Welcome. This is Quest Unscripted.
A vlog series on trending topics.
And Quest solutions related to Active Directory.
Office 365.
Oh, and don't forget, Azure AD.
You are here because you have questions.
We're here because we have answers.
I think.
We will address questions we've received from customers.
Who experience the same challenges as you.
All with the goal of helping you confidently move.
Manage.
And secure.
Your Microsoft environment.
We call the show Quest Unscripted because.
Except for this intro.
Nothing we say is scripted or rehearsed.
And we're pretty sure you'll notice that right away.
Hey, Joe. Welcome to Quest. I know you came through our Binary Tree acquisition.
Yep.
Now, one thing that comes to mind when I'm thinking about Quest versus Binary Tree is we've both had this cached credential utility. Can you talk to me about the Binary Tree cached credential utility and maybe how that differs from what Quest has been doing?
Yeah, sure. So the idea, to give you a little bit of background, is that the offline domain join, the cached credentials function, is used when doing Active Directory migrations where people aren't coming into an office.
Like COVID-19, right?
Yeah, exactly. With COVID everybody works from home, and trying to do Active Directory migrations with people at home is kind of a challenge. And so the process is that we can move those machines into another domain using some utilities. And there are, how should I say it, Microsoft ways, which are typical, manual methods.
And then within the Binary Tree product, Migrator Pro for Active Directory, we've actually integrated those functions within the product. So it's two things. It's two steps. It's caching credentials and actually doing the offline domain join.
Well, let's talk about it for just a second. Cached credentials, why is that important? My understanding is if I don't update the cached credentials and I'm not online and my account changes--
You're stuck.
I can't do anything.
Yeah. So it's a big deal. So what happens is that it's really easy to move a machine from one domain to another domain. So Microsoft requires you to reboot. You reboot your machine, you hit Ctrl-Alt-Delete and you type in your target credentials, and there's no DC to validate your credentials with.
What do you do?
What do you do? You're locked out of your machine. And so what the process does is it actually will cache your target credentials on your machine prior to actually doing the domain join and moving that machine into the domain. So that when the reboot actually happens, you hit Ctrl-Alt-Delete, you type in your password, it's using those cached target creds to allow you access to that machine, and then at that point you can get into your VPN tunnel and connect in as you normally would.
The challenge is that if you try to use, say, the cached credentials utility, there's a lot of stuff that has to happen. It isn't automated.
Now, that's the cached credential utility from Quest?
From Quest, yes. And that it's kind of there as a separate function.
But it gets the job done.
It gets the job done, absolutely. There's no question about that. And in fact, Binary Tree uses the same type of methodology to do it. However, what we've done is that we've integrated that cached credentials function into the product so that when you're looking at a list of machines and who's getting migrated, you select a group of remote workers and you say "cache credentials, perform this operation."
What happens then is that automatically the user will get a big box that pops up on their workstation that says, hey, we're getting ready to migrate you. We need to validate your credentials in the target before we do the migration. They put in their password and it's done.
So my understanding is the Binary Tree tool, it understands which computer it's associated with. Is that how that works?
Yeah.
That's cool.
We build the list and we push it out and it takes care of all of those things just automatically. So again, that's one of the things that's really nice about it is that it's an integrated thing. Integrated into the function and integrated into the migration of the users. So you don't have to do anything special in order to make that work from an end user perspective.
A couple of things. Really, really important before we kind of talk a little bit more about this. But talking about requirements associated with caching credentials. So we often deal with customers that are doing divestitures or migrations where we can't establish a trust, a forest trust, between the source and target environments.
I think that's happening more frequently with security concerns as well, right?
Yes, exactly. And the problem with that is that in a normal type of Active Directory migration where everybody's in an office, it doesn't matter. The Binary Tree tools are kind of really designed not to need any trust for anything, except for when we're doing the caching credentials function.
And so the way it works technically is that the user gets a box that pops up, says put in your credentials. It reaches into the source DC. The source DC then needs to reach out to the target DC to validate those credentials. Because otherwise, how would you validate them?
The challenge with it is that in order to make that work, the source environment has to trust the target environment. OK.
Has to be able to see it.
Yeah. To be able to get those credentials cached on that machine, source has to trust target. Now, we talk with customers every day, they're like, oh my gosh, we can't do that. We can't do any type of trust for any reason whatsoever. And you go back and say, well, then you're going to have to have your users FedEx their machines in. Or they're going to have to drive into an office to be able to have IT do it.
We wrote up a really big, really good, detailed white paper on the whole process that we can send out to our customers. But generally speaking, what we do is we tell them, look, make a transient trust. Set it up for a short period of time, monitor it. Send out the cached credentials job, get those users to validate those credentials. As soon as they're done, shut it off and move forward.
Lower the risk of anything adverse happening.
Right.
If the benefit outweighs the risk, go ahead and do it.
Yes. Exactly. And the reality of it is that most people, once we give them the paper, once we explain what's happening, how it's working, and the fact that they can put the trust on or off as much as they need to, most companies will be OK with that. But again, it's really important to understand the requirements associated with doing any type of caching credentials and getting that one-way trust established, at least for the short term while you're doing that job.
And then going back to the BT product, the offline domain join function is again built in. You click a button, move the machines, done. So very simple, very straightforward. We wanted to try to make this as easy as we could for the people running the migrations as well as, obviously, the end users, and that's why we spent so much time putting that process into the product.
Are there any caveats or challenges that customers are faced with when using this, the kind where "if only I had known to do this, I wouldn't have had that issue"? Or does it pretty much just work?
It pretty much just works. It's fairly straightforward. It doesn't support Linux or Unix machines. It doesn't support Mac. But otherwise, it works great.
I think the beauty of it is the users are doing it themselves, and they have rights to their profile by default, so it's just fill in the information for them, right?
Yeah, exactly.
Right.
Exactly right. Yeah. It's a great function. It makes things a lot easier. Again, it makes the project time much shorter from a professional services perspective. There isn't a lot of training that's necessary to show them how it all works. It's all fairly compartmentalized and packaged up.
Well, thank you, Joe. I definitely appreciate the time.
Yeah, absolutely.