[This is a partial re-post of an entry on the STEALTHbits blog. I think it's relevant here and open for discussion on the concepts surrounding clean migrations and AD unification.]
It’s no secret that over the past decade, Active Directory has grown
out of control across many organizations. Partly this is the result of
organizational mergers, and partly of disparate Active Directory domains
that sprouted up over time; either way, you may find yourself looking at
dozens or even hundreds of Active Directory domains and realize that it's
time to consolidate. That probably feels overwhelming. But despite the
effort in front of you, there’s an easy way and a right way.
Domain consolidation is not a simple task. Whether you're moving from
one platform to another, trying to implement a new security model, or
just consolidating domains for improved management and reduced cost,
there are numerous steps, lots of unknowns and an overwhelming feeling
that you might be missing something. Sound familiar?
According to Gartner analyst Andrew Walls, “The
allure of a single AD forest with a simple domain design is not fool’s
gold. There are real benefits to be found in a consolidated AD
environment. A shared AD infrastructure enables user mobility, common
user provisioning processes, consolidated reporting, unified management
of machines, etc.”
Walls goes on to discuss the politics, cost justification, and complexity of these projects, noting that “An
AD consolidation has to unite and rationalize the ID formats, password
policy objects, user groups, group policy objects, schema designs and
application integration methods that have grown and spread through all
of the existing AD environments. At times, this can feel like spring
cleaning at the Augean stables. Of course, if you miss something, users
will not be able to log in, or find their file shares, or access
applications. No pressure.”
Walls offers advice on how to avoid some of the pain. “You fight
proliferation of AD at every turn and realize that consolidation is not a
one-time event. The optimal design for AD is a single domain within a
single forest. Any deviation from this approach should be justified on
the basis of operational requirements that a unified model cannot
possibly support.”
What does this mean for you? Well, the most significant take-away
from Walls’ advice is that it’s not a one-time event. AD unification is
an ongoing effort. You don’t simply move objects from point A to point B
and then pack it in for the day. The easy way fails to meet the core objectives of an improved security model, simplified management, reduced cost, and a common provisioning process (think integration with Identity Management solutions).
If you take everything from three source domains and simply move it all
to a target domain, you haven’t achieved any of the objectives other
than now having a single Active Directory. There’s a good chance that
your security model will remain fragmented, management will become more
difficult, and your user provisioning processes will require additional
logic to accommodate the new mess. On a positive note, if this
model is your intent, there are numerous solutions on the market that
will help.
STEALTHbits, of course, embraces the right way. “Control through Visibility”
is about improving your security posture and your ability to manage IT
by increasing your visibility into the critical infrastructure.
If you'd like to learn more about the solution, you can start by reading the rest of this blog entry or contact STEALTHbits.