Active Directory Migration Done Right: A Holistic Approach
April 16, 2015
Active Directory (AD) is a critical cornerstone of your IT infrastructure. Therefore, any effort to migrate the AD environment must be planned very carefully in order to reduce risk and manage complexity.
This post will introduce you to a holistic, four-phase approach to performing an AD migration. It is not a project plan. We aim to give you guidance on what truly matters when creating the plan and selecting appropriate technology that will ensure a smooth transition.
Let’s first focus on preparation and the importance of establishing interoperability between the source and target environments.
Phase I: Prepare for Your Migration
Preparation is imperative: it ensures that you can carry out the transition and that interoperability allows your objects (users, groups, applications, etc.) to function properly, regardless of the state of migration.
Planning and Design: The better the planning, the smoother the migration.
First, determine the estimated or desired duration of this transition, which, by the way, should never be dictated by technology. The business requirements and expectations always take precedence. Sometimes the migration needs to be accomplished as quickly as possible; other times, it should be done gradually to allow for the completion of other important activities, such as a hardware upgrade or an operating system upgrade. The business drivers will guide you to the proper duration and ultimately dictate the planning and design.
Analysis and Remediation
This is your time to understand how the new objects will correspond to the old ones to prevent any conflicts and avoid potential duplicates. Additionally, you should take the opportunity to clear out any “dead weight” – objects that are no longer used.
Interoperability Between Environments
Finally, you want to establish directory synchronization and interoperability between the environments so, as you make the transition, user or application workflow and productivity are never interrupted and objects can operate in the manner that is required by the business.
Phase II: Back-end Transition
This phase encompasses the migration of AD users, groups, and other objects and properties. There’s really not much sophistication to the actual migration. You know what the objects are and what they need to be, so you move them according to the plan established in the preparation phase. What’s important is your ability to move from the source to your target environment, according to pre-defined rules based on business needs.
There’s nothing magical about the back-end migration until you start thinking about nuances like changing names, or consolidating locations, especially in M&A situations. For example, if JaneDoe becomes DoeJ, you need to make sure that your object matching/mapping is facilitated by the selected migration technology—and not all technologies accomplish that easily, if at all.
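The analysis step from Phase I and the name-mapping problem above can be rehearsed on an export before any object is moved. The following is an added example, not code from the original post or from any migration product: the sample accounts, the surname-plus-initial naming rule, and the 180-day staleness threshold are all assumptions chosen for illustration.

```powershell
# Constructed sample data standing in for a source-domain export and the
# accounts that already exist in the target domain (all values hypothetical).
$source = @(
    [pscustomobject]@{ Sam='JaneDoe';  GivenName='Jane'; Surname='Doe';   Enabled=$true;  LastLogon=[datetime]'2015-04-01' }
    [pscustomobject]@{ Sam='JohnDoe';  GivenName='John'; Surname='Doe';   Enabled=$true;  LastLogon=[datetime]'2015-03-20' }
    [pscustomobject]@{ Sam='AmyLee';   GivenName='Amy';  Surname='Lee';   Enabled=$true;  LastLogon=[datetime]'2015-04-10' }
    [pscustomobject]@{ Sam='BobStone'; GivenName='Bob';  Surname='Stone'; Enabled=$false; LastLogon=[datetime]'2013-01-15' }
)
$targetExisting = @('LeeA')          # names already taken in the target
$asOf      = [datetime]'2015-04-16'  # fixed date so the result is reproducible
$staleDays = 180                     # assumed threshold for "no longer used"

function Get-TargetName($User) {
    # Assumed naming rule: surname + first initial (JaneDoe -> DoeJ).
    $User.Surname + $User.GivenName.Substring(0, 1)
}

# Account names are compared case-insensitively, so the set of taken names is too.
$taken = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]$targetExisting, [System.StringComparer]::OrdinalIgnoreCase)

$plan = foreach ($u in $source) {
    $new = Get-TargetName $u
    # Stale objects are checked first so they never reserve a target name.
    $status = if (-not $u.Enabled -or ($asOf - $u.LastLogon).TotalDays -gt $staleDays) {
        'Skip-Stale'
    } elseif (-not $taken.Add($new)) {
        'Conflict'      # clashes with an existing or already planned target name
    } else {
        'Migrate'
    }
    [pscustomobject]@{ Source = $u.Sam; Target = $new; Status = $status }
}
$plan | Format-Table -AutoSize
```

With this data JaneDoe maps cleanly to DoeJ, JohnDoe collides with her, AmyLee collides with the existing LeeA, and BobStone is set aside as dead weight, which is the list of decisions that has to be resolved before the back-end move.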
Phase III: Front-end Migration
This consists of preparing your devices (workstations, laptops, and servers) for the new user accounts before migrating to the new AD.
Re-ACL (Access Control List, not the ligament in your knee) of Workstations and Servers
This is the process of appending all of the rights your new accounts will need in the new environment. You want to properly prepare for a seamless transition AND a seamless rollback, in the event something is not correctly identified. In preparation for the transition, a number of devices with varying degrees of access to your network must be properly modified and re-permissioned to reflect the AD changes. Sounds obvious; however, today’s highly mobile workforce presents specific challenges in preparing for a migration.
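The additive nature of re-ACLing, and why it preserves rollback, is easiest to see on a single file-system object. The following is an added example, not code from the original post: the function name `Add-TargetAce`, the `-ReportOnly` switch, and the SID map are hypothetical, the SIDs are constructed placeholders, and only NTFS permissions are covered (registry keys, shares, and local groups need the same treatment with their own APIs).

```powershell
# Hypothetical source-SID -> target-SID map produced by the account migration.
# The SIDs below are constructed placeholders, not real values.
$sidMap = @{
    'S-1-5-21-1111111111-1111111111-1111111111-1105' = 'S-1-5-21-2222222222-2222222222-2222222222-2210'
}

function Add-TargetAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Map,
        [switch]$ReportOnly          # count what would change without writing
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path
    # Explicit ACEs only; inherited ones are handled where they are defined.
    $explicit = @($acl.GetAccessRules($true, $false, $sidType))
    $added = 0
    foreach ($ace in $explicit) {
        $newSid = $Map[$ace.IdentityReference.Value]
        if (-not $newSid) { continue }   # ACE does not belong to a migrated account
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            [System.Security.Principal.SecurityIdentifier]::new($newSid),
            $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        # Append only: the source ACE is left in place, so the old account
        # keeps working and a rollback requires no ACL change at all.
        $acl.AddAccessRule($rule)
        $added++
    }
    if ($added -gt 0 -and -not $ReportOnly) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    [pscustomobject]@{ Path = $Path; AcesAdded = $added; Written = ($added -gt 0 -and -not $ReportOnly) }
}

# Dry run against a local folder; with placeholder SIDs nothing matches.
Add-TargetAce -Path $env:TEMP -Map $sidMap -ReportOnly
```

Source ACEs are removed only in a separate cleanup pass after the cutover has been accepted, since deleting them earlier is what makes a rollback painful.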
Cutover of Devices
In a complex and distributed network, you’ve taken precautions to intentionally close down certain access methods for remote devices to reduce your security risks, so make sure your technology solution can handle updating the laptops and other remote machines before you cut them over to the new environment.
Phase IV: Application Migration
There are really two categories: Microsoft standard applications (such as Exchange, Lync, SQL, and SharePoint) and third-party applications. In order to enjoy uninterrupted productivity, you want to verify full operation of these applications regardless of the transition state. Sometimes applications will be part of the migration; other times, they will remain unchanged until a future moment, yet AD objects will always relate to these applications regardless of the migration status.
Traditional Microsoft applications are relatively straightforward; however, in most cases, third-party applications will require custom approaches to integrate with the AD migration.
We think this four-phase approach is the soundest way to handle your next AD migration. We hope it gives you a new way of looking at your migration holistically, by breaking it down into phases and cautioning you to select the proper technologies. Join us at our webinar on April 23rd to learn more about these critical needs and how to make your AD migration seamless and successful.