TL;DR. Global consumer goods company divestiture, 250 users, Big Bang migration with no domain trust, no SID history, no password sync. Users, workstations, mailboxes, OneDrive, Teams, and SharePoint all migrated in a compressed cutover using Quest ODM and ODMAD.
What was the client environment?
A global consumer goods company with operations across multiple countries needed to migrate its entire Active Directory and Microsoft 365 environment as part of a corporate divestiture. The migration was designed as a Big Bang cutover, with all users, workstations, and data migrated in a compressed timeline, and with the added constraint of no domain trust, no SID history, and no password synchronization between source and target environments.
What made this migration challenging?
Big Bang migrations with no domain trust are the most demanding migration scenarios. There is no safety net of coexistence and no fallback to source credentials if something goes wrong:
- No domain trust. The source and target Active Directory domains had no trust relationship, meaning users could not authenticate across environments. Every user, group, and computer object had to be cleanly migrated to the target with new credentials.
- No SID history. Without SID history migration, resource access permissions could not be preserved through legacy SID mapping. All access control had to be re-established in the target environment.
- No password sync. Users would receive new passwords in the target environment, requiring careful coordination of user communications, password distribution, and support desk readiness for the cutover window.
- Workstation migration. End-user workstations needed to be migrated from the source domain to the target, requiring DUA (Desktop Update Agent) and AD agent deployment, testing, and coordinated execution alongside the identity and data migration.
- Service account security concerns. The client's security team had concerns about the permissions required for ODM DirSync service accounts, requiring detailed discussions and documentation before migration tooling could be fully configured.
- Prerequisite delays. Critical prerequisites (remote access, DirSync server setup, O365 licensing, domain trust decisions, and test machines) were delivered incrementally over the first two weeks, requiring the consultant to adapt the work plan daily.
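What the "No SID history" constraint means for access control, as an added example (not code from the engagement or from Quest's tooling): ACLs captured from the source still name source-domain SIDs, so each one must be rewritten to a target SID or flagged for a manual decision. The domain SIDs, RIDs, share paths and SID map are constructed sample values, and `translate_sddl` and `audit_export` are hypothetical helper names.

```python
import re

# Constructed sample values: these domain SIDs, RIDs and share paths are made up.
SRC_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
TGT_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"

# Assumed input: source SID -> target SID pairs for accounts already migrated.
SID_MAP = {
    f"{SRC_DOMAIN}-513": f"{TGT_DOMAIN}-513",    # Domain Users
    f"{SRC_DOMAIN}-1104": f"{TGT_DOMAIN}-2210",  # a migrated user
    f"{SRC_DOMAIN}-1150": f"{TGT_DOMAIN}-2305",  # a migrated group
}

# Constructed ACL export: resource path -> security descriptor in SDDL form.
EXPORT = {
    r"\\fs01\finance": f"O:{SRC_DOMAIN}-1104G:{SRC_DOMAIN}-513"
                       f"D:PAI(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;{SRC_DOMAIN}-1150)",
    r"\\fs01\legal": f"O:BAG:SYD:(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;{SRC_DOMAIN}-1199)",
}

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def translate_sddl(sddl, sid_map=SID_MAP, src_domain=SRC_DOMAIN):
    """Rewrite source-domain SIDs to target SIDs; return (new_sddl, orphaned_sids)."""
    orphaned = []

    def swap(match):
        sid = match.group(0)
        if not sid.startswith(src_domain + "-"):
            return sid              # not a source-domain SID (e.g. well-known): keep
        if sid in sid_map:
            return sid_map[sid]     # owner, group or ACE trustee that was migrated
        orphaned.append(sid)        # no target account: needs a manual decision
        return sid

    return SID_RE.sub(swap, sddl), orphaned


def audit_export(export=EXPORT):
    """Return (rewritten descriptors, sorted list of (path, unmapped SID))."""
    rewritten, gaps = {}, []
    for path, sddl in export.items():
        rewritten[path], orphaned = translate_sddl(sddl)
        gaps.extend((path, sid) for sid in orphaned)
    return rewritten, sorted(gaps)


if __name__ == "__main__":
    new_acls, gaps = audit_export()
    for path, sid in gaps:
        print(f"UNMAPPED {path}: {sid}")
```

Every entry in the unmapped list is a permission that would silently stop working after cutover, since the target domain has no SID history to fall back on.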
How did LeadThem approach the migration?
Structured discovery despite delays
Week 1: Discovery and CDS development. Reviewed ODM and ODMAD prerequisites. Confirmed project parameters: Big Bang strategy, no trust, no SID history, no password sync. Started CDS (Custom Deployment Solution) draft. Navigated prerequisite delays by advancing documentation and planning while waiting for remote access and DirSync server availability.
Week 2: Tooling configuration and security negotiations. Worked with the client's security team to address service account permission concerns. Installed ODM DirSync agents on both source and target servers (with initially limited account rights). Completed on-premises DirSync configuration once service accounts were provisioned. Participated in client discussions on scope changes for staged cutovers and workstation migration process.
Weeks 3-4: Workstation migration testing and user sync. Deployed DUA and AD agents to test workstations. Configured and tested ODM DirSync user sync workflows. Validated end-to-end workstation migration process including domain join, profile migration, and application access verification. Compiled and validated user migration rosters.
Weeks 5+: Production cutover. Executed Big Bang migration of user accounts, groups, and workstations. Migrated mailboxes, OneDrive data, Teams chats, and SharePoint content. Coordinated password distribution and user communications. Provided post-migration support for authentication and access issues.
What technical challenges did we solve?
- Service account security standoff. The client's Identity & Access team required detailed justification for the permissions needed by ODM DirSync service accounts. Our consultant provided comprehensive documentation of each permission requirement, explaining why each was necessary and what migration capabilities it enabled. This transparent approach resolved the security team's concerns and allowed the project to proceed without compromising the client's security posture.
- Prerequisite dependency management. With five major prerequisites (remote access, DirSync servers, service accounts, O365 licensing, and test machines) arriving on different dates across the first two weeks, our consultant adapted the work plan daily. We advanced whatever workstreams were unblocked while tracking dependencies and advising the client on critical dates. This kept the project productive from day one despite the rolling prerequisite delivery.
- Scope change mid-project. The client's team introduced scope changes for staged cutovers during the project, modifying the original Big Bang plan. Our consultant participated in these discussions, provided technical guidance on the workstation migration implications, and adjusted the migration approach accordingly.
What were the results?
The global consumer goods company's Active Directory and Microsoft 365 environment was successfully migrated using a Big Bang approach, with no domain trust, no SID history, and no password synchronization. Users, workstations, mailboxes, OneDrive data, Teams, and SharePoint were all migrated in a coordinated cutover. The consultant's ability to navigate security concerns, adapt to prerequisite delays, and accommodate scope changes ensured the project delivered on its aggressive timeline.
Which tools and technologies were used?
- Quest On Demand Migration (ODM) for cloud data migration
- Quest ODMAD (On Demand Migration for Active Directory) with DirSync agents
- DUA (Desktop Update Agent) for workstation migration
- AD Agent for domain join and profile migration
- Active Directory (no trust, no SID history configuration)
- Microsoft 365 (Exchange Online, OneDrive, Teams, SharePoint)
Why LeadThem Consulting
Big Bang migrations with no domain trust are the hardest migrations to get right. There is no coexistence safety net and no room for error on cutover day. LeadThem Consulting's consultants have the experience to navigate the security negotiations, prerequisite dependencies, and scope changes that inevitably arise in these projects. When the client's security team pushed back on service account permissions, we did not escalate. We documented, explained, and resolved. That is the difference between a partner who executes and one who just follows a runbook.
- What is a Big Bang AD migration?
  A Big Bang migration cuts over all users, workstations, and data from source to target Active Directory in a single coordinated event, without an extended coexistence period. It is used when domain trust is not possible, when divestiture timelines compress the schedule, or when the source environment must be decommissioned quickly.
- What does 'no domain trust, no SID history, no password sync' mean?
  No domain trust means users cannot authenticate across the source and target domains. No SID history means legacy resource permissions cannot be preserved through SID mapping. No password sync means users receive fresh credentials at cutover. All three together represent the most demanding migration scenario, because there is no safety net.
- How are workstations migrated when there is no domain trust?
  Through Quest's Desktop Update Agent (DUA) and AD Agent. The agents disjoin the workstation from the source domain, rejoin it to the target, migrate the local user profile to the new account, and validate application access, all without requiring a cross-forest trust.
- Why would an organization choose a Big Bang migration over coexistence?
  Divestiture timelines, security isolation requirements, or constraints that prevent domain trust. Big Bang migrations also avoid the operational overhead of maintaining cross-domain coexistence for months. The trade-off is that everything must work on cutover day, which is why thorough prep and lab testing are essential.