Prepared by
Holger Reiners
Principal Consultant
Jrg Finkeisen
Michael Wirth
Table of Contents
Management Summary............................................................................................................................. 5
Technical Background............................................................................................................................... 6
Domain Migration.............................................................................................................................. 9
Domain Rename............................................................................................................................... 9
Domain Migration........................................................................................................................ 11
Domain Rename......................................................................................................................... 12
Domain Migration........................................................................................................................ 12
Domain Rename......................................................................................................................... 13
General considerations................................................................................................................... 20
Disjoint Namespaces...................................................................................................................... 20
Discontinuous Namespaces........................................................................................................... 22
General recommendation............................................................................................................... 22
OU structure................................................................................................................................ 23
Functional levels......................................................................................................................... 24
Schema extensions..................................................................................................................... 24
Co-existence solution...................................................................................................................... 24
Application Migration....................................................................................................................... 25
Application categories................................................................................................................. 27
Application Questionnaire................................................................................................... 27
Modeling Guidelines............................................................................................................ 28
Integration Depth................................................................................................................. 29
Customer experiences................................................................................................................ 32
Migration Preparation.................................................................................................................. 34
C1 - Initial configuration...................................................................................................... 35
C1 - migration ready............................................................................................................ 36
C1 - application migration................................................................................................... 37
C1 - final state..................................................................................................................... 37
C1 - in trusting domains...................................................................................................... 38
C2 - initial configuration....................................................................................................... 39
C2 - Case 2 - application cant work with migrated objects, sync to meta store..................42
C2 - in trusting domains...................................................................................................... 45
C2 - experiences................................................................................................................. 45
C3 - Initial configuration...................................................................................................... 46
SID based........................................................................................................................... 47
Name mapping.................................................................................................................... 53
C3 - Effort drivers................................................................................................................ 56
C4 - initial configuration....................................................................................................... 57
C4 - Migration...................................................................................................................... 58
C4 - final.............................................................................................................................. 59
C4 - in trusting domains...................................................................................................... 59
C5 - initial configuration....................................................................................................... 60
C5 - final.............................................................................................................................. 61
C5 - in trusting domains...................................................................................................... 61
Summary..................................................................................................................................... 61
Appendix................................................................................................................................................. 62
Internet references.......................................................................................................................... 62
Migration information.................................................................................................................. 62
Rename information.................................................................................................................... 62
Figure index
Figure 1 - forest root domain rename............................................................................................................. 10
Figure 2 Transition phases and activities........................................................................................................ 16
Figure 3 Application categories according to integration depths.....................................................................30
Figure 4 Migration preparation........................................................................................................................ 34
Figure 5 C1 - initial configuration.................................................................................................................... 35
Figure 6 C1 - migration ready......................................................................................................................... 36
Figure 7 C1 - application migration................................................................................................................. 37
Figure 8 C1 - final state.................................................................................................................................. 37
Figure 9 C1 - Exchange co-existance states for all categories.......................................................................38
Figure 10 C2 - initial configuration.................................................................................................................. 39
Figure 11 C2 - application can work with migrated objects, even if disabled..................................................40
Figure 12 C2 - case 1 - application migration to the new forest, users still in migration..................................41
Figure 13 C2 - application cant work with migrated objects, sync to meta store............................................42
Figure 14 C2 - case 2 - application migration................................................................................................. 43
Figure 15 C2 - final state................................................................................................................................ 44
Figure 16 C3 - initial configuration.................................................................................................................. 46
Figure 17 C3 - SID based - some security principals are migrated and active...............................................47
Figure 18 C3 - SID based - option 1 - all security principals are migrated and active.....................................48
Figure 19 C3 - SID based - option 1 - server migration..................................................................................49
Figure 20 C3 - SID based - Opt.2 - some objects are migrated and active.....................................................50
Figure 21 C3 - SID based - option 2 - reACL the resources...........................................................................51
Figure 22 C3 -SID based - final...................................................................................................................... 52
Figure 23 C3 - name mapping - some security principals are migrated and active........................................53
Figure 24 C3 - name mapping - name remapping.......................................................................................... 54
Figure 25 C3 - name mapping - resource server migration............................................................................55
Figure 26 C3 - name mapping - final.............................................................................................................. 56
Figure 27 C4 - initial configuration.................................................................................................................. 57
Figure 28 C4 - migration................................................................................................................................. 58
Figure 29 C4 - final......................................................................................................................................... 59
Figure 30 C5 - initial configuration.................................................................................................................. 60
Figure 31 C5 - final configuration.................................................................................................................... 61
Table index
Table 1 C2 - effort driver details...................................................................................................................... 45
1 Management Summary
An Active Directory domain name that contains one or more labels separated by a dot is referred to as a fully
qualified domain name with two or more names and it will be referred as FQDN in this document. In contrast
there is the concept of single-label domain (SLD), which refers to Active Directory domain names with only
one label.
Given that SLD is not a commonly deployed configuration and that many Microsoft and third-party
applications have not been tested under an SLD configuration, Microsoft recommends FQDN Active
Directory deployments. For companies who have deployed SLD, they should transition to an FQDN Active
Directory deployment. This will ensure that they get the most value out of their deployed applications.
For companies that will be evaluating transition to FQDN from SLD configurations, this document describes
the options and considerations that they will need to take into account. In particular it describes Domain
Migration and Domain Rename operations and explains the different considerations of these two options, so
that companies can build a transition plan that makes sense to them.
Long-term, the goal of Microsoft is to have customer infrastructures using common, tested configurations to
minimize costs and effort to administrate the Active Directory (AD) and DNS environment. The use of multilabel names is Microsofts recommended naming configuration.
Organizations that have SLD configurations should begin by analyzing their current environment to find out
the best mitigation option.
Domain rename operations might be feasible in certain scenarios, mainly for smaller organizations or those
that can tolerate some outage while removing and reinstalling applications that are incompatible with domain
The migration into a non-SLD forest and domain structure should be well aligned with the product lifecycle
and the future IT infrastructure roadmap of the organization.
The transition from a single label to a fully qualified Active Directory domain namespace puts your clients,
servers, domain controllers, the operating systems and applications in a namespace configuration that can
deliver the following benefits:
Provides the broadest application support, including the ability to deploy applications on day 1 after
release without fear that support will be deprecated in a future release, will be deferred until a future
release, or will never support forests configured with SLDs, possibly even blocking installation in
Receives the highest number of test passes by Microsoft and third-party application developers
Requires the least additional configuration to register and resolve DNS names of interest
Delivers the lowest total cost of ownership (TCO) by reducing complex configurations and by
consolidating forest and domain structures
Aligns the namespace assigned to your forest with same type of namespace assigned to the top
thousands of domains deployed and operated by other customers over the last decade or more
Receive Microsoft cloud support, because only domains with fully qualified DNS names are
supported by Microsoft cloud services such as BPOS and Office 365
2 Technical Background
The Domain Name System (DNS) defines a hierarchical namespace forming a tree of domain names. The
domain name syntax definitions are specified in several RFCs (mainly, 1035, 1123 and 2181).
Active Directory Domain Services (AD DS) uses a DNS namespace format for domains in an Active Directory
forest. The distinguished name (DN) paths of naming contexts and objects are derived from the DNS name
assigned to the forest root domain as well as from the domain that owns the object. The recommended DNS
name assigned to an Active Directory domain consists of two or more name parts or labels separated by a .
(dot), such as, contoso.com. The AD DNS domain can be subordinate to a top-level domain, such as .com,
or subordinate to your internal DNS namespace (that is, domain corp.contoso.com can be subordinate to the
internal namespace of contoso.com). It is recommended that your AD domain names be part of an officially
registered DNS namespace that is owned by your company or organization.
Single-label DNS names are DNS names that consist of only one domain label and do not contain a dot
(except the trailing dot representing the DNS root domain, that is omitted in most use cases). For example
contoso, com, net, or local are single-label domain (SLD) names while contoso.com, contoso.net, or
contoso.internal are fully qualified DNS names. SLD configurations in Active Directory are created when an
administrator decides to assign an SLD name to one or more domains in an Active Directory forest. The most
common SLD configuration is that the forest root domain (FRD) has been assigned a single label DNS
For the purpose of this whitepaper, we will distinguish between single-label domain (SLD) names and fully
qualified domain names (FQDN), that is, domain names with more than one label.
SLD names are not strictly prohibited by the DNS RFCs, but the RFCs are typically referring to the non-SLD
configurations that are seen as a worldwide common DNS configuration.
As Active Directory provides infrastructure services like authentication, authorization and directory data
storage on a network, the namespace that your organization chooses for Active Directory forests and
domains directly affects applications that use Active Directory. When we refer to Single Label Domain names
in this whitepaper, we implicitly mean the DNS name assigned to a domain in an Active Directory forest.
Microsoft published the following detailed information, advisory, and recommendations for Active Directory in
SLD configurations:
Information about configuring Active Directory domains by using single-label DNS names
Warnings installing Active Directory Domain Services on Windows Server 2008 and Windows Server 2008
R2 in domains with single-label DNS names
Unable to select DNS Server role when adding a domain controller into an existing Active Directory domain
Some Microsoft products can be installed in a SLD name configuration. When the installation is using an
SLD, certain considerations might apply, as noted by Microsoft Product Groups. Though existing Microsoft
products can continue to function using SLD, it is not a recommended configuration for future deployments,
and might not work with some products or versions. Other Microsoft or third-party applications that end-users
might want to run in an environment might not be compatible with a SLD. Microsoft recommends deploying
an infrastructure using common, tested configurations to minimize extra deployment and testing costs.
Some existing applications that support SLD today have announced their intent to drop SLD support in future
New, more advanced applications typically dont support SLD and will not be adding such support going
For application development teams, the additional test overhead required to validate application compatibility
in SLD configuration so they can be supported for production deployment represents an effective doubling in
test cost across major and minor version releases, service pack updates and QFE updates; this cost is not
justified by the small number of forests configured to use SLD. The overhead prevents application
developers from pursuing new and more interesting features that improve product relevance and
competitiveness in the market.
Therefore, there might be incompatibilities when products are implemented in an SLD environment.
Sometimes there are known issues and workarounds to mitigate the SLD configurations. Some products are
known to be blocked by SLD configuration.
Organizations with various namespace configurations (including SLD) can obtain support subject to the
terms of the Microsoft Support Lifecycle policy and their Microsoft support agreement. This means that
Microsoft Premier Support customers will receive equivalent support for current Microsoft products running in
either an SLD or a FQDN environment. In either case, Microsoft will evaluate the need for a hotfix in
response to a support incident on a case-by-case basis.
In order to protect customers from accidentally deploying a new SLD, the Active Directory Installation Wizard
(DCPromo.exe) in Windows Server 2008 warns against creating a new SLD and in Windows Server 2008 R2
explicitly blocks creating a new SLD.
For detailed information on supported products and configurations, refer to the following information on the
Microsoft website:
Microsoft support for Single Label Domains
DNS Namespace Planning Support
Namespace Planning and Product Compatibility
3 SLD scenarios
In many organizations, Active Directory Domain Service (AD DS) is the major infrastructure component that
uses the DNS system, and it is tightly bound to the DNS structure. An Active Directory SLD configuration is
defined when one of the Active Directory domains in a forest uses a SLD name as the Active Directory
domain name.
Some typical SLD domain configurations are:
Domain Migration
The preferred approach to move from an SLD Active Directory configuration to a FQDN Active Directory
configuration is the forest and domain migration. This is the same operation as seen in many merger and
acquisition scenarios or in forest consolidation operations.
The migration approach requires building and operating a new FQDN forest in parallel to the existing SLD
Active Directory forest. The design of the new FQDN forest and domain structure is the opportunity to
enhance and optimize the configuration to adapt the Active Directory to new and future requirements. When
the FQDN forest is fully operational, migration tools will have to be used to move objects to the new forest.
Careful planning is required to avoid breaking application functionality. During parallel operations of the
Active Directory forests, the coexistence requires ongoing synchronization of certain data between forests.
Additionally, the provisioning of a consistent data store might be required to provide application data
independently of both forests to mitigate effects of object DN name changes due to migration.
The sequence and speed of Active Directory object migration and migration of member servers and
workstations should be well aligned to the application lifecycle in the organization. It also depends on the IT
organizations staff capacity and general change capabilities.
The migration of security principal objects requires the usage of migration tools, which are available from
several vendors. Microsoft offers the Active Directory Migration Tool (ADMT) that can be downloaded free of
charge from the Internet.
For further information about Active Directory migration, please refer to the ADMT Guide: Migrating and
Restructuring Active Directory Domains (http://technet.microsoft.com/en-us/library/cc974332(WS.10).aspx ).
Domain Rename
The domain rename option was introduced with Windows Server 2003 Active Directory and enables the
rename of the NetBIOS and DNS domain name of any domain of an Active Directory forest in a single
operation. You can also use the domain rename operation to restructure domains i.e., child domains can
be restructured to grandchild or tree domains and tree domains can be restructured to child or grandchild
domains. Changing the NetBIOS of domains with a rename operation is optional. Certain target
configurations can require two or more subsequent rename operations.
The following restrictions are related to a domain rename operation:
The new domain name cannot be the same as an existing domain name in the forest.
It is not possible to change which domain is the forest root domain.
It is not possible to add domains to the forest or to drop domains from the forest via the domain
rename operation. Domains can be added or removed by using the Active Directory installation
wizard after the rename operation is complete.
NetBIOS and DNS names assigned as new names to domains in the forest must be unique.
Renaming the forest root domain changes the distinguished name (DN) path for the schema and the
configuration partition, while the DNS and NetBIOS names of all other domains remain unchanged.
In a first step, the domain rename operation prepares the domain controllers in the forest that should be used
for the rename operation. The new DNS namespace will be manifested as XML statements in a forest
description file. The domain naming master FSMO holder transforms this file into a domain rename script
and stores that script to an attribute that is replicated to all domain controllers in the forest.
After the preparation is done, the administrator initiates the rename execution. With the start of the rename
execution, all domain controllers in the forest will reconfigure themselves to reflect the new forest
configuration and then restart with the new configuration. During this time, the Active Directory service is not
available for client users, services, or applications.
For further details regarding the planning and execution of a domain rename operation, refer to the following
information on Microsoft TechNet:
To make the rename operation effective, after the operation it is necessary to:
restart all application servers and workstations in the renamed domains twice
re-create trusts with external domains
(If the root domain is renamed, recreate the forests and Kerberos realms trusts)
rejoin computers with NT 4.0 operating system to the renamed domain
The risk and complexity of a domain rename operation depend on many factors.
The top challenge of domain rename is application compatibility. This has to be investigated and tested for
applications on all servers and workstations in your Active Directory forest. The most important question is:
Does the application have hard-coded references to the old DNS (or NetBIOS) domain name or its hierarchy
within the forest?
If you cant answer this question or your vendor doesnt know, you must assume that the application is not
compatible with domain rename. At this point, youre now faced with having to remove all applications that
are incompatible or whose compatibility is unknown, perform the domain rename, and then reinstall the
applications; otherwise, the rename operation is effectively blocked.
The application compatibility issue is critical since the rename operation will be effective for all services and
applications at one single point in time, the instant after the domain controllers have rebooted. Thats why the
domain rename operation requires an intense organizational effort to coordinate several infrastructure and
application dependencies due to the single point in time of the domain rename operation.
Clients joined to renamed domains have to be rebooted twice to reflect the rename operation. This task is
easier for desktop computers but is more challenging to enforce for roaming laptops.
Not all applications and server-based applications are compatible with the domain rename feature that is
supported on domain controllers running Windows Server 2003 or later. These incompatibilities will either
block the domain rename feature or make the use of the domain rename feature more difficult when you try
to rename an SLD name to a fully qualified domain name configuration.
Examples of applications that are incompatible with domain rename include, but are not limited to, the
following products:
For the most updated list of applications that are incompatible with domain rename, see Information
about configuring Active Directory domains by using single-label DNS names
Domain Migration
Domain Rename
The decision for the right transition option for the organization is a complex and individual decision process.
The following paragraphs will discuss aspects that should be considered.
Domain Migration
If the domain rename is blocked by unsupported applications or is of high risk to the organization, the Active
Directory forest and domain migration is the preferred option. The migration approach requires more in terms
of time, budget, and personnel resources than the domain rename. But advantages are the lower risk,
because the migration happens in smaller sets of objects, and the ability to rollback to the source
environment if there are issues. In a migration process, you can do a large part of the work out-of-band,
without affecting the availability of applications and services in your production environment.
During the migration, you need expertise for all your applications and services. You will need a clear
understanding of their integration with Active Directory, but you will also need to put attention on seemingly
simple questions like: Do I have access to the installation media?
There are two main options for the general migration approach and shaded variants in between.
Fast migration approach
With the fast migration approach, all Active Directory objects and applications will be migrated in a very short
timeframe. Normally this will require additional and timely extra effort to do all the migration activities within
the time frame.
The advantage of this approach is that the co-existence phase is very limited and, in some cases, wont be
as complex as would be required for a longer time period. The organization will be earlier in a FQDN
environment that may enable new applications or services.
Application lifecycle integrated migration
The application lifecycle integrated migration will enable a smooth transition of the applications and services
to the FQDN environment. The applications and services will be migrated when the hardware or software
lifecycle require a system operation. This approach will be at least one application lifecycle long and
stretches across several years.
The advantage of this approach is that it can be combined with other IT initiatives to reduce the application
migration costs, in comparison to the costs of the fast migration approach. On the other hand, the coexistence solution must be managed during the complete timeframe and it may become more complex, as a
result of changing requirements during the operation time line.
For both migration options, the organization should align the migration decision with other planned IT
initiatives and should define a migration end date for the completion of the move to the FQDN environment.
Domain Rename
The Active Directory domain rename operation is attractive, because it offers the ability to get rid of the SLD
configuration in a straight forward process.
The first and foremost potential blocker is application compatibility. All applications in the environment must
support the Active Directory domain rename operation. If an application doesnt support rename AND you
cant take the outage caused by removing the application from the source domain and reinstalling it in the
destination domain AND re-associating application and configuration data, then the rename should be seen
as blocked.
In most customer environments, the only domain with an SLD name is the forest root domain. And in most
scenarios, this domain is empty; that is, there are no applications and services installed on servers in this
domain. The only servers in this domain are domain controllers. Subordinate domains in the tree have
FQDNs, and servers and workstations are more commonly members in these subordinate domains with
FQDNs than in the forest root domain with the SLD. In this scenario, you could rename the forest root
domain and assign a fully qualified name that puts this domain into a separate name tree and changes the
subordinate domains to form another separate tree of domains. This reduces the impact of domain rename
operation, since only all domain controllers in the forest have to be rebooted but no member servers or
workstations. The most compelling benefit of this approach is that the names of the application domains do
not change. This might drastically reduce the application compatibility impact. In this scenario, the focus for
application compatibility is on applications that have deep and hard coded integration with the Active
Directory schema and configuration naming contexts, such as Microsoft Exchange and Active Directory
Certificate Services.
If the organization environment supports the Active Directory domain rename operation, the operation must
be well planned and thoroughly tested, and all risks have to be assessed. The domain rename operation will
reconfigure the environment at one specific point in time. Any potential issues will arise directly after the
rename operation. The organization will either have to prioritize application repairs and may overload the
operation teams or have to accept application service degradation for a longer time period.
Single-Label-Domain - Considerations, migration and co-existence, Considerations, migration and co-existence, Version 1.32, Final
267673279 / 1.09.2011, Rev. 5
page 20
Analyze your environment
A deep analysis of the environment and a planning phase should be considered to gather the necessary
information to evaluate and decide for the best suitable mitigation approach for the organization. Chapter 6:
Analysis of your SLD environment provides an overview of things to consider during the analysis activity.
Transition option decision
After the analysis phase, the organization must decide a transition option. Aspects an organization should
consider for the decision are covered in Section: 4.4 Transition option decision.
Execution - Migration
If the organization chooses migration as the transition option, the following activities should be completed.
Forest name selection
Chapter 7 Forest name selection will summarize the key considerations for selecting a new FQDN Active
Directory forest DNS namespace.
Provide hardware and procure licenses
For the new Active Directory infrastructure, additional hardware and software is necessary. Initiate the
procurement of the resources early to avoid delays in the procurement process.
Plan and build the new FQDN Active Directory forest
Section 8.1: Execute a Domain Migration outlines the major steps of the build process of the Active Directory
for the new FQDN environment.
Plan and build co-existence strategy
During the migration the existing and new environment must be managed and operated in an integrated way.
The processes will influence both environments. Therefore a co-existence strategy must be developed and
the necessary information synchronization established.
Section 8.2: Co-existence solution provides insights into the co-existing planning, approaches, and possible
Plan and do application migration
The real challenge of the environment migration is the application migration. The applications must serve
users from both the existing and the new forest while the application instances with all configurations and the
application data are being moved from one environment to the other. Clients must be reconfigured to
consume the new application and service instances in the FQDN environment. Application and service
instances in the SLD instance have to be decommissioned. Section 8.3: Application Migration provides
insight to the applications Active Directory dependencies. Categorize the applications and develop migration
strategies for each application category.
Plan and decommission the SLD environment
After the migration is finished, the SLD Active Directory and perhaps some services and applications that
arent migrated must be decommissioned. This task is organization and situation specific. It should be
planned as a switch off the light operation, but with the ability to start up the environment again if there are
unexpected dependencies. This task should be considered for every application during the application
migration activities.
Execution - Domain Rename
If the organization chooses domain rename as a transition option, the following activities should be
Forest name selection
Chapter 7: Forest name selection summarizes the key considerations for selecting a new FQDN Active
Directory forest DNS namespace.
Inventory the applications
Inventory your applications and try to get feedback about the domain rename impact and support from the
manufacturer of the application.
If the rename operation itself fails, either you can repeat the operation after you have fixed issues that are
reported in log and trace files or you have to execute a forest recovery operation to re-establish the old forest
General considerations
Microsoft recommends using an officially registered DNS namespace for new forest environments. The
namespace should be as static as possible and not prone to future change, e.g., through mergers or
organizational change. Thats why you should use generic name components and avoiding using
organization or department names.
It is a best practice to use the namespace to distinguish between internal and external services. This
distinction can be made by using different parts of the same namespace hierarchy or by using a completely
different namespace hierarchy. When choosing internal DNS names to use for your Active Directory
domains, start with the registered DNS domain name suffix that your organization has reserved for use on
the Internet (such as company.com) and combine this name with either a place holder (e.g., corp, ds, int,
etc.), or geographical or other static names used in your organization to form full names for your Active
Directory domains.
Migration considerations
For the name of a new FQDN forest, it is technically possible and supported to use a name that is
subordinate to the existing SLD forest namespace. For example, if your existing forest uses the names aa for
the forest root domain and dom.aa for the second domain, you could use new.dom.aa as the name of the
forest root in the FQDN forest. This configuration will require some additional configuration in the trust to
enable the correct routing of name suffixes across the forests for authentication and resource ticket requests.
Disjoint Namespaces
A disjoint namespace in AD DS occurs when one or more domain member computers or domain controllers
have a primary Domain Name Service (DNS) suffix that does not match the DNS name of the Active
Directory domain of which the computers are members. For example, a member computer that uses a
primary DNS suffix of corp.company.com in an Active Directory domain named na.corp.company.com is
using a disjoint namespace.
A disjoint namespace is more complex to administer, maintain, and troubleshoot than a contiguous
namespace. In a contiguous namespace, the primary DNS suffix matches the DNS name assigned to an
Active Directory domain. Network applications that are written to assume that the Active Directory
namespace is identical to the primary DNS suffix for all domain member computers do not function properly
in a disjoint namespace.
A disjoint namespace should work (and is supported) in the following situations:
When a forest with multiple Active Directory domains uses a single DNS namespace, which is also
known as a DNS zone
An example of this is a company that created regional domains in Active Directory with names such
as na.corp.company.com, sa.corp.company.com, and asia.corp.company.com and uses a single
DNS namespace, such as corp.company.com.
When a single Active Directory domain is split into separate DNS namespaces
One example of this is a company that has an Active Directory domain of corp.contoso.com that
uses DNS zones such as hr.corp.contoso.com, production.corp.contoso.com, and
A disjoint namespace does not work properly (and is not supported) in the following situations:
A disjoint suffix used by domain members matches an Active Directory domain name in this or
another forest. This will break Kerberos name-suffix routing.
The same disjoint suffix is used in another forest. This prevents routing these suffixes uniquely
between forests.
When a domain member certification authority (CA) server changes its fully qualified domain name
(FQDN) so that it no longer use the same primary DNS suffix that is used by the domain controllers
of the domain to which the CA server is a member. In this case, you may have problems validating
certificates the CA server issued, depending on what DNS names are used in the CRL Distribution
Points. But if you place a CA server in a stable disjoint namespace, it works properly and is
page 28
Because the primary DNS suffix of a computer can indicate different information, you can manage
the DNS namespace separately from the Active Directory domain name.
You can separate the DNS namespace based on business structure or geographical location. For
example, you can separate the namespace based on business unit names or physical location such
as continent, country/region, or building (subject to the supported and unsupported constraints listed
Further splitting of the namespace of a large single Active Directory domain environment may help
avoid storing and administering hundreds of thousands of records in a single DNS zone.
You must create and manage separate DNS zones for each Active Directory domain in the forest
that has member computers that use a disjoint namespace. (That is, it requires an additional and
more complex configuration.)
You must perform manual steps to modify and manage the Active Directory attribute that allows
domain members to use alternate primary DNS suffixes.
To optimize name resolution, you must perform manual steps to modify and maintain Group Policy to
configure member computers with alternate primary DNS suffixes.
When your environment requires multiple primary DNS suffixes, you must configure the DNS suffix
search order for all of the Active Directory domains in the forest appropriately. To set the DNS suffix
search order, you can use Group Policy objects or Dynamic Host Configuration Protocol (DHCP)
Server service parameters. You can also modify the registry.
You must carefully test all applications for compatibility issues.
Migration considerations
During the migration, the intention is to support NTLM and Kerberos for authentication across forest
boundaries. Kerberos uses service principal names (SPNs), which contain FQDN host names of services. If
the current SLD environment uses a disjoint namespace and the new forest will also be operated with a
disjoint namespace, then the namespace planning has to make sure that SPNs are unique across forests
and that overlapping Kerberos SPN suffixes are avoided.
If the disjoint namespace reflects location, a per-location migration of this namespace might be feasible.
However this would require that an entire location be migrated over in a relatively short time span with
Kerberos authentication interruption. This adds additional complexity and risk to the application migration.
A completely new disjoint namespace without overlap (such as, hostname.site.corp.company.com) with
regards to the existing disjoint namespace names (such as, hostname.site.company.com) is technically
possible as it would avoid overlapping Kerberos SPN suffixes.
Microsoft recommends against introducing another disjoint namespace in the environment, if the DNS
infrastructure and processes supports a joint namespace for the environment.
Discontinuous Namespaces
A discontinuous namespace, also referred to as non-contiguous namespace, is one in which the domains in
a forest are not lined up in one hierarchical DNS tree. If the domains in a forest have discontinuous DNS
names, they form separate trees of hierarchical domains within the forest. An Active Directory forest can
contain one or more domain trees. An example of a multi-tree forest would be a forest containing the
domains contoso.com and fabrikam.net.
Active Directory forests with multiple domain trees are considered well-formed forests and are fully supported
by Microsoft.
The first domain created in a forest always has the role of the forest root domain, independent of other DNS
trees in the forest.
A discontinuous namespace is more complex to administer, maintain, and troubleshoot than a contiguous
namespace. For example, special DNS suffix configuration on clients is required to enable cross-domain use
of short host names.
General recommendation
Start your Active Directory with a simple and clear design. For most organizations, a single forest, single
domain design, also known as a single domain forest, will fit.
For the DNS namespace selection, there are three main recommendations:
For your trees of domains, use DNS namespaces that are officially registered for your organization
Use separate internal and external DNS namespaces
If possible, avoid the use of a disjoint namespace, because it is more complex to introduce, maintain,
and operate.
The DNS namespace design is one important aspect in an Active Directory design; however, it only follows
the decisions on the number of forests and domains. The number of domains, Organizational Unit (OU)
structure within these domains, physical design (sites and subnets), and forest or domain functional levels
are other fundamental aspects that need to be decided before the first domain controller in the new forest
can be promoted.
The following chapters are not intended to replace any of the existing documentation about Active Directory
design. We still do strongly recommend studying this documentation or, in even more complex organizations,
seeking consulting services support during this design phase. However, we want to stress a couple of
aspects an organization might want to consider during the design of the new AD infrastructure in the light of
an SLD to FQDN migration.
Another great source of input for the new design should be your own experience gathered from operating
your existing systems. You should take some time to document these lessons learned from your networking
and AD teams as well as your security staff, Helpdesk, and business units responsible for your line-ofbusiness applications.
In the past, organizations sometimes deployed a so-called placeholder or empty root domain. However,
experience shows that the most efficient approach for most organizations is to strictly minimize the number
of domains, that is, to start with a single-forest/single-domain design, and add domains only when concrete
reasons (such as, geopolitical or network replication considerations) dictate creating another domain
instance. Also note that security and isolation considerations do not motivate an empty root domain, as
domains cannot be considered a security boundary in AD DS.
Another potential optimization could be achieved by reevaluating the number and distribution of domain
controllers, that is, by considering a stronger consolidation of domain controllers if your network infrastructure
permits. Start your deployment from the central hub locations of your network and expand from there if
decentralized domain controller installation is needed. Also, consider the use of read-only domain controllers.
Another consideration should be the fact that Windows Server 2008 and Windows Server 2008 R2 (as
well as their client counterparts, Windows Vista and Windows 7) have the IPv6 protocol enabled by
default. A recommended best practice is to leave IPv6 enabled and bound whenever possible. Even if you
decide to disable IPv6 on your systems, you should be prepared to define at least one IPv6 subnet and
assign it to one of your Active Directory sites (for example, the Default-First-Site-Name site).
OU structure
Two main criteriadelegation of administration and application of Group Policy settings to user and
computer objects will influence your organizational unit structure. Again, creating a new Active Directory
forest will present a great opportunity to assess your existing system and identify areas of improvement or
consolidation. On the other hand, changing an OU structure is relatively easy to achieve post-deployment,
compared with changing forest structure.
Microsoft recommends that you install the latest version and service pack of the Windows Server operating
system on the new domain controller computers. This enables you to leverage the most advanced server
features, best hardware support, and the latest security patch and hotfix level.
Another trend which can be seen both in data centers as well as branch office scenarios is, of course, server
virtualization as well as the fact that the newer server operation systems are built as 64-bit platforms only.
Functional levels
A new forest infrastructure brings the opportunity to build a completely legacy free environment. Given that
all new domain controllers are built using the latest version of the Windows Server operating system, there is
a unique opportunity to switch to the highest domain and forest functional level right from the beginning and
by doing so immediately enable the most advanced Active Directory features. Examples are the Active
Directory Recycle Bin, which allows for quick recovery of deleted Active Directory objects, and Fine-Grained
Password Policies (FGPP) which allow having more than one password policy setting within a single domain
(the lack of this feature in the past sometimes motivated organizations to deploy more than one domain).
Schema extensions
Another great opportunity for an efficient deployment approach lies in the possibility of introducing all the
schema extensions which are anticipated for all the AD-integrated applications that the organization is
planning to deploy. All these extensions can be installed before any user is migrated or any application is
actually installed in the new environment; this will largely reduce testing efforts and associated risk.
Co-existence solution
All migration scenarios require the source and target environments co-exist during the migration process.
This co-existence implicates technical requirements and creates demands for co-existence processes and
people to execute them.
The co-existence period starts as soon as the setup of the new Active Directory forest and related
management solutions is finished. The co-existence period ends when the last server in the SLD Active
Directory forest is decommissioned.
By definition, co-existence includes all supporting processes and additional efforts that are required purely
because two separate enterprise Active Directory forests exist.
The implications of co-existence include:
Maintenance of two enterprise Active Directory forests, including related management tools and
solutions (that is, provisioning, monitoring, server maintenance, etc.).
Maintenance of trust relationships from external domains to both the existing and the new forests
and the name resolution configuration to support such trusts.
An LDAP application directory as an abstraction layer for LDAP-dependent applications to provide a
single point of LDAP access to the data of the two Active Directory forests in the background.
A solution for object synchronization between the two forests and the LDAP application directory.
The solution should provide automated synchronization of a defined set objects and a selection of their
As a synchronization solution, organizations might implement Microsoft Forefront Identity Manager 2010
(FIM). Synchronization solutions are also available from other vendors. An organization can also choose to
extend an existing identity management system to provide the required co-existence functionality.
The synchronization solution connects, at minimum, the following directories:
The synchronization solution should also support the synchronization of passwords from the SLD forest to
the FQDN forest. This allows users to use their current password after their accounts have been migrated
and activated in the new forest.
The LDAP Application directory can be implemented as an Active Directory Lightweight Directory Services
(AD LDS) directory solution. AD LDS is an integrated server role on Windows Server 2008 R2.
During the co-existence phase, the LDAP application directory provides the old namespace for
applications, so that the migration of application server configurations will be de-coupled from the migration
of objects from the SLD forest to the FQDN forest. That means that objects that have been migrated to the
new forest can still be retrieved using the old search DNS. This solution follows the assumption that it is
easier to change a target server in an application than to change the complete namespace configuration.
Another important reason to establish this LDAP directory is that the set of objects that an application
retrieves might be distributed between the SLD and non-SLD forests due to migration states.
Application Migration
While analyzing existing applications, it makes sense to distinguish the applications in terms of technical
aspects of the integration with Active Directory. This is important in order to understand the different technical
elements that have to be factored in when talking about application migration in conjunction with the Active
Directory forest migration.
It is important to note that application can have different scopes of integration. Some applications depend on
the forest and forest configuration, while others access information in specific domain naming contexts in the
In the following classification, we use the acronym FTM (Forest To be Migrated) for the SLD forest as the
source of the migration operation. The acronym DTM stands for Domain To be Migrated, that is, one
domain in the SLD forest as the source of migration operation.
We found the following typical application scenarios in customer environments.
Active Directory integrated configuration - strict
First and foremost, this category is characterized by the fact that the application can only live in either one or
the other Active Directory forest. The application boundary is the Active Directory forest. The application
configuration is stored in Active Directory. Application specific schema extensions are required.
Parallel instances of the application in an organization are possible. This application can live in both forests
with dependencies to the other (e.g. mail routing of a mail domain for Exchange). The migration of the data
between the instances is necessary. A user can be served only by one instance at a time.
Examples: Microsoft Exchange, Microsoft Lync
Active Directory integrated configuration - flexible
The application boundary is typically the Active Directory forest. The application configuration is stored in
Active Directory. Application specific schema extensions might be required.
This application can live in both forests without any dependencies. The two deployments won't significantly
influence each other. A user can be served by more than one instance.
Examples: Active Directory Certificate Services (PKI)
Windows integrated applications - on servers in the domain to migrate (DTM)
These are applications that use the Windows integrated authentication and authorization. The main factor
here is that these applications use the user's NT Token from the DTM to extract user and group SIDs and
use these SIDs to compare against SIDs in Access Control Lists (ACLs) on protected resources like files and
Examples: File servers in the domain to migrate
As an alternative to the usage of the SID the application can use the users token provided domain and
sAMAccountName for a name mapping inside the application.
Examples: Microsoft SQL Server
Windows integrated applications - on servers in trusting domains
These applications also use the Windows integrated authentication and authorization. The difference is that
these applications use the user's NT Token from the DTM to extract user and group SIDs and use these
SIDs to compare against SIDs in Access Control Lists (ACLs) on protected resources like files and folders on
servers in a domain that trusts the DTM (trusting domain).
Examples: File servers in a trusting domain
As an alternative to the usage of the SID the application can use the users token provided domain and
sAMAccountName for a name mapping inside the application.
Examples: SQL Server
Application categories
The definition of different types of Active Directory integration is one very important input for the migration
planning process. But there are more parameters to consider for the application migration. The integration
type defines what has to be migrated, but it needs more parameters to be able to determine the expected
effort and possible timeframe of an application migration. Therefore, the application questionnaire should
also contain questions about object numbers and integration depth. Additionally, information about the
operation procedures as well as business criticality and business impact per application will influence the
application migration planning, possible timeframe, and effort.
In most cases, the information about the operation procedures as well as business criticality and business
impact per application cannot be credibly and comprehensively collected through a simple questionnaire. In
addition, it could be a good move to combine other application changes, like upgrades, to be combined with
an application migration.
This is the main reason why this document limits the consideration to the technical aspects of the migration.
The document will provide some non-technical information to consider, but the migration dependencies are
not limited to this non-technical information and must be adapted to each migration situation.
Machine accounts
Service accounts
Administrative user accounts
End user accounts
Group accounts
Which different ways of using Active Directory security principals must be distinguished?
Is there complete knowledge about how and where Active Directoryrelated data is configured?
What is the toolset for the application configuration?
Which other application data can be stored in Active Directory?
Service connection point
Application meta data
Organizational data
User state data (directly in AD DS or as a link from a user account to an external store like AD LDS)
Which are the main factors that influence time and effort for the migration of an application?
page 45
Downtime restrictions and other constraints as a result of SLAs and the business impact of the
Time restrictions for the transition period. (for example, frozen environment time during holiday
Additional operational processes during the transition time
Additional helpdesk costs caused by the migration and transition.
The model must be simple enough to allow for easy assignment of a given application.
It is a model and thus has limitations.
Assignment to categories must be feasible with existing data about applications.
The categories must be related to migration specifics, especially to migration methodology and
Each category should be aligned to a certain migration strategy and path.
Each category should have a good percentage of applications that fall into it.
Migrate server accounts (change domain membership) or set up new servers in the new
Migrate technical accounts (service accounts, admin accounts) or re-create accounts
Move services data to servers in the new environment (configuration in Active Directory, data on file
servers, data in databases) or re-create this data
Re-ACL services data or adjust name mappings (the reference to the Active Directory object, if
Change service configuration to point to new Active Directory forest (if Active Directory objects are
already there)
Change client-side application settings to point to the new service location
Decommission the service in the old environment
Active Directory object migration is the process of creating a copy of an object in the existing forest with the
same syntax and semantics in the target forest. This process is determined by parameters such as the
A main parameter that highly influences the effort and cost is whether the service or application has to be
moved or can be re-created in the new environment.
Business applications will have to be moved in most cases, while management services such as System
Center Configuration Manager (SCCM) or System Center Operation Manager (SCOM) have to be created in
the new environment. Since this might be the case for a number of applications, we created a separate
category for these.
The resulting application categories are described in the following paragraphs.
C1: HIGH AD integration depth, HIGH service integration depth Complex integration
The application uses a large number of objects in Active Directory. These objects are of different object types
and are highly distributed in the Active Directory environment. This application category requires the greatest
effort and cost to migrate servers, clients, data, and Active Directory objects. The migration of these
applications requires the migration of application data (inside and outside of the Active Directory
environment) as well as the reconfiguration of client-side applications.
These applications often have special requirements on the sequence of user and group migrations and on
the state of associated users in both forests (active/passive, passive/active). Therefore, these applications
are the drivers for user and application migration. They determine when a certain user and group can be
migrated and all other applications have to follow and adapt to the approach.
These applications also create the need to keep associated objects in both forests in sync.
Example: Microsoft Exchange migration from the existing Exchange organization to the new Exchange
organization in the new forest.
The service uses many Active Directory objects of different types. The application does not use Windows
security principals from AD DS directly, except for a few service and administrative accounts. Instead, it uses
LDAP queries and mappings based on user or group names to make access decisions. The application
usually reads from the Active Directory database, but writing to the Active Directory database is not excluded.
Thus, we also include Active Directory provisioning solutions like Identity Management solutions here.
The service configuration, though, is very simple to change (for example, change the base DN) and the
number of affected application configuration items and servers is also low, that is, fewer than 10 servers, less
than 25 configuration items, or other factors that are easily changed and required little effort.
Although the service can be reconfigured quite easily, the service-related objects are mostly security
principals. With the migration progress, these security principals may be distributed between the FTM and
new forest during the migration and transition phase. This fact must be taken into account specifically.
Synchronization and provisioning tools are often required to support the migration of these applications. In
some cases, a virtual directory intermediate directory solution might be required to support the applications
during the migration.
If SID mapping is used and there are many configuration objects to change since the SID principals change
during migration, the application will rather fall into category C1 or C3.
The service uses a small number of Active Directory objects, in most cases this will be groups. The service
configuration, though, is very complex to change and the number of affected servers is also high, that is,
more than 10 servers, more than 25 configuration items, or other factors that are more complex to change
and require a great deal of effort. Examples are applications that use many folders and files on many NTFS
volumes and shares that are protected by ACLs. These ACLs contain the SIDs of groups from the DTM
For this category, the migration of the related Active Directory objects is not the most costly part of the
migration. Instead it is the cost of reconfiguring the applications, depending on the available knowledge
about where the configuration has to be executed, the number of required changes, and what toolset is
available for this task.
The service uses a small number of Active Directory objects; in most cases, these will be configuration items.
The application does not use Windows security principals from the Active Directory database, except for a
small number of service and administrative accounts. There are no or only a few dependencies on other
applications or services.
Special cases are applications that cant be migrated or when it is a better option to reinstall them without a
migration. In principal, these applications can fall in one of the before-mentioned application categories; but
from an application, operation, or other perspective, the preferred option is to create a new service instance
in the new environment. In most cases, these will be applications that support IT management and
operations tasks and processes.
In this case, migration means to set up a new instance of the service in the new forest. There might be the
requirement to integrate or sync both instances to get consolidated views. This is not feasible for all such
type of services.
The following list provides guidelines from our experiences with past migrations to better support the
operation of both environments during the migration and transition phase. These recommendations are not
strict rules, but should be considered in the overall migration planning process.
To keep the environments in a better manageable state, avoid cross-forest ACLs where possible.
(Using a principal from one forest in a ACL of a system in the other forest)
To keep the environments in a better manageable state, avoid cross-forest group memberships
where possible. (Adding a principal from one forest as a member in a group of the other forest)
Accounts have to be in both forests for Exchange, but to access the service only one account can be
enabled at a time.
In an environment that has user GPO application, the account activation follows the workstation
migration due to GPO application. This will avoid having an old workstation with new group policies
in a cross-forest scenario, which is complex to handle in terms of operations.
In an environment that only has workstation GPO applications, the account activation isnt
dependent on the workstation, as long as the GPOs between the environments are compatible with
the user environment.
Customer experiences
In the migrations that have been carried out by Microsoft Services together with customer teams, we
validated the application categories and application migration approaches. It was found that the categories
and approaches are generally valid for most customer environments.
Further, it was recognized that any questionnaire cannot be completely sufficient to estimate the migration
effort and process for a given application, whether it is a Microsoft application, a custom application, or a
third-party application. The application owners must be educated to better understand how Active Directory
integration affects their application now, during transition, and in the new Active Directory environment so
they can estimate the related effort and to create a solid plan for their specific application.
The experience across the customers is that this education cannot be done with a questionnaire alone. The
questionnaire would be too complex if it were to cover every possibility. The conclusion was that it is more
practicable to gather specific information in an interview mode. The interview enabled a better understanding
of the application and revealed more dependencies and aspects of the application than the questionnaire
An application migration center (AMC) could offer the application owner various services to support the
migration process.
The application migration center could compile a customer specific application questionnaire to gather the
required application migration information.
Before working directly with the application migration center, the application owner could be offered a classroom or web-based training to understand the aspects of Active Directory integration, the purpose of the
application migration questionnaire, and the specific information that is required to prepare for the migration
of the applications.
In a next step, the application owner, with the support of team members or co-workers, should fill out the
application questionnaire. This could be done in a form that is made available on the organizations intranet.
The form can contain sample answers and guiding hints to collect the best possible answers.
After the filled-out questionnaire is submitted, the AMC specialists analyze the answers, categorize the
application, and prepare the application-specific migration activities. A decision will be made whether a
detailed interview or an on-site workshop will be required to further work out the migration plan for the
specific application migration. The individual interview or workshop with the application owner is the first step
in the estimation and planning process. It will further detail the findings from the questionnaire as well as
gather detailed, migration-related dependency information and clarify individual questions for the application.
The information collected will include technical, process, and business dependencies.
The AMC team should then develop of a detailed plan for the application migration, including work packages
and a basic timeline. At this point, the joint team of the application owner and the migration center will be
able to establish a cost and effort estimation for the end-to-end migration of the application.
During the application migration, the AMC team will support the application owner with migration patterns,
collected experiences from other application migrations. The specialist working with the AMC can provide
technical assistance for application migration.
The AMC should have a good communication plan. Typically, the AMC will communicate via a known
telephone number, functional mailbox, and an internal web site.
Based on successfully executed migrations, the AMC could publish case studies, best practices, and
blueprints to support applications owners with the planning and execution of do-it-yourself-migrations without
involving the on-site services of the AMC.
Overall, the AMC should catalyze the knowledge and experience about the Active Directory migration and
the typical application dependencies to enhance the migration speed, quality and reduce the application
migration risk.
Single-Label-Domain - Considerations, migration and co-existence, Considerations, migration and co-existence, Version 1.32, Final
service. Each defined application category needs a different approach to be migrated to the new
environment. The next chapters will provide the principal steps, dependencies, caveats, and effort drivers for
the application migration of the categories.
Migration Preparation
The core scenario is the same for all application migrations:
The existing environment (source) consists of the domain to migrate that contains the user and group
principals to migrate. Optionally, the domain to migrate can have one or more trusting domains.
The new environment (destination) is a new forest or domain to migrate too.
The new forest or domain is operational.
The coexistence solution is in place and can be configured to synchronize required objects and attributes.
An Active Directory migration tool is in place that provides at least the following functionalities:
Effort drivers:
page 60
Complexity of the synchronization process during the migration and transition phase
The application uses a high number of objects in Active Directory. These objects are of different object types
and are highly distributed in the Active Directory. The migration of these applications requires the migration of
application data (inside and outside of the Active Directory) as well as the reconfiguration of client-side
The Active Directory stored data (such as mailbox information on a user object for Exchange) is labeled APP
CONFIG DATA. The application data outside of AD (such as mailbox data on an Exchange server) is labeled
These applications have to keep associated objects in both forests in sync during the migration. The
necessary synchronization is covered by the migration and co-existence solution.
Activities to achieve the step:
Effort drivers:
Complexity of the synchronization process during the migration and transition phase
A new instance of the application is installed in the target environment, and the new instance is up and
running. The migration and synchronization solution has prepared the objects in the new forest with the
necessary information for the co-existence phase.
Activities to achieve the step:
Effort drivers:
This step will migrate the application data to the new application instance and re-ACL the application data
resources to the new AD object references. This step has dependencies on the application and on the
migration tool.
Activities to achieve the step:
Effort drivers:
After all required Active Directory application configuration data is synchronized and all application data is
migrated, the final state of the application migration is reached. The old application instance can be
Activities to achieve the step:
Effort drivers:
All other applications must obey that the possible account states during the transition and parallel phase are
limited and thereby limit the possible application migration solutions.
The service uses lots of Active Directory objects of different types (APP DATA in Figure 10). The application
does not use Windows security principals from AD DS directly, except for a few service or administrative
accounts. Instead, it uses LDAP queries and mappings based on user or group names to make access
The application configuration (labeled APP CONFIG) is not overly complex and typically is very simple to
change (for example, change the base DN) and the number of affected application configuration items and
servers is also low.
Although the service can be reconfigured quite easily, the service-related objects are mostly security
principals. With the migration progress, these security principals may be distributed between the DTM/FTM
and new forest during the migration and transition phase. The synchronization and provisioning tools must
take the two environments into account.
In some cases, an intermediate LDAP store or virtual directory solution might be required to support the
applications during the migration. The need for an intermediate directory store boils down to the following
If one of these questions can be answered No, case 2 is usually the application migration approach. The
other application can use the case 1 approach.
Yes - case 1 approach is suitable for the application (see Sections,, and for more information)
No - case 2 approach is suitable for the application (see Sections,, and for more information)
During the migration timeframe, the synchronization solution synchronizes user and group accounts between
the two environments. A C2 application might use nonstandard attributes and other objects as well.
If this is the case, the synchronization solution must be adapted accordingly.
Activities to achieve the step:
1. Preparation of the synchronization settings in the migration and co-existence solutions.
Effort drivers:
Complexity of the synchronization process during the migration and transition phase
Appendix C2 - Case 1 - application can work with migrated objects, even if disabled
In this case the application can work with disabled user accounts in either environment. This means that only
one account of the associated accounts is active and the application still queries one (the existing or the
new) Active Directory base DN.
Activities to achieve the step:
Effort drivers:
Figure 12 C2 - case 1 - application migration to the new forest, users still in migration
Because the application is independent of the user account state, the application server systems can be
independent from the user migration migrated to the new environment.
Activities to achieve the step:
Migrate the application system and its configuration to the new forest
Effort drivers:
Appendix C2 - Case 2 - application cant work with migrated objects, sync to meta store
Figure 13 C2 - application cant work with migrated objects, sync to meta store
In this case, the application will check the account state and will only work with enabled user accounts in the
response of the query. This requirement can be fulfilled during the transition phase by an intermediate
directory. The intermediate directory can be a separate LDAP store or a virtual directory. In the following
figures, an LDAP store is used, but can be replaced by a virtual directory.
The data of the intermediate directory is maintained by a synchronization of the relevant information from the
both environments. The important fact is that the synchronization must obey the user account status in the
intermediate directory if one associated account is enabled.
The application must be reconfigured to the intermediate directory to work during the transition phase.
Activities to achieve the step:
Create the LDAP intermediate directory store for the application as a mirror of the AD objects
Establish a synchronization of the relevant app data to the LDAP intermediate directory store.
The synchronization must implement the proper account state logic between the both ADs and the
intermediate directory store.
Change query base DN of the application
a n configuration items in the application
b n application servers to configure
Effort drivers:
The application systems can be migrated independent of the Active Directory object migration, as long as the
synchronization to the intermediate directory store maintains the necessary attributes.
Activities to achieve the step:
Migrate the application system and configuration to the new forest; still query the intermediate store.
Effort drivers:
Appendix C2 - final state - application and objects are migrated to new forest
After all application-related Active Directory Objects are migrated to the new environment, the intermediate
store and the existing instance can be deleted from the environment.
Activities to achieve the step:
Effort drivers:
For Case 2, see Section C2 - Case 2 - application cant work with migrated objects, sync to
meta store.
Effort drivers
Appendix C2 - experiences
The C2case 1 is good in theory, but there is the risk that such an application will break during the transition.
Additionally, most likely there will be applications that fall into the C2case 2 category and require the
intermediate directory store anyway. To reduce these risks, all case 1 applications should use the case 2
The implementation of the intermediate store should be considered as an LDAP store and not as a virtual
directory. The experience with virtual directories is that the performance can be a major concern with many
queries and that complex query logic might be required in a migration scenario.
The service uses a number of Active Directory objects; in most cases, this will be groups. The service
configuration and the application data, though, is very complex to change and the number of affected servers
is also high. Examples are applications that use many folders and files on many NTFS volumes and shares
that are protected by ACLs. These ACLs contain the SIDs of groups from the DTM domain.
Another method of security principal association of this category is name mapping. The application uses the
<NetBIOS Domain>\<sAMAccountName> as the identifier for the application. This identifier will change
during the migration to the new forest.
For this category, the migration of the related Active Directory objects is not the most costly part of the
migration. Instead it is the effort of reconfiguring the applications, depending on the available knowledge
about where the configuration has to be executed, the number of required changes, and what toolsets are
available for this task.
The C3 application approach is divided into the two cases (Section SID based and Section
Name mapping).
Activities to achieve the step:
Effort drivers:
Complexity of the synchronization process during the migration and transition phase
Figure 17 C3 - SID based - some security principals are migrated and active
Some of the migrated user accounts with SID History are active in the new environment. They will access the
resources in the existing environment. The access control check is passed by using the SIDs from the SID
History attribute of the user or group account of the new environment.
Activities to achieve the step:
Effort drivers:
Single-Label-Domain - Considerations, migration and co-existence, Considerations, migration and co-existence, Version 1.32, Final
267673279 / 1.09.2011, Rev. 5
page 83
The SID based migration offers two options for the reACLing process.
option 1 - sequential migration
longer time frame
higher complexity of operation
The following chapters will describe both SID-based migration approaches.
Figure 18 C3 - SID based - option 1 - all security principals are migrated and active
All users and groups are migrated with SID History to the new environment. They will access the resources
in the existing environment. The access control check is passed by using the SIDs from the SID History
attribute of the user or group account of the new environment.
The existing user accounts are disabled and cant access the resources.
Activities to achieve the step:
Effort drivers:
The challenge is that all users and groups must be migrated and active in the new forest. This
process can take considerably longer than planned.
The existing application server systems or only the app data is migrated without ACL change to the new
forest. The app data is reACLed in the new forest environment.
Activities to achieve the step:
Migrate the server object or the app data to the new domain
a Keep the ACLs on the resources
b During the migration users can access the app data by the use of SID History.
reACL the resources
a New SIDs will be used for further data access.
Effort drivers:
The reACLing process can be very time consuming. The reACLing performance depends on the
number of objects that have to be reACLed.
Figure 20 C3 - SID based - Option2 - some objects are migrated and active
Option 2 requires that all security principals in the ACLs are available across domain boundaries. The user
accounts, global and universal groups are available across the domain by default. Domain local groups are
bound to the domain and can have users, global, and universal groups as members. To fulfill the
requirements available across the domain boundary and can have users, global and universal groups as
members, all domain local groups of the existing environment must be converted to universal groups. Then
these groups can be used across the domain and forest boundary.
Some of the existing user accounts are active in the existing environment. They will access the resources
with the existing ACLs in both the existing and new environment. The access control check is passed by
using the original SIDs of the user or group account of the existing environment.
Some of the migrated user accounts with SID History are active in the new environment. They will access the
resources with the existing ACLs in the existing and new environment. The access control check is passed
by using the SIDs from the SID History attribute of the user or group account of the new environment.
Activities to achieve the step:
Change all existing domain local groups to universal groups in the existing forest.
Migrate the server object or the app data to the new forest
a Keep the ACLs on the resources
Important: Only ACLs for users, global groups, or universal groups can be used across the
domain boundary.
Effort drivers:
If trusted foreign security principals are nested into the existing domain local groups, resolve the
dependencies in the domain local group.
In this step, the existing (old) SID in the ACL will be replaced by the new forest (new) SID. This will break
user access from the existing environment.
The challenge is the management of closed migration sets of security principals and data.
Activities to achieve the step:
Replace existing (old) SID with new forest SIDs in the ACLs.
a This cuts off access for users/groups from existing forest.
Effort drivers:
The definition and organization of closed migration sets of security principals and data.
The reACLing process can be very time consuming. The reACLing performance depends on the
number of objects that have to be reACLed.
Depending on the migration situation and closed user groups, the reACLing process must be run
multiple times on a server or app data set.
All users and groups are migrated with SID history to the new environment. They will access the resources in
the existing environment. The access control check is passed by using the new SIDs from new forest.
The SID history information of all user and groups in the new forest can be removed to reduce the access
token and Kerberos token size.
Activities to achieve the step:
Remove all SID History information of the existing domain from the migrated objects.
Effort drivers:
Application in trusting domains can also use SID based mappings. For these applications to work, a domain
or forest trust from the existing to the new forest is necessary, because Windows authentication is used.
The application server migration in the trusted domain isnt necessary.
ReACLing is only required if direct permission assignments from the existing domain (DTM) security
principals have been used.
Most likely DTM principals are nested into the trusted Active Directory domain local groups. These
memberships must be replaced by the corresponding groups from the new forest.
Figure 23 C3 - name mapping - some security principals are migrated and active
Some of the migrated user accounts are active in the new environment, and the existing DTM account is
deactivated. They will access the resources in the existing environment. The access control check fails,
because the application cant map the new <NetBIOS Domain>\<sAMAccountName> to an application
principal or role.
Activities to achieve the step:
Effort drivers:
C3 - name remapping
Changes to the name mapping entries have to be applied so that they now include security principals users
and groups - from the new forest. This is required in order to allow application data access for migrated
users. Adding new group name mappings without removing old name mappings enables access from both
environments for group members during the transition phase.
Activities to achieve the step:
Reconfigure the application access control to the new name of the security principal
Two options:
a Add - both names are mapped (for groups)
b Replace - only the new name is mapped (for users)
Effort drivers:
The challenge is to be able to apply the required changes to all applications in this category at the
exact time when the user migrates to the new environment.
The remapping process can be very time consuming. The remapping performance depends on the
number of objects to be remapped and the number of stores.
Depending on the migration situation, the remapping process must be run multiple times on a server
or app data set.
C3 - server migration
The application server or the app data migration can be done during the user and group migration process.
The name mapping isnt influenced by the migration. The name remapping process, as described in Section C3 - name remapping, must take place.
Activities to achieve the step:
Migrate the server object or the app data to the new domain
a The name mapping isnt changed,
b The system migration and the name mapping changes dont depend on each other,
Effort drivers:
C3 - final
After all application-related Active Director Objects have been migrated to the new environment, the existing
(DTM) group mapping can be removed from the app data.
Activities to achieve the step:
Effort drivers:
The remapping process can be very time consuming. The remapping performance depends on the
number of objects to be remapped and the number of stores.
Application in trusting domains can also use name mappings. For those applications to work, a domain or
forest trust from the existing to the new forest is necessary because Windows authentication is used.
No application server migration in the trusted domain is required.
Remapping is only required if direct mapping from the existing domain (DTM) security principals has been
The number of ACLs (process run-time) or the number of mappings will influence the migration effort
of the application.
Depending on the migration coordination and other dependencies, the reACL or remapping process
must run multiple times on the system to ensure that all ACLs and mappings are found. A good
configuration management that has a management database containing the ACLs and mapping
assignments can reduce the effort by running specified reACL and remapping cycles.
The service uses a small number of Active Directory objects: in most cases, these are configuration items.
The application does not use Windows security principals from Active Directory, except for a few service or
administrative accounts. There are no or only a few dependencies on other applications or services.
Usually, no special synchronization requirements exist for this application category.
Activities to achieve the step:
Effort drivers:
Appendix C4 - Migration
Figure 28 C4 - migration
The application server or application data can be migrated to the new forest environment according to the
required application steps.
If the application uses Active Directory to store application configuration data, this data has to be transferred
to the new forest. Computer, service, admin, etc., accounts must be re-created or migrated to the new forest.
Activities to achieve the step:
Effort drivers:
Appendix C4 - final
Figure 29 C4 - final
After the migration of the application server or application configuration data, the old DTM application servers
and accounts can be decommissioned.
Activities to achieve the step:
Effort drivers:
This type of application cant be migrated because it is required in the existing forest and in the new forest. In
most cases, this type of application will be applications that support IT management and operations tasks
and processes.
In this case, migration means setting up a new instance of the service in the new forest. There might be the
requirement to integrate or sync both instances to get consolidated views. This is not feasible for all such
In general this application category has no requirements with regards to the co-existence synchronization.
Activities to achieve the step:
Effort drivers:
Appendix C5 - final
The new instance of the application is built in the new forest. The new application instance is configured and
the application data transferred if necessary.
The new application instance will use new computer, service, and administrative accounts from new forest.
Activities to achieve the step:
Effort drivers:
The migration of a category 1 application will drive all other application migrations. In most cases, the
Exchange migration of the mailboxes is the leading migration and defines the rules of the application
migration. All other application migrations will be done after the Exchange migration.
The complex part is the user activation in the new environment, because it has to consider all the
applications a user must use and the application restrictions a user may experience when his or her
workgroup is distributed between the SLD and FQDN environments. The formation of closed user sets
should be planed based on business requirements. This task must be considered in the overall migration
process detail planning.
9 Appendix
Internet references
Migration information
ADMT Guide: Migrating and Restructuring Active Directory Domains
How to associate an external account with an existing Exchange 2000 mailbox
You cannot move or log on to an Exchange resource mailbox
Rename information
What Is Domain Rename?
How Domain Rename Works
Renaming a Domain: Process and Side Effects
