As federal IT continues to evolve, it is not uncommon for government agencies to reorganize how they conduct business to match the pace of advancements in technology. Add to the mix that administrations and leadership can change every four years, and federal goals may change with them, requiring internal reshuffling that can entail a considerable amount of behind-the-scenes work to align agencies’ IT operating environments with current priorities.
To keep agency business running while simultaneously adapting to shifting priorities, federal IT teams must consider how to migrate and/or consolidate their agencies’ Active Directory (AD) environments, tools, and solutions to reflect the restructuring of their agencies’ missions and goals.
To learn more about federal AD migration and consolidation and the benefits they can deliver to federal agencies, as well as advice on how organizations should approach the processes before executing them, the GovCyberHub sat down with Quest Software’s Chris Esler.
Here is what he had to say:
GovCyberHub (GCH): What spurs the need for federal agencies to migrate and/or consolidate within their AD environments? What are some examples of why federal agencies may need to do this?
Chris Esler: This answer could fall into one of three categories. The first would be due to business changes to the federal government. Based on what’s going on within the government, agencies may go through reorganizations, mergers, and divestitures. This mostly happens within civilian agencies, but lately we’ve seen several U.S. Department of Defense (DoD) organizations revise how certain commands are structured. And since they had to restructure the commands, they also decided to restructure all the data and tools in Active Directory to meet those needs.
The second reason would be due to technology changes. Once the government decides to make tech changes like upgrading servers, migrating to a new cloud host, or moving to a hybrid operating environment, these decisions drive the migration business. Further, with Quest’s federal customers, we’ve seen historically commercial cloud tenants move to federal-dedicated cloud tenants, like Microsoft GCC and GCC High.
Also, with the rush to cloud, we’ve seen federal customers moving to shared department-level tenants. As departments want to move to the cloud, they move with a department-level tenant where all the subagencies or federal groups of that department can move into and share costs. But what they found is – oftentimes – a shared tenant will not meet their functional business needs. As a result, some departments or sub-organizations within a department will move into this shared tenant, then move out to their own tenant.
The third reason for AD migrations and consolidations is a logical architecture change. The logical architecture is how Active Directory is actually organized within the organization. You can have one general domain for a federal agency and then sub-domains for departments, such as accounting or human resources.
As technology and business changes progress, federal agencies find they need to rearchitect their logical domains to meet their business needs, and there are a couple of reasons for that.
First is efficiency. In the early stages of Active Directory, lots of organizations ended up with a lot of domains in multiple forests. Over time, they found that these types of models were very complex and difficult to manage, therefore they wanted to consolidate their domains into a single domain.
“Consolidation reduces the security perimeter.” – Chris Esler
Another reason is due to general technology changes. Initially, Microsoft was recommending a tiered access model for Active Directory, where you have a tier zero, a tier one, and a tier two: tier zero being your administrators, tier one being managers, and tier two being client-side machines or end-users. This was the way to control security. As the technology and business use cases changed, they moved to a different model called the Enhanced Security Admin Environment (ESAE), also known as the “red forest.” This was a more nuanced approach to crafting a logical architecture in order to provide better security. However, due to the complexity of this model, Microsoft has since moved away from it.
They moved away from this model because managing the model was so complex, and because the model did not consider the hybrid architectures that are more popular today. No federal agency that I know of is truly in the cloud. It’s a Software as a Service (SaaS) model, but agencies are currently hybrid-built. There are servers on-premises, as well as hybrid to the cloud. So that technology changed for Microsoft.
GCH: What benefits does AD migration/consolidation provide to federal agencies? What outcomes should they expect to see after a successful migration/consolidation?
Chris Esler: AD migration helps federal agencies achieve the goals they are driving towards. AD consolidation can help ensure that an agency’s AD logical architecture is set up to best achieve security for their organization. For instance, when you consolidate your AD architecture, you can achieve different outcomes.
First, consolidation reduces the security perimeter. Since you’ll only have one forest or a single domain, your security boundary is reduced and the complexity of managing security across multiple domains is no longer an issue.
The administrative overhead of managing multiple forests and domains can be complex and time-consuming. It requires more resources and expertise, and it opens up the possibility for further risk due to the complexity. By consolidating, agencies would have improved operational visibility.
“Another benefit [of consolidation] is simplifying the impact of small changes in a forest or domain.” – Chris Esler
Imagine, if you will, 60 forests and 300 domains. Trying to understand what’s happening within that system as opposed to a single forest and single domain is exponentially more difficult. With consolidation, reporting is much easier and much less complex. And you have better visibility and control over what’s happening, in addition to having reduced management overhead.
Another benefit is simplifying the impact of small changes in a forest or domain. For agencies that have multiple forests and domains, making a small change can be extremely complex. When those organizations make small changes in security or a policy that needs to be replicated across many domains, it expands management overhead.
Finally, consolidation can improve your security posture. There are multiple risks associated with multiple domains within Active Directory. There’s increased traffic between the domains, and this can cause a strain on network resources and lead to decreased performance. There’s also a risk of data inconsistency. If data is not properly replicated across domains, there is a risk of getting inconsistency and data loss in environments with multiple domains.
GCH: In order for federal agencies to have a successful AD migration/consolidation journey, I’m sure they need to have a robust and detailed plan ahead of time. What factors do agencies need to consider and include during the planning of the migration/consolidation process?
Chris Esler: First, federal agencies must decide on a measurable definition of success. Oftentimes, I see people who embark on these complex, large projects without a well-defined goal of what success should look like. That’s always number one, from my perspective.
A close second is a communication plan between teams. Given these federal environments are often very large, quite often agencies will have separate teams managing different aspects of the IT environment. They’ll have a desktop services team, an Active Directory team, a database team, a network team, etc. And due to the nature of how federal IT operates, these teams don’t always communicate as much as they should.
An example could be if a federal agency has service contracts out for their network environment, as well as – say – their Active Directory team. Those contracts can have different start and end dates. They could have different teams coming on board at different times, causing a lack of communication and a lot of confusion. Team consistency and familiarity might not be there as it might be in a commercial environment.
Other factors when embarking on a migration or a consolidation include ensuring an agency’s backup and recovery capabilities are up to snuff. An agency’s recovery time and recovery point must be understood and planned for during the migration. Rollback capabilities are critical. As agencies progress with their migration or consolidation, unexpected results can occur – even after they’ve tested a pilot group. They can still have unexpected results. In order to have a safe path for the situation, agencies will need pullback capabilities.
Another consideration would be coexistence. That means agencies that are embarking on a migration or consolidation project should ensure that the project does not affect their users. Active Directory is the core of any IT organization. Without Active Directory, an agency’s staff cannot perform their work, which is absolutely critical.
“Agencies will want to determine the impact of consolidating and restructuring AD groups. Migration analysis should include a comparison between an agency’s planned results and its actual results.” – Chris Esler
Testing capabilities are also a critical component to have in place before executing a migration or consolidation. Organizations should have the hardware resources required to set up a test environment to first run any migrations through. The tools they decide to use should also have a test mode where they can execute changes and observe how they affect the target environment before actually making any changes.
Next would be implementing project timelines based on real data. Because migrations are events – rather than regular operations and maintenance – the folks that are executing the migration are not going to have historic data to rely upon. When they execute a migration for the first time, they aren’t really sure how long that project is going to take. Therefore, test migrations run specifically to determine project milestones and timelines are important.
Another factor would be reporting, both pre-migration and post-migration. Reporting is critical to understanding if an agency has achieved its goal or definition of success. For instance, pre-migration analysis can include how many domains, users, and groups an agency has. It can also include determining if there are duplicate users, computers, or groups with dependencies. If conflicts might be in the environment, pre-migration analysis could also include which accounts, files, or groups can be excluded from a migration project. It’s all about making the migration as clean as possible.
And finally, agencies will want to determine the impact of consolidating and restructuring AD groups. Migration analysis should include a comparison between an agency’s planned results and its actual results. Post-migration analysis would then include getting rid of any historical data that an agency plans to get rid of.
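As an added illustration of the pre-migration analysis described in this answer (example code, not the interviewee’s or Quest’s own), the following PowerShell script inventories several source domains with the RSAT ActiveDirectory module, counts groups whose members live in another domain, and flags logon names that would collide once the domains are consolidated into one. The domain names are constructed, and read access to each domain is assumed.

```powershell
Import-Module ActiveDirectory

# Constructed list of source domains to be folded into one target domain;
# replace with the agency's own. Read access to each domain is assumed.
$SourceDomains = @('hr.example.gov', 'acct.example.gov', 'ops.example.gov')

$inventory = @()
$seen = @{}   # lower-cased sAMAccountName -> domains where it already exists

foreach ($domain in $SourceDomains) {
    # DN suffix of this domain, e.g. DC=hr,DC=example,DC=gov
    $domainDn = 'DC=' + ($domain -replace '\.', ',DC=')

    $users     = @(Get-ADUser     -Filter * -Server $domain)
    $computers = @(Get-ADComputer -Filter * -Server $domain)
    $groups    = @(Get-ADGroup    -Filter * -Server $domain -Properties Members)

    # A group is a cross-domain dependency when any member DN sits outside this
    # domain's DC= suffix (exact match, so objects in child domains count as foreign).
    $crossDomain = @($groups | Where-Object {
        @($_.Members | Where-Object { ($_ -replace '^.*?(?=DC=)', '') -ne $domainDn }).Count -gt 0
    })

    $inventory += [pscustomobject]@{
        Domain            = $domain
        Users             = $users.Count
        Computers         = $computers.Count
        Groups            = $groups.Count
        CrossDomainGroups = $crossDomain.Count
    }

    # sAMAccountName must be unique per domain across users, computers and groups,
    # so any name seen in two source domains will conflict in the consolidated one.
    foreach ($obj in ($users + $computers + $groups)) {
        $name = $obj.SamAccountName.ToLowerInvariant()
        if (-not $seen.ContainsKey($name)) { $seen[$name] = @() }
        $seen[$name] += $domain
    }
}

# Pre-migration report: per-domain counts, then the colliding logon names
# that must be renamed or excluded before the consolidation runs.
$inventory | Format-Table -AutoSize
$collisions = @($seen.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } |
    ForEach-Object { [pscustomobject]@{ SamAccountName = $_.Key; Domains = ($_.Value -join ', ') } })
"Colliding sAMAccountNames across source domains: $($collisions.Count)"
$collisions | Sort-Object SamAccountName | Format-Table -AutoSize
```

Re-running the same script against the target domain after the migration gives the planned-versus-actual comparison the answer calls for.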
Be sure to check back for Part 2 of our conversation with Chris Esler, as he explores the different tools and solutions that can assist federal agencies with their AD migration and consolidation projects.