In our last article, the GovCyberHub sat down with Quest Software’s Chris Esler to examine the reasons why federal agencies migrate and consolidate their Active Directory (AD) environments, as well as delve into the many different benefits these processes deliver to organizations.
This week, Chris returns to explore the different tools and solutions federal agencies can take advantage of that can assist in facilitating an AD migration and/or consolidation, and discuss the best practices organizations should follow when actually executing these AD projects.
Here is what he had to say:
GovCyberHub (GCH): After agencies have a plan in place, what best practices should they follow when executing the actual migration/consolidation process?
Chris Esler: First, agencies should have clearly documented their desired end-state. For example, they should have figured out what their forests and domains should look like, which group policies need to be applied, how they are applied, etc. Agencies should also give some thought to their legal requirements. Within the federal ecosystem, there are often compliance requirements that should be considered when an agency is moving forward with a migration plan.
The second consideration would be for agencies to perform a thorough discovery. Agencies should have a very detailed understanding of the current state of their Active Directories. This could include what group policies are currently enforced, and understanding the users, computers, groups, etc. It’s also important that agencies understand any custom application, service, or other components that rely on Active Directory.
The third best practice would be for agencies to have a comprehensive plan, but – at the same time – be ready for changes. Planning is great, but based on testing and pilot migrations, things can change midstream. For instance, if an agency is testing its time to migrate, that time can actually change based on what they’re migrating. Testing can uncover lots of issues which can be addressed in an agency’s plan. However, once they start their pilot migrations, that is where they find a lot of unexpected results. And, again, as agencies are testing and running pilot migrations in an iterative migration process, their plan can change. Be prepared for variability.
Another best practice would be to address compliance from the beginning of a project. Don’t let addressing compliance become a surprise that can completely throw a project off. If you’re in a federal environment, compliance obligations are coming from multiple directions. It’s important to understand those obligations up front and plan for them. While compliance can drive changes with your plan, I’ve often seen projects come off track because when an organization makes any decisions to control or comply with certain types of sentiment control to be in compliance, they might not choose the most efficient control available.
Another best practice is communication. Like I mentioned, a communication plan is critical, as it includes who’s going to be communicated to, how often, along with instructions on how these folks will be communicated to. Since Active Directory is touching the entire organization, it’s important to have a robust communication plan not only with the technology team but with the business team as well.
Employing a phased migration to reduce risks is another best practice. A phased migration only exposes a certain portion of the organization to migration risks, and it gives agencies the opportunity to refine their migration process with each iteration. It can encapsulate some of that risk for projects.
Finally, using tools is very important for any AD migration in today’s Active Directory environment. Since Active Directory has been around for quite some time, the AD tools are quite mature. Not only can they execute a migration, but they are built with a migration project in mind. Conjoined, they can take a lot of the work and risk out of the project.
GCH: AD migration and consolidation can seem like extremely daunting tasks for federal agencies to take on. Are there any solutions or products that can simplify these processes for federal IT departments?
Chris Esler: Quest Software is a tools company. We help organizations migrate, manage, and secure their IT environments. As such, we have many tools that can help with a migration.
First, I’d recommend the Quest Enterprise Reporter solution for an Active Directory, as well as the Security Explorer Module. This will provide comprehensive pre- and post-migration analysis. This is where agencies can understand what they have, how they want to modify that into their target environment, and actually compare their AD migration results when they’re done. Quest Enterprise Reporter also integrates with our Security Explorer tool which can give agencies point-and-click security or remediation, and changes as they look at Active Directory reports.
The next tool I’d recommend is Quest Binary Tree Migrator Pro for Active Directory. This is not just a migration tool. It can not only execute the actual migration, but it will provide for coexistence during the migration. Therefore, users will not even know that a migration is taking place until they’ve actually migrated to their new domain. Coexistence is a critical piece of the puzzle.
Binary Tree also provides rollback. Like we discussed, when agencies execute an AD migration, they might get some unexpected results or business requirements may change midstream. Agencies can execute a rollback with zero risk with Binary Tree. The solution has a test mode built into it so when agencies conduct their initial testing, they can fine tune how their migrations are configured. And because Binary Tree has been the go-to tool for Active Directory migrations for some time, there is a project module built into it as well. This helps agencies manage their migration projects with some features that are built directly into the tool.
Another tool which can be incredibly valuable during migrations and consolidations is Quest Recovery Manager for Active Directory. Anytime agencies are executing a migration or making changes within their environment, it’s very important they have backup recovery set up to support their business. Unexpected things can happen and it’s very important to have a solid Active Directory recovery tool available.
And then finally, when we talk about migrations and consolidations, we’re really talking about making the operating environment more secure and efficient. While these large organizations can manage Active Directory moving forward using native tools, Quest has a tool called Active Roles. Active Roles is a comprehensive Active Directory management tool, which will eliminate a significant amount of work in managing an agency’s day-to-day activities within Active Directory. It can eliminate a lot of the complexity that agencies might have to build into Active Directory to maintain security.
Another tool that helps organizations move close to a Zero Trust environment is Change Auditor for Active Directory. Change Auditor provides real-time threat monitoring and security tracking of all key user activity and administrator changes. This tool is tunable, augments native logs with additional, critical information, makes logs easy to analyze and vastly reduces storage costs.