With the discontinuation of hotfix development and phasing out of support for Windows NT 4.0 and the release of Windows Server 2003 Service Pack 1 (SP1), now is a great time for those of you still running NT domains to consider switching to Active Directory (AD). To help you with the transition, Microsoft offers the free Active Directory Migration Tool (ADMT), which you can download from http://www.microsoft.com/downloads/details.aspx?FamilyID=788975b1-5849-4707-9817-8c9773c25c6c&DisplayLang=en. Third-party products from Quest Software, BindView, and NetIQ provide such features as project management, SID history clean-up, and more functional GUIs—all of which can make them worth the price.
Migration involves moving user and computer accounts from one or more source domains to a target domain. You might find yourself performing a migration to move away from NT or to consolidate two or more AD domains. Migrated accounts get a new SID in the target domain, so migration tools also provide a way to ensure that the new account inherits the same access to resources. All the tools I tried maintain SID history and repermission files, folders, and the registry, as well as provide common functionality to deal with other necessary migration tasks. All the reviewed products can migrate user accounts, passwords, local and global groups, computer accounts, and trusts; repermission the file system, registry, and Microsoft Exchange Server mailboxes; join workstations to a new domain; maintain SID history; and run scripted migration tasks. Table 1 sums up each product's features.
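The mechanism described above, as an added sketch that is not from the article or from any of the reviewed products: a toy Python model in which an access check uses the account's new SID plus its SID history. It shows why repermissioning has to finish before SID history is cleaned up. The domain SIDs, RIDs, account names, and share ACL are all constructed.

```python
# Toy model (constructed data): why migrated accounts keep access via SID
# history, and when SID history can be cleaned up safely.
SRC = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed source-domain SID
DST = "S-1-5-21-4444444444-5555555555-6666666666"   # constructed target-domain SID

def migrate(accounts, keep_sid_history=True):
    """Give each source account a new SID in the target domain.
    Returns (migrated accounts, old->new SID map used for repermissioning)."""
    migrated, sid_map = {}, {}
    for offset, (name, old_sid) in enumerate(sorted(accounts.items())):
        new_sid = f"{DST}-{2000 + offset}"           # hypothetical new RID
        sid_map[old_sid] = new_sid
        migrated[name] = {"sid": new_sid,
                          "sid_history": [old_sid] if keep_sid_history else []}
    return migrated, sid_map

def token_sids(account):
    """SIDs presented at access-check time: primary SID plus SID history."""
    return {account["sid"], *account["sid_history"]}

def has_access(account, acl):
    """True if any SID in the account's token appears in the resource ACL."""
    return bool(token_sids(account) & set(acl))

def repermission(acl, sid_map):
    """Rewrite ACL entries from source-domain SIDs to target-domain SIDs."""
    return [sid_map.get(sid, sid) for sid in acl]

def stale_entries(acl):
    """ACL entries still naming the source domain; these block clean-up."""
    return [sid for sid in acl if sid.startswith(SRC + "-")]

def clean_sid_history(account):
    """Model of SID history clean-up: drop the inherited source SIDs."""
    return {**account, "sid_history": []}

def demo():
    source_accounts = {"alice": f"{SRC}-1105", "bob": f"{SRC}-1106"}
    share_acl = [f"{SRC}-1105"]                      # only alice is on the share
    migrated, sid_map = migrate(source_accounts)
    before = has_access(migrated["alice"], share_acl)           # via SID history
    early = has_access(clean_sid_history(migrated["alice"]), share_acl)
    new_acl = repermission(share_acl, sid_map)
    after = has_access(clean_sid_history(migrated["alice"]), new_acl)
    return before, early, stale_entries(share_acl), stale_entries(new_acl), after

if __name__ == "__main__":
    print(demo())
```

Cleaning SID history while `stale_entries` still returns anything is the case that locks migrated users out of resources.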
I tested each product by migrating a set of NT users and groups, a file share, and a workstation to a Windows 2003 AD domain. I evaluated each product according to its ease of use, its ability to help plan the migration (i.e., migration-project management), and whether the new accounts in the target domain could access the correct resources on both the file share and the workstation after the migration.
ADMT supported all the basic functionality I needed to migrate users and computers between domains but provided only a minimal installation process and GUI. Most notably, the product lacks migration-project management, SID history cleanup, and robust reporting. ADMT is probably suitable for smaller migrations, but if you need to keep track of hundreds of users, the tool will require extra work—both in troubleshooting and project management.
Installing ADMT wasn't as simple as you might think. At first glance, I thought the process just involved deploying a Windows Installer package. However, a thorough read of the accompanying documentation revealed that I also needed to configure a slew of permissions and registry settings, designate and configure a Password Export Server in the source domain, and reboot a domain controller (DC) in both the source and target domains. In retrospect, the ease of configuring the other tools made ADMT's setup seem complex and error prone.
As Figure 1 shows, ADMT consists of a set of wizards that let you test or perform each migration task. However, the tool didn't provide a way to save my test settings, so I had to rerun the wizards and recreate the options I'd chosen during my tests. When I tested the process of migrating small batches of users, this lack of project management also made it difficult to plan which users I wanted to migrate in each batch.
ADMT has a minimal but useful set of reports. The Account Name Conflicts report helped me predict some of the errors I ran into, and the Migrated User and Groups and Migrated Computer Accounts reports helped me figure out which users I'd already migrated. I would have liked to see reports that compared source and target domains (e.g., something that showed me which users hadn't been migrated yet).
I spent a lot of time troubleshooting ADMT. When a migration task encounters errors, ADMT provides only a text-based log file of the actions it performed. Among the errors I encountered were problems with the configuration of the Password Export Server and SID History permissions. ADMT has a Retry Task Wizard, but the Wizard didn't let me modify a failed task's settings before retrying the task. Also, the Wizard let me retry only distributed tasks, such as computer migrations; I couldn't use the Wizard to retry user migrations that had encountered errors or successful test migrations. Furthermore, ADMT supports undo only for the most recent migration task. Once I got everything working, however, ADMT successfully migrated users, without any permissions problems on the file share or local profiles.
Microsoft Active Directory Migration Tool 2.0
Pros: Performs most necessary migration tasks; free
Cons: Setup can be complex; doesn't offer project-management capabilities; can undo only the most recent migration task; doesn't clean up SID history
Rating: 2 out of 5
Recommendation: Suitable only for small organizations or those that have the time and talent to script larger migrations.
BindView bv-Admin for Windows Migration
bv-Admin for Windows Migration is a project-based migration tool that offers good migration planning, great translation of source-account properties, and complex mapping of migrated objects into organizational units (OUs). This product was the most flexible of those I tested, in terms of organizing accounts in the target AD structure and standardizing account names and properties, but its trial migrations didn't catch errors that occurred during the actual migration. Though troubleshooting wasn't difficult, I was disappointed that it was necessary during my actual migration rather than during the trial migration. This problem, along with its higher price, kept bv-Admin out of the top spot in this review.
The bv-Admin console consists of a set of projects that are organized according to the type of object being migrated. Each project I created represented a set of users, groups, computers, and migration settings. As Figure 2 shows, I could choose a separate destination OU in the target domain for each object to be migrated, and I could set account properties—including the common name (CN), SAM, and user principal name (UPN)—by using an expression that included source-account properties. Additionally, bv-Admin automatically set the first name and last name fields in AD by breaking NT's Full Name field at spaces. None of the other products automatically populated these fields in AD.
After I'd created a project, I could use it to perform either a trial or a real migration. Though the trial migration succeeded, my first real migration produced two errors, one involving permissions for enabling SID history and the other because of the length of the CN field. bv-Admin offered useful error messages, so I was able to resolve both problems easily, but I was frustrated that the trial worked but the actual migration failed. After the real migration succeeded, I turned my project into a template that let me use the same settings for a new project involving different user accounts.
To migrate the file share and workstation, bv-Admin automatically installed agents to apply ACLs and join the workstation to the new domain. Rebooting after the migration was optional, and I didn't encounter any errors during this process.
The product's reporting capabilities impressed me. The reporting tool is called Action Reports and includes a useful set of customizable reports for both domain and migration projects. These reports included data about non-migrated objects, SID history, successfully executed projects, and resources that were skipped during project execution. I could also customize the reports to get data from multiple domains or projects. Furthermore, the reports were actionable when appropriate. For example, right-clicking the SID History report let me launch a SID History clean-up task.
BindView bv-Admin for Windows Migration 7.2
Contact: BindView * 713-561-4000 * 800-813-5869
Price: $9.95 per user
Pros: Offers robust account-translation options
Cons: Trial migrations don't accurately predict the success of actual migrations
Rating: 3 out of 5
Recommendation: A robust migration tool with good project-management capabilities, but migration errors and inaccurate trial-migration functionality required some troubleshooting. Consider this product if renaming accounts during migration is a priority.
NetIQ Migration Suite
Microsoft purchased the original version of ADMT from NetIQ, so ADMT and NetIQ Domain Migration Administrator, a component of NetIQ Migration Suite, have a shared heritage that's evident in the products' UIs. However, NetIQ Migration Suite offers some major improvements over ADMT, both in its functionality and its GUI. NetIQ Migration Suite is an enterprise-class tool that's suitable for planning and executing large migrations. Of all the tested products, this one offers the most robust migration-planning functionality, and performing a migration required only minor troubleshooting. These features and the product's affordable price of $6 per user make it my choice for best migration tool.
Like ADMT, NetIQ Migration Suite required some manual steps to configure my domains for migration. But as Figure 3 shows, the Domain Migration Administrator component provides excellent step-by-step documentation, and I completed my first migration attempt without error. After installation, NetIQ Migration Suite provided me with clearly labeled steps to run the necessary wizards in the appropriate order. During the first two steps, I created a Migration Project and selected objects to migrate. At any time, I could view the status of all the objects I'd selected and modify the properties to set during the migration. The main view of the project gave me a status report showing how many users, groups, and computers had been migrated and a log of each executed migration task, complete with an undo link when appropriate.
NetIQ Migration Suite's reporting capability was the most useful of all the products I reviewed. The reports were easy to use, specific to migration, and let me query the source and target domains for information such as necessary security translations and service accounts. Not only did the product report about SID history and non-migrated objects in the domains, it also compared multiple projects to find objects that were scheduled for migration multiple times. The product's excellent project management and detailed reporting gave it flexibility in creating migration projects on the fly and later modifying them to ensure that they captured all the necessary objects and steps.
NetIQ Migration Suite also offered additional migration options. I could specify a script to run before or after the user, computer, or group migration—a great compromise between a completely scripted migration and one that's limited to the GUI features. The one con was that migrating computer accounts forced a reboot.
NetIQ Migration Suite also includes Server Consolidator, a wizard-based tool that lets you move files, folders, printers, and shares—including all necessary permissions—between servers. This tool would be helpful in migrations that involve moving resources between computers in addition to just repermissioning files and folders.
NetIQ Migration Suite 7.2
Contact: NetIQ * 408-856-3000 * 888-323-6768
Price: $6 per user
Pros: Provided excellent project-management and reporting features; combines easy-to-use GUI with scripting capabilities; affordable
Cons: Computer migration requires a reboot; some installation steps are manual
Rating: 4 out of 5
Recommendation: An enterprise-strength migration tool that supports the planning and management of complex migrations.
Quest Migration Suite for Active Directory
Quest Migration Suite for Active Directory bundles Quest Domain Migration Wizard and Quest Reporter. The first of these tools is a functional and easy-to-use migration product; the second adds AD-reporting functionality. Of the products I tested, Quest Migration Suite for Active Directory was unparalleled in ease of use. Although its project-management and reporting capabilities aren't geared toward migration planning, the excellent scripting integration, hassle-free operation, and post-migration value of Quest Reporter make the suite a contender—if you're willing to pay a bit more.
Domain Migration Wizard, which Figure 4 shows, organizes migrations into projects and sessions. A project contains sessions and migrated users, groups, and computers. I could quit a session at any time and modify or complete it later. Domain Migration Wizard also provides reports that you can access from each step of the Wizard, but these reports provide information about only the current session. I would have liked the ability to view the objects I planned to migrate across multiple sessions and projects.
The most impressive part of Quest Migration Suite for Active Directory was its ease of use. Both the installation and my first migration were error free. Unlike the other products I tested, this product doesn't offer a trial-migration function, but since I didn't encounter any errors, I didn't miss the ability to preview anticipated errors. The product provides an Undo feature to roll back changes after each session. You don't need to reboot or have users log off of a computer to migrate it, and the product even sets migrated computers' last logged-on domain to the target domain, preventing users from having to select a new domain during their next logon. Migration was seamless and easier than with any other tested product.
Quest Reporter's reports aren't specific to domain migration, but some of them—such as duplicate users and effective NTFS permissions reports—were useful for planning migrations. Other reports included data about AD security and both Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX) Act compliance. Quest Reporter is a valuable tool for a new AD infrastructure, and its inclusion in the suite makes the $14-per-user price tag more palatable.
Quest Migration Suite for Active Directory 6.1
Contact: Quest Software * 949-754-8000
Price: $14 per user
Pros: Easy to use; offers detailed reporting
Cons: Migration-planning features are limited; expensive
Rating: 3.5 out of 5
Recommendation: Fast, easy, and an excellent choice for all but the most complicated of migrations, despite being pricey. Consider this product if you want Quest Reporter to help manage AD after the migration.
A Tough Choice
Choosing between NetIQ Migration Suite's great migration-planning features and Quest Migration Suite for Active Directory's ease of use was difficult. Although bv-Admin for Windows Migration shares NetIQ Migration Suite's ability to configure migrations in advance, the NetIQ product's price makes it the best deal. Of course, you might feel differently, depending on your specific needs and environment.