How to Continue Your AD Migration When Everyone is at Home

Active Directory (AD) migrations are just one of the many IT projects impacted by this pandemic crisis. Resources and priorities are in a fluid state right now as organizations work to minimize the operational risks related to a workforce suddenly forced to work from home.

In this post, I will outline how those AD migrations are being impacted, which ones are likely to continue during this crisis, and how you can continue moving your migration forward when so many users are remote.

Why AD migrations are impacted

If you are reading this, that means you have an AD migration in the planning or execution stage; both critical stages of what’s usually a large and complex project. But the sudden upheaval of business as usual has thrown those plans into chaos because:

  • Resources are re-assigned to get users working remotely: Instead of working on your AD migration, IT is scrambling to get their hands on laptops with as much vigor as finding toilet paper; and on top of that, they’re busy imaging those as quickly as possible and setting up Azure AD and SSO for Office 365.
  • Resources are not on site: Both IT personnel and users with their machines are no longer on site. The user machines that would normally have been in the office, inside the enterprise, are now in users' homes; this has broken the ability to do a migration because these machines are no longer on a LAN.

Which AD migrations should continue during COVID-19?

A complete stop on an AD migration may not be a good idea – or even possible for certain projects – even during these uncertain times.  Let’s talk about which projects make the most sense to continue:

  • You’re legally compelled to meet a deadline: If you’re going through a separation, your organization is still required to meet the drop-dead date or face large fines as outlined in the Transition Service Agreement. Now you have to do it with one hand tied behind your back.
  • You’ve got momentum: The worst thing you can do during an AD migration is to lose momentum, because getting all the approvals, signoffs and timelines aligned again may not happen for a long time.
  • You don’t want to spend time and resources supporting coexistence: If you’re already strapped for resources, imagine how much more strapped you’ll be supporting two domains. You need to seriously consider if the additional strain of an extended co-existence is worth the short-term crunch of completing the migration.
  • It’s a security risk: A stalled AD migration brings security risks related to managing coexistence, patching across AD servers, and opening yourself up to SID History Injection attacks.

How your AD migration can continue with remote users

With user laptops and machines at home connecting over VPN, the traditional migration process must be adjusted. The biggest challenge in an AD migration with remote users (apart from those listed as a result of this crisis) is the ability to update and change domain membership while maintaining access to the local machine.

Natively, there is no way to do this.

However, with Quest Migration Manager for Active Directory you can migrate users while they are at home connected to a VPN with the Cached Credential Utility.

The biggest impact in an AD migration comes when you disjoin the machine from the source domain and join it to the target domain: the first time you log in afterwards, a domain controller (DC) has to be available for you to log in to your machine at all. That’s a challenge at home because when you reboot the machine there is no DC, so you can’t log in to your Windows desktop.

The Cached Credential Utility solves this problem by asking for your password to the target environment (which is synchronized) and caching those credentials on your machine in your new profile. Resource processing then runs as normal. Then you move the machine as normal and reboot.

When the machine comes back up for the first time, it uses the cached credentials while joined to the target domain, allowing the user to log in even though the machine isn’t connected to a network. The final step requires one last VPN connection to the network to make the handshake with the DC and complete the migration.
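A check an administrator could run on a remote machine before and after the move, as an added example that is not part of the original post and is not Quest's code. It assumes Windows PowerShell 5.1 in an elevated session, uses `target.example.com` as a placeholder domain name, and assumes the offline logon described above is subject to the standard Windows cached-logon policy value `CachedLogonsCount`.

```powershell
# Added example (not Quest code). Run elevated in Windows PowerShell 5.1.
param(
    [string]$TargetDomain = 'target.example.com'   # placeholder, not from the article
)

function Get-CachedLogonLimit {
    # "Number of previous logons to cache" policy; stored as a string value.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $key -Name CachedLogonsCount `
            -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $raw) { return 10 }   # Windows default when the value is absent
    return [int]$raw
}

function Test-MigrationState {
    param([string]$ExpectedDomain)

    $cs             = Get-CimInstance -ClassName Win32_ComputerSystem
    $limit          = Get-CachedLogonLimit
    $joinedToTarget = $cs.PartOfDomain -and ($cs.Domain -eq $ExpectedDomain)

    # The secure-channel test needs a reachable DC, so off VPN it reports $false.
    $channelOk = $false
    if ($cs.PartOfDomain) {
        try   { $channelOk = [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
        catch { $channelOk = $false }
    }

    # A limit of 0 means Windows caches no domain logons, so the first
    # offline logon after the reboot would fail.
    $status =
        if     ($limit -eq 0)        { 'Blocked: cached logons disabled by policy' }
        elseif (-not $joinedToTarget) { 'Not yet moved to the target domain' }
        elseif (-not $channelOk)      { 'Moved; no DC reachable yet (connect the VPN)' }
        else                          { 'Secure channel verified with the target domain' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        CurrentDomain    = $cs.Domain
        CachedLogonLimit = $limit
        JoinedToTarget   = $joinedToTarget
        SecureChannelOk  = $channelOk
        Status           = $status
    }
}

Test-MigrationState -ExpectedDomain $TargetDomain
```

Running it before the move catches machines where a hardening baseline has set the cached-logon limit to 0; running it after the final VPN connection confirms the machine has a working trust relationship with the target domain.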

Migration Manager for Active Directory

If you are using Quest Migration Manager for Active Directory now, talk to your sales rep about the Cached Credential Utility, which is already included in the product. He or she can set you up with the right Quest Professional Services resources to talk you through the process.

If you are planning an Active Directory migration and must continue with the process, then learn more about this solution as well as lessons learned from your peers who have performed their own AD migrations in this e-book: Active Directory migration: 7 lessons learned.

About the Author

Jennifer LuPiba

Jennifer LuPiba is the Chair of the Quest Software Customer Advisory Board, engaging with and capturing the voice of the customer in such areas as cybersecurity, disaster recovery, management and the impact of mergers and acquisitions on Microsoft 365, Azure Active Directory and on-premises Active Directory. She also writes thought leadership articles and blogs aimed at the c-suite to evangelize the importance of these areas to their overall business. She chairs The Experts Conference, a yearly event focused on pure Active Directory and Office 365 training at the 300 and 400 level for the boots-on-the-ground Microsoft admins and managers.