choosing an Active Directory Migration Strategy

• Designing a Domain Upgrade Strategy

• Designing a Domain Restructure Strategy

Lesson 1: Choosing an Active Directory Migration Strategy

• AD DS Migration Strategies

• Criteria for Choosing a Migration Strategy

• Guidelines for Choosing the Domain Upgrade Strategy

• Guidelines for Choosing the Domain Restructure Strategy

• Guidelines for Choosing the Domain Upgrade and Restructure Strategy

AD DS Migration Strategies

Active Directory migration strategies include:

• Domain upgrade strategy

• Domain restructure strategy

• Domain upgrade and restructure strategy

Additionally, when choosing a migration strategy, consider:

• Current domain structure

• Amount of acceptable downtime

• Time and budget constraints

Criteria for Choosing a Migration Strategy

Strategy Considerations

Domain Upgrade

• No impetus for major change• No domain hierarchy to restructure (such as a single

domain forest)• Restructuring is too complex and expensive

Domain Restructure

• Current structure is too complicated• Current structure no longer satisfies the business

requirements• Will achieve cost savings over time• Business can accept risk of restructure

Domain Upgrade and Restructure

• Most likely route in a restructuring• Some domains will be untouched• Other domains will be collapsed• Current structure is too complicated• Current structure no longer satisfies the business

requirements• Will achieve cost savings over time• Business can accept risk of restructure

Guidelines for Choosing the Domain Upgrade Strategy

Choose the domain upgrade strategy when:

• The existing domain structure and the target domain structure are the same

• The existing domain structure meets the business and technical needs of the organization

• The domain names must remain the same

• The organization requires the migration path with the lowest risk

• The migration must be completed in the least amount of time possible

Guidelines for Choosing the Domain Restructure Strategy

Choose the domain restructure strategy when:

• The existing domain structure does not meet the business and migration goals of the organization

• The organization cannot tolerate any downtime to the production directory services environment

• The organization can incur some degree of risk to achieve an optimum domain structure

• There is enough time to complete the additional tasks involved with a restructure

• There is additional hardware available

Guidelines for Choosing the Domain Upgrade and Restructure Strategy

Choose the domain upgrade and restructure strategy when:

• The existing domain structure is similar to the proposed Active Directory domain structure

• The organization wants to use certain Active Directory features early because of the benefits that they provide

• The organization wants to lower short-term hardware and administrative costs

• The organization is averse to risk but does not want to keep its existing domain model long-term

Lesson 3: Designing a Domain Restructure Strategy

• SID History

• Active Directory Migration Tool

• ADMT Scenarios

• Preparing a Domain to Run ADMT

• Guidelines for Restructuring Domains

SID History

Domain A Domain B

User migrates from Domain A to Domain BUser migrates from Domain A to Domain B

11

SID History attribute allows user to access resources in Domain A

SID History attribute allows user to access resources in Domain A

22

SID history provides a migrated user with continuity of access to resourcesSID history provides a migrated user with continuity of access to resources

Active Directory Migration Tool

ADMT v3 supports the following tasks for completing domain migration:

• Security translation on migrated computer accounts

• Reporting to view the results of the migration events

• Functionality to undo the last migration and retry the last migration

• User account migration • Group account migration

• Computer account migration • Service account migration

• Trust migration • Exchange directory migration

ADMT Scenarios

You can use ADMT v3 to migrate users, groups, and computers in following scenarios:

• From Windows NT 4.0 domains to Active Directory domains

• Between Active Directory domains in different forests

• Between Active Directory domains in the same forest

Preparing a Domain to Run ADMT

To prepare a domain to run ADMT, you must:

Establish required trusts

Configure the source and target domains to migrate SID history before you begin an interforest migration

Establish migration accounts

Configure the target domain OU structure

Install ADMT in the target domain

Install high-encryption software