Active Directory Users Migration with SID History
Main Steps: Active Directory domain setup, configuration, user migration preparation
AD User Migration with SID History from a source domain to a destination domain
This project doesn’t cover the movement of resources (such as File Shares).
There are many cases in which user migration from one Active Directory to another is needed, such as a company acquisition or a company split, where users are to be moved to a separate organization.
To detail this project, we take the example of a company acquisition or split: the users in Domain A will be moved to Domain B. During the project, the users planned for migration use Domain A as their primary domain and will have to use Domain B at the FMO (Final Mode of Operation) stage. This project defines the user migration part without moving resources (file shares, data, systems, application servers) to the other domain. The overall scope will be assessed based on our roadmap development process and incorporated into a wider program.
To ensure uninterrupted business continuity while the whole process is underway, users must be able to access resources in one domain while authenticating against the other. Users who have migrated to Domain B still access resources in Domain A. To provide this, we migrate the users with SID History, so that access to resources stays in place until the resources are moved or split.
SID History is needed to preserve access rights and permissions in the various systems, application services, back ends and other systems that use Active Directory as an authorization directory.
Depending on how the overall program is planned, users and resources can't be migrated simultaneously during a cut-over, and business continuity has to be secured. All scenarios are to be assessed and considered during roadmap creation.
During this example, we consider the following two cases:
a. Depending on how the program roadmap plans the cut-overs (both user and resource migration), there are always cases in which users authenticate to Domain A and have to access resources in Domain B.
b. Or the users have been migrated to Domain B while they still have to access resources in Domain A.
Active Directory User Migration with SID History is a migration activity of user accounts from an Active Directory Forest to another Active Directory Forest while keeping the SID history of each user.
The main benefit of migrating users with SID History is that users can access resources in both source and target domains during and after migration, reducing disruption and preserving the old domain’s permissions. The migration of the users with SID history ensures that migrated user accounts retain access to the resources in the source domain.
When to use AD user migration with SID History: organizations undergoing mergers, acquisitions, or restructuring need to consolidate or migrate user accounts across different AD forests.
It also happens that companies want to move to a resource forest/user forest model or need to consolidate their Active Directory.
The proposed tools can migrate passwords and keep passwords synchronized between the domains. Synchronizing user passwords across the domains automatically reduces poor user experience and the extra time during which users can't use some resources.
Main steps:
• Preparation: Assess the source and target Active Directory forests and domains, configure trust relationships, and set up the permissions required for the migration process (based on the documentation that will be used for the migration). Follow the migration tool documentation for additional preparation activities.
   • Ensure that the source and target domains' operating systems and domain functional levels are compatible with the chosen migration tools.
   • Policies: Review and update group policies to ensure compatibility; for example, the source domain and target domain should have the same password policy.
• SID History Configuration: Enable SID History on the target domain and configure it to accept SID information during the migration.
• User Account Migration: Using the chosen migration tool, migrate user accounts from the source domain to the target domain.
• Verification: Confirm that user accounts in the target domain have the expected attributes, including SID History. If the chosen migration tool synchronized the password, test authentication, then try a password change and check that the new password is synchronized.
• Clean-Up: Once the migration is successful and verified, clean up any residual objects or configurations in the source domain.
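As an added example for the Verification step (not part of the original article), the following PowerShell script lists every target-domain user that carries a sidHistory value, checks that each historical SID belongs to Domain A and resolves there to an account with the same name, and reports the SID filtering setting of the trust on the Domain A side. It assumes the RSAT ActiveDirectory module and read access to both domains; the domain names are placeholders.

```powershell
# Added verification example, not from the original article. Assumes the RSAT
# ActiveDirectory module and an account that can read both domains.
Import-Module ActiveDirectory

$SourceDomain = 'domain-a.example'   # placeholder for Domain A (source)
$TargetDomain = 'domain-b.example'   # placeholder for Domain B (target)

# Every sidHistory value written by the migration must start with Domain A's domain SID.
$sourceDomainSid = (Get-ADDomain -Server $SourceDomain).DomainSID.Value

# All target-domain users that carry at least one sidHistory entry.
$migrated = Get-ADUser -Server $TargetDomain -Filter 'sidHistory -like "*"' -Properties sidHistory

$report = foreach ($user in $migrated) {
    foreach ($oldSid in $user.sidHistory) {
        $status = 'OK'
        $sourceAccount = $null
        if ($oldSid.Value -notlike "$sourceDomainSid-*") {
            # A historical SID from any other domain was not written by this migration
            # and should be reviewed before the account is trusted with Domain A resources.
            $status = 'FOREIGN_SID'
        }
        else {
            try {
                # Resolve the old SID back in Domain A and confirm it is the same person.
                $sourceAccount = (Get-ADUser -Server $SourceDomain -Identity $oldSid.Value -ErrorAction Stop).SamAccountName
                if ($sourceAccount -ne $user.SamAccountName) { $status = 'NAME_MISMATCH' }
            }
            catch {
                # The source object no longer exists (already cleaned up) or is unreadable.
                $status = 'SOURCE_NOT_FOUND'
            }
        }
        [pscustomobject]@{
            TargetUser    = $user.SamAccountName
            SidHistory    = $oldSid.Value
            SourceAccount = $sourceAccount
            Status        = $status
        }
    }
}

$report | Sort-Object Status | Format-Table -AutoSize

# The Domain A side of the trust decides whether historical SIDs survive authentication:
# SID filtering (quarantine) on that trust strips sidHistory SIDs from the token, so access
# via SID History only works where the trust configuration allows it. Report the setting.
Get-ADTrust -Server $SourceDomain -Filter "Target -eq '$TargetDomain'" |
    Select-Object Name, Direction, SIDFilteringQuarantined, SIDFilteringForestAware
```

Any row whose Status is not OK should be resolved before the Clean-Up step, since removing the source objects afterwards makes the mismatch harder to trace.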