The Importance of Undo in Active Directory Migrations

When you are migrating something as complex as Active Directory, the risk of something going awry can never be totally eliminated. An Active Directory migration has many points of possible failure. Objects may fail to migrate.  SID history may fail to migrate.  Passwords could fail to sync. ADPrep could encounter an LDAP error.  Incorrect DNS name resolution settings or old device drivers could cause errors.  

Active Directory migration errors and failures can have an immediate impact on your users.  Most of your IT infrastructure, including email, servers and applications, is dependent upon Active Directory. If the migration does fail or experience errors, chances are your IT help desk will get a number of frantic phone calls.

Undo Button in Microsoft WindowsObviously, properly analyzing your current environment, planning the target environment, and testing the migration in a lab setting will help to minimize the risk of migration failures, but you also need to have a plan and method for the rollback of Active Directory to a previous state just in case an error or failure does occur.  

And the real challenge is to be able to reverse the steps in your Active Directory migration safely and easily. So what are your options?

If you are planning to use Microsoft’s Active Directory Migration Tool (ADMT) for your migration project, you should be aware that your options for rollback will be limited.  When using ADMT for a migration between forests (Inter-forest), accounts and resources are copied to the target forest but are also still retained in a disabled state in the source target. In these instances, ADMT has a limited ability to undo some of the directory migration steps but they are limited to the last session only and it cannot reverse resource-updating tasks or merged accounts.
When using ADMT for a migration between domains within the same forest (Intra-forest), the source accounts and their tombstones are deleted and this action cannot be reversed.  Microsoft’s prescribed resolution is to re-migrate the accounts and resources in the opposite direction, from the target domain back to the source domain, which can be quite complex and will definitely extend your project timeline.
Binary Tree provides an alternative to ADMT. Binary Tree’s SMART Active Directory Migrator can enable you to safely and reliably restore Active Directory to its prior state by being able to reverse any step in a migration. And there is no need to restore from a backup.  Inter-forest and Intra-forest migrations of Active Directory are non-destructive with SMART Active Directory Migrator. To understand how this works, lets take a very high-level look at the AD migration process with SMART Active Directory Migrator.

SMART Active Directory Migrator starts a project by collecting the source domain objects.  In essence, it makes copies of the objects in the source domain and stores them within the product’s console.  After you have collected all of the objects to be migrated, SMART Active Directory Migrator will recreate copies of the objects in the target domain with all user objects being temporarily disabled.  

Once the objects exist in the target domain, the resource permissions that the objects in the source domain have are appended to the objects in the target domain, which allows full access to resources for both sets of accounts.  Up to this point in the migration process, the objects in the source domain have remained as they were in their original format allowing users to continue working without disruption.  Nothing has been deleted and each step is reversible.

Lastly, SMART Active Directory Migrator enables the accounts in the target domain and disables the accounts in the source domain.  Once again the source accounts still exist.  No accounts have been deleted and the ability to reverse steps in not limited in any way.  In order to return to the original state, you simply re-enable the source accounts and disable the target accounts, granularly or completely.

By using a completely non-destructive process, SMART Active Directory Migrator maintains reversibility and minimizes the risks of end user disruption throughout the entire migration project.

For more information on SMART Active Directory Migrator, If you would like to see a demo of the product, to see our schedule of upcoming webinars.