Preparing Active Directory for the Cloud
IT departments in organizations of all sizes can expect to be moving resources to one cloud or another in the very near future. This is becoming a fact that all IT professionals are going to need to deal with in the coming years.
One factor that can impact the success of migrations to cloud services is the overall health and preparedness of your on-premises Active Directory. In my experience this is a step that many organizations overlook in their move to cloud resources.
In this blog post, we are going to look at some of the steps an organization can take to prepare an on-premises Active Directory forest before moving resources to the Microsoft cloud. I assume many of these steps will also be relevant for migration to other cloud services, but my focus here is going to be Microsoft cloud services.
Why should I care if my AD is “ready” for the cloud?
Fair question. The point of moving to Office 365 or Azure is that Microsoft runs the infrastructure for those services for you. That infrastructure includes Azure Active Directory, so your organization’s on-premises Active Directory’s impact on Office 365 is limited.
On the other hand, your on-premises AD does contribute to your Office 365 tenant in several ways. First, the whole point of AAD Connect is to copy accounts from your on-premises AD into Azure AD. If those source accounts are poorly configured, you will have poorly configured Azure AD accounts. It is worthwhile to ensure that all the information in your on-premises AD accounts is correct and complete. Phone numbers, managers, direct reports, office locations, and other attributes do get copied into Azure AD and may affect how you use Office 365 services. Your cloud migration project is a good time to complete that cleanup work, which otherwise always seems to fall down the priority list.
What aspects of Active Directory should I check?
The easy answer here is “all of them”. I suppose I can be somewhat more helpful than that though.
The first and most obvious AD remediation I would recommend is to clean up the AD objects that will be synchronized into Azure AD via AAD Connect. IdFix is the tool Microsoft created for that purpose, and I find it a great place to start.
Beyond the improvements you can make from the information IdFix provides, here are some other areas I recommend customers review before moving to the cloud.
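To give a feel for what that pre-sync cleanup looks like in practice, here is an added PowerShell example (it is not part of the original post and is not Microsoft's IdFix tool, only an approximation of a few of its rules). It scans enabled users in the OU you intend to sync for UPN suffixes that are not verified in the tenant, characters Azure AD rejects in a UPN, malformed mail attributes, more than one primary SMTP address, and proxyAddresses duplicated across users. The OU, the list of verified domains and the character rules are assumptions; adjust them for your own forest.

```powershell
# Added example: IdFix-style pre-sync scan of users in the intended AAD Connect scope.
# Requires the ActiveDirectory RSAT module. $SyncScopeOU and $VerifiedDomains are placeholders.
Import-Module ActiveDirectory

$SyncScopeOU     = 'OU=CloudUsers,DC=corp,DC=example'      # placeholder: OU that will be in sync scope
$VerifiedDomains = @('corp.example', 'contoso.example')     # placeholder: domains verified in the tenant

# Approximation of characters Azure AD rejects in a UPN (allowed: letters, digits, ' . - _ ! # ^ ~).
$badUpnChars = '[\s$%&*+/=?`{|}<>()\[\],;:"\\]'

$users = Get-ADUser -SearchBase $SyncScopeOU -Filter 'enabled -eq $true' `
           -Properties userPrincipalName, mail, proxyAddresses

$findings  = [System.Collections.Generic.List[object]]::new()
$seenProxy = @{}   # lowercased proxy address -> first sAMAccountName that carried it

function Add-Finding([string]$User, [string]$Attribute, [string]$Value, [string]$Issue) {
    $findings.Add([pscustomobject]@{ User = $User; Attribute = $Attribute; Value = $Value; Issue = $Issue })
}

foreach ($u in $users) {
    $sam = $u.sAMAccountName
    $upn = $u.userPrincipalName

    if ([string]::IsNullOrWhiteSpace($upn)) {
        Add-Finding $sam 'userPrincipalName' '' 'blank'
    } else {
        $parts = $upn -split '@'
        if ($parts.Count -ne 2) {
            Add-Finding $sam 'userPrincipalName' $upn 'must contain exactly one @'
        } elseif ($parts[1] -notin $VerifiedDomains) {
            Add-Finding $sam 'userPrincipalName' $upn "suffix '$($parts[1])' is not a verified tenant domain"
        }
        if ($upn -match $badUpnChars) {
            Add-Finding $sam 'userPrincipalName' $upn 'contains a character Azure AD rejects'
        }
    }

    # mail must be a single well-formed address (no display names, no multiple addresses)
    if ($u.mail -and $u.mail -notmatch '^[^@\s]+@[^@\s]+$') {
        Add-Finding $sam 'mail' $u.mail 'not a single well-formed address'
    }

    # Exactly one upper-case "SMTP:" entry marks the primary address; "smtp:" entries are aliases.
    $primaries = @($u.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' })
    if ($primaries.Count -gt 1) {
        Add-Finding $sam 'proxyAddresses' ($primaries -join ' ') 'more than one primary SMTP address'
    }

    foreach ($addr in @($u.proxyAddresses)) {
        $key = $addr.ToLowerInvariant()
        if ($seenProxy.ContainsKey($key)) {
            Add-Finding $sam 'proxyAddresses' $addr "duplicate of an address on $($seenProxy[$key])"
        } else {
            $seenProxy[$key] = $sam
        }
    }
}

"$($findings.Count) finding(s) across $(@($users).Count) enabled user(s) in $SyncScopeOU"
$findings | Sort-Object User, Attribute | Format-Table -AutoSize
```

Run this from a workstation with RSAT before the first sync and again after the cleanup; an empty findings list is the goal, and the duplicate-address check in particular is worth repeating any time mailboxes or aliases are added during the migration.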
Password Policies – Passwords are a poor way to secure accounts and will hopefully be a thing of the past within a few years. While we still rely on them so heavily, though, I strongly recommend that customers review their password policies and make sure they reflect current best-practice guidance.
Current password guidance from NIST can be found here. I have a series of blog posts on my personal blog addressing my recommendations for securing accounts in Azure AD as well.
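As an added example (not from the original post), the following PowerShell dumps the default domain password policy and every fine-grained policy and flags the settings that diverge from the NIST SP 800-63B guidance linked above: a minimum length below 8, forced periodic rotation, composition rules in place of breached-password screening, no throttling of failed attempts, and reversible encryption. It assumes the ActiveDirectory RSAT module; the 3650-day cutoff used to recognise "never expires" is an assumption.

```powershell
# Added example: compare AD password policies with NIST SP 800-63B recommendations.
Import-Module ActiveDirectory

function Test-PasswordPolicyAgainstNist {
    param([string]$Name, $Policy, [string]$AppliesTo)
    $issues = @()

    if ($Policy.MinPasswordLength -lt 8) {
        $issues += "minimum length $($Policy.MinPasswordLength) is below the 8-character floor in 800-63B"
    }
    # Zero (or an absurdly large value) means "never expires"; anything else is periodic rotation,
    # which 800-63B says not to require unless there is evidence of compromise.
    $age = $Policy.MaxPasswordAge
    if ($age -gt [TimeSpan]::Zero -and $age.TotalDays -lt 3650) {
        $issues += "forces rotation every $($age.Days) days"
    }
    if ($Policy.ComplexityEnabled) {
        $issues += 'composition rules enabled; 800-63B prefers length plus screening against common/breached password lists'
    }
    if ($Policy.LockoutThreshold -eq 0) {
        $issues += 'no lockout threshold; failed online guesses are not throttled by the domain'
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $issues += 'reversible encryption enabled; passwords are recoverable in clear text'
    }

    [pscustomobject]@{
        Policy    = $Name
        AppliesTo = $AppliesTo
        MinLength = $Policy.MinPasswordLength
        MaxAge    = $age
        History   = $Policy.PasswordHistoryCount
        Lockout   = $Policy.LockoutThreshold
        Issues    = ($issues -join '; ')
    }
}

$domain  = Get-ADDomain
$default = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
$results = @(Test-PasswordPolicyAgainstNist -Name 'Default Domain Policy' -Policy $default -AppliesTo $domain.DNSRoot)

# Fine-grained policies override the default for their subjects, so they need the same review.
foreach ($fgpp in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $subjects = (Get-ADFineGrainedPasswordPolicySubject -Identity $fgpp.Name |
                 Select-Object -ExpandProperty Name) -join ', '
    $results += Test-PasswordPolicyAgainstNist -Name "$($fgpp.Name) (precedence $($fgpp.Precedence))" `
                                               -Policy $fgpp -AppliesTo $subjects
}

$results | Format-Table -AutoSize -Wrap
```

The lockout check is deliberately one-sided: 800-63B asks for rate limiting, but an aggressive lockout threshold also makes it easy to lock colleagues out, so treat that row as a prompt to review the threshold and observation window together rather than as a single right answer.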
Organizational Units – OUs are one of the primary ways organizations keep track of where objects are in AD. They are also the best way to filter which objects are synchronized into Azure AD via AAD Connect. Making sure your organization’s OUs are well configured before you start syncing AD to Azure AD is a really good idea that will probably save a lot of headaches down the road.
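Deciding which OUs to put in the AAD Connect filter is easier with a per-OU inventory, so here is an added PowerShell example (not from the original post). For each OU it counts, at that level only, enabled and disabled users, users with no UPN, enabled users who have not logged on recently, users carrying service principal names (usually service accounts you do not want in the cloud), and groups. The 90-day staleness window is an assumption.

```powershell
# Added example: per-OU inventory to plan the AAD Connect OU filter.
# Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$StaleAfterDays = 90   # assumption: no logon in 90 days counts as stale
$cutoff = (Get-Date).AddDays(-$StaleAfterDays).ToFileTime()   # lastLogonTimestamp is a FILETIME

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter * -Properties canonicalName) {
    # OneLevel so each OU is counted on its own rather than together with its children
    $users  = @(Get-ADUser -SearchBase $ou.DistinguishedName -SearchScope OneLevel -Filter * `
                  -Properties enabled, lastLogonTimestamp, userPrincipalName, servicePrincipalName)
    $groups = @(Get-ADGroup -SearchBase $ou.DistinguishedName -SearchScope OneLevel -Filter *)

    [pscustomobject]@{
        OU            = $ou.canonicalName
        EnabledUsers  = @($users | Where-Object { $_.Enabled }).Count
        DisabledUsers = @($users | Where-Object { -not $_.Enabled }).Count
        NoUPN         = @($users | Where-Object { -not $_.userPrincipalName }).Count
        StaleUsers    = @($users | Where-Object {
                            $_.Enabled -and $_.lastLogonTimestamp -and $_.lastLogonTimestamp -lt $cutoff }).Count
        ServiceAccts  = @($users | Where-Object { $_.servicePrincipalName }).Count
        Groups        = $groups.Count
    }
}

$report | Sort-Object EnabledUsers -Descending | Format-Table -AutoSize
```

OUs with a mix of real people and service accounts are the ones worth restructuring before sync; it is far easier to move a service account to an excluded OU now than to explain later why it has an Azure AD identity and a licence.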
Group Policy Objects – Microsoft has recently added a preview feature to Intune that will analyze on-premises GPOs and give you information about how they will translate to related cloud settings. More information on that feature can be found here.
This tool is not for “migrating” your GPOs to the cloud so much as showing you which on-prem GPO settings you have in place can be replicated within Intune. No doubt this functionality will grow and improve over time.
DNS – A well-configured DNS deployment is essential to Active Directory health. While DNS can be hosted outside of Active Directory, many organizations use Active Directory-integrated DNS, so I am including it on the list here.
Make sure your DNS is clean and well organized, and that all lookups work as expected. TTL values can be very important in cloud migrations, where many changes are being made. Differences between internal and external responses should be well understood, as a cloud migration will likely change where specific resources get their DNS results.
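The two DNS checks above (lookups work, and internal versus external answers and TTLs are understood) can be scripted. The added PowerShell example below, which is not from the original post, first confirms that every domain controller advertised in the `_ldap._tcp.dc._msdcs` SRV records resolves and answers on its LDAP port, then compares the internal and public answers for a list of names that typically move during a migration and flags split-horizon differences and TTLs that should be lowered before cutover. The domain, the public resolver, the name list and the 3600-second TTL threshold are all placeholders.

```powershell
# Added example: DC locator and split-horizon DNS checks ahead of a cloud migration.
# Uses the DnsClient and NetTCPIP modules that ship with Windows 8 / Server 2012 and later.
$Domain           = 'corp.example'                                                    # placeholder
$ExternalResolver = '8.8.8.8'                                                         # placeholder public resolver
$NamesToCompare   = @('autodiscover.corp.example', 'mail.corp.example', 'sts.corp.example')  # placeholders
$HighTtlSeconds   = 3600   # assumption: anything above this should be lowered before cutover

# 1. Every advertised DC must resolve and answer LDAP from inside the network.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -DnsOnly -ErrorAction Stop |
       Where-Object Type -eq 'SRV'

$dcChecks = foreach ($r in $srv) {
    $a = Resolve-DnsName -Name $r.NameTarget -Type A -DnsOnly -ErrorAction SilentlyContinue |
         Where-Object Type -eq 'A'
    $ldapOpen = $false
    if ($a) {
        $ldapOpen = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    [pscustomobject]@{
        DC       = $r.NameTarget
        Resolves = [bool]$a
        IP       = (@($a | ForEach-Object IPAddress) -join ', ')
        LdapOpen = $ldapOpen
        SrvTTL   = $r.TTL
    }
}

# 2. Compare what internal clients and the public Internet get for names that will move.
$nameChecks = foreach ($n in $NamesToCompare) {
    $int = Resolve-DnsName -Name $n -Type A -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object Type -eq 'A'
    $ext = Resolve-DnsName -Name $n -Type A -DnsOnly -Server $ExternalResolver -ErrorAction SilentlyContinue |
           Where-Object Type -eq 'A'

    $intIPs = (@($int | ForEach-Object IPAddress) | Sort-Object) -join ', '
    $extIPs = (@($ext | ForEach-Object IPAddress) | Sort-Object) -join ', '
    $ttls   = @($int | ForEach-Object TTL) + @($ext | ForEach-Object TTL)
    $maxTtl = if ($ttls.Count) { ($ttls | Measure-Object -Maximum).Maximum } else { $null }

    [pscustomobject]@{
        Name         = $n
        Internal     = $intIPs
        External     = $extIPs
        SplitHorizon = ($intIPs -ne $extIPs)          # different answers inside vs. outside
        MaxTTL       = $maxTtl
        LowerTTL     = ($null -ne $maxTtl -and $maxTtl -gt $HighTtlSeconds)
    }
}

$dcChecks   | Format-Table -AutoSize
$nameChecks | Format-Table -AutoSize
```

A `SplitHorizon` result is not an error in itself; many organizations intend it. The point is to know which names behave that way before the migration changes where clients on each side of the firewall are sent.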
Overall AD Health – This seems too self-evident to warrant much space in this post, but when I work with customers on a migration there is often work to be done on this front. Replication, time services, disabled accounts, backup and restore procedures, trusts, site configuration, and group configuration and organization are all important. Other AD-based services like Certificate Authorities and AD FS servers can also be very important to the success of your migration, depending on the configuration you use.
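Most of the health items in that list can be checked in one sweep. The added PowerShell example below (not from the original post) reports replication partners with failures, whether the PDC emulator is chasing a real time source rather than its own clock, counts of stale enabled and disabled user accounts, the forest's trusts, and sites with no domain controller or subnets not mapped to a site. It assumes the ActiveDirectory RSAT module and `w32tm`; the 90-day inactivity window is an assumption.

```powershell
# Added example: one-pass AD health summary before starting a cloud migration.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Replication: any partner with a non-zero failure count needs attention before syncing.
$replFailures = @(Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain |
                  Where-Object FailureCount -gt 0 |
                  Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError)

# Time: the PDC emulator should follow an external or authoritative source, not its own clock.
$pdc        = $domain.PDCEmulator
$timeSource = (& w32tm /query /computer:$pdc /source 2>&1) -join ' '
$timeOk     = $timeSource -notmatch 'Local CMOS Clock|Free-running System Clock'

# Accounts: stale enabled users and disabled accounts both add noise (and risk) once synced.
$staleUsers    = @(Search-ADAccount -AccountInactive -TimeSpan '90.00:00:00' -UsersOnly | Where-Object Enabled)
$disabledUsers = @(Search-ADAccount -AccountDisabled -UsersOnly)

# Trusts: know every trust before the cloud tenant becomes another identity boundary.
$trusts = @(Get-ADTrust -Filter * |
            Select-Object Name, Direction, TrustType, ForestTransitive, SIDFilteringForestAware)

# Sites: a site with no DC, or a subnet in no site, sends clients to an arbitrary DC.
$dcSites            = @(Get-ADDomainController -Filter * | ForEach-Object Site)
$sitesWithoutDc     = @(Get-ADReplicationSite -Filter * | Where-Object { $_.Name -notin $dcSites } |
                        ForEach-Object Name)
$subnetsWithoutSite = @(Get-ADReplicationSubnet -Filter * -Properties Site | Where-Object { -not $_.Site } |
                        ForEach-Object Name)

[pscustomobject]@{
    Forest              = $forest.Name
    ForestMode          = $forest.ForestMode
    DomainMode          = $domain.DomainMode
    ReplicationFailures = $replFailures.Count
    PdcTimeSource       = $timeSource
    PdcTimeSourceOk     = $timeOk
    StaleEnabledUsers   = $staleUsers.Count
    DisabledUsers       = $disabledUsers.Count
    Trusts              = $trusts.Count
    SitesWithoutDC      = ($sitesWithoutDc -join ', ')
    SubnetsWithoutSite  = ($subnetsWithoutSite -join ', ')
} | Format-List

$replFailures | Format-Table -AutoSize
$trusts       | Format-Table -AutoSize
```

Run it with an account that can read the configuration partition, and keep the output with the project documentation: the same numbers taken again after remediation are the easiest way to show what the preparation work actually fixed.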
Documentation – Documentation is probably the most important part of maintaining your Active Directory deployment unless you’re working in a one-person shop, and probably even then. If your organization is subject to any sort of compliance rules, good documentation is the most important step to meeting those obligations.
Your cloud migration success will very likely be affected by the health of your on-premises Active Directory, and possibly in ways you will not initially expect. My personal experience has taught me to be very careful with a review of the on-premises Active Directory before attempting to start any cloud migration.
There is a lot of ground to cover in ensuring that your on-premises Active Directory is up to snuff. It can be a time-consuming effort, but one I find is almost always well worth it.
Monitor Your Active Directory with ENow
Active Directory is the foundation of your network, and the structure that controls access to some of the most critical resources in your organization. ENow uncovers cracks in your Active Directory that can cause a security breach or poor end user experience. In particular, ENow enables you to:
- Report on highly privileged groups (domain admins)
- Detect AD replication errors
- Identify expensive LDAP queries
- Diagnose DNS and name resolution problems
- Troubleshoot poor Exchange performance caused by Active Directory
Don’t take our word for it. Start your free trial today!