3 steps to consolidate Active Directory after a merger
December 20, 2018
Day one of your merger or acquisition is in the books. You pushed hard to make sure users could start collaborating right out of the gate. You set things up so users could look each other up in a shared directory, send emails inside and outside the organization, and schedule meetings.
Now, you’ve got some breathing room to migrate everyone onto a single IT infrastructure. And it starts with the foundation of your messaging system: Active Directory. In this post, we walk you through three key steps to sync your existing Active Directory instances, then integrate and migrate them into a new, evolved infrastructure.
1. Integrate your directories
The first step is to sync any separate Active Directory instances so users in each environment can work together as one organization. If you already did this as part of your prep for day one, skip down to step 2. However, it’s more likely that all you were able to do by day one is sync the email directories. So there’s more work to do, and here’s how to proceed.
Sync directories. Before and during your migration, each of the merging directories will need to keep serving its own objects. Each directory has its own set of users, groups, devices, and other objects that it continues to support. Plus, you will likely need to keep adding and modifying objects over the course of your migration. So your first task is to continuously sync the two directories. When you make a change to one of the instances, you want it quickly reflected in the other.
Set up a trust. When you sync directories, you’re setting them up so that both environments will need to contain two sets of objects going forward, not just one. To allow this, you might need to establish a “trust” between the two directories, which sets them up to support new objects. The goal is to let users of each organization easily access resources in the other organization—like servers, workstations, printers, and other devices. Users might also need to access data in the other environment, and data can be located on different file shares or SharePoint sites in a different directory.
Update admin policies. When you combine organizations, you also tend to end up with different sets of system admins. Very often, these admins will need to manage objects in a directory to which they previously had no access. So when we talk about establishing trust between directories, it’s more than just “technical” trust. It’s also a matter of human trust: trusting that admins from the new group will follow the policies of the admins in the old group. To that end, you might need to update your admin policies to better serve the needs of a combined organization.
As a result of all these activities, you’ll end up with an integrated Active Directory environment. That's the first step.
2. Build a new AD environment
Now that you’ve integrated two or more legacy directories, you need to design an ideal directory structure that works for the combined organization. Can one of your existing directories satisfy your needs? It’s possible. But most often, you’ll need to build out a new Active Directory infrastructure.
Building a new directory will help make sure that you can satisfy the combined needs and requirements of the new organization. And it sets you up to scale to meet new requirements as you grow in the future. After all, the new organization likely has bigger goals than either of the formerly separate organizations.
To start down this path, you should first assess the needs of the new organization. Here are some questions to ask:
- What should you do about existing objects, groups, devices, data, security, operations, and policies?
- How does your new organization view all of these components? And what needs to happen with them in the future?
- What do you need to build to satisfy these views and needs?
- How can you make your new AD infrastructure scalable for future growth?
3. Migrate the old into the new
For this step, we assume that you decided to create a brand-new Active Directory instance for your new organization. To do this, you start by designing and deploying the new instance. Then you need to sync it with your legacy directories and start migrating data over. Here’s how.
Sync the old with the new. Before you can start migrating data over to your new directory, you have to sync your legacy environments with the new one. As we talked about in step 1 above, all of the directories involved have to be integrated so they can interoperate. If you’re setting up a new Active Directory as yet a third separate instance, you have to establish a coexistence/interoperability triangle, which means you should integrate all of your legacy directories with the new one.
Choose a cut-off point. This is the point where you decide that you’re no longer putting new objects into your legacy directories. Going forward, you’re going to start using the new Active Directory for all newly created objects, be they users, groups, servers, printers, workstations, or whatever else is managed by the directory.
Move your data. Now you can start gradually moving old legacy objects and applications into the new directory. For larger organizations, this process likely won’t happen overnight. More often than not, it's going to take some time. And that's why interoperability is so critical.
Retire your legacy directories. When you’re finished migrating, you’re ready to retire your legacy directories. This often isn’t as easy as removing the machines that house domain controllers. It also means removing any traces of the old naming structures and old object attributes from the new infrastructure. So the actual process of retirement is not just retirement. It's also one of cleansing the new infrastructure of any references to the old one.
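One way to check the cut-off point and the pre-retirement cleanup described in this step, as an added example that is not part of the original post. The server names, the legacy suffix and the cut-off date are placeholders, and the choice of sIDHistory, userPrincipalName and mail as the "old references" to look for is an assumption; the post does not name specific attributes.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Placeholders: replace with your own values.
$LegacyServer = 'dc01.legacy.example'   # a domain controller in a legacy directory
$NewServer    = 'dc01.new.example'      # a domain controller in the new directory
$LegacySuffix = 'legacy.example'        # old DNS / UPN suffix to look for
$CutOff       = Get-Date '2019-01-01'   # the agreed cut-off point

# 1. Cut-off check: users, computers and groups created in the legacy directory
#    after the cut-off were provisioned in the wrong place.
#    (Computer objects also match objectClass=user.)
$stamp = $CutOff.ToUniversalTime().ToString('yyyyMMddHHmmss') + '.0Z'   # LDAP generalized time
$late = @(Get-ADObject -Server $LegacyServer -Properties whenCreated `
    -LDAPFilter "(&(|(objectClass=user)(objectClass=group))(whenCreated>=$stamp))")

# 2. Old object attributes: objects in the new directory that still carry sIDHistory
#    (assumed here to be one attribute worth reviewing; the post does not name any).
$withSidHistory = @(Get-ADObject -Server $NewServer -Properties sIDHistory `
    -LDAPFilter '(sIDHistory=*)')

# 3. Old naming structures: accounts in the new directory whose UPN or mail address
#    still uses the legacy suffix.
$oldNames = @(Get-ADUser -Server $NewServer -Properties mail `
    -LDAPFilter "(|(userPrincipalName=*@$LegacySuffix)(mail=*@$LegacySuffix))")

# Summary first, then the detail rows for whoever owns the cleanup.
[pscustomobject]@{
    CreatedInLegacyAfterCutOff = $late.Count
    StillHasSidHistory         = $withSidHistory.Count
    StillUsesLegacySuffix      = $oldNames.Count
} | Format-List

$late           | Select-Object Name, ObjectClass, whenCreated, DistinguishedName | Format-Table -AutoSize
$withSidHistory | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize
$oldNames       | Select-Object SamAccountName, UserPrincipalName, mail | Format-Table -AutoSize
```

Run it while the legacy domain controllers are still reachable; all three counts should be zero, or explained, before the legacy directories are decommissioned.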
There you have it. These are the three high-level steps to an Active Directory transformation. If you need help working through the details and nuances of your project, Binary Tree is standing by. See more about how we can help you transform your Active Directory.