Evaluating Technology Options for Automating an Active Directory Migration

Monday, February 17, 2014

Posted by Akos Sandor, Binary Tree Senior Solutions Architect

In previous posts, the BT team evaluated two specific limitations of using Microsoft’s Active Directory Migration Toolkit (ADMT) to perform enterprise-scale Active Directory migration projects. If you have been following along on their blog, by now you may be wondering how feasible it might be to use ADMT for a migration of any decent size.


While ADMT is a free download from Microsoft, it’s important to realise that ADMT is just a toolkit, not a true migration product.  In order to use ADMT for an Active Directory migration project, you need to use the provided user interface, which is very limited in its functionality, or create scripts.  If you go the scripting route, which most of its users do, you will find yourself performing a very lengthy and manual process. And while some of the scripts will be simple to write, some can get quite complex.


And no matter which route you go with ADMT, you will find it is missing some key capabilities to successfully do the migration.  In an article from Windows IT Pro, the writer stated that “Although it's possible to use Microsoft's free Active Directory Migration Tool (ADMT) to carry out complex migration projects, you'll find that for all but the simplest scenarios, it lacks some important features, such as the ability to migrate Security Descriptors (SDs) on organisational units (OUs), and has limited rollback capabilities.”


Attempting to use ADMT for an enterprise-scale AD migration requires the brazen mindset of Gimli from the last Lord of the Rings movie right before the final battle: “Certainty of death, small chance of success... What are we waiting for?”


So is there an alternative to fighting an overwhelming army of objects by yourself with just a Hobbit-sized sword named ADMT?


Binary Tree provides an alternative to ADMT, the SMART Active Directory Migrator.  


Rollback Capabilities

SMART Active Directory Migrator can roll back a migration to the original state at any time without restoring data from backup, while the rollback capability in ADMT is limited:

  • ADMT cannot roll back resource updating because the undo feature is restricted to the last
  • In Interforest migrations, ADMT cannot roll back resource updating tasks again and the undo feature is restricted to the last session only
  • In Intraforest migrations, ADMT deletes the source account after moving it to the target domain — the functionality to roll back is not provided


Migrating without Trust Relationships

SMART Active Directory Migrator can perform a migration even if a trust relationship cannot be created for business or security reasons, while ADMT cannot support migrations without trust. If trusts between the source and target domains cannot be established, ADMT cannot perform the migration, because it relies totally on SIDHistory.


Migrating Standard and Extended AD Properties

SMART Active Directory Migrator can migrate standard and extended properties for AD objects, while ADMT only supports standard properties:

  • ADMT uses a standard “users and groups” dialog for object attribute selection. It doesn’t allow filtering or modification for custom attributes to be migrated.
  • ADMT does not allow you to modify all object properties.

Password Synchronisation

SMART Active Directory Migrator supports on-going password synchronisation, while ADMT only supports a one-time password copy.


Clean Up of Security ACL Entries

SMART Active Directory Migrator has the ability to clean up security ACL entries on computers in a source AD domain, while ADMT does not have this capability.


Migration Setup and Processing

ADMT limits object selection to a simple list of users and groups. It doesn’t allow for the customisation or granular selection of object attributes that SMART Active Directory Migrator enables.

When migrating multiple domains, all user resources need to be updated within those domains. ADMT requires you to update each source-target domain pair separately, which results in updating the same resources over and over again. With SMART Active Directory Migrator, multiple projects may be merged together for the re-ACLing processes.

Updates to User Workstations and Resources

  • SMART Active Directory Migrator performs a complete update of the user workstation. You can have SMART Active Directory Migrator automatically change the workstations’ logon prompt to have a new default domain name, making the switch invisible to users. SMART Active Directory Migrator also resets DHCP with a temporary override for the Target DNS server and DNS suffixes list order during the workstation cutover stage.
  • Updating laptops can be challenging, as they are not always connected to the corporate network. SMART Active Directory Migrator can update laptops from a network share without any interaction with the users.
  • ADMT has limited capabilities for updating resources. All permissions require a manual update, significantly adding to the administrative workload.

Preserving Network Security

  • SMART Active Directory Migrator enables you to clean up the SID History attribute of objects after a migration to preserve the security of your network. ADMT does not have the capability to clean up SID History.

For more information on SMART Active Directory Migrator, visit If you would like to see a demo of the product, speak to one of our specialists at Go-it, BinaryTree's preferred partner in APAC.