Evaluating Technology Options for Automating an Active Directory Migration

In my last two posts, we evaluated two specific limitations of using Microsoft’s Active Directory Migration Toolkit (ADMT) to perform enterprise-scale Active Directory migration projects. If you have been following along, by now you may be wondering how feasible it might be to use ADMT for a migration of any decent size.
 
While ADMT is a free download from Microsoft, it’s important to realize that ADMT is just a toolkit, not a true migration product.  In order to use ADMT for an Active Directory migration project, you need to use the provided user interface, which is very limited in its functionality, or create scripts.  If you go the scripting route, which most of its users do, you will find yourself performing a very lengthy and manual process.  And while some of the scripts will be simple to write, some can get quite complex.  
 
And no matter which route you go with ADMT, you will find it is missing some key capabilities to successfully do the migration.  In an article from Windows IT Pro, the writer stated that “Although it's possible to use Microsoft's free Active Directory Migration Tool (ADMT) to carry out complex migration projects, you'll find that for all but the simplest scenarios, it lacks some important features, such as the ability to migrate Security Descriptors (SDs) on organizational units (OUs), and has limited rollback capabilities.”
 
Attempting to use ADMT for an enterprise-scale AD migration requires the brazen mindset of Gimli from the last Lord of the Rings movie right before the final battle: “Certainty of death, small chance of success... What are we waiting for?”
 
So is there an alternative to fighting an overwhelming army of objects by yourself with just a Hobbit-sized sword named ADMT?
 

Again, if you have been following along with my previous two posts, you know that Binary Tree provides an alternative to ADMT, the SMART Active Directory Migrator. In the previous two posts, we covered the differences between how ADMT and SMART Active Directory Migrator handle migrations without trusts and migration rollbacks. This post will provide a high-level overview of all of the primary differences between ADMT and SMART Active Directory Migrator. So let’s take a look …

 
Rollback Capabilities
SMART Active Directory Migrator has the ability to roll back a migration to the original state at any time without restoring data from backup, while the rollback capability in ADMT is limited:
  • ADMT cannot roll back resource updating because the undo feature is restricted to the last
  • In interforest migrations, ADMT cannot roll back resource updating tasks, and the undo feature is restricted to the last session only
  • In intraforest migrations, ADMT deletes the source account after moving it to the target domain; the functionality to roll back is not provided
Read my prior post “The Importance of Undo in Active Directory Migrations” for more information on the rollback capabilities of ADMT and SMART Active Directory Migrator.
 
Migrating without Trust Relationships
SMART Active Directory Migrator has the ability to perform a migration even if a trust relationship cannot be created for business or security reasons, while ADMT cannot support migrations without trusts.
  • If trusts between source and target domains cannot be established, ADMT cannot perform the migration, because it relies totally on SIDHistory
Read my prior post “Performing an Active Directory Migration without Trust Relationships” for more information on this topic.
 
Migrating Standard and Extended AD Properties
SMART Active Directory Migrator can migrate standard and extended properties for AD objects, while ADMT only supports standard properties:
  • ADMT uses a standard “users and groups” dialog for object attribute selection. It doesn’t allow filtering or modification for custom attributes to be migrated.
  • ADMT does not allow you to modify all object properties.
 
Password Synchronization
SMART Active Directory Migrator supports ongoing password synchronization, while ADMT only supports a one-time password copy.
 
Clean Up of Security ACL Entries
SMART Active Directory Migrator has the ability to clean up security ACL entries on computers in a source AD domain, while ADMT does not have this capability.
 
Migration Setup and Processing
  • ADMT limits you when selecting objects to a simple list for selecting users and groups. It doesn’t allow for the customization or granular selection of object attributes that SMART Active Directory Migrator enables.
  • When migrating multiple domains, all user resources need to be updated within those domains. ADMT requires you to separately update each source-target domain pair, which results in updating the same resources over and over again. With SMART Active Directory Migrator multiple projects may be merged together for the re-ACLing processes.
 
Updates to User Workstations and Resources
  • SMART Active Directory Migrator performs a complete update of the user workstation. You can have SMART Active Directory Migrator automatically change the workstations’ logon prompt to have a new default domain name, making the switch invisible to users. SMART Active Directory Migrator also resets DHCP with a temporary override for the Target DNS server and DNS suffixes list order during the workstation cutover stage.
  • Updating laptops can be challenging, as they are not always connected to the corporate network. SMART Active Directory Migrator can update laptops from a network share without any interaction with the users.
  • ADMT has limited capabilities for updating resources. All permissions require a manual update, significantly adding to the administrative workload.
 
Preserving Network Security
  • SMART Active Directory Migrator enables you to clean up the SID History attribute of objects after a migration to preserve the security of your network. ADMT does not have the capability to clean up SID History.
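Whichever tool performs the migration, the post-migration check a defender wants is an inventory of which target-domain objects still carry sIDHistory and which source domain each historical SID points back to. The following PowerShell audit is an added example, not code from Binary Tree or from ADMT; it assumes the RSAT ActiveDirectory module is installed and that the retired source domain SID passed in is a placeholder you replace with your own.

```powershell
# Added audit helper (not part of SMART Active Directory Migrator or ADMT).
# Requires the ActiveDirectory PowerShell module (RSAT). Reports every object
# in the target domain that still carries a sIDHistory value, with the source
# domain each historical SID belongs to, so leftover entries can be reviewed
# before they are cleaned up.
Import-Module ActiveDirectory

function Get-SidHistoryReport {
    param(
        # Target domain or DC to query; defaults to the current user's domain.
        [string]$Server = $env:USERDNSDOMAIN,
        # Optional list of decommissioned source domain SIDs. Entries that point
        # at one of these domains are flagged as candidates for removal.
        [string[]]$RetiredDomainSids = @()
    )

    $objects = Get-ADObject -Server $Server -LDAPFilter '(sIDHistory=*)' `
        -Properties sAMAccountName, objectClass, objectSid, sIDHistory

    foreach ($obj in $objects) {
        foreach ($sid in $obj.sIDHistory) {
            # sIDHistory values are SecurityIdentifier objects; AccountDomainSid
            # is the SID with the trailing RID removed, i.e. the source domain.
            $domainSid = $sid.AccountDomainSid.Value
            [pscustomobject]@{
                Name          = $obj.sAMAccountName
                ObjectClass   = $obj.objectClass
                CurrentSid    = $obj.objectSid.Value
                HistorySid    = $sid.Value
                SourceDomain  = $domainSid
                SourceRetired = ($RetiredDomainSids -contains $domainSid)
            }
        }
    }
}

# Placeholder source domain SID; replace with the SID of your retired source domain.
$report = Get-SidHistoryReport -RetiredDomainSids @('S-1-5-21-1111111111-2222222222-3333333333')
$report | Format-Table -AutoSize

# Summary: how many leftover entries still reference each retired source domain.
$report | Where-Object { $_.SourceRetired } |
    Group-Object SourceDomain | Select-Object Name, Count
```

The report is read-only; it gives you the list to verify against after the migration tool's own SID History cleanup has run, and any objects still listed are the ones that would otherwise keep resolving access through the old domain's SIDs.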
For more information on SMART Active Directory Migrator, visit www.binarytree.com/ad. If you would like to see a demo of the product, visit www.binarytree.com/webinars to see our schedule of upcoming webinars.