
Active Directory Cross Forest Migration – The Complete Guide

Published By Aldrich Calvin
Approved By Anuraag Singh
Published On April 17th, 2025

Is an Active Directory cross forest migration on your horizon? Read the guide that discusses reasons like consolidation and mergers, explores methods using Microsoft's ADMT tool (with limitations) and PowerShell (complex scripting). It also presents a professional automated tool as a simpler, more efficient alternative for migrating users, groups, and computers seamlessly between forests.

There are different situations where you need to perform Active Directory cross forest migration. Here you will find the distinct manual methods to do Active Directory migration, such as ADMT and PowerShell. A proficient automated tool is also discussed that makes the process simpler.

In an Active Directory migration, user accounts, groups, and other objects are migrated from one AD forest to another. In some situations, admins also search for how to move users from one domain to another in the same forest. Microsoft suggests making a plan and taking a backup of the data before performing the Active Directory migration. There are multiple reasons why you may need to perform an AD migration across two different forests.

Why Perform Cross-Forest Migration of Active Directory?

  • To consolidate multiple forests into a single forest, which reduces the administrator’s overhead.
  • To improve the security of the forest. One forest is easier to secure as compared to multiple forests.
  • To improve the performance, because a single forest is more performant than multiple forests.
  • To store the data at a central location, which makes the data easier to manage.
  • Sometimes an organization merges with another, and to store all of the data in one place, you need to perform an Active Directory migration.

Active Directory Cross Forest Migration Using the ADMT Tool

ADMT (Active Directory Migration Tool) is a Microsoft application that can be used to migrate Active Directory objects across forests. Follow the steps sequentially.

Step 1. Download the ADMT tool and sign in to the destination domain.
Step 2. Open ADMT and go to Action, then User account migration wizard, and hit Next.
Step 3. It’s time to select the source domains and the destination domains.
Step 4. Fetch the users to perform migration and hit OK.
Step 5. Select the targeted Organizational unit and click Next.
Step 6. Now, tick the “Do Not Migrate source object if a conflict is detected in the domain” option in the conflict dialog box and click Next.
Step 7. After a while, verify the migrated users to confirm that the cross-forest migration of Active Directory was successful.

Limitations of the ADMT Tool

  • ADMT requires SQL Server to store its data.
  • Migration of trustless inter-forest objects is not possible.
  • All the native permissions must be allowed before migration.
  • No option to track the process.
  • Requires ADMT SID history before the migration.

All these drawbacks prompt admins to look for ADMT replacements, one of which is the PowerShell-led transfer.

Active Directory Cross Forest Migration Step By Step Using PowerShell

You can perform the AD migration with the help of PowerShell commands. This manual method is complex and requires a lot of technical knowledge, and it does not guarantee that all of the data is migrated successfully. You can also migrate computers from one domain to another with PowerShell by unjoining the computer from the old domain and joining it to the new domain. Follow the steps below.

Step 1. Set up a new Active Directory in the destination and make sure it is working perfectly.
Step 2. Install and run the Remote Server Administration Tools (RSAT) on the source computer from where the migration will take place.
Step 3. Set up a trust relationship between the source and destination domains for hassle-free migration.
Step 4. Then, launch PowerShell as an administrator on the source computer from where the migration will take place.
Step 5. Unjoin the source computer from its current domain.

Remove-Computer -UnjoinDomainCredential Domain01\Admin01 -Restart

Replace ‘Domain01’ with the source domain and ‘Admin01’ with a domain administrator account that possesses the required permission to perform the unjoin process.
Step 6. Now, join the computer to the destination domain. Replace ‘Domain002’ with the destination domain and ‘Admin002’ with a domain administrator account.

Add-Computer -DomainName Domain002 -Credential Domain002\Admin002 -Restart

Step 7. Then reboot; the computer should now be joined to the destination domain.
Step 8. If the change did not take effect, use the other scripts. Repeat the complete process for every computer that you want to migrate.
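
The script below is an added example, not part of the original guide or any vendor tool: it wraps steps 5 to 7 with pre-flight checks and a post-reboot verification. It assumes Windows PowerShell 5.1, takes the destination domain's DNS name as a parameter, and uses the -UnjoinDomainCredential parameter of Add-Computer to unjoin and join in one call instead of the two separate commands above.

```powershell
#Requires -RunAsAdministrator
# Added example for Windows PowerShell 5.1, run on the computer being moved.
param(
    [Parameter(Mandatory)] [string]$TargetDomain,  # DNS name of the destination domain
    [switch]$VerifyOnly                            # run with this switch after the reboot
)
$ErrorActionPreference = 'Stop'
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

if ($VerifyOnly) {
    if (-not $cs.PartOfDomain -or $cs.Domain -ne $TargetDomain) {
        throw "Join not complete: computer reports '$($cs.Domain)'."
    }
    if (-not (Test-ComputerSecureChannel)) {
        throw "Joined to $($cs.Domain), but the secure channel to a DC is broken."
    }
    "OK: $env:COMPUTERNAME is in $($cs.Domain) with a working secure channel."
    return
}

# 1. Stop if the computer is already a member of the destination domain.
if ($cs.PartOfDomain -and $cs.Domain -eq $TargetDomain) {
    throw "Already joined to $TargetDomain."
}

# 2. DNS prerequisite: the destination domain's DC locator records must resolve here.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TargetDomain" -Type SRV |
    Where-Object Type -eq 'SRV'
if (-not $dcs) { throw "No domain controller SRV records for $TargetDomain." }

# 3. Fallback access: if the join fails after the unjoin, only local accounts can sign in.
$localAdmins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
    Where-Object { (Get-LocalUser -SID $_.SID).Enabled }
if (-not $localAdmins) { throw 'No enabled local administrator account found.' }

# 4. Prompt for credentials so no password is stored in the script or shell history.
$sourceCred = Get-Credential -Message "Account allowed to unjoin from $($cs.Domain)"
$targetCred = Get-Credential -Message "Account allowed to join computers to $TargetDomain"

# 5. Unjoin from the source domain and join the destination in one call, then reboot.
Add-Computer -DomainName $TargetDomain -Credential $targetCred `
    -UnjoinDomainCredential $sourceCred -Verbose
Restart-Computer -Force
```

After the reboot, run the same script with -VerifyOnly to confirm the domain membership and the secure channel before moving on to the next computer.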

Active Directory Cross Forest Migration Professionally

You can use the Active Directory migration tool to perform the Active Directory cross forest migration. No technical knowledge is required to operate this tool. It can migrate AD users, printers, computers, and more. You can create multiple jobs to migrate AD objects, and the tool supports multiple AD migrations at once. It also migrates the newly added properties of the objects. You will not face any downtime during the migration. If errors occur during the migration, you can use the Active Directory migration checklist to overcome them.


Prerequisites

  • Requires Microsoft .NET version 4.6.1 or later.
  • Complete DNS settings should be applied to all DCs.
  • A trust relationship is required.
  • Configuration of the DNS suffix search list is a must.
  • Need to add the Admin account to the administrator groups.
  • Active Directory servers have to be on the same network.
  • The schema should be the same in both source and destination.
  • The user needs to have AD access.
  • Antivirus should not be able to block the application.
  • Disable the firewall on both machines for smooth functioning.

Steps to Follow

Step 1. Download the tool and enter administrator as the user ID and password.
Step 2. Then, enter the details of the source domain and click Save and Continue.
Step 3. Enter the second (target) domain details. Click on Save and Continue.
Step 4. Then, click on the first domain, enter the admin credentials, and click Save.
Step 5. Now, move to the Active Directory option and click on Fetch Active Directory Objects.
Step 6. Click on the second domain, enter the admin credentials, then click Save.
Step 7. Fetch the objects for the Active Directory cross forest migration.
Step 8. Then, create the Migration scenario by assigning a name to the scenario and entering the source and destination domains. Click Save & Continue.
Step 9. After the creation of the scenario, create the Task in the Task window. Assign a name to the Task, select the objects, and click Save & Continue.
Step 10. Then, map the objects by clicking on the three dots and selecting the merge or create option, and click Start Task.

Conclusion

Because Active Directory cross-forest migration is often required, admins search for reliable migration methods. Here we have explained both manual methods, ADMT and PowerShell. However, due to their limitations and complexities, they are not recommended. The automated tool is also explained for seamless Active Directory cross-forest migration. You can choose any method as per your needs.

Frequently Asked Questions

  • Q. What is the difference between an Active Directory Forest and an AD Domain?
    You can consider the forest as the top-level container of the Active Directory. An organization typically only needs one forest. Moreover, the forest itself contains one or more domains sharing schema, configuration, and global catalog with each other.
    A domain, on the other hand, is a subset of the forest; there might be more than one domain, each with its own logical grouping of objects. Here, the migration involves data transfer at the forest level, which is quite complicated.
  • Q. Is it mandatory to form a trust relationship between the two forests across which our migration takes place?
    Yes. Trust allows forests to authenticate requests and enables resource access between the two entities. Microsoft’s native ADMT won’t be able to perform the inter-forest transfer unless there is a trust relationship.
  • Q. What role does the SID history migration play in the AD-to-AD transfer?
    SID (Security Identifier) history lets migrated accounts retain their old SID as an additional identifier, maintaining access to source forest resources post-migration when using ADMT.
  • Q. Between PowerShell and ADMT, which one is better/easier to use?
    If you are comfortable with scripts/coding and use them regularly for AD management, then by all means, go for PowerShell. A GUI is easier to understand, though it may take longer, so if your AD is small and your team lacks technical expertise, ADMT is the better choice.
    However, if you choose the third option, i.e., the professional tool, you get the speed of PowerShell with the intuitiveness of ADMT.
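
The SID history answer above can be checked after a migration with the following added example, which is not part of the original guide: it lists every object in the destination domain that carries sIDHistory and flags values that come from an unexpected domain or that map to a built-in or well-known RID (below 1000, for example 512 for Domain Admins). It assumes the ActiveDirectory module from RSAT; the source domain SID shown is a constructed placeholder.

```powershell
# Added example; requires the ActiveDirectory module (RSAT), run against the destination domain.
param(
    # Domain SID of the source domain. Constructed placeholder, replace with your own.
    [string]$SourceDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
)
Import-Module ActiveDirectory -ErrorAction Stop

$report = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
    ForEach-Object {
        $obj = $_
        foreach ($sid in $obj.sIDHistory) {
            # Split "S-1-5-21-a-b-c-RID" into the domain part and the trailing RID.
            $value     = "$sid"
            $cut       = $value.LastIndexOf('-')
            $domainSid = $value.Substring(0, $cut)
            $rid       = [int64]$value.Substring($cut + 1)

            $finding = if ($domainSid -ne $SourceDomainSid) {
                'UnexpectedDomain'        # not from the forest that was migrated
            } elseif ($rid -lt 1000) {
                'BuiltInOrWellKnownRid'   # e.g. 500 Administrator, 512 Domain Admins
            } else {
                'Expected'
            }

            [pscustomobject]@{
                Name              = $obj.Name
                ObjectClass       = $obj.ObjectClass
                SidHistory        = $value
                Finding           = $finding
                DistinguishedName = $obj.DistinguishedName
            }
        }
    }

$report | Sort-Object Finding, Name | Format-Table -AutoSize -Wrap
$review = @($report | Where-Object Finding -ne 'Expected').Count
"{0} sIDHistory value(s) found; {1} need review." -f @($report).Count, $review
```

Entries marked Expected are the ones the migration is meant to produce; once access to source forest resources is no longer needed, the same report shows which objects still carry the old identifier.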