Getting Active Directory ready for a bulletproof migration
February 14, 2019
When you’re planning any major IT transformation, we recommend that you do what the great craftsmen do: Measure twice. Cut once. That’s because we’ve seen it happen time and again. You spend all this effort creating a pristine plan and understanding the cool new features of the platform you’re migrating to. You market those features to your users, to help show them how it will be a change for the better. And then the moment you start migrating, you run into issues. Now you have to stop the project and remediate these problems before you can keep going.
Sound familiar? It happens to a lot of organizations. Here’s how you prevent this from happening to you. Before you load up your migration software and start moving users to the cloud, you should take the time—as much time as it takes—to find and fix issues with your Active Directory environment. Depending on the complexity of your environment, this discovery phase can take longer than the migration itself.
Potential issues in Active Directory
If you’re like many organizations, you’ve had Active Directory in place since the early Windows 2000 days. That could mean 17+ years of different admins, IT changes, and mergers. You might not be able to easily find issues and inconsistencies with most monitoring tools. As a result, most companies don’t realize how important it is to perform an Active Directory discovery before they migrate their messaging. So they tend to run into issues during their migration instead.
Problems with Active Directory tend to cause serious scope creep. Here are some things to watch out for:
- Duplicates in multiple forests: A lot of accounts exist in multiple forests. This results in duplicate accounts, which complicate the synchronization process and make it hard to know which ones to keep and which are dupes.
- Technical issues: Invalid or illegal characters in attribute values, and UPNs whose suffix isn’t Internet-routable, are just some of the issues you’ll find when you’re trying to set up directory sync to Office 365.
- Limitations on access tokens: When you migrate a user account from one forest to another, you’re also bringing along the security identifiers (SIDs) from the old forest (the user’s SID history) so they can be added to the user’s access token. Think of an access token as a keyring, and each SID as a key on the keyring. The fact is, some servers can accept only a certain number of keys. So what happens if you’ve migrated several times and you have 100 keys, but older servers can read only 70? It means that 30 of your keys are randomly discarded. Access that depends on one of those keys could work one day and be denied the next. Situations like this can be hard to troubleshoot, to say the least.
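As an added example (not Binary Tree’s tooling or Microsoft’s IdFix), here is a small discovery pass that flags the three kinds of issue above in a user export from two forests. The account rows, the list of routable UPN suffixes, the invalid-character rule and the SID-history threshold are all constructed assumptions for illustration; in a real run you would build the rows from `Get-ADUser -Properties userPrincipalName,mail,sIDHistory` in each forest.

```powershell
# Added example: pre-sync discovery over a merged user export. Not a Binary Tree tool.
function Find-DirectorySyncIssues {
    param(
        [object[]]$Accounts,
        [string[]]$RoutableSuffixes = @('contoso.com'),  # assumed: domains verified in Office 365
        [int]$MaxSidHistory = 4                           # assumed: conservative ceiling for this example
    )
    # Simplified (assumed) rule: characters not accepted in sAMAccountName or the UPN prefix
    $invalidChars = '[\s"/\\\[\]:;|=,+*?<>]'

    foreach ($a in $Accounts) {
        $prefix, $suffix = $a.UserPrincipalName -split '@', 2
        if ($RoutableSuffixes -notcontains $suffix) {
            [pscustomobject]@{ Issue = 'NonRoutableUPN';    Forest = $a.Forest; Account = $a.SamAccountName; Detail = $suffix }
        }
        if ($a.SamAccountName -match $invalidChars -or $prefix -match $invalidChars) {
            [pscustomobject]@{ Issue = 'InvalidCharacters'; Forest = $a.Forest; Account = $a.SamAccountName; Detail = $a.UserPrincipalName }
        }
        if ($a.SidHistoryCount -gt $MaxSidHistory) {
            [pscustomobject]@{ Issue = 'TokenBloatRisk';    Forest = $a.Forest; Account = $a.SamAccountName; Detail = "$($a.SidHistoryCount) SIDs in sIDHistory" }
        }
    }

    # The same mailbox identity appearing in more than one forest: the duplicates that confuse sync
    $Accounts | Where-Object { $_.Mail } | Group-Object -Property Mail |
        Where-Object { $_.Count -gt 1 } | ForEach-Object {
            [pscustomobject]@{
                Issue   = 'DuplicateAcrossForests'
                Forest  = ($_.Group.Forest -join ',')
                Account = ($_.Group.SamAccountName -join ',')
                Detail  = $_.Name
            }
        }
}

# Constructed sample rows standing in for a Get-ADUser export from forests "corp" and "acquired"
$sample = @(
    [pscustomobject]@{ Forest='corp';     SamAccountName='jdoe';    UserPrincipalName='jdoe@contoso.com';    Mail='jdoe@contoso.com';   SidHistoryCount=2 }
    [pscustomobject]@{ Forest='acquired'; SamAccountName='jdoe';    UserPrincipalName='jdoe@fabrikam.local'; Mail='jdoe@contoso.com';   SidHistoryCount=5 }
    [pscustomobject]@{ Forest='corp';     SamAccountName='a smith'; UserPrincipalName='a smith@contoso.com'; Mail='asmith@contoso.com'; SidHistoryCount=0 }
    [pscustomobject]@{ Forest='corp';     SamAccountName='svc_old'; UserPrincipalName='svc_old@corp.local';  Mail='';                   SidHistoryCount=0 }
    [pscustomobject]@{ Forest='acquired'; SamAccountName='mlee';    UserPrincipalName='mlee@contoso.com';    Mail='mlee@contoso.com';   SidHistoryCount=9 }
)

Find-DirectorySyncIssues -Accounts $sample | Sort-Object Issue, Account | Format-Table -AutoSize
```

Each finding carries the forest and account it came from, so the output can be handed straight to the owners of each forest as a remediation list before sync is turned on.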
Do an inventory
If you haven’t done a deep dive on your Active Directory environment in a while, where do you start? First, do a discovery on your on-premises AD environment. To help take stock, there are great tools available from Microsoft and third-party vendors. Use them to inventory all of your accounts and what they’re for. Take a look at your forests and how they’re configured. Is it an account/resource forest model or an empty-root model? If you have multiple forests, you likely have trusts pointing in all different directions, which can easily form a tangled mess and introduce security risks.
Simplify and consolidate
Now that you know what you have, you can make intelligent decisions to simplify, consolidate, or otherwise clean house. Let’s assume that you do a discovery and find that you have multiple domains. So you decide you need to simplify, collapse, or consolidate your existing forests. As you go down that path, you need to understand how permissions are granted across those forests, since permissions you don’t account for can also cause issues later.
Partner with an expert
This up-front discovery can be the most time-consuming part of your migration project. If your in-house IT team doesn’t have the time or expertise to do a thorough discovery, this is a great opportunity to hire an expert like Binary Tree. We can do an Active Directory Assessment to help you find and fix issues with your AD environment, before they derail your migration. Contact us to get started.