Friends don’t let friends migrate Active Directory alone

One aspect of the IT world I truly appreciate is the community’s generosity with their knowledge and time. This past week, I would have been in some serious trouble with an Active Directory migration had it not been for people’s willingness to share their experiences and fixes online. It’s not the first time I’ve benefited, nor will it be the last.

With more organizations upgrading their legacy Active Directories, as well as merging or simply changing domain names, IT admins have to figure out how to restructure. For some, the domain rename process using the Rendom utility may be the way to go. But for anyone who’s worked through the process with legacy servers like Windows Server 2003, you’ll agree with Microsoft’s warning that “the domain rename process is complex and it requires a great deal of care in planning and execution.”

[ 5 free Windows Server tools you should know about. | Stay atop key Microsoft technologies in our Technology: Microsoft newsletter. ]

On the plus side, you could upgrade your servers to Windows Server 2012, but that may require a couple of upgrades from one OS version to the next because you cannot leap directly to Windows Server 2012 if you are running anything older than Windows Server 2008 R2. From there, you could then work through the rename process. The renaming is much more straightforward in Windows Server 2012 than in any version, as this simple guide from certified trainer Mohd Hamizi shows.

This past week, I faced an Active Directory forest with a single domain that needed to have its named changed. It was running on Windows Server 2008. I thought of upgrading first to Windows Server 2008 R2, then to Windows Server 2012, but the domain also needed some serious cleanup. I decided to use the Active Directory Migration Tool (ADMT) 3.2 to move to the new forest and clean up the Active Directory as a result — a fresh start.

This wasn’t my first rodeo with ADMT; you might recall that I used Version 3.1 back in 2010 to migrate a 50,000-user environment spread over 60 domains into a single domain. The process has changed little in Version 3.2, though the documentation has become an even bigger beast of 250-plus pages. It was so monstrous that I couldn’t face reading the manual again. Thankfully, I didn’t have to. Through the TechNet wiki site, I found a three-part guide called “Interforest Migration with ADMT 3.2” that had step-by-step screenshots to walk through the entire process. What a life-saver!

I followed the steps and wrapped up the whole process in a couple of hours. Most amazing about this “living” guide is that there have been 24 revisions, some done by the original poster and some done by others, including Microsoft employees who’ve pitched in.

During my deployment, the password tool wouldn’t install on the source server at one point, telling me the passwords didn’t match for the key file I created. I knew the passwords in fact matched. A quick search led me to Exchange MVP Clint Boessen’s site, which explained the problem and gave a one-second solution.

I was almost done; all groups and user accounts were migrated. Then I did something stupid: I had only one member server to migrate, and I decided to change the name of the server before the migration. I didn’t think doing so would break anything, but when I went to log back in after the rename, I got an ominous message: “The security database on the server does not have a computer account for this workstation trust relationship.” Uh oh!

A quick search for that error yielded some advice but nothing that helped me because I couldn’t even log into the system. Once again, the online community came to my aid, thanks to Curtis Salina, who had the exact fix I needed, one that would have taken hours of tinkering to stumble on myself.

I thought I had it all worked out, so I went to migrate the last piece of the puzzle: the member server itself (now that I could log in). It failed — and I had no idea why. ADMT reported, “Completed with Errors” but didn’t identify the error. I checked logs but found nothing. Another quick search led me to a helpful migration checklist by MVP Santhosh Sivarajan that recommended restarting the computer before migration to ensure the profiles are not locked. I didn’t think that was my issue, but I gave it a shot, redid the migration, and, voilà! it worked.

Did I perform an Active Directory migration using ADMT 3.2? Technically I did, but not without the help of the IT community whose members took the time to put their own experiences and knowledge out there for others to use — free of charge. (I’ve contacted each person who helped to say thanks.)

Keep the community in mind the next time you are in a jam and can’t find the answer from the vendor’s documentation or website. And if you find the answer from people who took the time to share what they learned, don’t forget to drop them a line or toss a note in the comments section thanking them for their help. Also, consider sharing what you’ve learned as well, such as through your own blog. Pay it forward.

This story, “Friends don’t let friends migrate Active Directory alone,” was originally published at InfoWorld.com. Read more of J. Peter Bruzzese’s Enterprise Windows blog and follow the latest developments in Windows at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.