Performing an Active Directory Migration without Trust Relationships

Active Directory (AD) migrations are complex and challenging IT projects. And some AD migration scenarios can compound the complexity of these projects. For instance, in order to facilitate an AD migration between two companies going through a merger, trust relationships are usually set up between the AD domains of each organization.  

But when one company is acquiring only a portion of another company, like a subsidiary or division, the company that is selling off the business unit typically will not enable trust relationships to be set up between their AD infrastructure and the infrastructure of the acquiring organization. Their security policies likely prohibit them from doing so due to how they manage risk and govern regulatory compliance.
So how can you overcome this challenge to successfully migrate AD without having trust relationships in place?

If you are accustomed to using Microsoft’s Active Directory Migration Tool (ADMT), you know that a trust relationship between the domains is required to perform the migration. ADMT does enable you to reduce your security exposure somewhat by configuring it for selective authentication, which restricts access to your forest to a limited set of users in the other organization’s forest. However, if your security and governance policies prohibit all trust relationships with outside organizations, then you will need to find an alternative to ADMT.

Binary Tree's SMART Active Directory Migrator software can help you traverse this challenging migration scenario. SMART Active Directory Migrator can automate an Active Directory (AD) migration with or without trust relationships being in place. The software does not rely on SID history alone. If a trust cannot be established, the software console is installed in both the source and target domains, and the migration is performed in the required domain independently of each domain.

Once the AD accounts (users, groups, workstations and servers) are collected and recreated in the target domain, the source domain workstations and servers are re-ACLed to support the newly created accounts of the target domain.  At this point, the workstations and servers are migrated to the target domain. When the users log in to their workstations in the new AD forest, they find that their profiles, settings, and access to resources on the servers are all as they were in the source domain.
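
The re-ACL step described above, sketched as an added example (not Binary Tree's code and not how the product is implemented): given a map from source-account SIDs to the SIDs of the recreated target accounts, it translates the ACE trustees of a security descriptor in SDDL form and reports source-domain entries that have no target account. The domain SIDs, RIDs, SDDL string and the `reacl` function name are constructed for illustration; the add/replace switch is an assumption about how such a step is commonly staged, and owner and group fields are left alone.

```python
import re

# Constructed sample data: both domain SIDs, the account map and the SDDL are made up.
SRC = "S-1-5-21-1111111111-2222222222-3333333333"   # source domain SID
TGT = "S-1-5-21-4444444444-5555555555-6666666666"   # target domain SID
SID_MAP = {SRC + "-1104": TGT + "-2101",             # source account -> recreated target account
           SRC + "-1105": TGT + "-2102"}
SAMPLE_SDDL = ("O:BAG:SYD:PAI"
               "(D;OICI;FA;;;" + SRC + "-1105)"
               "(A;OICI;FA;;;BA)"
               "(A;OICI;0x1301bf;;;" + SRC + "-1104)"
               "(A;OICI;0x1200a9;;;" + SRC + "-1199)")  # no target account exists for this one

ACE = re.compile(r"\(([^()]*)\)")  # matches one parenthesised ACE body


def reacl(sddl, sid_map, source_domain_sid, replace=False):
    """Translate ACE trustees in an SDDL string from source SIDs to target SIDs.

    replace=False keeps each source ACE and adds a copy for the target account,
    so access works from either domain while both exist; replace=True swaps them.
    Returns (new_sddl, unmapped), where unmapped lists source-domain trustees
    with no target account, i.e. ACEs that will be orphaned after cutover.
    """
    existing = {m.group(1) for m in ACE.finditer(sddl)}
    unmapped = []

    def translate(match):
        fields = match.group(1).split(";")
        if len(fields) != 6:              # conditional/attribute ACEs: leave untouched
            return match.group(0)
        trustee = fields[5]
        if trustee not in sid_map:
            if trustee.startswith(source_domain_sid + "-") and trustee not in unmapped:
                unmapped.append(trustee)
            return match.group(0)
        new_ace = ";".join(fields[:5] + [sid_map[trustee]])
        if new_ace in existing:           # already translated: stay idempotent
            return "" if replace else match.group(0)
        # The copy keeps the ACE type and flags and sits next to the original,
        # so deny-before-allow ordering of the DACL is preserved.
        return "(" + new_ace + ")" if replace else match.group(0) + "(" + new_ace + ")"

    return ACE.sub(translate, sddl), unmapped
```

The `unmapped` list is the part worth reviewing before cutover: every SID in it is a permission entry that no target account will inherit.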
