Blog · Carve-Out Tech

Identity is the contract. Get it wrong and nothing works.

Carve-out active directory migration is the work of giving Newco its own identity backbone so that every user, group, computer, and service account is owned by Newco rather than the seller. The track sits at the centre of every other IT workstream inside the broader carve-out advisory program because directory failures cascade. Email breaks, file shares disappear, application logins fail, endpoint policy stops applying. The buyer-side advisor pushes the directory plan to the front of the schedule for exactly this reason.

6
Decision Points
9-15mo
Typical Duration
8 min
Read Time
2026
Last Updated
Section 01

Active directory as the spine of identity. Everything traces back here.

Active directory and the cloud identity provider it federates with sit underneath nearly every IT service Newco consumes. User accounts, group memberships, certificates, group policy, DNS for internal services, SSO trust to SaaS applications, conditional access, and device management all read from the directory. Separating the directory cleanly is the precondition for every other separation track to run safely.

Most carve-outs inherit a seller directory that has been operating for a decade or more. The directory carries accumulated history: nested groups, stale service accounts, custom schema extensions, hard coded references in legacy scripts. The migration plan has to cope with this complexity without breaking the active business.

The buyer-side advisor scopes the directory environment in the first month and produces a separation strategy that names every directory dependent service and the order in which they cut over. The work pairs with TSA exit IT separation.

Section 02

Greenfield directory versus domain migration. Two paths. Very different bills.

The first design decision is whether Newco builds a greenfield directory from scratch or migrates the existing directory objects out of the seller forest into a new Newco forest. The greenfield path means clean schema, modern policy, and no inherited debt. It costs more in user reprovisioning and application re integration. The domain migration path preserves more history but inherits whatever was wrong in the source.

Smaller carve-outs typically pick greenfield because the user count is manageable and the application portfolio is small enough to re integrate. Larger carve-outs sometimes pick domain migration to avoid the disruption of touching every user account. The buyer-side advisor builds the cost case both ways and presents the trade off to the Newco CIO and the operating partner.

The cloud identity layer often gets greenfield even when the on premise directory does not. A new tenant in the cloud identity provider sits alongside the migrated on premise environment, providing a clean SSO surface for SaaS applications. The hybrid pattern has become the dominant design for most mid market carve-outs.

Section 03

Timing and tools. The toolchain is mature.

Directory migration tools are mature and reliable. The standard pattern is to deploy a migration toolset that creates trust relationships between source and target environments, then moves objects in controlled batches. Users keep working across both environments during the migration window because the trust allows cross authentication.

Timing is shaped by application dependencies more than by tool capability. The migration cannot move ahead of the applications that depend on the source directory unless those applications can tolerate the trust based coexistence. Some applications cannot. The buyer-side advisor catalogues these constraints early so the wave plan is realistic.

A common pacing problem is the seller's pace versus Newco's pace. The seller may want users out of its forest quickly. Newco may want the migration to take longer so application re integration can keep up. The TSA service catalog should set a target completion date for the directory exit and the governance committee tracks against it. The work pairs with TSA azure active directory separation.

Section 04

Application dependencies and SSO. Every SaaS connection has to be redone.

Every application that authenticates against the seller's identity layer needs to be re integrated against the Newco identity layer. SSO trusts have to be rebuilt. SCIM provisioning connectors have to be reconfigured. Service accounts running automated jobs need new credentials. Each integration is small in isolation but the volume across a typical mid market estate runs into hundreds.

The application inventory needs to be built in month one. Each application gets a record of how it authenticates today, how it will authenticate after Newco takes over, who owns the rework, and when the rework lands. SaaS applications typically use SAML or OIDC and rework is a few hours per application. On premise applications with custom identity wiring can take days each.

Conditional access and zero trust policy is the other surface that needs rebuild. Newco probably wants different conditional access policy than the seller, especially around device posture, geographic restrictions, and risk based authentication. The new policy should be defined and tested before the directory cutover wave so users land in a known state. The work pairs with TSA Okta identity separation.

Section 05

Security policy carry over. Right size, not copy paste.

Group policy, certificate templates, password policy, and privileged access management are all carried by the directory. Newco needs to decide which policies to bring over, which to redesign, and which to retire. The temptation is to copy paste the seller's policy because it works. The right move is to right size the policy to the Newco operating model.

Privileged access is the highest risk area. The seller's domain admins, enterprise admins, and tier zero accounts must not retain access into Newco after cutover. The same applies in reverse: Newco's eventual admins must not have lingering access into the seller environment. The cleanup of privileged access happens at the directory cutover and is documented for both parties as part of the audit trail.

Certificate authorities are a quieter but equally important surface. Newco usually stands up its own internal CA rather than continuing to consume the seller's CA after exit. Certificates issued by the seller's CA must be reissued by the Newco CA before they expire or before the TSA ends, whichever comes first. The work pairs with carve-out cybersecurity Day One.

Section 06

Cutover and decommissioning. The clean exit closes the loop.

The cutover from the seller directory to the Newco directory is rarely a single event. The standard pattern is a series of waves, each wave moving a set of users and the applications they touch into the Newco environment. The final wave decommissions the trust to the seller directory and removes the last Newco objects from the source.

Decommissioning is the step most carve-outs underestimate. It is not just turning off a service. It involves removing all Newco service accounts from seller systems, retiring trust relationships, purging Newco data from seller backups according to a documented schedule, and getting written confirmation from the seller that the decommissioning is complete. The buyer-side advisor pushes this paperwork through the governance committee so the carve-out closes cleanly.

Post cutover, Newco runs an identity reconciliation report for several months to catch any service accounts, scheduled tasks, or scripts that were missed. Identity drift is the most common post exit cleanup item and it is far cheaper to catch in the first ninety days than to find six months later in an audit. The work pairs with carve-out network separation and carve-out endpoint management.

Related Reading

More on carve-out technology.

Free Download

Get the buyer-side TSA Exit Playbook.

The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.

No spam. Unsubscribe in one click. · Read the overview first →

Identity is the contract. Get it wrong and nothing works.
TSA Exit Acceleration

Land the directory migration before the rest of the stack stalls. On the TSA timeline.

Fixed-fee proposal in 48 hours. Senior team on day one. The first conversation is always free.

White paper

The TSA Exit Playbook

Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.

Read the playbook →
White paper

The Identity & Access Separation Playbook

Stand up a clean identity tenant first — every application cutover and every security control depends on it, and the seller holds the keys until you do.

Read the playbook →
The Day One Letter

Get buyer-side TSA intelligence every two weeks

One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.

Subscribe to The Day One Letter →