
Carve-out migration guide part 1: Introduction and migration tool Overview


The final stage of any carve-out project, in which a corporate segment of a large parent company ("Parent") is separated to become its own independent organization ("NewCo"), involves the complete migration of all IT resources and services. Basic services such as Active Directory authentication and Exchange email, which were historically handled by the Parent IT department, must be gracefully transitioned to NewCo's datacenter without causing any major disruptions. This process inevitably involves accessing and making changes to the Parent's server infrastructure, which often poses problems. The nature of carve-out projects is such that once the deal is finalized, the once-helpful Parent IT staff may not prioritize the carve-out project's needs above other projects and may be reluctant to provide access to their environment. They essentially become a foreign organization.

Although many cross-forest migration guides exist online, many of them require Domain Admin or other administrative rights in the source domain, and very little is written about what to do when your source domain admins simply won't provide the permissions you require. This series of posts aims to address the unique problems faced during a carve-out migration.

This series is derived from West Monroe's experience with several large-scale carve-out projects involving organizations of hundreds or thousands of employees being separated from their corporate parent. Once the new target domain is created and its supporting infrastructure built out, the five-stage migration process is started. Active Directory and Exchange are always the two major IT services that need to be transitioned. Their respective objects to be migrated are as follows:

Active Directory

  • Users
  • Security Groups
  • User Workstations
  • Group Policies
  • User Permissions

Exchange

  • User mailboxes
  • Distribution Groups
  • Public Folders
  • Outlook Profiles
  • Mobile Profiles

Although there are many different migration tools, West Monroe has most recently been using the following combination of products:   

BinaryTree CMT Coexistence for Exchange Directory Synchronizer (DirSync)

  • Used to migrate AD Groups and Users
  • Migrates all Exchange-related attributes
  • Does not migrate SID history
  • Does not migrate non-primary SMTP addresses for Distribution Groups

BinaryTree E2E (E2E)

  • Used to migrate all mailboxes
  • Enables the automatic creation of objects required for mail coexistence
  • Does not migrate public folders (without Domain Admin rights)
  • Does not allow for Outlook Profile Updates 

Microsoft Active Directory Migration Tool (ADMT)

  • Used to migrate Workstations
  • Used to migrate SID history
  • Does not migrate any Exchange-related attributes

Microsoft Exchange Inter-Org Replication Tool (IORepl)

  • Used to migrate public folders
  • Used to bi-directionally sync public folders, including free/busy

This combination of tools, used in the correct sequence and with the proper preparations, allows for the migration of all Active Directory and Exchange services while minimizing any disruptions to the business. The high-level migration process by which West Monroe uses these tools is as follows:

Pre-migration steps:

  1. Establish and Test Mailflow Coexistence
  2. Install, Configure, and Test all Migration tools

Big-bang migration steps:

  1. Migrate all Groups with DirSync
  2. Migrate all Users with DirSync
  3. Migrate SID history for all Groups with ADMT
  4. Migrate SID history for all Users with ADMT
  5. Migrate and sync public folders with IORepl

Site-by-site, phased migration steps:

  1. Migrate Workstations with ADMT
  2. Migrate Mailboxes with E2E

Post-migration steps:

  1. Disable Mailflow Coexistence
  2. Change public MX records
  3. Establish public autodiscover records
  4. Remove Trust
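Because DirSync creates the users and groups without SID history and ADMT adds it afterwards (big-bang steps 3 and 4), it is worth confirming that no object was skipped before moving on to the phased steps. The following PowerShell check is an added example, not part of the original guide or of any of the tools named above; the domain SID, account names and the function name `Get-MissingSidHistory` are constructed placeholders.

```powershell
# Added example (not from the original guide). All names and SIDs are constructed placeholders.
$ParentSid = 'S-1-5-21-1111111111-2222222222-3333333333'   # placeholder Parent domain SID

function Get-MissingSidHistory {
    # Emits every input object that has no sIDHistory entry issued by the source domain.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $InputObject,
        [Parameter(Mandatory)] [string] $SourceDomainSid
    )
    process {
        # "$_" stringifies both SecurityIdentifier objects (live AD) and plain strings (sample).
        $fromSource = @($InputObject.SIDHistory |
            Where-Object { "$_" -like "$SourceDomainSid-*" })
        if ($fromSource.Count -eq 0) { $InputObject }
    }
}

# Constructed sample standing in for objects read from the NewCo domain.
$sample = @(
    # Migrated by DirSync, then processed by ADMT: history entry from the Parent domain.
    [pscustomobject]@{ ObjectClass = 'user';  SamAccountName = 'jdoe'
                       SIDHistory = @("$ParentSid-1104") }
    # Migrated by DirSync only: no SID history at all.
    [pscustomobject]@{ ObjectClass = 'user';  SamAccountName = 'asmith'
                       SIDHistory = @() }
    # Has history, but from a different domain than the Parent.
    [pscustomobject]@{ ObjectClass = 'group'; SamAccountName = 'Finance-RW'
                       SIDHistory = @('S-1-5-21-4444444444-5555555555-6666666666-1130') }
)

$missing = @($sample | Get-MissingSidHistory -SourceDomainSid $ParentSid)
'{0} of {1} object(s) have no Parent-domain sIDHistory' -f $missing.Count, $sample.Count
$missing | Sort-Object ObjectClass, SamAccountName |
    Format-Table ObjectClass, SamAccountName -AutoSize

# Against the live target domain (ActiveDirectory module; values in <> are placeholders):
#   Get-ADUser  -Server <NewCo DC> -SearchBase <target OU> -Filter * -Properties SIDHistory |
#       Get-MissingSidHistory -SourceDomainSid $ParentSid
#   Get-ADGroup -Server <NewCo DC> -SearchBase <target OU> -Filter * -Properties SIDHistory |
#       Get-MissingSidHistory -SourceDomainSid $ParentSid
```

The live queries read only the target (NewCo) domain, so they need no rights in the Parent environment.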

In part 2 of this guide, I will be discussing the steps required to establish and maintain Exchange mail-flow coexistence between the Parent and NewCo organizations.
