Measure Twice Cut Once: Getting Active Directory Ready for a Migration
When you are planning any major IT transformation, we recommend that you do what the great craftsmen do: Measure twice. Cut once. That’s because we have seen it happen time and again. You spend all this effort creating a pristine plan and understanding the cool new features of the cloud platform you are migrating to. You market those features to your end users, to help show them how it will be a change for the better. And then the moment you start migrating, you run into issues. Now you have to stop the project and remediate these problems before you can keep going.
Sound familiar? It happens to a lot of organizations. Here’s how you prevent this from happening to you. Before you load up your migration software and start moving users to the cloud, such as Microsoft 365, you should take the time—as much time as it takes—to find and fix issues with your Active Directory environment. Depending on the complexity of your environment, this discovery phase can take longer than the migration itself.
Potential issues in Active Directory
If you are like many organizations, you have had Active Directory in place since the early Windows 2000 days. That could mean over 20 years of different admins, IT changes, and mergers. You might not be able to easily find issues and inconsistencies with native monitoring tools. As a result, most companies don’t realize how important it is to perform an Active Directory health check before they migrate their messaging. So they tend to run into issues during their migration instead.
Problems with Active Directory tend to cause serious scope creep. Here are some things to watch out for:
Duplicates in multiple forests: A lot of accounts exist in multiple forests. This results in duplicate accounts, which complicate the synchronization process and make it hard to know which ones to keep and which are dupes.
Technical issues: Invalid characters, illegal characters, and non-Internet routable UPNs are just some of the issues you will find when you are trying to set up directory sync to Office 365.
Limitations on access tokens: When you migrate a user account from one forest to another, you are also bringing along all the security identifiers (SIDs) so they can be added to the user’s access token. Think of an access token as a keyring, and each SID is a key on the keyring. The fact is, some servers can accept only a certain number of keys. So what happens if you have migrated several times and you have 100 keys, but older servers can read only 70? It means that 30 of your keys are randomly discarded. One of those keys could allow access one day and deny it the next. Situations like this can be hard to troubleshoot, to say the least.
Do an inventory
If you have not done a deep dive on your Active Directory environment in a while, where do you start? First, do a discovery on your on-premises AD environment is a start. To help take stock, leverage an Active Directory Monitoring and Reporting tool. Use them to do an inventory of all of your accounts and what they are for. Take a look at your forests and how they are configured. Is it an account resource or empty root model? If you have multiple forests, you likely have trusts pointing in all different directions, which can easily form a tangled mess and impose security risks.
Simplify and consolidate
Now that you know what you have, you can make intelligent decisions to simplify, consolidate, or otherwise clean house. Let’s assume that you do a discovery and find that you have multiple domains. So you decide you need to simplify or collapse/consolidate your existing forests. As you go down that path, you need to understand how permissions are granted, which can also cause issues later.
Active Directory Monitoring and Reporting
Active Directory is the foundation of your network, and the structure that controls access to the most critical resources in your organization. The ENow Active Directory Monitoring and Reporting tool uncovers cracks in your Active Directory that can cause a security breach or poor end-user experience and enables you to quickly identify and remove users that have inappropriate access to privileged groups (Schema Admins, Domain Administrators). While ENow is not an auditing software, our reports reduce the amount of work required to cover HIPAA, SOX, and other compliance audits.
AmyKelly Petruzzella is a marketing executive who focuses on Microsoft Exchange, Office 365, and Active Directory trends, challenges, and business outcomes for enterprises. Over the years, AmyKelly regularly engages with Gartner industry analysts, and she has been recognized several times for Top 50 Microsoft Marketing Excellence. She is a frequent speaker and blogger and an industry veteran who advocates for women in technology.
Active Directory Monitoring: LDAP Query Management