Measure Twice. Cut Once. Preparing Active Directory for a Bulletproof Exchange Migration

When planning for any major IT event, I caution you to take the advice of carpenters, construction workers, and other tradespeople: Measure Twice. Cut Once. My point being that before your enterprise loads up the migration software and moves its users to the cloud, you should take the time—as long as it takes—to perform an Active Directory Discovery.

Here’s why: Many customers may have had their Active Directory since the early Windows 2000 days. That could mean fifteen years of different administrators, IT changes, and M&A activity lurking throughout the company’s Active Directory! Furthermore, those changes will likely never surface with most monitoring tools. As a result, most companies don’t realize how important it is to perform an Active Directory discovery session before an email migration. At a high level, these should be considered to be two distinct events: the Discovery and the Migration.

Here are some typical problems encountered during the Discovery process:

  • Multiple forests: The same people often have accounts in more than one forest. These duplicates complicate directory synchronization and make it hard to decide which account to keep and which to retire.
  • Technical issues: Invalid or illegal characters in account attributes and non-Internet-routable UPNs are just some of the issues you’ll encounter when setting up directory synchronization to Microsoft Office 365.

Warning: These and other problems may contribute to serious scope creep that can completely derail your migration project!

Believe me, I know. You spend a lot of time creating a pristine plan and understanding all of the cool new features, and marketing those features to your customer base as change for the better. Then you go to set up your Active Directory synchronization – only to encounter all of these problems because you didn’t perform a Discovery. Now you have to stop the project and remediate these problems before you can even start migrating.

Where should you start if you haven’t done an AD deep dive for quite some time? First, perform a Discovery of your on-premises AD environment. Understand all of the accounts, all of the forests, and how your AD structure is configured (account/resource or empty-root model). If you have multiple forests, you likely have trusts pointing in all different directions – forming a tangled mess and imposing security risks. To prepare, there are some great discovery tools from Microsoft and from third parties. From there, you can make intelligent decisions to simplify, consolidate, or otherwise clean up the mess.

Let’s assume that you perform a Discovery and have domains all over the place and decide to simplify, or basically collapse/consolidate your existing forests. Once down that path, you have to understand how permissions are granted – which can also cause issues. When you migrate a user account from one forest to another, you’re also bringing along all the security identifiers (SIDs) so they can be added to the user’s access token. Think of an access token as a keyring, and each SID is a key on the keyring. Fact is, some servers can only accept a certain number of keys. What happens if you’ve migrated several times and you have a hundred keys, but older servers can only read 70? That means that 30 are randomly discarded. One of those keys could allow access one day and deny it the next! Situations like this are very difficult to troubleshoot, to say the least.  
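As an added example (not code from this post or from Binary Tree), here is a read-only PowerShell sweep that surfaces the Discovery findings described above: logon names duplicated across forests, missing or non-routable UPN suffixes, illegal characters in the UPN prefix, and accounts dragging a long sIDHistory into their access token. The forest names, the routable-suffix list, the sIDHistory threshold, the UPN character allow-list and the output file names are placeholders and assumptions to adjust for your environment.

```powershell
# Added example (not the post's or Binary Tree's code): a read-only discovery sweep for the
# findings described above. Assumes the RSAT ActiveDirectory module and read access to each forest.
Import-Module ActiveDirectory

$Forests          = @('corp.example.com', 'legacy.example.net')  # placeholder forest root DNS names
$RoutableSuffixes = @('example.com')                             # placeholder: domains verified in Office 365
$SidHistoryWarn   = 10                                           # assumption: review accounts at or above this

# Allow-list for the UPN prefix (assumption drawn from Microsoft's directory-sync guidance; verify current docs)
$UpnPrefixPattern = "^[A-Za-z0-9'._!#^~-]+$"

# 1. Inventory every enabled user in every forest with just the attributes the checks need
$Inventory = foreach ($Forest in $Forests) {
    Get-ADUser -Server $Forest -Filter 'Enabled -eq $true' -Properties UserPrincipalName, mail, sIDHistory |
        ForEach-Object {
            $Prefix, $Suffix = "$($_.UserPrincipalName)" -split '@', 2
            [pscustomobject]@{
                Forest          = $Forest
                SamAccountName  = $_.SamAccountName
                Mail            = $_.mail
                UPN             = $_.UserPrincipalName
                UpnPrefix       = $Prefix
                UpnSuffix       = $Suffix
                SidHistoryCount = ($_.sIDHistory | Measure-Object).Count
            }
        }
}

# 2. Technical issues: missing or non-routable UPN suffix, or illegal characters in the prefix
$BadUpn = $Inventory | Where-Object {
    [string]::IsNullOrEmpty($_.UpnSuffix) -or
    ($RoutableSuffixes -notcontains $_.UpnSuffix) -or
    ($_.UpnPrefix -notmatch $UpnPrefixPattern)
}

# 3. Token-bloat candidates: accounts carrying many migrated SIDs along in sIDHistory
$SidHeavy = $Inventory | Where-Object { $_.SidHistoryCount -ge $SidHistoryWarn }

# 4. Duplicates: the same logon name present in more than one forest
$Duplicates = $Inventory | Group-Object SamAccountName |
    Where-Object { @($_.Group.Forest | Sort-Object -Unique).Count -gt 1 }

# Remediation decisions come later; here the output is just evidence for the Discovery report
$BadUpn     | Export-Csv -NoTypeInformation .\discovery-upn-issues.csv
$SidHeavy   | Export-Csv -NoTypeInformation .\discovery-sidhistory.csv
$Duplicates | ForEach-Object { $_.Group } | Export-Csv -NoTypeInformation .\discovery-duplicates.csv
```

The script only reads the directory and writes CSVs, so it can be run repeatedly while the Discovery is refined before any account is touched.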

Some other considerations:

  • Typically, the upfront Discovery is one of the most time-consuming components of the project, which makes it hard to sell. As expected, duration of this project is dependent on the size and complexity of the organization.
  • Who should conduct the Discovery? Those performing the actual migration—a trusted third party and/or the IT team.
  • We at Binary Tree utilize a best practices roadmap based on our experience performing thousands of enterprise migrations, so we’re a great resource and a good place to start.

Need more information? Then sign up for our upcoming webinar where fellow Binary Tree MVP Gary Steere and I will discuss all of the above and more when it comes to preparing for a bulletproof enterprise migration.