How to Plan an Active Directory Migration

Microsoft’s Active Directory (AD) runs your Windows network and keeps mission-critical legacy apps and workflows running at some organizations. Replacing can be a big commitment and migration planning is an essential step to undertake before kicking off your project.

Big commitments are made for very good reasons. Consider that AD has become a top target for cyber attackers and doesn’t meet modern IT requirements. AD makes it difficult to support hybrid and decentralized organizations that use a variety of device types, and has become progressively harder to administer. AD also requires a suite of other solutions in order to connect identities to cloud infrastructure, web applications, networking gear, and more.

Those are some of the drivers behind why many organizations are eliminating or modernizing AD with cloud directories. Successful migrations start with understanding your objectives and continue on through support, feedback, and validation. 

Every migration is different, but every organization requires a migration plan. Organizations that inherit extensive customizations and custom, homegrown applications may still require AD, but can reduce its usage and attack surface area. Most organizations can migrate to a modern cloud directory completely, enabling them to benefit from greater efficiency, security, and simplicity.

This article is a guide to determine whether AD should be contained or replaced. Then you’ll learn about why cloud directories work differently and how to draft a detailed migration plan. Many organizations have successfully migrated to independent cloud directory services, and you can rest assured that they all invested some time upfront for planning and preparation.

Why Replace AD

AD is a 25+ year-old technology that was built for a Window’s centric, on-premises world. It’s officially a legacy product that’s often the weakest link in any security platform. It doesn’t even matter how skilled and experienced the admins are. The costs, complexity, and risks of using AD will always be a problem, but there are solutions depending on how it’s being used.

Microsoft recommends using AD in a hybrid configuration with Azure Active Directory’s (now called Entra ID) most premium subscription plan. That means maintaining your data center or a colocation facility while adopting cloud services. Still, it doesn’t stop there. Microsoft’s popular Microsoft 365 (M365) bundles don’t include everything that’s needed for your protection.

Microsoft’s Strategy for AD: Sell More Products

Defender for Identity and Defender for Servers are security products to safeguard identities against attacks that hackers use to steal credentials and move laterally through networks. Otherwise, you run the risk of AD being compromised and becoming a pathway to your systems and data. Running AD without protection is increasingly risky as attackers set their sights on AD to exploit its architectural limitations. Microsoft understands that problem too.

Eliminating or containing AD is a more straightforward approach. Cloud directories provide IT simplification and modernization with unified identity, device, and access management. Microsoft has moved in this direction with its cloud identity and security products. It has given less emphasis to improving AD; it sells security products instead of eliminating AD’s defects.

The next section will help you understand when it’s better to replace or contain AD. You’ll also have to decide whether Microsoft’s prescribed path is what’s best for your organization. We’ll share more about JumpCloud to help you make that comparison after plotting out the migration.

Prerequisites for Migrations

AD may not be as irreplaceable as you may believe. Most organizations can modernize it and begin to benefit from cloud directories without any breaking changes. For example, your firewall, WiFi infrastructure, or core switch can likely handle DHCP/DNS for your office networks. Every organization has unique requirements and available resources that will inform its migration decisions.

First, it helps to spend some time learning about cloud architecture.

Learn About Cloud Architecture

Cloud directories don’t always provide a 1:1 replacement to AD, but that should be viewed as an opportunity to increase IT efficiency and security. Cloud directories are built to overcome many of the weaknesses of AD’s legacy architecture using open web standards and modern identity and access management (IAM). Other AD services can be substituted out as needed.

Nested groups are a prime example of why AD’s legacy approach to access control doesn’t exist in the cloud. Cloud directories handle authorization via groups rather than through an indirect inheritance from the parent group object. It’s easier for admins to determine why a user object has a particular entitlement. This more mature approach to managing entitlements can increase IT efficiency with automated membership changes. The immediate benefits are easier on/off boarding, increased efficiency, and more responsiveness to meet business objectives.

Understanding the differences in architecture between AD and the cloud is the first step in planning a migration strategy. AD can be replaced or enhanced to strengthen IAM with modern authentication and other features that reduce reliance on AD … and its downsides and risks.

The next step is knowing which approach to take for AD: replace it or contain it.

Know When to Replace AD

These criteria are generally a “greenlight” for a migration to a cloud directory:

• Having domain-bound Windows devices and unbound cross-OS device types 
• Having Windows servers including Windows File Servers
• Using M365, Azure resources, and on-device Office installations
• Deploying third-party Windows applications that use open standards (OIDC, SAML, LDAP, etc.)
• Having multiple domains, multiple forests, multiple OUs
• Having multi-organization trust situations; cloud directories will flatten security groups and OUs, using attributes to strengthen access control

Only enterprises with custom, homegrown applications that cannot utilize modern authentication standards such as OIDC and/or SAML will not be able to fully migrate. A containment strategy where these apps and AD become ring-fenced can be implemented.

Know When to Contain AD

Here are some example of when AD modernization is the best strategy:

• Having legacy and custom applications that can’t update to modern authentication protocols (this may change in the future)
• Having highly customized AD schema and SharePoint workflows 
• Having certificate-based authentication for network access (this may change in the future)
• Having some multi-organization forest trust situations (this may change in the future)

Begin drafting a migration plan once you’ve determined which scenario describes your organization. A migration plan is crucial to minimize downtime, manage risks, and ensure data integrity during the transition. It helps allocate resources effectively, maintain a positive user experience, and meet compliance requirements.

Creating an AD Migration Plan

Migrating from AD involves several critical steps to ensure a smooth transition. Here’s a plan outline and checklist that will help you along your way.

Assessment and Planning

Inventory the current environment: Begin by documenting all AD objects, including users, groups, and computers. Be sure to include your organizational unit (OU) structure, group policies, and domain levels. Then, focus on what else you may not know.

Take time to assess your current environment to discover all dependencies (like application tie-ins), configurations, and potential issues that you may encounter. This is a good time to audit your environment for shadow IT that may be supporting some important business processes. Shadow IT can be something as simple as an Office macro, and local or SaaS apps.

Some other helpful tips are:

• Perform an inventory of employee and company-owned devices that will be accessing your resources. Those devices (and their “owners”) will have to be enrolled into your new system and managed. Even BYOD devices like laptops and smartphones should be managed.
• Determine whether access to non-Windows systems such as network hardware is required.
• Determine whether you’ll need to reconfigure your applications or reconfigure single sign-on (SSO) once you adopt multi-factor authentication (MFA) or change the log-in process. Think of the impact that those changes will have on the people of your organization. Technical considerations have an impact on people too.
• Decide on the cloud directory service that best fits your needs.
• Determine whether you have in-house organizational skills or require professional services for cloud adoption. Creating a cross-functional team of stakeholders with well defined roles and responsibilities is important for successful cloud adoption.

Define your goals: Clearly outline what you want to achieve with the migration such as technical considerations like improving security, reducing costs, or greater IT efficiency. This is when you’ll document your desired end state and clearly define what you want your new environment to look like. It will be your yardstick for whether you’ve been successful or not. 

Also consider:

• Business outcomes
• Financial impacts
• Communicating objectives with business leaders

Perform a risk assessment: Identify potential risks and develop mitigation strategies such as conducting pilot migrations, thorough testing, and having a rollback plan in case of issues. The importance of these activities cannot be understated. Effective contingency planning ensures that the migration can proceed smoothly, even if unexpected issues arise.

Compliance: Ensure that your migration plan meets all regulatory and compliance requirements before getting started.

Design

Organization design: Decide on the structure of your new environment (e.g., hybrid or cloud). A hybrid structure will keep your existing OUs in place but a migration will flatten the organizational structure within your directory using groups to separate administrative units.

Security considerations: Plan for security enhancements, such as improved authentication protocols and encryption. Cloud directories can offer phishing-resistant authentication or even passwordless access. They also offer RADIUS that secures access to your Wi-Fi networks and/or VPNs even with certificates.

• Other considerations include determining whether authentication will pass through to AD or occur within the cloud directory. Many identity providers (IdP) offer federation, which makes it possible to collaborate with external users and other organizations. Understanding these authentication flows will make it easier to transition.

Preparation

Test environment: Set up a test environment to simulate the migration process.

Backup: Ensure you have a complete backup of your current AD environment even if you are planning to use a test environment completely. Ideally, you could test with some real world data, devices, and users to ensure that everything is as close to your production environment as possible.

Migration planning: Create a detailed migration plan that includes timelines, resource allocation, and risk management strategies. Ensure flexibility to adapt to any unforeseen challenges. Other tips include:

• Ensure your network is configured to support the cloud directory.
• Review and update security policies to align with cloud best practices. Technically, GPOs don’t exist in the cloud but pre-built policies and mobile device management (MDM) do.
• Engage stakeholders i.e. business leaders to align your motivations and objectives.

Migration tools: Choose the right tools for the migration. Consider migrating in phases to manage the process more effectively and reduce the impact on users.

Schedule: Create a detailed migration schedule, including timelines for each phase.

Execution

Pilot migration: Conduct a pilot migration with a small subset of users, apps, and devices to identify any issues. Cloud directories enable you to select users for migration. Select users who are representative of their departments. They can become champions to assist their cohorts.

A simple checklist can be a very helpful tool to ensure a smoother transition. Having a methodology in place to measure business outcomes at this stage may also be helpful. For example: “was IT able to onboard a new hire better than before the pilot?”

Full migration: Execute the full migration based on the results of the pilot. All users and users and groups will be synced to the cloud directory at this point in time.

• Migrate users and groups to the cloud directory; ensure that all user attributes and group memberships are correctly transferred
• Move devices to the new directory service
• Update applications to authenticate against the cloud directory

Post-Migration

Validation: Verify that all objects and settings have been correctly migrated. All users, groups, devices, and applications should be functioning correctly.

Decommission AD (optional): Gradually phase out the old AD infrastructure once the migration is confirmed successful. The server can be repurposed for development, training, and or backups.

Monitoring and Support

Monitor: Continuously monitor the new directory environment for any issues.

Support: Provide support to users and address any post-migration issues promptly. Training is an important step and shouldn’t be disregarded. Consider sharing a few reference cards.

Feedback loop: Work to optimize configurations for performance and security. Gather feedback from users and IT staff to make necessary adjustments. Iterate and improve your systems.

JumpCloud’s AD Migration Options

JumpCloud’s Active Directory Integration (ADI) and AD Migration Utility tools can be used to migrate identities away from AD. ADI supports multiple workflows, providing flexibility while keeping necessary services for DHCP, DNS, faxing, file sharing, printing, virtualization, and more.

ADI continuously syncs users, groups, and passwords between AD and JumpCloud. Its components are installed on a member server and configured to import and sync identities for each domain. It provides several options for authentication flows: bi-directional syncing and one-way syncing (in either direction). Pass-through authentication back to AD is supported to uphold security and compliance requirements for local authentication and authorization.

Additional Resources

• Get step-by-step recommendations for how to decommission Active Directory based on your directory goals and how you currently use AD in this free research report from the team at EMA, a third-party analyst firm.
• Why would Pos Malaysia, a national courier service that has been in operation for over 200 years, select JumpCloud to replace its legacy domain-based systems? JumpCloud’s open directory platform meets the requirements for a future architecture that will drive its next phase of sustainable growth.
• UnternehmerTUM is a nonprofit organization that serves as a startup incubator for more than 50 companies each year. In addition to serving as an Active Directory replacement, JumpCloud has transformed the way the nonprofit manages its devices. Check out the case study.

JumpCloud Can Help You Migrate AD

JumpCloud pairs the ability to manage every endpoint with an open directory platform for IAM to secure every identity. This unified approach delivers strong access control while consolidating IT management tools into a single console for increased operational efficiency. Unified device and identity management provides detailed reporting to track events, identities, and other IT assets. 

It does a lot of what AD does for you today: from policies to user management. You can even temporarily elevate local account permissions on a time-bound basis, execute PowerShell commands, provide remote assistance, and deploy software — all from a single pane of glass.

JumpCloud also offers an optional password manager and the ability to configure phishing-resistant authentication and single sign-on for your users with JumpCloud Go™. Connect to whatever resources you need, including AD, Google Workspace, HRIS platforms, and more. You can try JumpCloud for free to help decide whether it’s right for your organization.

We’ve been doing this since 2013. Our team will work with you to understand the unique requirements for your migration and what you’ll need to replace AD (if that’s your ultimate goal). JumpCloud has expertise in mapping roles, services, and features from AD to the cloud.