February 22, 2012 08:00 AM

Comparative Review: AD Migration Tools

NetIQ Domain Migration Administrator vs. Quest Migration Manager for Active Directory
Windows IT Pro
InstantDoc ID #141928

For anything but the smallest of networks, migrating to a new Active Directory (AD) domain can be a complex affair. You need to move users and network resources and modify desktop profiles to work with the new domain while simultaneously ensuring that users have seamless access to resources in both the old and new domains. Although it's possible to use Microsoft's free Active Directory Migration Tool (ADMT) to carry out complex migration projects, you'll find that for all but the simplest scenarios, it lacks some important features, such as the ability to migrate Security Descriptors (SDs) on organizational units (OUs), and has limited rollback capabilities. When undertaking an AD migration, it's all about planning and trying to minimize risk.

Once you get to the point where there are so many objects to migrate that it's not possible to move everything in one operation, having source and target domains co-exist for a period of time allows for a phased migration. Migrating users based on how they work with each other and migrating resources based on how they're used often makes more sense than planning a migration around the physical location of objects. For these complex migration projects, you might consider using an AD migration tool, such as NetIQ Domain Migration Administrator or Quest Migration Manager for Active Directory. I recently evaluated these two products on the basis of how easy they are to install and use, their features, and their documentation.

NetIQ Domain Migration Administrator

NetIQ Domain Migration Administrator is easy to install, although a SQL Server 2008 Enterprise, Standard, or Express database must be installed separately. You can install Domain Migration Administrator on any Windows server or client OS starting with Windows 2000 (Win2K) SP1. Agents can be deployed to any version of Windows starting with Win2K.

Figure 1 shows Domain Migration Administrator's GUI. Like ADMT, Domain Migration Administrator requires that you meet various prerequisites before an AD migration, such as creating secondary DNS zones so that source and target domains can be discovered, creating a trust between the two domains, and establishing the necessary cross-domain administrator permissions. Domain Migration Administrator doesn't walk you through these steps, but all the necessary information can be found in the documentation. Failure to meet the prerequisites results in basic operations failing, with cryptic, unhelpful error messages. Assuming the basic requirements have been met, Domain Migration Administrator offers to complete some other necessities on your behalf, such as creating AD$$$ groups and configuring auditing in each domain.

Figure 1: Domain Migration Administrator GUI
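
One way to check the prerequisites named above (DNS discovery of both domains, the trust, and administrative group membership) before starting a migration, so that gaps surface with a clear message. This is an added example, not part of the original review or of either product; the domain names are placeholders, and reviewing BUILTIN\Administrators as the relevant group is an assumption.

```powershell
# Added example: pre-flight check for the migration prerequisites described above.
# Domain names are placeholders (assumptions), not values from the article.
Import-Module ActiveDirectory

$SourceDomain = 'source.example.com'
$TargetDomain = 'target.example.com'

function Test-DomainDiscovery {
    param([Parameter(Mandatory)][string]$Domain)
    # Domain controllers register this SRV record. If it does not resolve,
    # the DNS zone for $Domain is not reachable from this machine.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
    [bool]($srv | Where-Object { $_.NameTarget })
}

function Get-TrustToward {
    param([string]$From, [string]$To)
    # Returns the trusted-domain object that $From holds for $To, or nothing.
    Get-ADTrust -Filter "Target -eq '$To'" -Server $From -ErrorAction SilentlyContinue |
        Select-Object Source, Target, Direction, SIDFilteringQuarantined
}

function Get-BuiltinAdministrators {
    param([string]$Domain)
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    # Reading the raw member attribute also lists foreign security principals.
    (Get-ADGroup -Identity 'S-1-5-32-544' -Server $Domain -Properties member).member
}

foreach ($d in $SourceDomain, $TargetDomain) {
    if (-not (Test-DomainDiscovery -Domain $d)) {
        Write-Warning "DC locator records for $d do not resolve; check the secondary zone."
    }
}

$trust = Get-TrustToward -From $TargetDomain -To $SourceDomain
if ($trust) { $trust | Format-List }
else { Write-Warning "No trust for $SourceDomain found in $TargetDomain." }

# List who holds administrative rights in each domain so cross-domain
# grants made for the migration can be reviewed and later removed.
foreach ($d in $SourceDomain, $TargetDomain) {
    "Members of BUILTIN\Administrators in ${d}:"
    Get-BuiltinAdministrators -Domain $d
}
```

Running the same listing again after the migration completes shows whether the temporary cross-domain grants and the trust are still in place.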

AD objects can be renamed in the target domain if required, and you can specify how Domain Migration Administrator should deal with naming conflicts. Objects in the source domain can also be set to auto-expire. After the user accounts are migrated, Domain Migration Administrator can either create new passwords or copy users' existing passwords to a password server in the target domain.

Domain Migration Administrator includes database modeling, which lets you perform a trial migration to see what the potential results will be in the target domain. You'll be able to see what problems there might be and eliminate them from the actual migration. You can also use the database to clean up object information before importing it into the target domain, as Domain Migration Administrator pulls data from the source domain and uses the database as a temporary repository. Agents are dispatched to workstations to deal with migrating desktop profiles to work with the source domain.

 

NetIQ Domain Migration Administrator
PROS: Easy to set up; includes database modeling
CONS: Support for migrating application servers must be purchased separately; one-way directory synchronization
RATING: 4 out of 5
PRICE: $1,000 per 100-user license pack
RECOMMENDATION: A good choice for projects in which the requirements are clear and AD data needs to be cleaned up before migrating to a new domain.
CONTACT: NetIQ • 888-323-6768 or 713-548-1700 • www.webactivedirectory.com

 

Quest Migration Manager for Active Directory

Quest Migration Manager for Active Directory has a slightly different architecture than Domain Migration Administrator. Migration Manager uses Active Directory Application Mode (ADAM) to store migration information, which enables directory synchronization between the source and target domains. The Migration Manager installer package automatically installs ADAM if you choose the express install. The express install will also install SQL Server 2005 Express, which is needed if you intend to migrate Microsoft Exchange objects. However, there is one caveat: Even if you don't intend to migrate Microsoft Exchange objects, the installation will fail if the Microsoft Exchange Server Messaging API (MAPI) client and Collaboration Data Objects (CDO) 1.2.1 aren't present. Migration Manager requires that source and target domains be Win2K SP2 or higher. Agents can be deployed to Windows Server or client OSs starting with Win2K.


Comments
  • Shepherd
    3 months ago
    Feb 23, 2012

    Another remark about QMM and about: However, the Migration Manager GUI can be a little fussy in how it accepts certain information. For example, when trying to create a new domain migration pair, you have to enter the source domain information in a specific format before the wizard allows you to continue. The Browse buttons in the wizard don't work, forcing you to enter the information manually and in the correct format, which isn't very user friendly.

    When creating a domain pair the wizard offers to specify the Domain or a Domain Controller name or offers to use the Browse button to select the domain or the DC. In a correctly configured environment the Browse button works nicely and shows all domains, and a double-click on a domain shows (expands) all available Domain Controllers. I agree, it is hard to figure out intuitively that e.g. a DC should be specified in the following format: \\DCNAME. And if name resolution is configured and working then the tool will accept any format, short names (NETBIOS) or FQDN. But using the browse button eliminates the need to type anything. I wish I was there and could assist Russel with some hints :)

  • Shepherd
    3 months ago
    Feb 23, 2012

    I just wanted to comment on this:
    Migration sessions can't be copied in the GUI, but you can import or export objects for migration, which makes it much faster to create new migration sessions.

    Actually they can be "copied". Any existing migration session can be used as a template. By right-mouse clicking on an existing Migration Session you can start a new session, and all the settings from the old session will be retained; you need only to provide a new name for the session. The only caveat is - the previous user/group selection is being shown but is not retained, ideally you should remove the objects and select them again. The Quest KB has many articles describing all this in greater detail.


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.