
Prepared for Cornell University
2010 Idea Integration

Revision and Signoff Sheet

Change Record

Date        Author            Version    Change reference
06/14/11    David Thompson    1.0        Initial Draft
06/23/11    David Thompson    1.1        Internal Review
06/30/11    David Thompson    1.2        Final version

Reviewers

Name             Version approved    Position    Date
Chris Lavelle    1.1                             06/26/2010




Table of Contents

1 Introduction
    1.1 Executive Summary
2 Intended Audience
3 Migration Overview
    3.1 Migration Challenges
    3.2 Key Features of Quest Migration Manager for Active Directory
    3.3 Migration Process Overview
    3.4 Team Composition
4 Current Active Directory Infrastructure
    4.1 CORNELL.EDU
    4.2 Additional Forests/Domains
    4.3 Development/Lab Environment
5 Areas of Remediation
    5.1 Ongoing Virtualization and Exchange Migration Projects
    5.2 Existing Microsoft SharePoint Deployments
    5.3 Existing Microsoft System Center Configuration Manager Deployments
    5.4 Existing Microsoft SQL Server Deployments
    5.5 Existing Microsoft Windows Server Update Service (WSUS)
    5.5 Certificate Services
    5.6 Centralized Backups - Tivoli Configuration Manager
    5.7 Schema Extensions (Biometrics)
    5.8 Workstation Rename Requirement
    5.9 RADIUS - Authentication Proxy Policy
    5.10 Deployed VPN Solutions
    5.11 Stand-Alone Workstation Migrations
6 Planning Recommendations
Appendix A: Sample High Level AD Migration Project Plan



1 Introduction
Cornell University is moving toward establishing a rationalized IT architecture which will provide an
Enterprise Shared Services platform for common services such as authentication, messaging, and
collaboration. The Active Directory Migration Project is being undertaken to provide the base
infrastructure on which these services will be provided. In addition, creating a Centralized Data
Center Support Model for a campus-wide virtualized Server infrastructure is a key cost-saving driver
being undertaken at the University and is directly linked to the Active Directory Migration Project.

1.1 Executive Summary
The objectives of this engagement, as indicated in the Statement of Work, are to deliver solution
recommendations with consideration for the following items of scope and drivers to the business:
• Gather and review the existing Active Directory Forest and Domain implementation
  and associated documentation provided by the client
• Review the various approaches for consolidation and make recommendations of risk
  mitigation strategies and tool selection
• Generate an executive report outlining high-level consolidation approach, activities,
  and toolsets
• Generate high-level work effort tasking and timeline for domain consolidation
  effort

As part of the University's Server Virtualization Project, the support model dictates all virtualized
servers be member servers of the cornell.edu Active Directory Forest/Domain. Scheduling has
already begun for some of the 70+ domains across the campus to virtualize their server
infrastructure. It is imperative that a coordinated Active Directory Migration Project schedule be
prepared and implemented in support of this Server Virtualization Project. The transition for
Cornell University to function in this centralized environment will introduce the following challenges:
• Operational Complexity: The CIT Identity Management Staff will now be responsible for all
  AD administration of domain controllers and all Active Directory functionality (mainly
  security related). Organizational Unit (OU) Administration delegation is in place to allow
  individual IT groups across the University to manage their own OU infrastructure relating to
  User/Group administration as well as rights/permissions to resources.
• Enterprise Applications: Schema Extensions, LDAP authentication, etc. will all occur under
  this centralized Active Directory environment. More design and policy creation may be
  required to produce a uniform way of Enterprise Applications existence in this environment.
• Agility: Growth and restructuring are part of normal operations for Cornell University. The
  IT infrastructure needs to handle these events as a more natural part of the IT ecosystem
  instead of as a major exception to the IT operations. Organizational restructuring should
  not alter the structure of the directory service.



2 Intended Audience
This document was written for and intended for Cornell University IT staff and supporting
personnel. It is designed as a guide and roadmap for the development of an Active Directory
Migration Plan at Cornell. All Cornell University IT staff and supporting personnel should be
familiar with the concepts and terminology that follow in this document.



3 Migration Overview
Active Directory migrations can be monumental tasks. This is especially true for large, distributed,
and complex environments, as discovered at Cornell University. It is essential that a solid discovery
and analysis be completed on the entire enterprise prior to migration. All testing should be
performed in an environment that mirrors the production environment as exactly as possible.
Cornell University's lab environment will be a key asset in this testing. Although no two migration
projects are exactly the same, utilizing industry best practices and partnering with an experienced
solutions provider will greatly enhance the chances of completing a successful migration.
3.1 Migration Challenges
• Size and complexity: A restructuring project requires you to manage change to a large
  number of users and resources. Cornell University has 70+ domains to consolidate, ranging
  from several thousand users and dozens of servers to domains with only a few dozen users
  and a handful of servers.
• Impact on users: Ideally, changes to your directory should occur without disrupting user
  productivity or requiring calls to the various help desks for support. Users should not need to
  log off, and they should continue to be able to access all appropriate resources during and
  after the restructuring project. Scheduling off-hours workstation migrations at Cornell could
  further reduce the impact on faculty and staff.
• Double administration during the transition period: When executing inter-forest
  migrations, there's inevitably a period of time when both old and new environments are
  intact. For some of the larger Service Areas/Colleges, it might take a considerable amount of
  time before everyone is migrated and the old environment can be decommissioned. During
  that time, any changes made in one directory have to be made in the other as well.
• Limited IT resources: A restructuring project can stretch your overworked IT department.
  Administrators might need to work nights or weekends. Overtime might be needed, and the
  restructuring project could drag on for many months.
• Lack of tools: Native tools and most third-party tools do not handle all aspects of Active
  Directory restructuring. Active Directory does not include tools to automatically merge two
  or more domains, split domains, move objects between domains and forests, or perform
  other Active Directory reconfiguration procedures. In addition, native tools and most
  third-party tools do not migrate all types of Active Directory objects and attributes, nor do they
  update permissions across all platforms such as Exchange, SQL, and Active Directory. You
  might face several restructuring issues that cannot be addressed with your existing tools.
• Risk: Changes made directly to your production Cornell.edu environment can be risky. You
  need a way to restructure your directory that also allows you to preview and test your
  changes before applying them to your network. You also need a way to selectively roll back
  changes if something unexpected occurs.
• Security concerns: During restructuring, existing security measures such as passwords and
  permissions must be preserved. To maintain a secure environment, you need to clean up
  SIDHistory and track and delete source objects that have been migrated. These tasks are not
  easily accomplished with native tools.




3.2 Key Features of Quest Migration Manager for Active Directory
• ZeroIMPACT on Users: Migration Manager for Active Directory provides Active Directory
  restructuring with no disruption to users or your network. Migration Manager for Active
  Directory performs restructuring activities while allowing users to maintain uninterrupted
  access to all their resources, regardless of whether the resources are being moved. Users
  can be migrated while they are online, and they don't have to reboot their computers or log
  in and out of their accounts after the move.
• Directory Synchronization: Migration Manager for Active Directory has built-in
  synchronization capabilities to ease the burden of coexistence. It can synchronize account
  properties, group membership, and even passwords (even though this is not required in your
  environment), so administrators can simply make necessary changes in one environment
  and have those changes automatically replicated to the other environment. This reduces
  the administrative burden and improves security by keeping the environments consistent.
• Test Mode: A migration session can be executed in test mode. In test mode, Migration
  Manager for Active Directory attempts to actually perform the migration but does not
  create/merge the accounts in the Cornell.edu target environment. During this test, the tool
  detects most of the possible issues with the migration, including lack of permissions,
  matching conflicts, and missing linked objects (such as group members). This lets you safely
  experiment with migrations and resolve issues so they do not arise in your real migration.
• Centralized Project Management: Migration Manager for Active Directory gives
  administrators control of the migration project. Features include:
    o Delegation of permissions over the migration project: For example, a local
      administrator might get read-only access to the project but full control over a task to
      migrate a set of OUs. This is not normally used, but it is mentioned here in case, during
      the planning of the migrations, it becomes an option we want to implement.
    o Online queues for errors, matching conflicts, and missing linked objects (e.g., missing
      group members): Migration Engineers can check the queues and take corrective actions
      for problems. One option is for Migration Manager for Active Directory to keep trying to
      perform the synchronization. Once the issue gets resolved, Migration Manager for Active
      Directory automatically synchronizes the objects.
    o Statistics portal: Migration Manager for Active Directory ships with Statistics Portal,
      which provides Web-based reporting and monitoring of the migration project. It
      provides both high-level statistics information and low-level migration details. With this
      tool, it is easy to give read-only access to the migration information to anyone involved in
      the project. This tool requires additional setup requirements if it is deemed that this
      level of reporting is needed.
• Task Delegation: Migration Manager for Active Directory was created with large-scale
  migration projects in mind. Features include:
    o Role-based administration: Migration tasks have permissions associated with them. As
      we discussed a possible multi-team approach at Cornell, migration projects can be split
      between migration teams without risk of interfering with each other's project tasks.
    o Replicated project database: Migration Manager for Active Directory uses Microsoft
      Active Directory in Application Mode (ADAM) as its backend database. Because ADAM
      has built-in replication and support for the Active Directory security model, you can now set
      up Migration Manager for Active Directory in multiple locations, give each team
      permissions for their parts of the project, and set replication so that all these migration
      tasks are still accomplished within the same common project.
• Integrated Product Set: Since Migration Manager for Active Directory was designed
  specifically for Active Directory restructuring, you can migrate any type of object, including
  sites and subnets, contacts, printer queues, and volume objects. You can migrate all object
  attributes, including passwords, security descriptors, and linked attributes. Synchronization
  and scheduling are integrated into the tool, so you don't have to use the command line or set
  up Windows Scheduled Tasks. Also included is a resource kit with utilities that assist with
  restructuring tasks and further minimize the impact to users. The GPO migration tool is one
  example of a provided utility that would assist in the consolidation of the domains into their
  respective OUs within Cornell.edu.
• Comprehensive Resource Update: To ensure that users retain access to network resources
  during and after restructuring, Migration Manager for Active Directory provides
  comprehensive resource updating. After migration, you must update network resources to
  apply the permissions from source objects to target objects. Migration Manager for Active
  Directory can process all files and folders regardless of the permissions or ownership. It can
  update all resources, including:
    o Distributed resources, such as files, folders, services, and user profiles
    o Security descriptors of Active Directory objects
    o Microsoft SQL Server version 7.0, 2000, 2005, and 2008 permissions
    o Microsoft Internet Information Services (IIS) Server version 4, 5, and 6 permissions
    o Microsoft Systems Management Server 2003 and System Center Operations Manager
      2007 permissions
  Migration Manager for Active Directory updates resources quickly and efficiently by
  performing resource update locally. In addition, it updates permissions for all migrated users
  and computers at the same time, even if they were migrated from different source domains.
  Migration Manager for Active Directory also allows you to schedule resource updating for
  off-peak hours and to retry at specified intervals if a computer is offline.
• Granular Undo Capabilities: Migration Manager for Active Directory offers several undo
  options so that you can quickly roll back changes should something unexpected occur as a
  result of restructuring. You can roll back any change you've made, from changes made in
  several sessions to a single operation on a single object. As you migrate objects, a project
  database captures all the changes made in the target Cornell.edu domain by any migration
  session, and the source domain remains untouched until disabled or deleted. All resource
  update tools have revert mode, in which they restore source permissions in resource ACLs.
• Post-Migration Cleanup: Migration Manager for Active Directory provides several options
  and tools to ensure maximum security, integrity, and performance of your restructured
  environment. To make sure that resources are accessed properly after restructuring,
  Migration Manager for Active Directory allows you to delete SIDHistory entries for migrated
  accounts and remove references to source accounts from ACLs. Migration Manager for
  Active Directory also provides options to disable or delete source accounts and clean your
  network of any unused objects that could affect the security and stability of your
  environment.

3.3 Migration Process Overview
The steps outlined below are meant as a high-level overview of the migration process. Planning,
Discovery, and Pre-migration tasks (service account creation, establishing two-way trusts, disabling
SIDHistory filtering, etc.) are also critical components of a successful migration that will be listed in
greater detail when a migration plan is put in place for the migration of a source domain to the
target Cornell.edu domain.
• Account Migration: Selected accounts are merged (through the use of a mapping file) from
  selected source domains to the target Cornell.edu domain.
• Ongoing Directory Synchronization: For all or selected migrated accounts, synchronization
  can be established so the account properties, including group membership, are kept in sync
  for the coexistence period. This is a requirement if QMM is being used for an Exchange
  migration as well. In Cornell's environment, it may not be necessary for directory
  synchronization to be used. More detail on this will appear during discussions of an actual
  migration planning session.
• Resource Processing: Access permissions to files, shares, printers, and other securable
  objects are updated. This can run multiple times if needed. We will need to follow up on
  the testing of the TSM Backup agent to determine best approach.
• Switching to the New Domain: Source accounts are disabled, if possible, to prevent users
  from continuing to log into the source domain. Users begin using their Cornell.edu (NetID)
  accounts and passwords to log into the Cornell.edu domain.
• Post-Migration Cleanup: Source accounts are cleaned up and deleted, and SIDHistory is
  removed for all target accounts to ensure maximum security, integrity, and performance of
  the target environment.
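
One way to track the SIDHistory cleanup step above, as an added example that is not part of the original plan or of the Quest toolset: the two functions are hypothetical helpers, the account names and SIDs are constructed placeholders, and the commented live query assumes the ActiveDirectory RSAT module is installed.

```powershell
# Added example, not from the original document. Read-only audit of sIDHistory
# values still present on migrated objects, grouped by source domain.

function Get-SidHistoryEntry {
    # Accepts any object exposing sAMAccountName, objectClass and sIDHistory,
    # for example the output of Get-ADObject. Emits one row per historic SID.
    param([Parameter(Mandatory, ValueFromPipeline)] $InputObject)
    process {
        foreach ($value in $InputObject.sIDHistory) {
            $sid    = [System.Security.Principal.SecurityIdentifier]$value
            $domain = $sid.AccountDomainSid          # $null for builtin/well-known SIDs
            $rid    = [uint32](($sid.Value -split '-')[-1])
            [pscustomobject]@{
                Account         = $InputObject.sAMAccountName
                ObjectClass     = [string]$InputObject.objectClass
                HistoricSid     = $sid.Value
                SourceDomainSid = if ($domain) { $domain.Value } else { '(none)' }
                # RIDs below 1000 belong to a domain's built-in accounts and groups;
                # review these entries first.
                BuiltInRid      = ($rid -lt 1000)
            }
        }
    }
}

function Get-SidHistorySummary {
    param(
        [Parameter(Mandatory)] [object[]]$Entry,
        # Assumption: domain SIDs of source domains still in their coexistence period.
        [string[]]$CoexistenceDomainSid = @()
    )
    $Entry | Group-Object SourceDomainSid | ForEach-Object {
        [pscustomobject]@{
            SourceDomainSid = $_.Name
            Accounts        = @($_.Group.Account | Sort-Object -Unique).Count
            Entries         = $_.Count
            BuiltInRids     = @($_.Group | Where-Object BuiltInRid).Count
            Status          = if ($CoexistenceDomainSid -contains $_.Name) { 'coexistence' }
                              else { 'cleanup pending' }
        }
    }
}

# Constructed sample objects (placeholder SIDs) so the functions run without a directory.
$domainA = 'S-1-5-21-1111111111-2222222222-3333333333'   # still in coexistence
$domainB = 'S-1-5-21-4444444444-5555555555-6666666666'   # source already switched over
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'abc123'; objectClass = 'user'
                       sIDHistory = @("$domainA-1105") },
    [pscustomobject]@{ sAMAccountName = 'def456'; objectClass = 'user'
                       sIDHistory = @("$domainB-2210") },
    [pscustomobject]@{ sAMAccountName = 'Lab-Admins'; objectClass = 'group'
                       sIDHistory = @("$domainB-3307", "$domainB-512") }
)

$entries = @($sample | Get-SidHistoryEntry)
Get-SidHistorySummary -Entry $entries -CoexistenceDomainSid $domainA | Format-Table -AutoSize
$entries | Where-Object BuiltInRid | Format-Table Account, HistoricSid -AutoSize

# Against a live domain (requires the ActiveDirectory module and read access):
# Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, sAMAccountName, objectClass |
#     Get-SidHistoryEntry
```

Rows with status "cleanup pending" are accounts whose source domain is past coexistence and whose SIDHistory can be scheduled for removal once resource processing has been verified.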
3.4 Team Composition
The team member descriptions outlined below identify critical skillsets required for a successful
Active Directory Migration Project.
• Project Manager: As with any major project, having the right person(s) in the Project
  Manager role is a major reason for the success or failure of a project. Using a proven project
  management framework (ITIL, MSF, etc.) will assist in the successful tracking of assigned
  tasks and deadlines, as well as risk management and sign-off when exiting major
  milestones. Providing timely status reports will alert management to any critical issues,
  resource constraints, or budgeting/burn rate concerns. Past migration experience is helpful
  but not a requirement. Working closely with the Technical Project Lead can overcome lack
  of migration experience.
• Technical Project Lead: This person acts as the Subject Matter Expert (SME) for the entire
  migration project. Works closely with the Project Manager for assignment and scheduling of
  tasks. Attends technical as well as non-technical meetings. Acts as the liaison between IT
  management and the migration engineers. Assists the Project Manager in the kickoff
  meetings by giving a migration overview presentation, addressing departmental concerns,
  and begins the discovery process for each source domain scheduled for migration.
• Migration Engineer: This person(s) acts as the technical engineer. Experience with the
  migration tools and having completed large-scale migration projects is a must. Responsible
  for the installation and configuration of the migration tools. Works with IT staff to complete
  all necessary setup (production and lab environment if possible), testing, and successful test
  case completion. Will raise any concerns to the Technical Project Lead for resolution and
  tracking. Will be responsible for the completion of the actual migration steps as related to
  the toolset. Will ensure the health of the migration toolset and its related database.
• Cornell IT Staff Member: This person(s) will work with the migration engineer during the
  entire process. Will need to have extensive knowledge of the current production
  environment as well as knowledge of the source domains targeted for migrations. Will
  work with migration engineer and source domain IT staff in the completion of the
  pre-migration tasks. Resolves any issues related to the target domain (permissions, rights,
  availability, etc.).



4 Current Active Directory Infrastructure
During IDEA Integration's on-site visit, a brief overview of the current target domain (cornell.edu) was
provided. Meetings were held with a sampling of other colleges/service areas that may become
some of the first source domains to be migrated. Again, brief overviews of these source domains
were provided during our meetings. A thorough discovery process would occur for each of these
source domains when scheduled for an actual migration project.
4.1 CORNELL.EDU
• This is the current campus-wide forest/domain containing nearly 400k user accounts.
• It is currently running in native 2008 domain and forest functional levels.
• There is one child domain (citstaff.cornell.edu) that is in the process of being
  decommissioned.
• All users campus-wide have an account (NetID) in this domain, provisioned by ILM. An
  instance of MIT Kerberos is in place for provisioning of the NetID account and maintains
  password synchronization with the cornell.edu domain.
• The NetID account also serves as the authentication method for CUWebLogin (access to
  most campus web applications).
• Guests (users without a NetID) are provisioned in the cornell.edu domain using a guest ID
  naming convention.
• Campus-wide Microsoft Exchange 2007 environment is contained in the cornell.edu forest as
  well. Plans to upgrade to Exchange 2010 are in place.
• OU Administration Delegation has been set up using QUEST Active Role Server (ARS) to grant
  College/Service Area IT staff rights to administer their assigned OU upon completion of the
  consolidation effort.
• All Domain Controllers are located within the campus's two data centers. A possible third
  data center will be stood up for disaster recovery protection and would contain additional
  Domain Controllers.
4.2 Additional Forests/Domains
As part of this engagement, Idea met with the following sampling of source domains and support
staff during the on-site visit:
• Facilities
• S C
• A Life Services
• Campus Life / Admin Services
• Nanoscale / Johnson School of Management / Law School
• Exchange Administration

The information obtained during these productive meetings has assisted greatly with the content
and recommendations listed in this document.



4.3 Development/Lab Environment
There is a virtualized lab environment for the Cornell.edu domain built on VMware technology. The
QMM Console and Database are fully supported in a virtual environment and, as stated previously,
the availability of this test environment could prove crucial to a successful migration experience.
Testing of the migration process and completing the test cases, and potentially more important, the
testing and sign-off of the source domain applications deemed critical or high-risk, will build
confidence in the migration process and greatly assist in staying on track with the scheduling of
tasks.



5 Areas of Remediation
A major component to the overall plan of a project is Risk Management. Risk Management is the
identification, assessment, and prioritization of risks followed by a strategy to manage the identified
risks. Avoiding the risk, reducing the risk, or even accepting some or all of the consequences of a
particular risk are all examples of managing risks. The identified areas below are some of the risks
discovered during the on-site visit that will require some type of remediation. A more complete Risk
Assessment would be part of the actual project plan for the Active Directory Migration Project.
5.1 Ongoing Virtualization and Exchange Migration Projects
There are several ongoing and planned projects at Cornell. The introduction of more than
'one' change at a time during a migration project is not desirable and can lead to an
unsatisfactory user experience. Careful collaboration with the Virtualization and Exchange
Migration projects is imperative. Each separate project should have its own 'freeze' period
by which no other changes are being made while the current project is progressing. A strong
project management presence is required to ensure communications and tasks scheduling
are completed and documented.
5.2 Existing Microsoft SharePoint Deployments
While a coexistence period will be kept to a minimum, user experience can be affected
during this timeframe. SharePoint is a web-based application and as such does not benefit
from the use of SIDHistory for granting access to a particular workspace. New account
access will need to be granted prior to a user's migration, or the user will be prompted for their
username/password from the source domain until the SharePoint deployment has been
'moved' into the target domain (cornell.edu). There have been some preliminary
discussions about deploying a campus-wide SharePoint.
5.3 Existing Microsoft System Center Configuration Manager Deployments
During coexistence, workstations that have joined the target domain but are still being
managed by a SCCM deployment in the source domain will lose some functionality. The
ability to deploy by OU is a key limitation. A campus-wide SCCM deployment project has
started and would be the final solution at some point.
5.4 Existing Microsoft SQL Server Deployments
Rights to databases on SQL servers that are assigned via domain accounts will need to be
updated during migration of the SQL servers when they are joined to the target domain.
This can be done via scripting or, if an automated toolset (QMM for AD) is being leveraged for
the migration, the toolset should be able to automate this process through the SQL resource
update process.
5.5 Existing Microsoft Windows Server Update Service (WSUS)
This is a minimal issue normally during a migration. If a campus-wide WSUS server is
available for use when the migrated workstations are joined to the target domain, a simple
update on the workstation to point to the new WSUS server will be required. This can be
done via Group Policy Object (GPO).
5.5 Certificate Services
During the discovery process of the project, any deployed certificate services will need to be
addressed. Certain deployments (i.e., Wireless Authentication) can be mitigated by the
deployment of additional Cornell.edu domain certificates. If an actual Certificate Authority
has been deployed in a source domain, coordination in the project plan will need to be
tracked to ensure a smooth transition to a deployed CA in the Cornell.edu domain as well as
any application utilizing certificates from the source CA.
5.6 Centralized Backups - Tivoli Configuration Manager
Coordination (or possible halting) of the workstation backup agent will need to occur to
ensure no interruption of the migration process. Additional testing is taking place currently
to determine behavior of a newly joined workstation to the target domain and/or
permission changes of files and folders to document behavior of the backup post-migration
(full backup vs. incremental).
5.7 Schema Extensions (Biometrics)
A decision paper and then eventually a campus-wide policy need to be in effect regarding
the handling of Schema Extensions in the Cornell.edu domain. For this particular extension,
the use of other two-factor authentication options could possibly allow the use of Biometrics
to be discontinued in the Cornell.edu domain.
5.8 Workstation Rename Requirement
All workstations joining the target domain will need to comply with the campus-wide
naming standard. This additional step can be performed prior to, during, or post migration.
The requirement during the discovery phase of the migration project to produce an accurate
workstation inventory for each source domain usually means renaming workstations prior to
migration works most efficiently. Another factor in the Cornell environment to take into
consideration is workstations that utilize the TSM Backup agent and the need to
reload/update the machine names upon being renamed within Tivoli.
5.9 RADIUS - Authentication Proxy Policy
If source domain accounts are being used to authenticate users via a RADIUS deployment,
steps need to be in place on the RADIUS server to ensure target domain accounts are also
searchable for authentication. If universal NetID accounts are being used, no further steps
should be required.
5.10 Deployed VPN Solutions
A decision paper and an eventual campus-wide policy should be in place regarding the use of
a campus-wide VPN solution or continuing to allow each college/service area to maintain their
own VPN solution. Input from Security would be required to ensure its policies are being
met.
5.11 Stand-Alone Workstation Migrations
Workstations that are not currently joined to a domain would require a simple join to the
target domain. Updating their profiles on the workstation would require some type of script
or program designed for this purpose. This would be a subset of tasks in the migration
project plan outside of normal migration activities. Idea would work with Cornell IT staff in
the development of this process and evaluate scripts/tools that would provide the maximum
benefit to completing this required task.



6 Planning Recommendations
The following recommendations are proposed for review and discussion:
• Use of Quest Migration Manager (QMM) for Active Directory: Based on the size, duration,
  and complexity of this project, Idea strongly recommends the use of a complete end-to-end
  migration solution inclusive of the Quest migration tools. Key features and benefits of using
  QMM are noted in section 3.2 of this document and address the migration concerns noted in
  section 3.1. Use of this toolset will allow for a repeatable migration process for each source
  domain targeted for migration that can continually be refined during the entire Active
  Directory Migration project.
• Commitment to Project Management (PM): As noted earlier in the document, Idea would
  recommend (require) dedicated PM(s) to the migration project. This is essential to a
  successful migration.
• One Migration Team vs. Multiple Migration Teams: This is normally dictated by balancing
  cost versus project deadlines. A migration team (composition listed previously in document)
  can handle up to three source domain migrations in different phases of the migration
  process (one in pre-migration, one in active migration, and one in post-migration). If two
  migration teams are utilized, a potential of six source domain migrations could be managed.
  With over 70+ domains to consolidate by a potential deadline of July 2012, Idea
  recommends strong consideration should be given to utilizing this multiple migration team
  scenario.
• Coordinated Scheduling with other ongoing projects: Per on-site discussions, Active
  Directory migrations on a particular source domain should occur prior to that college/service
  area's Virtualization Project. This would eliminate the need for multiple steps focused
  around permissions/administration and make for a more smooth transition to a virtualized
  environment. In addition, there are ongoing email/Exchange migrations occurring that will
  need to be taken into account when scheduling college/service areas for Active Directory
  migrations to ensure no conflicts or undesirable end-user experiences. Idea recommends
  the merging of the AD migration project plan to a single consolidated project plan for each
  College/Service Area scheduled for consolidation. This consolidated project plan would not
  only track the AD migration portion of the project, but also ensure that the additional
  projects (virtualization and email migrations) for each source domain are scheduled
  efficiently and without conflict of one another.
• Roadmaps and Prioritization for Campus-Wide Services: An area of concern that most
  people expressed during our meetings was around timelines for SCCM and SharePoint.
  Addressing these concerns with some valid timelines would assist in the risk mitigation
  planning during the discovery phase of the project. Idea recommends the development and
  creation of a task force or steering committee that consists of the sponsor and at least one
  team member of each related project (AD, Exchange, Virtualization, SCCM, and SharePoint
  deployment) so that each group has visibility into the scheduling and risk mitigation
  activities supporting the AD projects and understand potential impacts to their projects.



Appendix A: Sample High Level AD Migration Project Plan

Task Name
High Level AD Migration Project Plan Example
Envisioning
Project Kickoff
High Level Project Plan
Set-up Project Management Office
Vision\Scope definition
Communication Plan
Envisioning closeout
Planning
Capture - Current State Analysis
Architecture/Design
Deployment Scheduling
Detailed Project Plan
Planning closeout
Developing
Lab Build Out
Design Lab Architecture
Design physical layout
Design logical layout
Determine hardware requirements
Finalize lab architecture
Infrastructure Servers Build
Implement Network Topology
Load base server OS
Lab Environments
Build out Infrastructure
Install Active Directory Environment
Install and Configure Quest Migration Tools
Migration Testing
User Synchronization
Workstation Migration
Resource Update Manager
Member Server Migration
Other Services (DNS, DHCP, Linux, Etc.)
Test Plans
Develop test plans
Verify test plans
Execute test plans with QA
Develop Migration Plans
Build Migration Documents
Pre-production Tasks
Provision required Hardware in Production
Disable SIDHistory Filtering
Verify Quest Account Permissions
Install Quest tools into Production
Finalize Pilot Group
AD Synchronization
Development closeout
Stabilization
Pilot Rollout/Testing
Coordinate/Execute Schedule for User/Workstation Migration
Execute Migration
Validate results
Migration Scheduling
Develop Migration Sessions
Approve/Finalize Session Schedule
Helpdesk Coordination
Knowledge Transfer
Coordinate Migration Activities
Go - No Go meeting
Stabilization closeout
Pre-Deployment Tasks
Coordinate Change Control
Agent Installs
Deployment
User/Groups Migration
Workstation Migration
Resource/Profile Updating
User Switch (Workstation Move)
Member Server Migration
Coordinate with Server/Application Owner
Submit Change Control
Post Migration Activities
Deployment Closeout
