Best Practices for Active Directory Migrations


WHITE PAPER

Best Practices for Active Directory Migrations: A Strategic Approach to Migrating the Corporate Directory


Table of Contents

Introduction: The Strategic View of Active Directory Migrations
    Active Directory Migration Drivers
    The Challenges of Migrating Active Directory
How to Approach an Active Directory Migration
    Define the End-State of the Active Directory Infrastructure
    Create a Checklist for Migrating Active Directory Domains
    Maintain Active Directory Synchronization
    Maintain Ongoing Operations and User Functionality
Related IT Infrastructure Migrations
    Migrating Messaging or Collaboration Platforms
    Migrating Windows Servers
Conclusion


Introduction: The Strategic View of Active Directory Migrations

Microsoft Active Directory is a cornerstone of the IT infrastructure for many enterprises. It plays such a central role because users’ Active Directory identities determine their access to and usage rights for IT resources. Active Directory also plays a role in managing software deployments on individual computers (workstations) and other registered devices. Indeed, Active Directory is the nexus for an organization’s application infrastructure; few other IT directories have as much visibility and user impact. (Figure 1)

Figure 1. Active Directory plays a central role in managing users, computers, devices, and applications within an organization.

Given this important role, it’s easy to understand that migrating Active Directory to a new environment is a complex task that must be planned and managed carefully. The first step in creating an Active Directory migration plan is to understand the drivers and challenges involved.

Active Directory Migration Drivers

The drivers for an Active Directory migration can be many and varied, depending on both business and technical factors. One frequent business driver is a corporate restructuring that is prompted by a merger, acquisition, divestiture, or another organizational change. In these cases, a whole or partial Active Directory migration may be needed to support the new business structure and IT resources.


A common technical driver is the evolution of Active Directory environments when they grow too large and unwieldy. In this case, a migration can be made to reduce the environment’s complexity as well as management and maintenance costs. Network changes to deploy or adapt to new technologies may also drive upgrades or migrations in Active Directory environments. For example, some network topologies inhibit adoption of new technologies such as Microsoft Office 365. Upgrading to new versions of Microsoft Exchange or adopting cloud-based applications may require Active Directory migrations in order to accommodate the associated changes in user and resource definitions, policies, and access.

The Challenges of Migrating Active Directory

Once the migration decision has been made, several common challenges emerge. The first challenge is to minimize the impact of migration activities on users. The migration process should be transparent to users, allowing them to continue working productively with the same applications and resources.

The absence of trust between the old and new Active Directory environments presents another migration challenge. Depending on your reasons for the migration, certain security and network capabilities may not be available and you will need another way to establish trust between the environments. A related challenge is the ability to migrate without shared admin access. For example, when you migrate because of a merger, acquisition, or divestiture, shared admin access may be inappropriate or prohibited.

Dealing with a distributed network adds to the complexity of a migration because Active Directory is fully tied to the underlying network infrastructure. This challenge is compounded by the need to update access control lists (ACLs) for all resources managed across the Active Directory environment.

These challenges can be addressed by applying well-established best practices for Active Directory migrations such as those defined in Binary Tree’s approach to enterprise migrations.

How to Approach an Active Directory Migration

Like any other major IT project, an Active Directory migration should begin with common IT best practices:

• Discovering and analyzing the source Active Directory environment
• Planning the target Active Directory environment
• Remediating any applications that rely on the Active Directory structure to ensure they will not cause a business disruption during the migration
• Validating the new transition approach in a lab setting
• Conducting a pilot project with a small number of users and resources, starting slowly and increasing velocity as the pilot achieves success
• Creating backup and recovery plans for unexpected issues that arise during the migration, allowing you to restore the previous Active Directory environment without impacting users and organizational workflow
• Anticipating risks and establishing plans to address them

In addition to these core practices, you’ll want to follow several best practices specific to Active Directory environments.

Define the End-State of the Active Directory Infrastructure

Defining the end-state of your target Active Directory infrastructure helps you make the right migration decisions. A useful end-state definition covers plans for:

• Implementing the right structure for domains and organizational units
• Identifying and handling duplicate accounts and accounts that shouldn’t be migrated
• Determining the best migration cutover process from the source to the target environment
• Analyzing interactions with external domains and identifying any source domain account dependencies
• Establishing new policies and standards as needed
• Determining the right number of domain controllers and planning for data movement among them

Create a Checklist for Migrating Active Directory Domains

Creating a checklist for Active Directory domain migration is a good way to make sure you understand the Microsoft Windows trust requirements. Although there are a variety of ways to migrate with or without two-way trust between the old and new environments, understanding which trust elements are available to you is the key to performing a proper Active Directory migration.

User password migration is another important issue to address with the domain checklist. Sometimes user passwords follow varied standards, and you may not be able to migrate passwords as part of the overall Active Directory migration. However, because setting new passwords is very disruptive to users, passwords should be migrated whenever possible.

Finally, the checklist should also include migration requirements for NetBIOS and Domain Name Service (DNS) name resolution, as well as group security policies and other security settings.


Maintain Active Directory Synchronization

For migration planning, it’s important to understand the differences and similarities between Active Directory synchronization and Active Directory migration. It is almost inevitable that any Active Directory migration will be performed gradually and you should plan for a period of coexistence and synchronization between the old and new environments, even for a very small Active Directory implementation.

Figure 2. Keeping the directories synchronized during a phased Active Directory migration is vital to ensuring the productivity of your users.

As shown in Figure 2, synchronization between the source and target environments involves continuous, bidirectional information sharing. In contrast, a migration involves a one-time, one-way transfer of information from the source to the target environment.

A synchronization plan helps maintain current users’ attributes throughout the migration process. It also helps to ensure that any other changes are performed properly in both the source and target Active Directory environments over the course of a gradual migration. Synchronization maintains transparent interoperability between the source and target environments while minimizing risk, downtime, and interruptions to users.

Maintain Ongoing Operations and User Functionality

Many operations performed during a gradual migration will become ongoing management and maintenance tasks in the new environment when the migration is complete. Examples of these operations include provisioning users, managing groups, administering ACLs, synchronizing passwords, and reporting. These operations are all part of the circular life cycle in any migration or transformation that involves Active Directory, Exchange, Microsoft SharePoint, or any other enterprise platform.


The Active Directory migration must maintain the user’s profile to drive computer and device mappings, connectivity for Microsoft Outlook, and many other aspects of the user’s daily operations and productivity. When migrations take place after business hours or over weekends, user communications are important to ensure that workstations are turned on and connected to the network. For any user computer not connected, the migration may not take effect right away and your migration plan will need to include steps for later remediation.

Related IT Infrastructure Migrations

At first glance, Active Directory migrations may not appear to be related to migrations of messaging environments such as Microsoft Exchange, collaborative platforms like SharePoint, or Windows server environments. However, there is an implied link because the migration of one will often impact or necessitate a parallel migration of the other.

Migrating Messaging or Collaboration Platforms

Microsoft Exchange is integrated with and relies upon Active Directory for key user and resource information. Any Active Directory migration will impact user access to Microsoft Exchange mailboxes and have an impact on an Exchange migration. Similarly, any Exchange migration will have a direct impact on an Active Directory migration.

Figure 3. Exchange is dependent upon Active Directory for directory services.

Microsoft SharePoint is not as integrated with Active Directory as Microsoft Exchange; however, Active Directory migration will frequently impact the SharePoint environment and will require the modification of rights along with modification of user identities. Of course, at times an Active Directory migration may need to be performed without an Exchange or a SharePoint migration. Any kind of Exchange migration will also depend on key attributes and key objects that are defined within Active Directory. This dependence means an Active Directory analysis is essential before beginning the Exchange migration because the analysis may show a need to modify the Active Directory environment or perform a full, parallel migration.


Migrating Windows Servers

A frequently overlooked aspect of an Active Directory migration is a Windows server migration. Windows servers are not necessarily part of the Active Directory components and server migrations are typically performed more frequently than Active Directory migrations. However, coordinated migrations of Windows servers and Active Directory environments may be necessary in these situations:

• Replacing domain controllers because of a remote office move
• Converting local users and groups on a server to domain accounts in order to simplify server management
• Consolidating legacy servers to new physical or virtual Windows servers for better performance and management
• Replacing aging, failing, or unsupported legacy file servers

When planning a Windows server migration in conjunction with an Active Directory migration, several considerations are critical:

• Security IDs (SIDs) are not portable across member servers
• Access to files, folders, and shares must be maintained during and after both migrations
• Changes must be synchronized during the migrations
• User access to mapped drives, folders, and files must be maintained during and after the migrations
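The ACL update challenge described earlier and the SID considerations listed above can be checked before cutover. The following is an added example, not part of the original paper or of Binary Tree's software: it rewrites the trustees in a share's SDDL security descriptor using a source-to-target SID mapping and reports the entries that still need a decision. The SIDs, the mapping table, the SDDL string and the function names are all constructed for illustration.

```python
import re

# All SIDs, the mapping and the SDDL string below are constructed sample values.
SOURCE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
# Hypothetical source-to-target SID mapping produced by the account migration.
SID_MAP = {
    SOURCE_DOMAIN_SID + "-1104": "S-1-5-21-4444444444-5555555555-6666666666-2201",
}
# Security descriptor of a share on a server being migrated, in SDDL form.
SAMPLE_SDDL = (
    "O:BAG:SYD:PAI"
    "(A;OICI;FA;;;BA)"
    "(A;OICI;0x1301bf;;;" + SOURCE_DOMAIN_SID + "-1104)"
    "(A;OICI;0x1200a9;;;" + SOURCE_DOMAIN_SID + "-1150)"
    "(A;OICI;0x1200a9;;;S-1-5-21-7777777777-8888888888-9999999999-1001)"
)
# Matches simple ACEs only; conditional ACEs (nested parentheses) are skipped,
# and the owner (O:) and group (G:) fields are not rewritten.
ACE_RE = re.compile(r"\(([^()]*)\)")

def classify_trustee(trustee):
    """Classify one ACE trustee by where its SID was issued."""
    if not trustee.startswith("S-1-5-21-"):
        return "well-known"        # SDDL alias (BA, AU) or fixed SID such as S-1-5-32-544
    if trustee.startswith(SOURCE_DOMAIN_SID + "-"):
        return "mapped" if trustee in SID_MAP else "unmapped"
    return "local-or-foreign"      # local account on a member server, or another domain

def remap_sddl(sddl):
    """Return (rewritten_sddl, findings) covering every simple ACE in sddl."""
    findings = []
    def fix(match):
        fields = match.group(1).split(";")
        if len(fields) < 6:        # not a well-formed ACE: leave untouched
            return match.group(0)
        kind = classify_trustee(fields[5])
        findings.append((fields[5], kind))
        if kind == "mapped":
            fields[5] = SID_MAP[fields[5]]
        return "(" + ";".join(fields) + ")"
    return ACE_RE.sub(fix, sddl), findings

def needs_attention(findings):
    """Trustees that need a manual decision before cutover."""
    return [t for t, kind in findings if kind in ("unmapped", "local-or-foreign")]

if __name__ == "__main__":
    new_sddl, findings = remap_sddl(SAMPLE_SDDL)
    print(new_sddl)
    for trustee, kind in findings:
        print(f"{kind:17} {trustee}")
```

The "local-or-foreign" entries are the ones the SID portability point concerns: a SID issued by a member server's local account database has no meaning on the replacement server and has no entry in a domain-level mapping.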

Conclusion

The best practices discussed in this paper reflect Binary Tree’s approach to enterprise migrations. Following this approach will help you plan and perform a successful migration of Active Directory alone or in conjunction with Microsoft Exchange or Windows Server migrations. Binary Tree also offers the Active Directory Pro software that enables a project team to automate the migration and restructuring of the Active Directory environment while ensuring full coexistence between migrated and un-migrated users.


Learn more about Binary Tree

For more information on Binary Tree, visit us at www.binarytree.com/company/about-binary-tree.


© Copyright 2019, Binary Tree, Inc. All rights reserved. 1310. The Binary Tree logo and the tagline “Powering Enterprise Transformations” are registered trademarks, and any references to Binary Tree’s products and services are trademarks, of Binary Tree, Inc. All other trademarks are the trademarks or registered trademarks of their respective rights holders.
