Migrating an Active Directory domain 

Step 1: Announcement—Breaking the News

Gather your sysadmins and announce, “We’re moving to a new forest!” Expect a mix of blank stares, groans, and someone frantically googling ‘forest migration five stages of grief.’



Step 2: Trust Falls—Literally!

Before there’s any migration magic, build a trust (two-way, please) between forests so the old and new can talk.
It’s like arranging peace talks between rival cities: “Please don’t block each other at the firewall.”



Step 3: Inventory—Marie Kondo Your Directory

List everything: users, groups, computers, OUs, GPOs, printers, your nephew’s abandoned account.
Does it spark joy? If not, leave it behind. If yes, document dependencies—you don’t want HR losing access to payroll by accident.



Step 4: DNS—the Cosmic Address Book

Fix DNS so that every DC in both forests can look up all the others—think of it as making sure all your moving trucks have the correct map. One wrong DNS address and half your migration ends up in Albuquerque.



Step 5: Pilot—Send a Scout Party

Don’t move everyone at once! Pick a brave few users (preferably people who still owe you coffee) and migrate them using ADMT (Active Directory Migration Tool) or a similar sidekick.
Did they lose files? Can they log in? Does Outlook still work, or do they cry on Teams? If all goes well, migrate more.



Step 6: Migrate Everything—Users, Groups, and Then Computers

With SIDHistory! (Otherwise, users call you screaming, “Why can’t I access the shared drive?!”)

  • Users/Groups: shuffle them first, preserving access and group nesting.
  • Computers: schedule reboots, especially for that crusty old server nobody dares touch.
  • Service Accounts: don’t forget them, unless you want all your printers with personality disorders come Monday.


Step 7: GPOs—Manual Labor Required

GPOs don’t move smoothly. Back them up on the old side, restore on the new, relink, and cross fingers. WMI filters and security scopes may need to be rebuilt from scratch.
(Bring snacks for whoever gets this job.)



Step 8: The Big Cutover and Cleanup

When all’s ready, flip the switch. Monitor logins. Watch for mass panic or, more likely, silence because nobody noticed. Clean up leftover objects, test access, and grill anyone who still tries logging on to the old domain.
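
An added example, not part of the original post: a PowerShell audit, run in the new domain after cutover, that lists every object still carrying SIDHistory (Step 6) so the cleanup above has a worklist, and flags entries that do not come from the old domain or that map to a built-in RID. It assumes the RSAT ActiveDirectory module; `$OldDomainSid` and the CSV path are placeholders.

```powershell
# Added example: audit sIDHistory in the NEW domain after migration.
# Assumes the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

# Placeholder (constructed value): the source domain's SID.
# Obtain the real one with: (Get-ADDomain -Server <old-dc>).DomainSID.Value
$OldDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'

# One output row per historic SID, since an object can carry several.
$report = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectClass |
    ForEach-Object {
        $obj = $_
        foreach ($sid in $obj.sIDHistory) {
            # AccountDomainSid is $null for non-domain SIDs such as BUILTIN (S-1-5-32-*)
            $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
            $rid       = [int64]($sid.Value.Split('-')[-1])
            [pscustomobject]@{
                Name          = $obj.Name
                ObjectClass   = $obj.objectClass
                HistoricSid   = $sid.Value
                FromOldDomain = ($domainSid -eq $OldDomainSid)
                # RIDs below 1000 belong to built-in principals (for example 512 = Domain Admins)
                BuiltInRid    = ($rid -lt 1000)
                DN            = $obj.DistinguishedName
            }
        }
    }

# Summary: how many entries are expected (old domain, ordinary RID) versus not.
$report | Group-Object FromOldDomain, BuiltInRid | Select-Object Count, Name

# Entries to review first: unknown source domain, or a privileged built-in RID.
$report |
    Where-Object { -not $_.FromOldDomain -or $_.BuiltInRid } |
    Format-Table Name, ObjectClass, HistoricSid, FromOldDomain, BuiltInRid -AutoSize

# Full worklist for the cleanup phase (hypothetical output path).
$report | Export-Csv -Path .\sidhistory-audit.csv -NoTypeInformation
```

Rows where `FromOldDomain` is false or `BuiltInRid` is true are the ones to explain before anything else; the rest become the list to clear once resources have been re-permissioned to the new SIDs.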



Step 9: Celebrate Success (or Improvise)

Hand out donuts. Throw confetti. Or bribe the helpdesk to say only nice things about the migration.



Step 10: The Inevitable Post-Mortem

Document what broke, what survived, and whether Carl from Accounting found his mailbox. Promise yourself: Next time, I'm charging double for cross-forest moves.



Final Pro Tips (So You Don’t End Up on Sysadmin Horror Stories):

  • Always test in a lab first.
  • Use SIDHistory (it’s like forwarding your mail).
  • Backup, backup, backup (then backup again).
  • Communicate real dates, and maybe give out “I Survived the Forest Move” t-shirts.

There you have it—the odyssey of moving Active Directory domains to a shiny new forest, told with just a hint of PTSD and a whole lot of IT spirit.