What is it?
Microsoft Active Directory is a foundational component of the IT landscape for a vast number of organizations. Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in Windows Server operating systems as a set of processes and services. User identities, access and authorization, and workstation management are features of AD, and for many organizations it is the basis for IT security.
Active Directory Modernization is the re-structuring of the organizational hierarchies and containers managed in AD. The complexity of some AD environments is staggering, as many organizations are operating multiple forests with multiple domains in each forest and a complex network of trust relationships. When an organization that relies on Microsoft Active Directory experiences some type of organizational re-structuring, such as an acquisition, merger or divestiture, an Active Directory consolidation or divestiture may be called for. This can be a challenge for any enterprise: these restructuring efforts are not a routine undertaking.
Why the difficulties?
When AD was first released, it was an extension of Windows for Workgroups and was implemented as a departmental, localized solution. Years later, AD has become an enterprise solution, but many organizations are still managing it as a departmental solution. This legacy architecture keeps a lot of AD administrators employed and enables departments to act as separate fiefdoms within the overall enterprise. Although this local autonomy has some benefit, the complexity produced by multiple, unique AD implementations can prevent, or drastically increase the cost of, deployments of new, enterprise-wide software and work processes.
Re-structuring AD is made difficult by two key realities:
- Active Directory administrators rarely, if ever, endeavor to take on the task.
- The migration to cloud-based systems for identity and device management, such as Azure Active Directory, has marginalized service providers' ability to successfully deliver AD modernization projects.
There is no avoiding the pain of consolidation when the existing environment is already fragmented, but once the core AD environment is built, the pain should be over. Many organizations that experience regular mergers and acquisitions have established defined processes with timelines for integrating new subsidiaries into the collective.
The pain of modernization increases the longer you wait to grapple with the situation. Develop a strategy for modernization now (full consolidation has taken years to complete in very complex environments) and get started on implementation right away. While you are consolidating the existing AD environments, do not allow any new domains or forests to be created.
What do we recommend?
The optimal design for AD is a single domain within a single forest. Any deviation from this approach should be justified by operational requirements that a unified model cannot possibly support. Deployment of AD in an Internet-facing DMZ is an exception.
The allure of a single AD forest with a simple domain design is not fool’s gold. There are real benefits to be found in a consolidated AD environment. A shared AD infrastructure enables user mobility, common user provisioning processes, consolidated reporting, unified management of machines, etc. The reasons for consolidation are clear, but there are significant barriers to success.
- Politics is usually the biggest problem when considering an AD consolidation. No one likes to give up local control of users and machines to a centralized bureaucracy. From a technical perspective, a consolidated AD model is clearly a more elegant approach to AD management. From the perspective of local versus centralized control, the best model is not so clear.
- Cost justification - It is very hard to write a business case for an AD consolidation project. Does consolidation reduce costs? Maybe, but probably not by much. You might be able to produce minor reductions in license costs, but consolidation rarely results in AD administrators being laid off. On the other hand, the actual consolidation project can cost a considerable amount. I have reviewed AD consolidation proposals from systems integrators that range in price from ~$200k to over $5 million. The benefits derived from consolidation tend to be qualitative rather than quantitative. User portability, a shared GAL (Global Address List) and consolidated reporting enhance productivity, but can you measure that enhancement in dollars?
- Complexity - An AD consolidation has to unite and rationalize the ID formats, password policy objects, user groups, group policy objects, schema designs and application integration methods that have grown and spread through all of the existing AD environments. At times, this can feel like spring cleaning the Augean stables. Of course, if you miss something, users will not be able to log in, or find their file shares, or access applications. No pressure at all.
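Before any of those artifacts can be rationalized, they have to be inventoried side by side across every forest and domain. The following PowerShell script is an added example of such a read-only inventory; it is not Cloud Navigator's tooling or part of the original page. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, that the account running it has read access to each forest (through an existing trust or explicit credentials), and that the forest names in `$forestRoots` are replaced with the ones found on site; the two names shown are constructed placeholders.

```powershell
# Added example (not the original page's code): collect, per domain, the items a
# consolidation must reconcile (ID/UPN formats, password policies, groups, GPOs,
# schema version, trusts) so differences between environments become visible.
# Assumes RSAT ActiveDirectory + GroupPolicy modules and read access to each forest.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Constructed placeholder forest root names; replace with the forests discovered on site.
$forestRoots = @('corp.example.com', 'subsidiary.example.net')

$inventory = foreach ($root in $forestRoots) {
    $forest = Get-ADForest -Identity $root
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dc     = $domain.PDCEmulator   # one authoritative DC per domain for all queries

        # Schema naming context of this forest, read from RootDSE rather than guessed
        $schemaNC = (Get-ADRootDSE -Server $dc).schemaNamingContext

        [pscustomobject]@{
            Forest              = $forest.Name
            ForestMode          = $forest.ForestMode
            Domain              = $domain.DNSRoot
            NetBIOSName         = $domain.NetBIOSName
            DomainMode          = $domain.DomainMode
            # Trust map: name and direction, the "complex network" the text refers to
            Trusts              = (Get-ADTrust -Filter * -Server $dc |
                                    ForEach-Object { "$($_.Name):$($_.Direction)" }) -join ';'
            # ID formats: UPN suffixes in use rarely line up between forests
            UpnSuffixes         = (@($forest.UPNSuffixes) + $domain.DNSRoot | Sort-Object -Unique) -join ';'
            DefaultPwdMinLen    = (Get-ADDefaultDomainPasswordPolicy -Server $dc).MinPasswordLength
            FineGrainedPolicies = @(Get-ADFineGrainedPasswordPolicy -Filter * -Server $dc).Count
            GroupCount          = @(Get-ADGroup -Filter * -Server $dc).Count
            GpoCount            = @(Get-GPO -All -Domain $domain.DNSRoot -Server $dc).Count
            SchemaVersion       = (Get-ADObject -Identity $schemaNC -Properties objectVersion -Server $dc).objectVersion
        }
    }
}

# Review on screen and keep a CSV for the design phase
$inventory | Format-Table -AutoSize
$inventory | Export-Csv -Path .\ad-consolidation-inventory.csv -NoTypeInformation
```

Run it from a domain-joined administrative workstation in the forest that will become the target. Rows whose UPN suffixes, password minimums or schema versions differ are the ones that need an explicit decision before any object is migrated; a mismatched schema version in particular means an application extension exists in one forest only, and the script exposes that before the cut-over rather than after.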
What are the benefits?
Your Active Directory (AD) keeps your whole organization running on a daily basis. It is a crucial part of operations that IT management often overlooks when they sit down to budget technology upgrades. Budget an AD upgrade once, and it will save you money for years.
Cost Savings
When you consolidate, you will spend less on servers and lower your licensing costs. Not to mention, because your system will be easier to use for your employees, you will save a lot of time and money on help desk calls, as well.
Ease of Management
Your IT department will be easier to manage when you modernize your AD. All directory tasks and infrastructure will be in one single domain, meaning that object management, software updates and everything else will take less effort.
Security
Your data will be more secure, since administrators can set rules of access that are maintained across all departments. A system with few domains saves time by making it easier to remove people who should not have access. Every location in a modernized AD has a full domain back-up, which means your important data will not be lost.
Single foundation
Having a single directory service or Global Catalog (GC) means a single foundation for all other directory-aware services, including messaging and monitoring. Having a single management infrastructure means there is just one infrastructure for all other directory services tasks, such as software deployment, inventory, and object management, sharing and delegation (such as for user accounts). With a single Group Policy container (GPC), management policies need to be defined only once and can be used throughout the entire enterprise without the need to manually export and import Group Policy Objects (GPOs).
Backup and recovery
Having only a single domain means better resiliency because every location has a full domain backup.
Less hardware
In an organization with multiple domains, every location needs two domain controllers (DCs). With a single domain, each location needs only a single DC because if the local DC fails, the locations can use hub DCs. Reduced hardware also means fewer licenses, less management software, and less overhead for server management. There is no need to back up remote DCs because the remote DCs just hold the same information as the central DCs—assuming the DCs only perform directory services.
Who Can Help?
Let Cloud Navigator do the heavy lifting by working all the phases of an Active Directory Modernization. Our CTO is an ex-Microsoft Active Directory specialist and Exchange Ranger who completed large-scale AD re-structuring projects worldwide. As a company, our focus on cloud migrations has equipped our team to orchestrate and execute these unique projects because they are frequently a prerequisite to migrating directory services to Azure AD. Moving a single-domain AD to the Microsoft Azure cloud is much more straightforward than moving multiple forests and multiple domains to one Azure AD.
Cloud Navigator will work with your organization to execute the project in five distinct phases presenting a structured approach: Discover, Design, Prepare, Test, and Migrate. This approach provides a deployment strategy with defined entrance and exit criteria and deliverables and presents high-level timeframes that control the pace of the deployment while keeping individual tasks serialized.