

DATAMTX LLC
Active Directories / Quest Migration Engineer (QMM)
This role is for a Sr AD Migration Engineer with Quest Migration Manager expertise, offering a flexible, remote contract for 3 to 6 months at a competitive pay rate. Key skills include Active Directory migration, SID history injection, and application dependency management.
🌎 - Country: United States
💱 - Currency: $ USD
💰 - Day rate: Unknown
🗓️ - Date: April 28, 2026
🕒 - Duration: 3 to 6 months
🏝️ - Location: Remote
📄 - Contract: Unknown
🔒 - Security: Unknown
📍 - Location detailed: Atlanta, GA
🧠 - Skills detailed: #Migration #EC2 #Oracle #Metadata #Deployment #Disaster Recovery #Scala #Security #Strategy #LDAP (Lightweight Directory Access Protocol) #Compliance #AWS (Amazon Web Services) #Documentation #Kerberos #Logging #Replication #Web Services #AWS EC2 (Amazon Elastic Compute Cloud)
Role description
WHO WE ARE
Datamtx (www.datamtx.com, formerly Datamatics), established in 1993, is globally HQ'd in Atlanta, with a stellar history supporting OEMs such as IBM, Oracle, Microsoft, Adobe, Infor, etc., along with leading NOCs and distributors (e.g., Arrow Electronics, Synnex, etc.), for both professional services and team augmentation services.
THE ROLE
We have an existing client with a need for a Sr AD Migration Engineer with deep Quest Migration Manager experience, preferably Quest certified.
This will be a remote role and we anticipate at least 3 months of work.
Part-time candidates are invited to apply as we are offering flexible hours with this role in line with the SOW-based delivery for this project.
PROJECT OVERVIEW:
This is an on-premise Active Directory domain environment encompassing the full lifecycle migration of approximately 700 Active Directory accounts - including user accounts, service accounts, and group-managed service accounts (gMSAs) - from the existing source domain to a consolidated destination domain.
Of these 700 accounts, approximately 300 represent active end users who interact with domain-joined systems on a daily basis.
The destination domain controllers are hosted on Amazon Web Services (AWS) EC2 instances within the client's infrastructure, representing a modernization of the underlying compute platform while retaining an on-premise Active Directory architecture.
This approach preserves organizational investment in Group Policy, NTFS permissions, and domain-integrated applications while delivering improved infrastructure resilience and scalability.
The migration will leverage Quest Migration Manager for Active Directory as the primary tooling platform. Quest Migration Manager provides enterprise-grade capabilities for user, group, and computer object migration; SID history injection for seamless resource access during coexistence; and comprehensive logging and audit trails throughout the migration lifecycle.
Infrastructure Modernization: Leverage AWS EC2 for domain controller hosting, improving availability and disaster recovery posture.
Security Posture Improvement: Establish a clean domain environment with updated OU structures, refined Group Policy, and strengthened access controls.
A critical success factor for this engagement is the disciplined management of application dependencies that are tightly integrated with Active Directory.
These include Okta identity federation, Imprivata ProveID clinical authentication agents, printer and peripheral device mappings, RADIUS/NPS network authentication, file server NTFS ACLs, DHCP configurations, and Certificate Services. Each dependency requires targeted migration actions, validation criteria, and hyper-care support to ensure minimal disruption to end-user productivity and clinical or business operations.
PROJECT SCOPE:
• Discovery and assessment of the source Active Directory environment, encompassing approximately 700 accounts and approximately 300 active end users.
• Full inventory of users, groups, organizational units (OUs), computer objects, service accounts, and group-managed service accounts (gMSAs).
• Group Policy Object (GPO) inventory, analysis, conflict identification, and migration planning.
• DNS zone inventory, conditional forwarder documentation, and DNS cutover planning.
• Application dependency mapping, including:
1. Okta federation and AD connector configuration
2. Imprivata ProveID agent bindings
3. Print servers and printer mapping deployments
4. RADIUS/NPS policies and network authentication
5. DHCP scope review and DNS suffix configuration
6. Peripheral devices (badge readers, scanners)
7. File server NTFS ACL audit and share permission documentation
8. Certificate Services assessment (AD CS)
• Network topology and firewall rule documentation and change request management.
• Service account deep-dive: SPN registrations, application dependency mapping, and Kerberos delegation configurations.
• Target OU structure design for the destination domain.
• Quest Migration Manager installation, configuration, and validation.
• Migration wave planning: 5 production waves of approximately 50–75 users each, plus a dedicated service account migration window.
• Pilot migration with 15–25 representative users and comprehensive validation across all dependency areas.
• SID history injection to preserve resource access during the coexistence period.
• Post-migration validation including authentication testing, GPO application verification, security access confirmation, and DNS finalization.
• Source domain decommission planning and execution, including domain controller demotion, AD metadata cleanup, and DNS zone removal.
• Knowledge transfer and operations handoff to [Client Organization Name] IT team.
• Project documentation deliverables: Discovery Report, Migration Design Document (MDD), Migration Runbook, Pilot Report, Wave Completion Reports, Post-Migration Validation Report, Decommission Completion Report, and Project Closeout Report.
REQUIRED SKILLS / EXPERIENCE
• Experience with Quest Migration Manager for Active Directory, which will serve as the primary migration engine for this engagement, providing an enterprise-grade platform for directory object migration.
• Deep skill with: User, group, and computer object migration; SID history injection; password synchronization; resource updating (ACLs, shares, mailboxes); and comprehensive session logging with full audit trail.
• Experience with agent-based and agentless migration approaches; the approach is to be determined in Phase 2 (Design & Planning) based on environment characteristics and security requirements.
• Experience with migration sessions configured on a per-wave basis with full logging, rollback capability, and audit trail preservation for compliance documentation.
Migration Wave Strategy
Production migration will be executed in 5 waves of approximately 50–75 users each, with wave assignments determined by department, physical location, application dependency profile, and assessed risk level.
Each wave follows a standardized execution sequence:
1. Pre-wave validation and readiness checks
2. User notification (minimum 5 business days prior)
3. Account migration (user objects, attributes, passwords)
4. Computer object migration
5. Group membership update and validation
6. SID history injection
7. GPO application and validation
8. DNS updates and verification
9. Application validation (Okta, Imprivata, printers, peripherals, file access)
10. Hyper-care period (48–72 hours with dedicated support)
11. Wave completion report and sign-off
A dedicated service account migration window follows the completion of user waves to minimize application impact.
Service account migrations are coordinated directly with application owners and include planned downtime windows for dependent applications.
Coexistence Strategy
• SID history injection preserves access to source domain resources during the coexistence period, ensuring that migrated users retain seamless access to file shares, applications, and other resources that reference source domain SIDs.
• Conditional forwarders and DNS configuration maintain name resolution across both domains throughout the migration.
• Temporary firewall rules enable cross-domain communication (Kerberos, LDAP, DNS and Replication) during the migration period.
• The coexistence period is maintained until all waves are complete and post-migration validation confirms full operational functionality in the destination domain.
Rollback Strategy
• Documented rollback procedures are prepared for each migration phase and validated prior to execution.
• Pre-migration snapshots and backups of critical AD components (System State, GPOs and DNS zones) are captured before each wave.
• Per-user rollback capability is available during wave execution, enabling targeted recovery without impacting other migrated users.
• Formal go/no-go decision gates are established at pilot completion and before each production wave. Go/no-go criteria include authentication success rate, GPO application rate, and application validation results.





