Five Active Directory migration best practices

Active Directory delivers essential authentication and authorisation services across the IT ecosystem, so it’s critical for Active Directory migrations to go smoothly. Whether your project is driven by merger and acquisition (M&A) activity, a divestiture, the need to consolidate your domains or some other factor, here are five Active Directory migration best practices that can help you deliver a successful migration.

1. Document your desired end state

Everyone wants to achieve a successful migration – but how will you know whether yours is successful or not? Or, more to the point, how can you prove to all your stakeholders that the migration was indeed a success?

The key is having a clear, documented vision of the desired end state. What should your OU structure look like? What Group Policy needs to be applied? What is your desired forest and domain level? Spell out as many details as you can. Keep the following tips in mind:

Select your target directory with care, choosing a greenfield only when it’s truly necessary.

One fundamental decision will be the choice of target directory. In any Active Directory migration, you have two options: consolidate into one of the existing directories or move to a new directory (a greenfield). To choose the right option for your migration project, apply these Active Directory migration best practices:

• Consider business and legal requirements – In some cases, business or legal requirements dictate the choice of target environment. For example, in an acquisition scenario, you might be required to use the acquiring company’s Active Directory as the target. However, don’t simply assume that the decision has been made; take the time to actually determine what options are available to you. In particular, merger deals often provide more flexibility than one might think.
• Consider technical requirements – Perform a thorough assessment of all the environments involved in the migration. Analyse their current directory configurations and Group Policy Objects (GPOs), as well as the applications and scripts that tie into Active Directory. Consider which environment most closely matches your desired end state needs. Also review the health of the environments to determine if there are issues that cannot be remediated, since that makes that environment a less attractive target.
• Don’t start from scratch unnecessarily – Organisations are sometimes tempted to start fresh so that they can define their OU structure, GPOs and other components from the ground up. However, migration to a greenfield can add significant time, cost, effort and risk to a project: you’ll need to build your Active Directory objects, security policies, application tie-ins and more. Therefore, a greenfield migration is recommended only when it’s required for legal purposes, when you’re divesting into new environment and when the existing environments are in such an unhealthy state that it is not recoverable (for example, replication isn’t working despite your best efforts with the Microsoft support team).

2. Perform a thorough discovery

Remember that the directory itself is the easy part.

Migrating your Active Directory itself is a relatively straightforward process. After all, all directories are structurally the same, with users, computers, groups and so forth, so that part of the migration is a known quantity. It’s all the applications, services and other components that rely on Active Directory that make migrations complex.

Therefore, it’s important for your discovery process to be as thorough as possible. In particular, be sure it includes:

• Group Policy – Review the Group Policy in place in all the source environments and determine your desired GPOs for the target environment.
• Onboarding and off-boarding processes – Think about processes that involve user creation and deletion, device deployment, group membership and mailbox provisioning. For example, your HR department might have applications that create new accounts in AD for new hires and that update accounts when employees change roles, and various IT or security teams might have deployed scripts that run on a regular basis to clean up stale objects.
• Device registration and management – Consider whether your devices will be Azure-joined, whether they will change their encryption settings, whether they will be managed by new software and whether they will change to use new VPNs and certificates.
• Identity management – Identify impacts to users accessing various resources, including whether single-sign-on (SSO) might need to be updated for certain applications and whether users will need to reconfigure multi-factor authentication (MFA).
• Third-party and custom applications – Look for both IT-approved applications and shadow IT. If there are applications quietly running on a computer sitting under somebody’s desk that are essential for an important business process, you need to know about them.
• Non-Windows systems – Unix-based systems, for example, might be relying on AD for authentication and authorisation services.

Uncovering all of these dependencies is essential to a successful migration. But there’s no report you can run in Active Directory to list every application that queries AD. And you’re not going to find a consultant or a tool that knows about all of them in your specific combination. And while you might have lots of internal expertise, nobody is an expert in Active Directory, Exchange, SQL, SharePoint and Office 365. So, do your best to be thorough, and also build time into your migration plan to deal with unknowns that pop up during the course of the project.

Look at the big picture.

Don’t just dive deep into your own migration planning; also remember to raise your head and see what else is going on across the organisation. In particular, you need to consider any other migration projects that might be happening, such as tenant-to-tenant migrations or a migration of on-premises mailboxes to Exchange Online. Co-ordinate with those teams on migration timing and strategies for minimising effort and risk.

Look for other initiatives beyond migrations as well. For example, is HR switching to a new management system? Will the infrastructure team be implementing new firewall restrictions? By working together, you can help ensure you’re not stepping on each other’s toes and that you have sufficient technical and support resources in place.

3. Strive for a comprehensive strategy – but build in flexibility. Remember that migration is much more than just the final move

Actually moving the data and workloads is only one part of a solid migration plan. Active Directory migration best practices require you to pay attention to all of the phases:

• Planning – Don’t skimp on the planning phase! Careful planning reduces the risk of business disruptions, schedule overruns and outright failures. In addition to performing a thorough discovery as discussed earlier, be sure to define and document your use cases, paying special attention to which departments are more flexible about interruptions and which cannot tolerate any downtime. Also be sure to identify all your stakeholders and establish robust project teams. While AD sysadmins are a critical part of the team, you will also want dedicated resources to help manage specific aspects of the project, such as white glove migrations, communications and application co-ordination.
• Build and test – Once the plan is in place, configure the tools you’ll be using. Then perform test migrations for each of the use cases you identified in order to identify issues that need to be resolved before you migrate any production users or devices.
• Pilot migrations – Start by migrating a small set of users, usually IT staff. Solicit their feedback and use it to refine the process before migrating business users and definitely before migrating VIPs.
• Velocity – Complete the remaining migrations.
• Post-migration validation and clean up – Make sure that all data and workloads have been successfully moved, clean up any problems that might have been introduced, and, if applicable, decommission the source environment when you’re satisfied it is no longer needed.

Know that careful planning reduces risk – but no plan survives contact with the enemy.

Even organisations that are well versed in Active Directory migration best practices often underestimate the time and effort required to complete all these phases. While technical teams are often handed required completion dates by management, if you do have the opportunity to help set the timeline for the project, be sure to push for sufficient time for all the phases and not just the migration jobs themselves.

Keep in mind this bit of wisdom from military strategist Helmuth von Moltke: No plan survives contact with the enemy. No matter how good your Active Directory migration plan is, it should be written in a way that respects that it’s going to have to change as you go through the migration process.

4. Address compliance from the beginning of the project

Understand your compliance obligations and document everything thoroughly.

Active Directory migration best practices also include compliance. Be sure to understand your organisation’s compliance requirements and build them into your migration plan. Think through how you can satisfy your obligations with policies, procedures and other controls – and be sure to thoroughly document both the underlying requirement and your strategy for meeting it. Merger and acquisition scenarios can complicate the process, since you need to understand the compliance requirements of the united organisation that will emerge from the deal, as well as the controls that each entity currently has in place.

Choose your controls thoughtfully, considering how they will impact users.

Remember that there is no one right way to achieve compliance. A useful metaphor is that it’s like completing a tax return. In any but the simplest financial scenario, if you gave all your tax information to 10 different CPAs, they might all come back with a different completed tax return. That’s okay; that’s how it works. What’s important is that after you submit that return, if the IRS has questions or wants to do an audit, you have good reasons for all the choices that you made. Similarly, you need to be able to provide defensible reasoning when compliance auditors ask about the IT controls you chose.

As you select the specific strategies for meeting compliance requirements, be sure to think about the user experience. For example, you might be considering a new password policy that changes what constitutes a valid password, or you might want to start encrypting users’ devices to help meet data protection mandates. These both clearly have an impact on users, which you should weigh in your decision-making.

Communicate with business users early and often.

Effective communication is critical to success, and it needs to go in both directions. On the one hand, you need to seek out input from users about what their needs are and how you can best support them. On the other, you must also help users understand the reasons behind the migration project, publish key dates ahead of time, provide details on any pre-migration tasks they need to complete, and prepare your support team so that they can address any questions during and after the migration. For example, once you have settled on your compliance controls, be sure to help users understand what they will need to do and why.

Use whichever communication paths work best for your organisation: user guides, FAQs, training sessions and so on. Without good communication, from a user’s point of view, your migration might be considered a failure simply because they didn’t know what to expect.

5. Look for ways to reduce risk

Consider a phased migration over time.

Even with proper planning, testing and pilots, migrating everyone at once entails significant risk. For starters, the migration engineers will be under enormous stress and the support team may be overwhelmed by the volume of calls. In addition, there is the very real risk that some migrations will not be complete by start of business the next day, especially if users are out of office or in different time zones.

For all but the smallest Active Directory migrations, a phased migration is usually a better and safer choice. Active Directory migration best practices recommend migrating users, devices and workloads in logical chunks, such as project teams or business departments. That way, the migration team can focus on each group’s unique needs and the support team’s ticket volume will remain far more manageable.

Of course, organisations need for business processes to continue throughout a phased migration. Quality migration tools provide coexistence between the source and target environments to minimise user impact. Coexistence often includes syncing of passwords and group membership to ensure seamless access to IT resources, as well as maintaining a unified address book to facilitate continued communication and collaboration regardless of any individual’s migration status.

Understand that tools can make or break your migration timeline.

Microsoft offers a free tool to help: Active Directory Migration Tool (ADMT). While ADMT can suffice for small migrations, it involves a slow and manual process that does not scale well for larger organisations. As a result, while you save on budget by using a free tool, you can end up spending an enormous amount of time and money on personnel to perform the migrations.

In addition, ADMT does not allow for much customisation or automation, and since it is a free tool, you will not get in-depth, personal support.

Conclusion

There’s no getting around it: Active Directory migrations are inherently complex and getting them right is essential for your business. To help ensure a successful project, follow the Active Directory migration best practices outlined here and consider enlisting an advanced migration solution that will simplify and automate the migration process.

To schedule a demo, contact Quest here : https://www.quest.com/register/96761/