Active Directory migration is the merging of two domains into one. Splitting and transferring part of your Active Directory to a new domain (branch) is also an Active Directory migration. Active Directory migrations involve moving users, computers, and associated applications to a new domain.
The Active Directory Migration Tool (ADMT) is software that helps you migrate eligible objects.
Why does a business need an Active Directory migration?
The most common use case for Active Directory migration is for companies going through a merger, acquisition, or sale.
When one company buys another, the cost of maintaining two separate ADs can be high. Active Directory migration helps in this case to optimize the costs of maintaining the IT infrastructure.
In addition, sometimes a company may sell part of the business so that it becomes an independent entity. This is where Active Directory migration can be used to split a single AD into two independent parts.
Main security issues during migration
Active Directory administrators face two major challenges today during Active Directory domain consolidation and domain splitting projects:
- With the rise of hybrid Active Directory in enterprise environments, AD migration projects have become much more difficult to plan and execute, meaning IT needs to adjust strategy, select new tools and techniques, and adjust stakeholder expectations.
- AD security is critical when planning AD consolidation or decoupling.
According to experts, an M&A project is a great opportunity to improve an organization's security posture by carefully analyzing and planning for each area affected by migration, such as groups, GPOs, accounts, and applications. Making the right decisions before the migration begins means that the target domain will be even more secure once the migration is complete.
Security basics
Here is a list of items to consider to secure and simplify your AD migration process:
- Clear SID history after migration is complete. If you decide to migrate the SID to the target, remember that this is a temporary solution and is not always required, so set up a project milestone or checkpoint to close this possible vulnerability. Once you reach this milestone, you can delete your existing SID history using PowerShell.
- Avoid or limit synchronization of security and distribution groups. Instead of simply moving a group, analyze what the group is used for and whether its current membership matches the users who should have access to that resource. Moving all groups directly can open the door to attacks, because these groups may be nested within other groups that grant their members access to sensitive data.
- Access control. Some modern third-party migration tools provide options where additional access is no longer required for many aspects of the AD migration process. Minimize the risk of unauthorized access during migration to avoid further exposure.
- Analysis. Evaluate what worked in the old environment to determine what to include when planning structures and processes in the new environment, while avoiding carrying over existing security gaps.
- Create a group of critical assets before migration. Create an Active Directory (AD) tier model that outlines the security boundaries protecting your most critical assets before, during, and after migration.
- Update password policies before migration. As with Group Policy Objects, password policies should be reviewed before implementing any new or updated standards in a new environment.
- Avoid legacy AD migration methods. You must evolve your migration practice to meet the demands of a hybrid approach to AD.
- Review your Group Policy Objects. A policy used in the current environment should not be transferred automatically to the target environment; doing so may carry over security vulnerabilities.
- Work with passwords. Always use strong passwords. Use a privileged access management solution to create strong passphrases so employees don't have to.
- SID history. Remember that without SID history, the worst case scenario is that the end user has to re-authenticate. That is a small price to pay to ensure the organization is not open to possible cyber attacks.
- Do not migrate existing SID history. Stale SID history should be cleared; if it isn't, you expose yourself to potential security holes that an attacker could exploit.
- Accounts. Monitor the accounts whose SID history you decide to migrate, to ensure that no malicious activity is targeting them. Each organization will have its own criteria for identifying these accounts, such as organizational unit, group membership, or a manually maintained list. One practical way is to build that list with PowerShell.
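The two PowerShell tasks mentioned above, building the list of accounts that still carry SID history and clearing that history once the project milestone is reached, are shown together in the following added example. It is not part of the original article and is not ADMT code; it assumes the RSAT ActiveDirectory module is installed and that the account running it may read and modify the objects in scope. The function and parameter names are the author's own choices. Run the clearing step with -WhatIf first and keep the exported CSV as the "knowledge list" for monitoring those accounts.

```powershell
# Added example (not from the original article). Assumes the RSAT
# ActiveDirectory module and permission to modify the objects in scope.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

function Get-SidHistoryReport {
    <# Lists every object in scope that still carries one or more sIDHistory
       values, one row per historical SID, so the report can be exported as a
       monitoring list or piped into Clear-SidHistory. #>
    [CmdletBinding()]
    param(
        # Search base; defaults to the whole current domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # Optional: only report SIDs that came from this source domain (e.g. S-1-5-21-...).
        [string]$SourceDomainSid
    )
    Get-ADObject -SearchBase $SearchBase -LDAPFilter '(sIDHistory=*)' `
        -Properties sIDHistory, objectClass, sAMAccountName |
    ForEach-Object {
        $obj = $_
        foreach ($sid in $obj.sIDHistory) {
            # sIDHistory values are SecurityIdentifier objects; AccountDomainSid is
            # null for well-known (non-domain) SIDs, so guard before reading it.
            $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
            if ($SourceDomainSid -and $domainSid -ne $SourceDomainSid) { continue }
            [pscustomobject]@{
                DistinguishedName = $obj.DistinguishedName
                SamAccountName    = $obj.sAMAccountName
                ObjectClass       = $obj.objectClass
                HistorySid        = $sid.Value
                SourceDomainSid   = $domainSid
            }
        }
    }
}

function Clear-SidHistory {
    <# Removes one sIDHistory value per report row. Values can be removed over
       LDAP; adding them requires the DsAddSidHistory API, which is why ADMT
       (not Set-ADObject) is used to populate SID history in the first place. #>
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$Entry
    )
    process {
        $action = "Remove sIDHistory value $($Entry.HistorySid)"
        if ($PSCmdlet.ShouldProcess($Entry.DistinguishedName, $action)) {
            Set-ADObject -Identity $Entry.DistinguishedName -Remove @{ sIDHistory = $Entry.HistorySid }
        }
    }
}

# 1. Build and keep the list of accounts that still carry SID history.
$report = Get-SidHistoryReport
$report | Export-Csv -Path .\sidhistory-before-cleanup.csv -NoTypeInformation

# 2. Dry run first; remove -WhatIf only at the agreed project milestone.
$report | Clear-SidHistory -WhatIf
# $report | Clear-SidHistory -Confirm:$false

# 3. Re-run the report afterwards to confirm that no entries remain.
Get-SidHistoryReport
```

Filtering on -SourceDomainSid is useful when the target domain already contained SID history from an earlier migration: it lets you clear only the values introduced by the current project while leaving older entries for a separate review. The exported CSV doubles as the watch list for the "Accounts" item above, since it names exactly the objects that can still be addressed by a SID from the source domain.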
Keep your Active Directory secure.
Make privileged access and Active Directory security your top priority during your migration. Attackers can take advantage of the slightest loophole to gain access to domain administrator accounts.
If you still have questions and would like to involve Fanetech experts in your AD migration process, just contact us.