Preparing Active Directory for the Cloud

Preparing Active Directory for the Cloud

IT departments in organizations of all sizes can expect to be moving resources to one cloud or another in the very near future. This is becoming a fact that all IT professionals are going to need to deal with in the coming years.

One factor that can impact the success of migrations to cloud services is the overall health and preparedness of your on-premises Active Directory. In my experience, this is a step that many organizations overlook in their move to cloud resources.

So, let's take a look at some of the steps an organization can take to prepare an on-premises Active Directory forest before moving resources to the Microsoft cloud. I assume many of these steps will also be relevant for migration to other cloud services, but my focus here is going to be Microsoft cloud services.

Why should I care if my AD is “ready” for the cloud?

Fair question. The point of moving to Office 365 or Azure is that Microsoft runs the infrastructure for those services for you. That infrastructure includes Azure Active Directory, so your organization’s on-premises Active Directory impact on Office 365 is limited.

On the other hand, your on-premises AD does contribute to your Office 365 tenant in several ways. First, the whole point of AAD Connect is to copy accounts from your on-premises AD into Azure AD. If those source accounts are poorly configured, then you will have poorly configured Azure AD accounts. It is worthwhile to ensure that all the information in your on-premises AD accounts is correct and complete. Phone numbers, managers, direct reports, office locations, and other information does get copied into Azure AD and may be relevant to how you use Office 365 services. Your cloud migration project is always a good time to complete that work that always seems to fall down the priority list without this sort of migration project.

What aspects of Active Directory should I check?

The easy answer here is “all of them." I suppose I can be somewhat more helpful than that though.

The first and most obvious AD remediation I would recommend is to clean up AD objects that will be synchronized into Azure AD via AAD Connect. IDFIx is the tool that Microsoft has created for that purpose, and I find it a great place to start.

Beyond what improvements you can get from the information provided by IDFIx, here are some other places I recommend customers review before moving to the cloud.

Password Policies – Passwords are a poor way to secure your accounts, and hopefully will be a thing of the past in the next few years but while we are still relying on them so heavily I strongly recommend customers review their password policies and make sure they reflect the current best practice guidance.   NIST provides current password guidance. that is useful.  I have a series of blog posts on my personal blog addressing my recommendations for securing accounts in Azure AD as well.

Organizational Units – OUs are one the primary ways organizations use to keep track of where objects are in AD. They are also the best way to filter what objects are synchronized into Azure AD via AAD Connect. Ensuring your organization’s OUs are well configured before you start sync’ing AD to Azure AD is a really good idea that will probably save lots of headaches down the road.

Group Policy Objects – Microsoft has recently added a preview feature to Intune that will analyze on-premises GPOs and give you information about how they will translate to related cloud settings. Microsoft has good resources for additional information on these and other Intune UI updates and features.

This tool is not for “migrating” your GPOs to the cloud but instead shows you what on-prem GPO setting you have in place that can be replicated within Intune. No doubt this functionality will grow and improve over time.

DNS – A well setup DNS deployment is essential to Active Directory health. While this can be setup outside of Active Directory, many organizations use Active Directory integrated DNS so I am including it on the list here.

Make sure your DNS is clean and well organized, and all lookups work as expected. TTL values can be very important in cloud migrations where many changes are being made. Differences in internal and external responses should be well understood as a cloud migration will likely bring changes in where specific resources are finding their DNS results.

Overall, Active Directory Health Monitoring – This seems a little self-evident to warrant much space in this post, but I find that when I work with customers to do a migration there is often work to be done on this front. Replication, time services, disabled accounts, backup and restore procedures, trusts, site configuration, and group configuration and organization are all important. Other AD based services like Certificate Authorities and AD FS servers can also be very important to the success of your migration depending on the configuration you use.

Documentation – Documentation is probably the most important part of maintaining your Active Directory deployment unless your working in a one-person shop, and probably even then. If your organization is subject to any sort of compliance rules, good documentation is the most important step to meeting those obligations.

Wrap up

Your cloud migration success will very likely be affected by the health of your on-premises Active Directory, and possibly in ways you will not initially expect. My personal experience has taught me to be very careful with a review of the on-premises Active Directory before attempting to start any cloud migration.

There is a lot of ground that can be covered in ensuring that your on-premises Active Directory is up to snuff. It can be a time-consuming process, but it is one I find well worth the effort.

Active Directory Monitoring and Reporting

Active Directory is the foundation of your network, and the structure that controls access to the most critical resources in your organization. The ENow Active Directory Monitoring and Reporting tool uncovers cracks in your Active Directory that can cause a security breach or poor end-user experience and enables you to quickly identify and remove users that have inappropriate access to privileged groups (Schema Admins, Domain Administrators). While ENow is not an auditing software, our reports reduce the amount of work required to cover HIPAA, SOX, and other compliance audits.

Access your FREE 14-day trial to accelerate your security awareness and simplify your compliance audits. Includes entire library of reports.