Comparative Review: AD Migration Tools

NetIQ Domain Migration Administrator vs. Quest Migration Manager for Active Directory

Russell Smith

February 22, 2012


For anything but the smallest of networks, migrating to a new Active Directory (AD) domain can be a complex affair. You need to move users and network resources and modify desktop profiles to work with the new domain while simultaneously ensuring that users have seamless access to resources in both the old and new domains. Although it's possible to use Microsoft's free Active Directory Migration Tool (ADMT) to carry out complex migration projects, you'll find that for all but the simplest scenarios, it lacks some important features, such as the ability to migrate Security Descriptors (SDs) on organizational units (OUs), and has limited rollback capabilities. When undertaking an AD migration, it's all about planning and trying to minimize risk.

Once you get to the point where there are so many objects to migrate that it's not possible to move everything in one operation, having source and target domains co-exist for a period of time allows for a phased migration. Migrating users based on how they work with each other and migrating resources based on how they're used often makes more sense than planning a migration around the physical location of objects. For these complex migration projects, you might consider using an AD migration tool, such as NetIQ Domain Migration Administrator or Quest Migration Manager for Active Directory. I recently evaluated these two products on the basis of how easy they are to install and use, their features, and their documentation.

NetIQ Domain Migration Administrator

NetIQ Domain Migration Administrator is easy to install, although a SQL Server 2008 Enterprise, Standard, or Express database must be installed separately. You can install Domain Migration Administrator on any Windows server or client OS starting with Windows 2000 (Win2K) SP1. Agents can be deployed to any version of Windows starting with Win2K.

Figure 1 shows Domain Migration Administrator's GUI. Like ADMT, Domain Migration Administrator requires that you meet various prerequisites before an AD migration, such as creating secondary DNS zones so that source and target domains can be discovered, creating a trust between the two domains, and establishing the necessary cross-domain administrator permissions. Domain Migration Administrator doesn't walk you through these steps, but all the necessary information can be found in the documentation. Failure to meet the prerequisites results in basic operations failing, with cryptic, unhelpful error messages. Assuming the basic requirements have been met, Domain Migration Administrator offers to complete some other necessities on your behalf, such as creating AD$$$ groups and configuring auditing in each domain.

Figure 1: Domain Migration Administrator GUI

AD objects can be renamed in the target domain if required, and you can specify how Domain Migration Administrator should deal with naming conflicts. Objects in the source domain can also be set to auto-expire. After the user accounts are migrated, Domain Migration Administrator can either create new passwords or copy users' existing passwords to a password server in the target domain.

Domain Migration Administrator includes database modeling, which lets you perform a trial migration to see what the potential results will be in the target domain. You'll be able to see what problems there might be and eliminate them from the actual migration. You can also use the database to clean up object information before importing it into the target domain, as Domain Migration Administrator pulls data from the source domain and uses the database as a temporary repository. Agents are dispatched to workstations to deal with migrating desktop profiles to work with the source domain.

Quest Migration Manager for Active Directory

Quest Migration Manager for Active Directory has a slightly different architecture than Domain Migration Administrator. Migration Manager uses Active Directory Application Mode (ADAM) to store migration information, which enables directory synchronization between the source and target domains. The Migration Manager installer package automatically installs ADAM if you choose the express install. The express install will also install SQL Server 2005 Express, which is needed if you intend to migrate Microsoft Exchange objects. However, there is one caveat: Even if you don't intend to migrate Microsoft Exchange objects, the installation will fail if the Microsoft Exchange Server Messaging API (MAPI) client and Collaboration Data Objects (CDO) 1.2.1 aren't present. Migration Manager requires that source and target domains be Win2K SP2 or higher. Agents can be deployed to Windows Server or client OSs starting with Win2K.

I found Migration Manager's documentation to be comprehensive, although some topics weren't in a logical location. The Help files also include examples of commands that can be run to configure some of the prerequisites, such as disabling SID filtering and configuring the Windows Server firewall. Quest also includes a tips and tricks document, which is a vital read if you've never migrated AD to a new domain before. All the requirements are neatly listed, so it's clear exactly what's required before you start your migration project.

Migration Manager's GUI (see Figure 2) is more streamlined than that in Domain Migration Administrator. However, the Migration Manager GUI can be a little fussy in how it accepts certain information. For example, when trying to create a new domain migration pair, you have to enter the source domain information in a specific format before the wizard allows you to continue. The Browse buttons in the wizard don't work, forcing you to enter the information manually and in the correct format, which isn't very user friendly.

Figure 2: Migration Manager GUI

Although Migration Manager doesn't have a test database, there's a test mode in which no changes are made in the target domain. Instead, a report is generated to indicate whether the migration would be successful. While it's likely you'll only need to set up one migration project, multiple migration sessions can be configured to facilitate a phased migration. Migration sessions can't be copied in the GUI, but you can import or export objects for migration, which makes it much faster to create new migration sessions.

Migration Manager can migrate user passwords to the target domain. In addition, it can automatically synchronize AD objects, such as user accounts and groups. This greatly simplifies administration when source and target domains need to coexist for a period of time in order to migrate everything. Domain Migration Administrator also has sync capabilities, but they're one-way only.

Migration Manager has built-in support for migrating resources, including Microsoft System Center Configuration Manager (SCCM) and SQL Server. This functionality must be purchased separately with Domain Migration Administrator. Scheduled tasks can also be migrated, which isn't possible with Domain Migration Administrator.

Editor's Choice

Both products take a project-based approach to AD migration and have comprehensive reporting. I preferred Migration Manager's simpler GUI and slightly easier setup. Plus, it has superior synchronization features that give more flexibility for larger migrations that require a long coexistence period.

Domain Migration Administrator has less support for migrating certain resources (e.g., SCCM), but it's a little more user friendly. For example, it has a friendly interface for tidying up objects and associated attribute information before being imported into the target domain. To achieve similar results in Migration Manager, you have to create text files with the necessary mapping information.

Although both products received the same rating, only one can be named as the Editor's Choice. I've chosen Migration Manager as the Editor's Choice because its comprehensive feature set will help administrators manage a wider range of migration scenarios. Although it's slightly more expensive than Domain Migration Administrator, with the exception of Exchange, there's basic support for migrating some common network applications built into the product.
