Active Directory Migration – A Case Study

Introduction

During the process of merging two companies it is important to eliminate duplication of resources and to ensure that normal operations are maintained. A merger may be divided into managerial and infrastructural parts. At the infrastructural level it involves consolidating databases and directory services, in particular Active Directory migration (AD migration). This is usually the most critical part of the consolidation, since it transfers core company data together with the identities that control access to it, so proper care and procedures must be in place to guide the process. Microsoft provides both the tools and the best practices required. This document discusses the processes followed during the merger of the core services of Quality Inc. and Crescent Inc. Key considerations in establishing trust relationships between the two companies' domains, Quality.ad and Crescent.ad, are discussed. The document also suggests a method of consolidating the two networks' services by providing a plan for integrating the Active Directory forests of the two corporations seamlessly while avoiding duplication.

Creating trust relationships

            Trust relationships allow security principals (users, groups and computers) in one domain or forest to be authenticated by, and granted access to resources in, another; they do not copy any part of the directory database between forests. Since this process exposes critical company data across an organizational boundary, one of the main considerations in establishing trusts is security. Core company documents are generally the most highly protected and are shared only among the main company's executives in their domain; general employees are usually not granted permission to access such material. Equally important is a company's engineering data, which covers the main business of the company and includes copyrighted research and innovation, designs and research work. This material is normally accessible to the engineering team and top executives only.

            Establishment of trust relationships is also guided by the hierarchy of leadership and the roles of employees. A forest would normally contain a set of people or devices that perform the same job. Whether the trust between two forests is one-way or two-way is decided by who must reach whose resources: a one-way trust lets principals in the trusted forest access resources in the trusting forest only, while a two-way trust allows access in both directions. For instance, the relationship between the executives and general employees could be one-way, as employees take orders from their bosses while their bosses check on the progress of their work. A two-way trust may exist between the engineering team and the sales and marketing team, since engineers need to know the specifics of the products the company intends to sell while marketers need updates on the products being developed and may offer guidance. Whatever the direction, the trust should be no wider than the requirement; selective authentication on a forest trust restricts access to the computers on which the other forest's users have been explicitly permitted. Another important consideration is name resolution. Usually everyone who participates in a forest uses the same Domain Name System to resolve names throughout the forest, and for a trust to function each forest must also be able to resolve the other forest's names. A further consideration is the network: if all organizations in a forest trust each other, they may have put a private network in place (Nelson Ruest & Danielle Ruest, 2003).

            Since we are acquiring Crescent Inc., the best method of consolidating our services is to migrate objects from their domain into ours. An account migration therefore means moving selected accounts from Crescent.ad into our domain, Quality.ad. Since the engineering department at Crescent is essentially an extension of ours, it would be important not to decommission it but to retain its location, Austin. As Crescent has one Certificate Authority, coordination and planning will be done to ensure a smooth transition to the CAs deployed in the Quality.ad domain, as well as for any application that uses certificates issued by the Crescent Inc. CA. Certificates it has issued stay usable only while its certificate revocation list can still be published and reached, so that CA should be retired only after the dependent applications have been re-enrolled against the Quality.ad CAs.
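The preparation steps described in this section, as an added PowerShell example that is not part of the original case study: conditional forwarders so each forest can resolve the other, connectivity and clock checks against the partner domain controllers, creation of the two-way forest trust with netdom, and a read-back of the trust object. The Crescent.ad domain controller addresses, the port list and the account names are assumptions; the netdom switches are the documented ones but should be checked against the netdom version in use, and the same trust can be created from the Active Directory Domains and Trusts console.

```powershell
# Added example, not from the original case study or from Microsoft.
# Run on a Quality.ad domain controller as a member of Enterprise Admins.
$SourceForest = 'Crescent.ad'
$TargetForest = 'Quality.ad'
$CrescentDcs  = @('10.20.0.10', '10.20.0.11')   # assumed Crescent.ad DC addresses

# 1. Name resolution: Quality.ad DNS must resolve Crescent.ad names (the
#    Crescent.ad side needs the mirror-image forwarder for Quality.ad).
Add-DnsServerConditionalForwarderZone -Name $SourceForest `
    -MasterServers $CrescentDcs -ReplicationScope 'Forest'

# 2. Connectivity and time across the site link. Kerberos across the trust
#    fails once clock skew exceeds the default 5 minutes.
foreach ($dc in $CrescentDcs) {
    foreach ($port in 53, 88, 135, 389, 445) {      # DNS, Kerberos, RPC, LDAP, SMB
        $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        '{0}:{1} reachable={2}' -f $dc, $port, $r.TcpTestSucceeded
    }
}
w32tm /monitor /domain:$SourceForest

# 3. Create the two-way, forest-transitive trust. /passwordD:* makes netdom
#    prompt, so the partner-forest password never lands in the command line
#    or in the PowerShell history.
$UserD = "CRESCENT\Administrator"                  # assumed Crescent.ad enterprise admin
netdom trust $TargetForest /domain:$SourceForest /add /twoway /foresttransitive:yes `
    /userD:$UserD /passwordD:*

# 4. Read the trust back. SID filtering stays at its secure default here; it
#    is relaxed only for the SID-history migration window and restored after.
Get-ADTrust -Filter "Name -eq '$SourceForest'" |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication,
                  SIDFilteringQuarantined, SIDFilteringForestAware
```

If the Engineering team in Austin is the only Crescent.ad population that needs resources in Quality.ad before its accounts are migrated, step 3 can be narrowed with `/selectiveauth:yes`, after which the Crescent.ad principals are usable only on computers where they have been granted the "Allowed to Authenticate" right.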

AD Forest Migration Plan

            To consolidate the two network services, the Active Directory Migration Tool (ADMT) is used. This is a freely downloadable tool that Microsoft provides to customers of its software products to make migrations easier and faster. ADMT can be driven in several ways: through its console, from the command line, or by scripts, and the command line also accepts an option file that lists the migration settings. It is installed in the target domain. Before ADMT is run, a few preparations are required. The first is a suitable Internet Protocol (IP) addressing scheme for site-to-site communication: the two networks must not use overlapping address ranges, and the Domain Name System (DNS) of each forest must be able to resolve names in the other, typically through conditional forwarders or stub zones, because Active Directory locates domain controllers through DNS. Microsoft further provides best practices for using ADMT. For safety, backups of the domain controllers on both sides of the merger must be taken regularly as the process goes on. Another important measure concerns files protected with the Encrypting File System (EFS): they must be decrypted before migration (or the users' EFS certificates and private keys exported and reimported), because otherwise the files cannot be opened after migration and the data is effectively lost. Lastly, system time must be properly synchronised in every domain from which objects are migrated, since Kerberos authentication across the trust tolerates only a small clock skew.

            During the restructuring of Quality Inc. it may be necessary that some user or group accounts are migrated. Measures must therefore be put in place to ensure the process is successful. Regular backups of the domain controllers in both the target and source domains should be taken throughout the process. It is further recommended that migration be done in batches of, say, 100 objects, so that each batch can be verified and, if necessary, rolled back on its own.

            The procedure of restructuring Active Directory domains involves planning, preparing the source and target domains, migrating accounts and finally migrating resources. The Active Directory Migration Tool migrates accounts and resources while preserving user and object permissions, so users in both domains continue to access the resources they need and a smooth integration is achieved. The initial planning stage entails determining the account migration process, assigning locations and roles to the objects to be migrated, designing a test plan, creating rollback plans for use if the migration fails, deciding how users and groups will be managed, and creating a communication plan for the source and target organizations.

            During the merger, users must retain their access rights to specific resources. With ADMT we can use security identifier (SID) history to maintain resource permissions as accounts are migrated: each migrated account keeps its old Crescent.ad SID in its sIDHistory attribute alongside the new SID it receives in Quality.ad. SID history migration must be enabled in both the target and source domains (ADMT requires account-management auditing in both, plus a few settings on the source domain's PDC emulator), after which user accounts can be migrated safely while SID history provides resource access. SID filtering on the forest trust must be relaxed on the Crescent.ad side of the trust, so that Crescent.ad resource servers honour the Crescent SIDs carried in the sIDHistory of accounts that now authenticate from Quality.ad. This is a deliberate weakening of the trust boundary: with filtering off, any SID present in a token arriving from the other forest is accepted, so it is done only for the duration of the migration and re-enabled as soon as the last resources have been moved.
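The SID-history prerequisites and the SID-filtering change from the paragraph above, as an added PowerShell example that is not part of the original case study. The requirements it configures (account-management auditing in both domains, the empty `<SourceNetBIOS>$$$` local group in the source domain, and `TcpipClientSupport` on the source PDC emulator) are the ones ADMT checks before it will write sIDHistory; the NetBIOS name and the administrator account used are assumptions.

```powershell
# Added example, not from the original case study or from Microsoft.
Import-Module ActiveDirectory
$SourceDomain  = 'Crescent.ad'
$SourceNetBios = 'CRESCENT'                       # assumed NetBIOS name of the source domain
$TargetDomain  = 'Quality.ad'
$SourceAdmin   = "$SourceNetBios\Administrator"   # assumed source domain admin account
$SourcePdc     = (Get-ADDomain -Server $SourceDomain).PDCEmulator

# 1. Account-management auditing in BOTH domains (run on every DC, or deliver
#    the same setting through the Default Domain Controllers Policy).
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

# 2. Source-domain settings: the empty <NetBIOS>$$$ group that ADMT uses to
#    record sIDHistory writes, and TcpipClientSupport on the PDC emulator.
#    Single quotes keep PowerShell from treating "$$" as the PID variable.
$AuditGroup = $SourceNetBios + '$$$'
New-ADGroup -Server $SourceDomain -Name $AuditGroup -GroupScope DomainLocal `
    -GroupCategory Security -Path (Get-ADDomain -Server $SourceDomain).UsersContainer
Invoke-Command -ComputerName $SourcePdc -ScriptBlock {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name TcpipClientSupport -Value 1 -Type DWord
    # A restart of the PDC emulator is required before this takes effect.
}

# 3. Relax SID filtering for the migration window. The filter that matters is
#    the one Crescent.ad applies to tokens coming FROM Quality.ad, so the
#    trusting domain in the netdom call is the SOURCE domain.
netdom trust $SourceDomain /domain:$TargetDomain /enablesidhistory:yes `
    /userD:$SourceAdmin /passwordD:*
Get-ADTrust -Server $SourceDomain -Filter "Name -eq '$TargetDomain'" |
    Select-Object Name, SIDFilteringQuarantined, SIDFilteringForestAware

# 4. After the last Crescent.ad resource has been migrated: restore the
#    filter and remove the audit group, closing the SID-injection window.
netdom trust $SourceDomain /domain:$TargetDomain /enablesidhistory:no `
    /userD:$SourceAdmin /passwordD:*
Remove-ADGroup -Server $SourceDomain -Identity $AuditGroup -Confirm:$false
```

Steps 3 and 4 are deliberately kept in the same script so the re-tightening is never forgotten: the ADMT run happens between them, and the values shown by `Get-ADTrust` before and after step 4 should differ only in the SID-filtering attributes.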

Global groups will be used to organize users, while domain local groups will protect resources. Global groups are then placed into domain local groups, so that the users who are members of the global group gain access to the resources. A global group can only contain members from its own domain, so when users are migrated between domains the global groups to which they belong are migrated with them and receive sIDHistory as well. A migrated user then logs on to the target domain, and both the new SID and the old SID are added to the user's access token. Resource servers, whether in the source or the target domain, resolve the entries in their access control lists (ACLs) to SIDs and compare them with the SIDs in the access token when granting or denying access, so an ACL that still names the old Crescent.ad SID continues to work. SID history matters for several kinds of access, including roaming profiles, certificate authority enrollment, software installation and remote access.
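The group nesting and the access decision described in the paragraph above, as an added PowerShell example that is not part of the original case study: it builds the global group, the domain local group and the ACL entry in that order, then emulates the resource server's check by resolving each ACL entry to a SID and matching it against the user's current SID, the user's sIDHistory and the user's expanded group membership. The group names, OU path, share path and user name are assumptions.

```powershell
# Added example, not from the original case study or from Microsoft.
Import-Module ActiveDirectory
$TargetDomain = 'Quality.ad'
$OuPath       = 'OU=Groups,DC=Quality,DC=ad'        # assumed OU for groups
$Share        = '\\fs01.quality.ad\Engineering'     # assumed resource

# Accounts -> Global group (one per role, members only from its own domain)
New-ADGroup -Server $TargetDomain -Name 'Eng-Austin' -GroupScope Global `
    -GroupCategory Security -Path $OuPath
# Domain Local group guards the resource
New-ADGroup -Server $TargetDomain -Name 'Engineering-RW' -GroupScope DomainLocal `
    -GroupCategory Security -Path $OuPath
# Global -> Domain Local nesting
Add-ADGroupMember -Server $TargetDomain -Identity 'Engineering-RW' -Members 'Eng-Austin'
# Domain Local -> Permission: only the domain local group appears on the ACL
$acl  = Get-Acl -Path $Share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'QUALITY\Engineering-RW', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Share -AclObject $acl

function Test-SidHistoryAccess {
    # Reports, for every ACE on $Path, whether it would match this user's token
    # through the current SID / group SIDs, only through sIDHistory, or not at all.
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Path,
        [string] $Server = $TargetDomain
    )
    $user = Get-ADUser -Server $Server -Identity $SamAccountName -Properties SIDHistory, tokenGroups
    # tokenGroups is the DC's own expansion of nested membership, so the
    # global-in-domain-local nesting above is already resolved here.
    $current = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { $_.Value })
    $old     = @($user.SIDHistory | ForEach-Object { $_.Value })

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $null                                 # orphaned ACE: name no longer resolves
        }
        $matched = if ($sid -and $sid -in $current) { 'current SID' }
                   elseif ($sid -and $sid -in $old)  { 'sIDHistory' }
                   else                              { 'no match' }
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            MatchedBy = $matched
        }
    }
}

# After migration: ACEs on Quality.ad resources should match via the current
# SID, ACEs on Crescent.ad resources only via sIDHistory. Any 'sIDHistory' row
# on a Quality.ad share is an ACL that still has to be re-permissioned before
# SID filtering is switched back on.
Test-SidHistoryAccess -SamAccountName 'jdoe' -Path $Share | Format-Table -AutoSize
```

Running the function against the Crescent.ad shares in the object assignment table gives the list of ACLs that depend on sIDHistory, which is exactly the work that must be finished (by re-ACLing to Quality.ad groups) before the trust's SID filtering is restored.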

            The next step after determining the account migration process is the assignment of locations and roles to objects. Since the organizational unit structures of Quality Inc. and Crescent Inc. are the same, an object assignment table listing the roles and locations of all objects to be migrated will be created. One table, showing source and target locations, covers account objects such as users, groups and service accounts. Another covers resource objects, including workstations, profiles and domain controllers (DCs), and likewise shows source and target locations.

            A test plan will be developed to test each object after it has been migrated to the new domain. Testing matters because it verifies continuity of operations once the migration is done: we confirm that users can log on to the new domain and are granted access to resources according to their group membership and credentials. Testing of user migration is followed by testing of groups and then of progressively larger batches of objects.

            As with any other major system upgrade or change, a rollback plan or failover process is needed, so that if an unexpected event occurs we can revert to the old configuration without disrupting ongoing operations. Although it is possible to isolate and resolve problems that occur during each phase of migration, the possible risks and their effect on users must be analysed in advance so that we know how long the system can be non-functional before a rollback becomes necessary. Rollbacks would be done where users cannot log on to their accounts or cannot access resources after migration, and where the whole process halts or fails, among other reasons. Because an inter-forest ADMT migration copies accounts rather than moving them, the source accounts remain usable in Crescent.ad until they are deliberately disabled, which is what makes such a rollback practical.

            After creating a rollback plan, we would then determine how users and groups will be managed as the forests are merged. “By creating administrative procedures to be used for migration objects, it is possible to preserve the objects both in source domain and the target domain. Consequently, you can revert to the environment prior to migration if the restructure process is not successful.” (Jim Becker & Margery Spears, 2014). Administering accounts is important for resolving conflicts, since similar accounts may exist in both the target and source domains; ADMT's conflict-handling choices (skip, replace, or rename the conflicting object with a prefix or suffix) are decided at this stage. This resolution helps eliminate duplication of roles in the new system.

            The final step is the creation of a communication plan to inform all affected users, prior to migration, about the upcoming migration, so that they understand their responsibilities, the impact of the migration process, and whom to contact for help or support if they need it. The migration process can then be started, migrating batches of around 100 users at a time.
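The batched migration and per-batch verification that the plan above ends with, as an added PowerShell example that is not part of the original case study. It takes the users from the source OU named in the object assignment table, writes include files of 100 accounts, runs the ADMT command line for each, and checks that every account exists in Quality.ad with the Crescent.ad SID in its sIDHistory before the next batch starts, stopping for the rollback plan on the first failure. The OU names, working directory and the exact ADMT switches are assumptions: ADMT must be installed on a server in the target domain, and the switches should be confirmed with `admt user /?` on the installed version.

```powershell
# Added example, not from the original case study or from Microsoft.
Import-Module ActiveDirectory
$SourceDomain = 'Crescent.ad'
$TargetDomain = 'Quality.ad'
$SourceOu     = 'OU=Engineering,DC=Crescent,DC=ad'            # assumed
$TargetOu     = 'OU=Engineering,OU=Austin,DC=Quality,DC=ad'   # assumed
$BatchSize    = 100
$Work         = 'C:\ADMT\batches'                              # assumed working directory
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Scope comes from the object assignment table: enabled users in the source OU,
# sorted so that a rerun produces the same batches.
$users = Get-ADUser -Server $SourceDomain -SearchBase $SourceOu -Filter 'Enabled -eq $true' |
         Sort-Object SamAccountName

function Test-MigratedBatch {
    # Returns one line per problem; an empty result means the batch passed.
    param([string[]] $Names)
    $problems = foreach ($n in $Names) {
        $src = Get-ADUser -Server $SourceDomain -Identity $n
        $dst = Get-ADUser -Server $TargetDomain -Filter "SamAccountName -eq '$n'" -Properties SIDHistory
        if (-not $dst) { "$n : not created in $TargetDomain"; continue }
        if (@($dst.SIDHistory | ForEach-Object { $_.Value }) -notcontains $src.SID.Value) {
            "$n : sIDHistory does not contain $($src.SID.Value)"
        }
    }
    return @($problems)
}

$batchNo = 0
for ($i = 0; $i -lt $users.Count; $i += $BatchSize) {
    $batchNo++
    $last  = [Math]::Min($i + $BatchSize, $users.Count) - 1
    $batch = @($users[$i..$last] | ForEach-Object { $_.SamAccountName })
    $includeFile = Join-Path $Work ('batch{0:D3}.txt' -f $batchNo)
    $batch | Set-Content -Path $includeFile -Encoding ASCII

    # /F include file, /IF:NO inter-forest, /MSS:YES write sIDHistory, /TO target
    # OU. Source accounts are left enabled, so rollback for a failed batch is
    # simply that its users keep logging on to Crescent.ad.
    $admtArgs = @('user', "/F:$includeFile", '/IF:NO', "/SD:$SourceDomain",
                  "/TD:$TargetDomain", "/TO:$TargetOu", '/MSS:YES')
    & admt @admtArgs

    $failed = Test-MigratedBatch -Names $batch
    if ($failed.Count -gt 0) {
        $failed | ForEach-Object { Write-Warning $_ }
        throw "Batch $batchNo failed verification; invoke the rollback plan before continuing."
    }
    'Batch {0}: {1} users migrated and verified' -f $batchNo, $batch.Count
}
```

The verification is deliberately limited to what the test plan can assert from the directory alone; the logon and resource-access checks from the test plan are run against a sample of each batch by a user in the Austin office before the next batch is started.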

References

Jim Becker, Margery Spears (2014). ADMT Guide: Migrating and Restructuring Active Directory Domains. Microsoft Corporation.

Nelson Ruest & Danielle Ruest (2003). Windows Server 2003: Best Practices for Enterprise Deployment. McGraw-Hill/Osborne 3, 79-138.