A typical migration project using Active Directory can be broken up into six (6) phases.
- Phase 1: Install Directory Sync agents and create the Workflow
- Phase 2: Identify Devices and their related Users and Groups to migrate (Concurrent with Phase 3)
- Phase 3: Install Active Directory agents and Register Devices (Concurrent with Phase 2)
- Phase 4: ReACL Devices
- Phase 5: Cutover Devices
- Phase 6: Cleanup
Note: The Cleanup process typically occurs several months after the completion of the project.
This user guide walks you through the steps required to complete each phase; the same phases also apply when migrating devices from AD environments to Entra environments. The Active Directory Entra-Join Quick Start Guide walks you through configuring and performing AD to Entra migrations.
Best practices for each phase of the migration project are presented below:
Phase 1: Install Directory Sync agents and create the Workflow
Directory Sync is used to synchronize objects and must be configured before using Active Directory.
Only those Devices which are in scope of the synchronization Workflow and the filters on its Environments will be available in Active Directory.
At a minimum the Read From and Match To steps of the synchronization Workflow must be present for Devices.
Phase 2: Identify Devices and their related Users and Groups to migrate (Concurrent with Phase 3)
Before migrating Devices do some analysis and planning to see what Users and Groups may need to be migrated, what groups need to be consolidated, how duplicates will be handled, etc.
More than one Workflow can be used to control the target destinations of Users and Groups.
Identifying Devices, Users, and groups to migrate can be accomplished concurrently with installing Active Directory agents and Registering Devices in Phase 3.
Phase 3: Install Active Directory agents and Register Devices (Concurrent with Phase 2)
The Active Directory agent should be installed on the Devices to be migrated, either manually or pushed out via a third-party deployment tool.
Allow sufficient time to address any issues with Device registration with the server; correcting registration issues can take more time than expected. A large company with many Devices may need a couple of weeks of intermittent work to resolve registration issues with all Devices.
Resolving Device registration issues can be accomplished concurrently with identifying Users and groups to migrate in Phase 2.
Phase 4: ReACL Devices
Run a ReACL (file level re-permissioning) job on as many Devices as possible early in the process.
ReACL is a non-destructive process that can be repeated as often as necessary up until Cutover in Phase 5.
Troubleshoot any Devices with ReACL jobs which did not complete successfully.
Run a ReACL job again close to the actual Cutover date. This will allow you to complete most of the ReACL process early and provide time to resolve any issues with things such as anti-virus software and Group Policies.
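The product reports whether a ReACL job completed, but it helps to have an independent, read-only look at what is actually on disk before Cutover. The following script is an added example, not the product's ReACL code: it walks a folder tree and lists explicit ACEs that still name a source-domain principal without an equivalent target-domain ACE, and ACEs whose principal no longer resolves at all (an orphaned SID). The domain names SOURCE and TARGET and the path D:\Shares are assumptions; it also assumes a migrated account keeps its sAMAccountName, so consolidated or renamed accounts will be reported and need a manual look.

```powershell
# Added example (not the product's ReACL code): find explicit ACEs a ReACL job has not covered.
# Assumptions: SourceDomain/TargetDomain are NetBIOS names; the path is illustrative.
param(
    [string]$Path         = 'D:\Shares',
    [string]$SourceDomain = 'SOURCE',
    [string]$TargetDomain = 'TARGET'
)

function Get-ReAclGaps {
    param([string]$Path, [string]$SourceDomain, [string]$TargetDomain)

    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }

        # Inherited ACEs are fixed wherever they are defined, so only explicit ones are checked here.
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

        foreach ($ace in $explicit) {
            $who = $ace.IdentityReference.Value   # "DOMAIN\name", or a raw SID if it cannot be resolved

            if ($who -like 'S-1-*') {
                # Unresolvable SID: the principal was deleted, or lives in a domain this host cannot reach.
                [pscustomobject]@{ Path = $item.FullName; Identity = $who; Rights = $ace.FileSystemRights; Finding = 'OrphanedSid' }
                continue
            }
            if ($who -notlike "$SourceDomain\*") { continue }

            # Look for a target-domain ACE for the same account with identical rights, type and inheritance.
            $account = $who.Substring($SourceDomain.Length + 1)
            $match = $explicit | Where-Object {
                $_.IdentityReference.Value -eq "$TargetDomain\$account" -and
                $_.FileSystemRights        -eq $ace.FileSystemRights   -and
                $_.AccessControlType       -eq $ace.AccessControlType  -and
                $_.InheritanceFlags        -eq $ace.InheritanceFlags   -and
                $_.PropagationFlags        -eq $ace.PropagationFlags
            }
            if (-not $match) {
                [pscustomobject]@{ Path = $item.FullName; Identity = $who; Rights = $ace.FileSystemRights; Finding = 'NoTargetAce' }
            }
        }
    }
}

$gaps = @(Get-ReAclGaps -Path $Path -SourceDomain $SourceDomain -TargetDomain $TargetDomain)
$gaps | Sort-Object Finding, Path | Format-Table -AutoSize
"{0} explicit ACE(s) need attention under {1}" -f $gaps.Count, $Path
```

Run it from an account that can read the ACLs of every object in the tree (a share or backup operator is usually enough). A NoTargetAce finding on a path that a user must reach after Cutover is exactly the kind of issue the early ReACL run is meant to surface; an OrphanedSid finding is not a ReACL problem but is worth cleaning up before the Cleanup phase removes source permissions, because it will never be fixed by re-running the job.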
Phase 5: Cutover Devices
Using some test Devices, Users, and Groups, verify a successful Device Cutover.
Create any custom Actions that may be required to run as part of the Cutover.
Typically, a final ReACL job should be run the weekend before the scheduled Cutover to ensure any new Users and other changes are processed.
Optionally, use the Auto-Pilot Cleanup option to prepare an Autopilot-provisioned device for migration. This must be done before the Cutover if the source Entra ID joined device is Autopilot-provisioned and the Entra ID Join Profile has the Auto-Pilot Cleanup option selected.
A workstation reboot is required after the target account is enabled, the source account is disabled, and the Cutover is complete. This is usually completed in the evening when fewer end-users are impacted. Any impacted end-users should be alerted that this reboot is necessary.
Disabling SID Filter Quarantining on External Trusts
To disable SID filter quarantining for the trusting domain, type a command using the following syntax at a command prompt (each value follows its option name and colon with no space):
Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /usero:domainadministratorAcct /passwordo:domainadminpwd
To re-enable SID filtering, set the /quarantine: command-line option to Yes.
Allowing SID History to Traverse Forest Trusts
The default SID filtering applied to forest trusts strips from a user's access token any SIDs that did not originate in the trusted forest, including the sIDHistory entries written by the migration, so resource access requests cannot traverse the trust using the user's original-domain SIDs. If you want to enable users to use the SIDs that were migrated from their original domain, you can allow SID history to traverse forest trusts by using the Netdom command. Keep in mind that SID filtering is also the control that stops a SID planted in sIDHistory in the trusted forest from granting access in the trusting forest, so relaxing it extends trust to the integrity of the source forest; restore the default once access no longer depends on SID history (see Phase 6).
To allow SID history credentials to traverse a trust relationship between two forests, type a command using the following syntax at a command prompt:
Netdom trust TrustingDomainName /domain:TrustedDomainName /enablesidhistory:Yes /usero:domainadministratorAcct /passwordo:domainadminpwd
To restore the default SID filtering setting across forest trusts, set the /enablesidhistory: command-line option to No.
For more information about configuring SID filtering refer to the Microsoft article available at https://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx.
Phase 6: Cleanup
The Cleanup phase typically takes place about two months after all Device Cutovers are complete. During the Cleanup phase, all source-domain permissions should be removed from the resources and then the Active Directory agent should be removed from the Devices.
Before executing the Cleanup job that completes the Cleanup process, re-enable SID filtering (quarantine) on the trusts so that access no longer relies on SID history, and verify that there are no issues with application access. Anything that breaks at this point is still being granted through a source-domain SID and must be corrected before the source permissions are removed.
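Both the SID filtering commands above and this pre-Cleanup verification come down to the same question: does the trust currently honor SID history, and how many accounts still carry it? The script below is an added example, not the product's code or a Microsoft tool; it reads the trust's state from the trustAttributes flags defined in MS-ADTS (0x4 QUARANTINED_DOMAIN, 0x8 FOREST_TRANSITIVE, 0x40 TREAT_AS_EXTERNAL) and, only when -Set is given, runs the matching Netdom command to relax the filtering for the migration or restore it before Cleanup. It assumes the ActiveDirectory RSAT module, netdom.exe, an account that is a Domain Admin in the trusting domain, and the illustrative domain names source.example and target.example.

```powershell
# Added example (not the product's code): report and optionally change SID filtering on one trust.
# Assumes the ActiveDirectory module, netdom.exe and Domain Admin rights in the trusting domain.
param(
    # Domain whose resources are accessed; the trust object lives here and netdom runs against it.
    # During a migration this is usually the source domain, still ACLed with source SIDs.
    [string]$TrustingDomain = 'source.example',
    # Domain holding the migrated accounts whose sIDHistory must be honored (usually the target).
    [string]$TrustedDomain  = 'target.example',
    [ValidateSet('Relax', 'Restore')]
    [string]$Set                                   # omit to only report the current state
)
Import-Module ActiveDirectory

# trustAttributes flag values from MS-ADTS.
$QUARANTINED_DOMAIN = 0x4
$FOREST_TRANSITIVE  = 0x8
$TREAT_AS_EXTERNAL  = 0x40

function Get-TrustSidFilteringState {
    param([string]$TrustingDomain, [string]$TrustedDomain)
    # The trustedDomain object for an outgoing trust is stored in the trusting domain.
    $trust = Get-ADTrust -Filter "Name -eq '$TrustedDomain'" -Server $TrustingDomain
    if (-not $trust) { throw "No trust to $TrustedDomain found in $TrustingDomain" }

    $attr     = [int]$trust.TrustAttributes
    $isForest = ($attr -band $FOREST_TRANSITIVE) -ne 0
    # Forest trust: SID history from the trusted forest is honored only while TREAT_AS_EXTERNAL is set
    # (netdom /enablesidhistory:Yes). External trust: it is filtered only while QUARANTINED_DOMAIN is set
    # (netdom /quarantine:Yes), so it is honored when that bit is clear.
    if ($isForest) { $honored = ($attr -band $TREAT_AS_EXTERNAL) -ne 0 }
    else           { $honored = ($attr -band $QUARANTINED_DOMAIN) -eq 0 }

    [pscustomobject]@{
        Trust             = "$TrustingDomain -> $TrustedDomain"
        Kind              = if ($isForest) { 'Forest' } else { 'External' }
        SidHistoryHonored = $honored
        TrustAttributes   = ('0x{0:X}' -f $attr)
    }
}

function Get-SidHistoryObjectCount {
    param([string]$Domain)
    # Objects still carrying sIDHistory are the ones whose access can break once filtering is restored.
    @(Get-ADObject -LDAPFilter '(sIDHistory=*)' -Server $Domain -Properties sIDHistory).Count
}

$state = Get-TrustSidFilteringState -TrustingDomain $TrustingDomain -TrustedDomain $TrustedDomain
$state | Format-List
"Objects in $TrustedDomain with sIDHistory: $(Get-SidHistoryObjectCount -Domain $TrustedDomain)"

if ($Set) {
    $relax = ($Set -eq 'Relax')
    if ($state.Kind -eq 'Forest') {
        $value = if ($relax) { 'Yes' } else { 'No' }
        netdom trust $TrustingDomain "/domain:$TrustedDomain" "/enablesidhistory:$value"
    } else {
        $value = if ($relax) { 'No' } else { 'Yes' }
        netdom trust $TrustingDomain "/domain:$TrustedDomain" "/quarantine:$value"
    }
    if ($LASTEXITCODE -ne 0) { throw "netdom exited with code $LASTEXITCODE" }
    Get-TrustSidFilteringState -TrustingDomain $TrustingDomain -TrustedDomain $TrustedDomain | Format-List
}
```

Run it once with no -Set to record the state before Phase 5, with -Set Relax when SID history is needed for the Cutover window, and with -Set Restore ahead of the Cleanup job; after Restore, the SidHistoryHonored value should read False and any access failure that follows points at a resource whose source permissions were never replaced by target ones. The sIDHistory count is reported for the trusted domain because that is where the migrated accounts live; it is not cleared by restoring the trust setting and can be removed separately once nothing depends on it.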
Optionally, use the Set Intune Primary User action after the Device Cutover is completed.