AD OU Labelling and Domain Migration-Draft - 18-Feb-2020


AD Label Consolidation
and Migration Procedure Guide

Bangalore, India

February 2020
V 1.0
Domain Migration

Notice
© 2020 Tata Consultancy Services Limited
This is a controlled document. Unauthorized access, copying, replication or usage for
a purpose other than that for which it is intended is prohibited.
All trademarks that appear in the document have been used for identification purposes
only and belong to their respective companies.


Document Release Note & Revision List

Customer: ManpowerGroup
Project: AD Label Consolidation and Domain Migration

Document details

Name                                          Version no.   Author           Reviewer   Description
AD Label Consolidation and Domain Migration   Version 1.0   Abhijeet Kumar   1          Created the document
                                              Version 1.1

Revision Details

Revision Number   Revision Date   Revision Description   Page Number   Previous page number   Action taken (add/del/change)
1


About this Document


Purpose
As part of the ManpowerGroup Domain Consolidation project, the Netherlands site is required to
restructure its OUs and migrate all objects in the OUs of the Netherlands subsidiary company to the
CORP domain. This requires AD labelling and domain migration at the Netherlands site.
The purpose of this document is to guide administrators through AD OU labelling and the domain
migration of objects in ManpowerGroup Netherlands. It gives a brief overview of, and approach to, AD
labelling and domain migration, and at the same time establishes a standard process for this type of activity.

Intended Audience
The target audience for this document is Windows / Active Directory administrators. It is also intended
for anyone who wants to gain knowledge of AD label consolidation and object migration across domains
or OUs, and of the associated processes and procedures.

References
The reference documents are available in the following table.

Document/Hyperlink Name   Reference Link/Path


Contents
1 AD Label Consolidation and Migration
1.1 Objectives
1.2 Preface
1.3 Scope of Service

2 AD Label Consolidation
2.1 Pre-requisites
2.1.1 OU Label Testing Phase
2.2 OU Label Consolidation Approach

3 AD Object Migration
3.1 Pre-requisites
3.1.1 Evaluating the Existing Environment
3.1.2 Migration Test Process
3.2 Migration Approach
3.3 Migration Type
3.4 Migration Process
3.5 Review Log Files
3.6 Rollback

4 AD Migration Tool
4.1 Choosing the Right Tool


List of Abbreviations/Acronyms

Abbreviation/Acronym   Expansion

AD      Active Directory
ACL     Access control list
GPMC    Group Policy Management Console
GPO     Group Policy Object
IAM     Identity and Access Management
IIS     Internet Information Services
OU      Organizational Unit

1 AD Label Consolidation and Migration

ManpowerGroup is the world's workforce expert, creating innovative workforce solutions for nearly 70
years. The ManpowerGroup family of brands helps more than 400,000 clients across 80 countries and
territories address their critical talent needs, providing comprehensive solutions to resource, manage
and develop talent.

1.1 Objectives
This document provides guidance for AD label consolidation and for the migration of AD objects
across organizational units and across domains respectively. It describes how users and other
resources are moved across OUs and domains as required.

1.2 Preface
As part of the AD consolidation project, all users of iSense, a subsidiary company of
ManpowerGroup, must be migrated to the CORP domain.
This document provides guidance on the planning required to carry out an Active Directory object
migration and AD label consolidation, and on the approved tools and utilities that can be used. The
guidance is designed to:
• Help identify potential design and deployment risks
• Provide rapid knowledge transfer to reduce the learning curve of designing an Active Directory
migration and AD labelling solution
• Establish some preliminary design decisions before moving ahead with the migration
• Provide a consolidation of relevant, publicly available best-practice guidance for Active
Directory migration that:
  • Focuses on guidance specific to the ManpowerGroup consolidation scenario
  • Reduces the need for decision making by making recommendations where appropriate

1.3 Scope of Service


The purpose of this SOP is to provide detailed instructions on how to carry out the AD object migration
task so that any team member can carry out the task correctly every time. The scope of service broadly
covers the following projects or tasks performed in the Manpower Netherlands domain infrastructure:
• OU labelling and restructuring
• Migrating user and computer accounts across domains
• Moving user and computer accounts, contacts and groups across OUs
• Usage guide for the migration tool (Quest Migration Manager)
• Validation and implementation of identity and access for user accounts
• Validation of OU-level group policy
• Usage of the IAM tool

2 AD Label Consolidation

AD label consolidation involves restructuring and renaming organizational units as required and then
moving objects such as user accounts, groups and computer accounts from a specific OU to the
target OU.

In this case, as part of AD label consolidation in the Netherlands CORP domain, we are going to move
the user accounts and contacts from OU Manpower/EMEA/Netherland to OU ManpowerGroup/EMEA.

2.1 Pre-requisites

Factors to consider before moving user accounts across OUs:


1. OU synchronization with the cloud service
If the on-premises Active Directory is integrated with Azure AD (synchronized with Office 365), check
which OUs are in the synchronization scope. The target OU must be included in the OU filtering of the
directory synchronization tool (DirSync / Azure AD Connect) before any object is moved into it: a
synchronized user moved into an OU that is outside the sync scope is removed from Azure AD at the next
synchronization cycle.

2. Group Policies applied

Group Policies play a key role in user and computer account behaviour. Check and validate the OU-level
group policies linked to and inherited by the source and target OUs; a GPO present on one side only
means that moved objects gain or lose its settings.

3. OU permissions (delegation)

Check and validate the security permissions (ACL) set on the target OU before moving any user account.
The permissions an object inherits change with its parent OU, so the delegation on the target OU must
be the same as on the source OU to avoid access problems afterwards.

4. User account group membership

For all manually created user accounts, access and permissions are applied by adding the accounts to
security groups. Record the group membership of the accounts before the move and verify it again
afterwards. An OU move by itself does not change group membership, so any difference points to another
process (for example the IAM tool) acting on the account.

5. Users created via the IAM tool

For this subsidiary company almost all internal user accounts in the OU are created via the IAM tool.
The IAM tool automatically creates user accounts in a particular OU and applies the default identity and
access permissions for resources by synchronizing the OU attributes.
Before moving any users from such OUs, the IAM tool configuration must be updated with the target OU
to prevent synchronization failure: every setting in the IAM configuration that references the OU used
for synchronization must be changed to the new target OU.
Note: the IAM tool is managed and supported by the third-party vendor Tools4ever. Any required change
must first be agreed with the vendor, since a change made to an OU may result in synchronization failure.
Operational management can change configuration settings to ensure correct provisioning for
changes in the MPG organization.

Below are the IAM tool dashboard and configuration screens:

IAM Tool
Configuration and Settings

• IAM Settings: manage the IAM configuration settings used by apps and processes
• IAM Gebruiker Management (IAM User Management): manage the IAM users and groups
• Beheer gebruikersgegevens (Manage user data): manage user information

IAM Dashboard
2.1.1 OU Label Testing Phase
Before performing this task in the production environment for all users, test it first with one or two
internal users to learn the impact. If the pilot users are moved across OUs successfully and without
issues, proceed with the others.

Pilot Testing

Below are the steps for testing:


1. Select one or two pilot user accounts for testing.
2. Check and verify the GPOs linked to the source OU and the target OU.
3. Update the IAM tool configuration setting to the new target OU.
4. Select a pilot user and move it from the source OU
Manpower/EMEA/Netherland/iSense/Users/Employees to the target OU
ManpowerGroup/EMEA/Netherland/Users/Employees.

5. Wait for some time and observe the impact (the next IAM and directory synchronization cycles
should complete without errors).


6. Take feedback from the user and generate the error report.
7. If no impact or issue is reported, continue with the remaining user account moves.

2.2 OU Label Consolidation Approach

The approach for OU label consolidation is simple, but the prerequisites described in section 2.1
must be taken into account.

A sample label consolidation for iSense is given below. This approach is the standard scenario for OU
label consolidation; all other OU labelling must follow the same standard.

Steps for OU labelling:

1. Open GPMC and navigate to the source OU: Manpower/EMEA/Netherland/iSense

2. Check the linked GPOs, Group Policy inheritance and delegation for the selected source OU as per
the screenshot below.
3. Update the GPO links. Make sure that all required GPOs are linked in the same way to the
target OU: ManpowerGroup/EMEA/Netherland/
Note: linked and inherited GPOs are subject to change as required by the CORP domain and domain
consolidation project. The GIS team is working on this.

4. Update the IAM tool configuration setting to the new target OU. This is done by the third-party
vendor Tools4ever.
5. Select the user/computer/printer/group accounts in the source OU:
Manpower/EMEA/Netherland/iSense/

6. Perform pilot testing of the OU labelling on a few accounts before moving user and computer
accounts and other objects in bulk.

7. Select the pilot objects for testing one at a time, as follows:

i. For a user account


• Select any one user account and right-click to show its properties.
• Check and verify the user account's group membership and security permissions before and
after the move.
• Ensure that the target path to which user accounts will be moved is configured in the IAM tool.
• Verify that the target path to which user accounts will be moved is within the synchronization
scope configured in the Synchronization Service Manager on the Azure AD Connect server for
Office 365 services.

ii. For a computer account


• Select any one computer account and right-click to show its properties.
• Check and verify the security permissions, group membership, delegation and BitLocker
recovery information before and after the move.
• Verify that the target path to which computer accounts will be moved is within the synchronization
scope configured in the Synchronization Service Manager on the Azure AD Connect server for
Office 365 services.

iii. For a service account


• Select any one service account and right-click to show its properties.
• Check and verify the group membership and security permissions of the service account before
and after the move.
• Ensure that the DN and other attributes of the service account that will be moved are configured
correctly in the related application or service settings for the new target OU. The DN changes
with every OU move, so any application that binds or looks up the account by its DN rather than
by its UPN or sAMAccountName must be updated.

iv. For groups


• Select any one group and right-click to show its properties.
v. For servers
• Select any one server and right-click to show its properties.

vi. For printers


• Select any one printer and right-click to show its properties.
Note: all OUs are mapped to print services, hence any change in the printer OU will impact
end users. Ensure the following before moving printers:
• Ensure that the shared path of the printer is updated in Group Policy.
• Ensure that the shared path of the printer is updated in Print and Document Services.

Ensure that all the above points are addressed carefully before moving on to step 8.

8. Right-click the object, choose Move from the context menu and click Move.

9. Select the target OU: ManpowerGroup/EMEA/Netherland/Users/Employees

10. Check the pilot object's properties in the target OU and verify the object location.

11. Observe for some time and get feedback from the pilot users; also check the other pilot objects for
their identity, security and access permissions.
12. Prepare a report of all impacts and issues reported, and make changes to the infrastructure
and to the process as required.

13. If no impact or issue is reported during pilot testing, proceed with the live process for all remaining
user accounts, computer accounts, groups, service accounts, etc.
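Steps 7 to 12 above amount to: snapshot the pilot object, move it, compare, and be able to move it back. The script below is an added example written for this guide (not part of the original procedure, and not the Quest tooling used for the cross-domain migration in section 3); it performs an intra-domain OU move with Move-ADObject, assumes the RSAT ActiveDirectory module, and uses a placeholder target OU DN and a placeholder pilot account name.

```powershell
# Added example (not part of the original procedure): move one pilot object to the
# target OU with a before/after snapshot and a rollback path. Assumes the RSAT
# ActiveDirectory module; the target OU DN and the account name are placeholders.
Import-Module ActiveDirectory

$TargetOU     = 'OU=Employees,OU=Users,OU=Netherland,OU=EMEA,OU=ManpowerGroup,DC=corp,DC=example'  # placeholder DN
$PilotAccount = 'pilot.user01'                                                                       # placeholder sAMAccountName

function Get-ObjectSnapshot {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Attributes that must survive an OU move unchanged. Only the DN is expected to
    # change; objectGUID and objectSid never do, and memberOf is untouched by a move.
    $o = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" `
            -Properties objectSid, memberOf, primaryGroupID, userAccountControl, objectGUID
    if (-not $o) { throw "Object '$SamAccountName' not found" }
    [pscustomobject]@{
        Name           = $SamAccountName
        Class          = $o.ObjectClass
        Guid           = $o.ObjectGUID.Guid
        Sid            = $o.objectSid.Value
        DN             = $o.DistinguishedName
        Groups         = @($o.memberOf | Sort-Object)
        PrimaryGroupId = $o.primaryGroupID
        Uac            = $o.userAccountControl
        # ACEs set directly on the object. Inherited ACEs legitimately change with the
        # new parent OU and were already compared OU-to-OU before the move.
        ExplicitAces   = @((Get-Acl -Path "AD:\$($o.DistinguishedName)").Access |
                           Where-Object { -not $_.IsInherited } |
                           ForEach-Object { '{0}|{1}|{2}' -f $_.IdentityReference, $_.AccessControlType, $_.ActiveDirectoryRights } |
                           Sort-Object -Unique)
    }
}

function Test-MoveOutcome {
    param($Before, $After, [string]$ExpectedParent)
    # Parent DN = everything after the first unescaped comma of the object's DN.
    $parent   = ($After.DN -split '(?<!\\),', 2)[1]
    $problems = @()
    if ($After.Guid -ne $Before.Guid) { $problems += 'objectGUID changed (this is a different object)' }
    if ($After.Sid  -ne $Before.Sid)  { $problems += 'objectSid changed' }
    if ($parent -ne $ExpectedParent)  { $problems += "object is not under the target OU: $parent" }
    if ($After.Uac -ne $Before.Uac)   { $problems += 'userAccountControl changed' }
    # A move never changes group membership; a difference means another process
    # (for example the IAM tool) acted on the object in the meantime.
    Compare-Object $Before.Groups $After.Groups | ForEach-Object {
        $problems += ('group membership changed: {0} {1}' -f $_.SideIndicator, $_.InputObject) }
    Compare-Object $Before.ExplicitAces $After.ExplicitAces | ForEach-Object {
        $problems += ('explicit ACE changed: {0} {1}' -f $_.SideIndicator, $_.InputObject) }
    [pscustomobject]@{ Passed = ($problems.Count -eq 0); Problems = $problems }
}

function Invoke-PilotMove {
    param([Parameter(Mandatory)][string]$SamAccountName, [Parameter(Mandatory)][string]$Target)
    $before   = Get-ObjectSnapshot -SamAccountName $SamAccountName
    # The pre-move snapshot on disk is the rollback record; write it before moving.
    $snapFile = ".\$SamAccountName-before-move.xml"
    $before | Export-Clixml -Path $snapFile
    Move-ADObject -Identity $before.DN -TargetPath $Target -Confirm:$false
    $after  = Get-ObjectSnapshot -SamAccountName $SamAccountName
    $result = Test-MoveOutcome -Before $before -After $after -ExpectedParent $Target
    [pscustomobject]@{ Snapshot = $snapFile; Before = $before.DN; After = $after.DN; Result = $result }
}

function Undo-PilotMove {
    param([Parameter(Mandatory)][string]$SnapshotFile)
    # Rollback: locate the object by GUID (stable across moves) and move it back to
    # the parent OU recorded before the move.
    $snap           = Import-Clixml -Path $SnapshotFile
    $originalParent = ($snap.DN -split '(?<!\\),', 2)[1]
    Move-ADObject -Identity $snap.Guid -TargetPath $originalParent -Confirm:$false
    Get-ADObject -Identity $snap.Guid | Select-Object Name, DistinguishedName
}

$outcome = Invoke-PilotMove -SamAccountName $PilotAccount -Target $TargetOU
$outcome.Result | Format-List
if (-not $outcome.Result.Passed) { Undo-PilotMove -SnapshotFile $outcome.Snapshot }
```

The account running the move needs "Delete child" on the source OU and "Create child" on the target OU for the object class being moved. The snapshot file doubles as the evidence for the report in step 12; keep it until the pilot is signed off, since `Undo-PilotMove` depends on it.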

3 AD Object Migration

AD migration involves migrating Active Directory objects such as user and computer accounts and groups
across domains, using either the Microsoft ADMT tool or a third-party tool such as Quest Migration
Manager. As part of any migration project it is important to understand all the components that are to
be migrated.

3.1 Pre-requisites

The initial decisions to be made as part of a migration project are first to evaluate the current Active
Directory environment and then to decide the approach by which objects will be migrated to the target.

3.1.1 Evaluating the Existing Environment


The aim of evaluating the existing environment is to understand the infrastructure currently in place and
the factors that should be considered before the migration process, and to be aware of the risks involved
in such migration projects. It also reduces the potential for unforeseen issues arising during the actual
migration.
As part of the evaluation, a number of infrastructure areas should be assessed and documented, as in the
table below.

Infrastructure Area            Comments
User Environment Properties    This includes the identification of login scripts, system or group policies in
                               place, and home folder locations.
Duplicate users and groups     If you identify duplicate users between domains, you might want to merge or
                               rename some of these objects during the migration.
OS Dependent Software          Ensure that if any software installed on a server to be decommissioned is still
                               required, it is catered for in the migration process.
Network Stored Information     All information stored on the network servers needs to be identified, whether it
                               is user data or application data. The location of the data, who is responsible for
                               it, which users have access to it and the security requirements for data storage
                               must also be noted.
Custom Attributes              Ensure that custom attributes applied at OU level or on particular user/computer
                               accounts are identified.
Computer account status        Discover and verify dead computer accounts that do not need to be migrated.
File Shares by Computer        Some shared file resources might require a permissions update as part of the
                               migration process.
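Four of the areas in the table (user environment properties, duplicate names, custom attributes and dead computer accounts) can be inventoried directly from the directory. The script below is an added example written for this guide, not part of the original procedure or of the Quest Enterprise Reporter product mentioned further on. It assumes the RSAT ActiveDirectory module and a trust (or explicit credentials) to the target domain; the source OU DN, the target-domain DC name, the inactivity threshold and the custom-attribute list are all placeholders to be replaced with the real values.

```powershell
# Added example (not part of the original procedure): inventory of the evaluation
# areas for one source OU. Assumes the RSAT ActiveDirectory module and a trust or
# credentials to the target domain; every value below marked placeholder is assumed.
Import-Module ActiveDirectory

$SourceOU         = 'OU=iSense,OU=Netherland,OU=EMEA,OU=Manpower,DC=corp,DC=example'  # placeholder DN
$TargetDC         = 'dc01.corp.example'                                               # placeholder: a DC of the target domain
$StaleAfter       = New-TimeSpan -Days 90                                             # placeholder threshold
$CustomAttributes = @('extensionAttribute1', 'extensionAttribute2')                   # placeholder: attributes the IAM tool writes

function Get-UserEnvironmentProperties {
    param([string]$SearchBase)
    # Login scripts, home folders and roaming profiles carry UNC paths that may stop
    # resolving once the account lives in another OU or domain.
    Get-ADUser -Filter * -SearchBase $SearchBase `
        -Properties scriptPath, homeDirectory, homeDrive, profilePath |
      Where-Object { $_.scriptPath -or $_.homeDirectory -or $_.profilePath } |
      Select-Object sAMAccountName, scriptPath, homeDirectory, homeDrive, profilePath
}

function Get-StaleComputers {
    param([string]$SearchBase, [timespan]$Threshold)
    # Search-ADAccount evaluates lastLogonTimestamp, which replicates between DCs
    # (with up to about 14 days of slack), which is adequate for dead-account triage.
    Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan $Threshold -SearchBase $SearchBase |
      Select-Object Name, LastLogonDate, Enabled, DistinguishedName
}

function Get-DuplicateNames {
    param([string]$SearchBase, [string]$TargetServer)
    # objectClass 'user' also matches computer objects, so computer names are covered.
    # A name that already exists in the target domain must be merged or renamed.
    $sourceNames = Get-ADObject -Filter "objectClass -eq 'user' -or objectClass -eq 'group'" `
                     -SearchBase $SearchBase -Properties sAMAccountName |
                   Select-Object -ExpandProperty sAMAccountName
    foreach ($n in $sourceNames) {
        $hit = Get-ADObject -Server $TargetServer -Filter "sAMAccountName -eq '$n'" -ErrorAction SilentlyContinue
        if ($hit) { [pscustomobject]@{ Name = $n; TargetDN = $hit.DistinguishedName } }
    }
}

function Get-CustomAttributeUsage {
    param([string]$SearchBase, [string[]]$Attributes)
    # Anything the IAM tool or an application stores in custom attributes must be
    # carried over or re-provisioned; list the accounts that have a value set.
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties $Attributes | ForEach-Object {
        $u   = $_
        $set = @($Attributes | Where-Object { $u.$_ })
        if ($set.Count -gt 0) {
            [pscustomobject]@{ sAMAccountName = $u.sAMAccountName; AttributesSet = ($set -join ',') }
        }
    }
}

$inventory = [ordered]@{
    UserEnvironment  = @(Get-UserEnvironmentProperties -SearchBase $SourceOU)
    StaleComputers   = @(Get-StaleComputers -SearchBase $SourceOU -Threshold $StaleAfter)
    DuplicateNames   = @(Get-DuplicateNames -SearchBase $SourceOU -TargetServer $TargetDC)
    CustomAttributes = @(Get-CustomAttributeUsage -SearchBase $SourceOU -Attributes $CustomAttributes)
}
foreach ($area in $inventory.Keys) {
    '{0,-18} {1,5} object(s)' -f $area, $inventory[$area].Count
    $inventory[$area] | Export-Csv -Path ".\inventory-$area.csv" -NoTypeInformation
}
```

The four CSV files are the documented evidence the table asks for. Network-stored information, OS-dependent software and per-computer file shares are not in the directory and still have to be collected from the servers themselves.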

Apart from the above evaluation, the factors listed in section 2.1 (OU synchronization with the cloud
service, group policies applied, OU permissions, user account group membership and users created via
the IAM tool) must also be considered before the domain migration of objects, exactly as for an OU move.

Collecting this information and developing the appropriate reports manually is difficult and error-prone.
Consider investing in a third-party tool, such as Quest Enterprise Reporter, to automate the assessment
process and help ensure a complete and accurate picture of the source environment.

3.1.2 Migration Test Process
The migration test process is the part of the Active Directory migration solution that verifies that the
migration will be successful. The test should also include a rollback plan for issues that are deemed too
serious to continue with the migration.
The scripts and processes developed for the migration should also be thoroughly tested before any large-
scale live migrations are performed, to ensure they work as expected.

Pilot Test
As part of the pilot, all aspects of the migration solution are carried out on a selected number of users.
These users are expected to carry out their day-to-day activities as normal, with the additional
responsibility of reporting any issues regarding access to resources that were available prior to the
migration.

The typical basic steps involved in a pilot include:


• Identifying the pilot users, their computers and the data to which they require continued access
• Migrating or synchronizing these user accounts, including group membership and login scripts
• Migrating computer accounts to the target Active Directory
• Migrating data and other resources that are part of the migration but that do not interfere with
other production environment users. This includes maintaining access to shared data and server-
based applications for the pilot users
During the pilot test, focus on the following areas:
• Check that all the users and their permissions to files and folders were migrated as expected.
Where access to resources that have not yet been migrated relies on the source account's SID being
carried in the migrated account's sIDHistory attribute, verify that it was populated.

• Note the time taken to perform the migration for the number of users taking part in the pilot

• Note the network bandwidth used during the migration and ensure that other live users are not
affected

Once the pilot test has been completed, document the findings and rework the migration processes as
necessary.

3.2 Migration Approach

There are two ways in which the ManpowerGroup organization can populate the new Active Directory
environment with the objects to be migrated from the old environment:

• A direct migration approach involves the migration of all users, groups, computers and any
other objects required, typically in a one-time migration

• A phased migration approach enables the organization to migrate objects in stages while
maintaining both the old and new environments, using trust relationships or synchronization tools
during the transition period

Recommendation: the phased migration approach is recommended because of the potential complexity
and size of the environment. It allows IT administrators to focus on easily managed stages, allows
easier rollback, and reduces the risk involved in a direct migration.

3.3 Migration Type

As part of the ManpowerGroup iSense OU infrastructure, the objects identified for migration across
domains will be evaluated. These include:
• Users
• Service accounts
• Groups
• Computers
• Printers
• Data
• Login scripts
For each of these, document details such as:
• Current name (including the domain name for a user, group or computer account)
• Target name (especially if domain consolidation is part of the migration and multiple objects
currently share the same name)
• Current location (both physically and logically within the domain or tree)
• Target destination (the Active Directory organizational unit (OU) to which the object will be migrated,
and the location of a server if a physical move of the server takes place)

3.4 Migration Process


Two options exist for a migration process: a manual migration, or an automated migration using
migration tools. The option chosen depends mainly on the following:
• The size of the migration (number of objects to migrate)
• Whether the objects that exist in the current environment are valid or not (an example of an
invalid object is a user account for a user who has left employment)
• The configuration of objects such as the access control lists (ACLs) of files, and so on

Manual Migration
A manual migration process involves re-entering user accounts, computer accounts and group
memberships, and re-securing the files and folders that are copied across to the new environment.
This option is typically used in an environment where:
• The number of objects to migrate is relatively small
• The objects need extensive updating because their properties are inaccurate
• The information to be migrated is out of date and no longer required
• The investment in learning, installing and using the migration tools could take longer than the
manual migration itself

Automated Migration
An automated migration process uses tools to populate the new environment with information and data
taken from the current environment. This option is typically used where a large number of objects and
files need to be migrated and these already exist in the current environment.
Recommendation
ManpowerGroup iSense should use an automated migration process because of the number of objects
typically found within the environment and the data security already in place.

The tools available for the migration depend upon the platform from which objects are migrated.
As per the client requirement we will be using the Quest migration tool (Quest Migration Manager). It
enables ManpowerGroup iSense to migrate Active Directory objects much faster and more efficiently
than a manual migration.

3.5 Review Log Files
Whether migrating from a Windows or an AD environment, log files are crucial in ensuring a successful
migration. Administrators need regular statistics and reports so that they always know the status of
the migration. Reports should indicate the percentage of the migration completed and give detailed
statistics on the number of successful and failed migrations of users, groups, servers, resources and
permissions. Every failed object must be traced to its cause and either re-migrated or explicitly
excluded before the source object is decommissioned.

3.6 Rollback
A final key aspect of any migration is dealing with errors and failures. The rollback plan should be
exercised during testing, not written for the first time when it is needed. It is put into effect if issues
are encountered that are deemed too serious to continue with the migration. Rollback after an error is
complex because so many aspects of the environment need to be considered (the migrated accounts,
the updated resource permissions and the state of synchronization with the source domain).
Consider using the third-party tool from Quest for the rollback activity to avoid errors and save time
and money.

4 AD Migration Tool

4.1 Choosing the Right Tool


Managing a migration manually is usually not practical, and it introduces a considerable risk of mistakes
and omissions. Investing in a migration management tool can save time and money and help reduce the
risk of a failed migration. The tool selected must fulfil the following requirements:
• Enables you to control all migration processes from a single management console.
• Automates the migration of servers and resources.
• Provides up-to-the-minute statistics to ensure you always know the current status of the migration
project.
• Ensures true coexistence between migrated and unmigrated users, so users can continue working
unaware of the migration project. The tool should be able to synchronize all changes made
during the coexistence period in both directions (from source to target and from target to source),
including changes to passwords, group membership and resource permissions.

Legacy applications require significant time and planning to be moved across AD domains. Hence the
third-party tool Quest Migration Manager has been chosen for the migration activity in the
ManpowerGroup organization. Below are the advantages of using Quest Migration Manager over the
legacy tooling.
• Zero-impact, full-directory migration
It supports restructuring AD during business hours, reducing the IT workload with no adverse effect
on user productivity. With Migration Manager we can move all types of objects,
including users, groups, computers, volumes, printers, contacts, organizational units, network
topology (including sites, subnets and site links) and directory permissions.
• Complete coexistence
Maintain seamless user access to all network resources, such as servers and printers, regardless of
their migration status.
• Flexible, comprehensive planning
Plan any migration scenario, from simple AD improvements to a complete restructuring of
the entire domain. Risk is reduced by staging users, scheduling workstation moves
and updating permissions, and the production environment can be mirrored to a test lab to
ensure that all processes are effective and safe before they are applied.
• Automated, parallel processing
Automate the migration and enable parallel processing to save valuable time and ensure zero
downtime.
• Automatic updates
Save time and reduce risk by automatically updating permissions and resources, including AD,
SharePoint, Exchange, Internet Information Services (IIS), file and print servers, SQL Server,
cluster servers and Microsoft Systems Management Server. NTFS security, shares and more can
also be updated.
• Secure execution
